Policy Configuration

Configuration Hierarchy

The diagram illustrates the policy configuration hierarchy.

Policy Configuration Hierarchy

Configuration Syntax and Commands

The following sections describe the policy configuration syntax and commands.

Configuring Policy Statements

Syntax:

set policy statement <policy-name> ordinal <number> <attribute> <value>

Attribute Description

<policy-name>

Name of the policy statement. Policy names can contain alphanumeric characters and underscore character. They must not include special characters like hyphen. For example, BGP-EXPORT is not supported, whereas BGP_EXPORT is supported. A valid name cannot start with a number but it can contain numbers and underscore (_) in the string. The length of the names should not exceed 64 characters.

<number>

Specifies the ordinal number.

description <text>

Description of the ordinal.

match <…​>

Match configuration hierarchy. Please refer to section 2.2.1.1 for the match rule configuration.

match-logic <value>

Specifies the match logic. Supported values are and and or.

action <…​>

Action configuration hierarchy. Please refer to section 2.2.1.2 for the action rule configuration.

condition <condition-name>

Optionally, apply a policy condition. Please refer to section 2.2.3 for the policy condition configuration.

Configuring Match Rules

Syntax:

set policy statement <policy-name> ordinal <number> match rule <number> <attribute> <value>

Attribute Description

rule <number>

Specifies the match rule number.

type <attribute-type>

Specifies the attribute type. Please refer to section 2.2.1.1.1 for supported attribute types.

match-type <match-type>

Specifies the match type. Please refer to section 2.2.1.1.1 for supported match types per attribute, and to section 2.2.1.1.2 for descriptions of the match types.

value <value>

Attribute value. This is the actual value of the attribute to match, for example an IP prefix, a metric, or a community.

value-type <value-type>

Attribute value type. Supported types are discrete, this is a single value, and list, a list of values defined in a policy list.

Attribute and Match Types
Attribute Type Match Types Supported

ipv4-prefix

regex
exact
longer
or-longer
prefix-length-exact
prefix-length-greater
prefix-length-greater-or-exact

ipv6-prefix

regex
exact
longer
or-longer
prefix-length-exact
prefix-length-greater
prefix-length-greater-or-exact

route-distinguisher

regex
exact

community

regex
exact
exists

extended-community

regex
exact
exists

large-community

regex
exact
exists

as-path

regex
exact
exists

cluster-list

regex
exact
exists

source

regex
exact

sub-source

regex
exact

originator-identifier

regex
exact

peer-router-id

regex
exact

ipv4-nexthop

regex
exact

ipv6-nexthop

regex
exact

label

regex
exact

peer-ipv4

regex
exact

peer-ipv6

regex
exact

sid

regex
exact

sid-flag

regex
exact

external

exact

igp-metric

regex
exact
greater
greater-or-exact
less
less-or-exact

Match Types
Match Types Description

regex

An attribute can be matched using a standard Linux egrep regular expression.

Example: "label": "label-op:push,label:206,bos:1"

In this example, the label is a 64bit number, which has label value, bos, and operation encoding. A regex is used to match the string which is displayed in the table dump, that is, label-op:push,label:206,bos:1 not the 64bit value. The same is applicable to an array type attribute. A regex can be written to the string which is visible in the table dump output.

exact

Value configured in the command must be same as application attribute value

exists

This is applicable only for array type attribute; an exist match is the one where value configured in the command must exist in the application attribute value which is an array.

less

The application attribute value must be less than the value configured in the command

less-or-exact

The application attribute value must be less than or exact value configured in the command

greater

The application attribute value must be greater than the value configured in the command

greater-or-exact

The application attribute value must be greater than or exact value configured in the command

greater-longer

The route shares the same most-significant bits (described by prefix-length), and prefix-length is greater than the route’s prefix length

greater-or-longer

The route shares the same most-significant bits (described by prefix-length), and prefix-length is equal to or greater than the route’s prefix length.

longer

The route address shares the same most-significant bits as the match prefix (destination-prefix or source-prefix). The number of significant bits is described by the prefix-length component of the match prefix. The match will be performed only for prefixes longer than the one supplied for matching.

or-longer

The route address shares the same most-significant bits as the match prefix (destination-prefix or the source-prefix). The number of significant bits is described by the prefix-length component of the match prefix. The match is performed for the prefix supplied and for any prefixes that are subnets of it.

prefix-length-exact

The application attribute value whose prefix length must be lesser than or exact the value configured in the command

prefix-length-greater

The application attribute value whose prefix length must be greater than the value configured in the command

prefix-length-greater-or-exact

The application attribute value whose prefix length must be greater than or exact value configured in the command

Configuring Action Rules

Syntax:

set policy statement <policy-name> ordinal <number> action rule <number> <attribute> <value>

Attribute Description

rule <number>

Specifies the action rule number.

operation <operation-type>

Specifies the operation type. Please refer to section 2.2.1.2.1 for supported operations, and to section 2.2.1.2.2 for operations per attribute.

type <attribute-type>

Specifies the attribute type. Please refer to section 2.2.1.2.2 for supported attribute types.

value <value>

Specifies the operation value.

Operation Types
Operation Type Description

add

The application attribute value will be added with the value configured in the command

append

The application attribute value will be appended with the value configured in the command

delete-attribute

Deletes the attribute from the route/BDS object, that is, clearing all the info for that specific attribute in the object

divide

The application attribute value will be divided with the value configured in the command

goto-next-ordinal

If next term exists, then next term is executed and the policy result is decided based on the result of the execution

multiply

The application attribute value will be multiplied with the value configured in the command

overwrite

The application attribute value will be overwritten with the value configured in the command

prepend

The application attribute value will be prefixed with the value configured in the command

return-deny

Stops policy execution and returns result as deny (resulting route/BDS object to be denied)

return-permit

Stops policy execution and return result as permit (resulting route/BDS object to be permitted)

subtract

The application attribute value will be subtracted with the value configured in the command. If the result of the subtraction results in a number less than 0, the value "0" is used.

Attribute Types and Supported Operations
Attribute Type Operation Types Supported

ipv4-prefix

overwrite

ipv6-prefix

overwrite

route-distinguisher

overwrite

community

append
prepend
overwrite

extended-community

append
prepend
overwrite

large-community

append
prepend
overwrite

as-path

append
prepend
overwrite

cluster-list

append
prepend
overwrite

source

overwrite

sub-source

overwrite

originator-identifier

overwrite

peer-router-id

overwrite

ipv4-nexthop

overwrite

ipv6-nexthop

overwrite

label

overwrite

peer-ipv4

overwrite

peer-ipv6

overwrite

sid

overwrite

sid-flag

overwrite

external

overwrite

igp-metric

add
subtract
multiply
divide
overwrite

metric-type

overwrite

Example: Policy statement configuration

{
    "rtbrick-config:policy": {
      "statement": [
        {
          "name": "EXPORT_POLICY1",
          "ordinal": [
            {
              "ordinal": 10,
              "description": "Add BGP community to direct routes",
              "match-logic": "and",
              "match": {
                "rule": [
                  {
                    "rule": 1,
                    "type": "ipv6-prefix",
                    "value-type": "discrete",
                    "match-type": "or-longer",
                    "value": "2001:db8:0:60::/32"
                  },
                  {
                    "rule": 2,
                    "type": "source",
                    "value-type": "discrete",
                    "match-type": "exact",
                    "value": "direct"
                  }
                ]
              },
              "action": {
                "rule": [
                  {
                    "rule": 1,
                    "type": "community",
                    "operation": "append",
                    "value": "100:1"
                  },
                  {
                    "rule": 2,
                    "operation": "return-permit"
                  }
                ]
              }
            },
            {
              "ordinal": 20,
              "description": "Allow any other route",
              "action": {
                "rule": [
                  {
                    "rule": 1,
                    "operation": "return-permit"
                  }
                ]
              }
            }
          ]
        }
      ]
    }
  }

Configuring Policy Lists

Syntax:

set policy list <list-name> <list-type> ordinal <ordinal-number> value <value>

Attribute Description

<list-name>

Name of the policy list

<list-type>

Type of the policy list. The following types of lists are supported:

- as-path
- cluster-list
- community
- route-distinguisher
- extended-community
- ipv4-address
- ipv4-mcast-group
- ipv4-prefix
- ipv6-address
- ipv6-prefix
- large-community
- mpls-label
- source
- sub-source

<ordinal-number>

The number of the list entry.

<value>

The value of the list entry, for example an IP prefix, or a community.

Example: Policy list configuration

{
    "rtbrick-config:policy": {
      "list": [
        {
          "name": "PREFIX_LIST1",
          "type": "ipv6-prefix",
          "ordinal": [
            {
              "ordinal": 1,
              "value": "2001:db8:0:10::/32"
            },
            {
              "ordinal": 2,
              "value": "2001:db8:0:25::/32"
            },
            {
              "ordinal": 3,
              "value": "2001:db8:0:30::/32"
            }
          ]
        }
      ]
    }
}

Configuring Policy Conditions

Policy conditions refer to certain states of the system represented in BDS tables. You need to specify the table, the daemon (BD) that needs to resolve the condition, and if applicable, the attributes used to define the condition.

There are two types of conditions:

  • Match on certain attributes in BDS table objects.

  • Match on the number of objects in a BDS table.

Configuring Table Match

Syntax:

set policy condition <condition-name> table <attribute> <value>

Attribute Description

<condition-name>

Name of the policy condition

name <table-name>

Name of the BDS table

bd <bd-name>

Name of the BD which resolves the condition. Currently supported BDs are: ifmd, ribd, mribd, pppoed, subscriberd, ipoed, l2tpd, pimd, igmp.iod, isis.iod, ospf.appd ospf.iod

count <number>

Optionally, match on the number of objects in a table

match <type>

Type of match for an object count. Supported match types are:
equal
greater
greater-or-equal
less
less-or-equal

Configuring Attribute Match

You can configure attributes to define a condition. The attributes refer to objects in the table configured in the section above. Please note:

  • You can match on multiple attributes.

  • In order to identify matching objects, you need to specify all attributes which are primary keys in the table.

  • Attribute configuration is not required for conditions matching on the number of table objects using the count option.

Syntax:

set policy condition <condition-name> attribute <name> <attribute> <value>

Attribute Description

<condition-name>

Name of the policy condition

attribute <name>

Name of the attribute in the BDS table

value <value>

Value of the attribute to match

match <type>

Type of the match. Supported match types are:
equal
exists
greater
greater-or-equal
less
less-or-equal
regex

Example: Policy condition configuration

{
    "rtbrick-config:policy": {
      "condition": [
        {
          "condition_name": "precheck",
          "table": {
            "name": "global.instance",
            "bd": "bgp.iod.1"
          },
          "attribute": [
            {
              "name": "instance_name",
              "match": "equal",
              "value": "default"
            }
          ]
        }
      ]
    }
  }

Attaching Policies

Once a policy has been created, they need to be applied to an application like a routing protocol to take effect.

BGP Attachment Points

  • Instance import/export

  • BGP peer group import/export

  • BGP redistribution

For attaching policies to the BGP protocol, please refer to the RBFS BGP User Guide.

IS-IS Attachment Points

  • IS-IS redistribution

For attaching policies to the IS-IS protocol, please refer to the IS-IS User Guide.

OSPFv2 Attachment Points

  • OSPFv2 redistribution

For attaching policies to the OSPFv2/v3 protocol, please refer to the OSPFv2 User Guide.

LDP Attachment Points

  • LDP redistribution#

For attaching policies to the LDP protocol, please refer to the LDP User Guide.

IGMP Attachment Points

  • IGMP group filtering

  • IGMP SSM-mapping

For attaching policies to the IGMP protocol, please refer to the RBFS IP Multicast Routing Configuration Guide.

Sample Configurations

Example 1: BGP export policy referencing a policy list

supervisor@leaf1: cfg> show config policy
{
  "rtbrick-config:policy": {
    "list": [
      {
        "name": "PREFIX_LIST2",
        "type": "ipv6-prefix",
        "ordinal": [
          {
            "ordinal": 1,
            "value": "2001:db8:0:60::/32"
          },
          {
            "ordinal": 2,
            "value": "2001:db8:0:80::/64"
          },
          {
            "ordinal": 3,
            "value": "2001:db8:0:110::/64 "
          }
        ]
      }
    ],
    "statement": [
      {
        "name": "EXPORT_POLICY2",
        "ordinal": [
          {
            "ordinal": 10,
            "description": "Add community to direct routes",
            "match": {
              "rule": [
                {
                  "rule": 1,
                  "type": "source",
                  "value-type": "discrete",
                  "match-type": "exact",
                  "value": "direct"
                }
              ]
            },
            "action": {
              "rule": [
                {
                  "rule": 1,
                  "type": "community",
                  "operation": "append",
                  "value": "100:1"
                },
                {
                  "rule": 2,
                  "operation": "return-permit"
                }
              ]
            }
          },
          {
            "ordinal": 20,
            "description": "Allow list of routes",
            "match": {
              "rule": [
                {
                  "rule": 1,
                  "type": "ipv6-prefix",
                  "value-type": "list",
                  "match-type": "or-longer",
                  "value": "PREFIX_LIST2"
                }
              ]
            },
            "action": {
              "rule": [
                {
                  "rule": 1,
                  "operation": "return-permit"
                }
              ]
            }
          },
          {
            "ordinal": 30,
            "description": "Deny any other route",
            "action": {
              "rule": [
                {
                  "rule": 1,
                  "operation": "return-deny"
                }
              ]
            }
          }
        ]
      }
    ]
  }
}

supervisor@leaf1: cfg> show config instance default protocol bgp peer-group spine address-family ipv6 unicast
{
  "rtbrick-config:address-family": [
    {
      "afi": "ipv6",
      "safi": "unicast",
      "policy": {
        "export": "EXPORT_POLICY2"
      }
    }
  ]
}

Example 2: IGMP filter policy

supervisor@leaf1: cfg> show config policy
{
  "rtbrick-config:policy": {
    "statement": [
      {
        "name": "IGMP_FILTER",
        "ordinal": [
          {
            "ordinal": 1,
            "description": "IGMP group filter",
            "match-logic": "or",
            "match": {
              "rule": [
                {
                  "rule": 1,
                  "type": "ipv4-mcast-group",
                  "value-type": "discrete",
                  "match-type": "or-longer",
                  "value": "198.51.100.30/24"
                },
                {
                  "rule": 2,
                  "type": "ipv4-mcast-group",
                  "value-type": "discrete",
                  "match-type": "or-longer",
                  "value": "198.51.100.40/24"
                }
              ]
            },
            "action": {
              "rule": [
                {
                  "rule": 1,
                  "operation": "return-permit"
                }
              ]
            }
          }
        ]
      }
    ]
  }
}

supervisor@leaf1: cfg> show config multicast-options igmp
{
  "rtbrick-config:igmp": {
    "interface-profile": [
      {
        "profile-name": "PROFILE1",
        "filter-policy": "IGMP_FILTER"
      }
    ]
  }
}