| Field | Value | Date |
|---|---|---|
| author | ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp> | 2016-05-16 08:39:38 +0000 |
| committer | ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp> | 2016-05-16 08:44:28 +0000 |
| commit | 949c58fbf6d5ccb79ee87a5105968d3fe591a3a9 (patch) | |
| tree | fbcbd5d4292e2c053d359238c03bfff7d9ba1eb0 /docs/sources/policy.md | |
| parent | e6b4e0f4edb9d501fabbc52ffbaac013b3748aba (diff) | |
docs: update policy.md
Signed-off-by: ISHIDA Wataru <ishida.wataru@lab.ntt.co.jp>
Diffstat (limited to 'docs/sources/policy.md')
-rw-r--r-- | docs/sources/policy.md | 377 |
1 files changed, 196 insertions, 181 deletions
diff --git a/docs/sources/policy.md b/docs/sources/policy.md index 5d4a0c05..088efcb7 100644 --- a/docs/sources/policy.md +++ b/docs/sources/policy.md @@ -16,7 +16,12 @@ Assumed that you finished [Getting Started](https://github.com/osrg/gobgp/blob/m - [Route Server Policy Model](#rs-model) - [Policy Structure](#policy) - [Policy Configuration](#configuration) - + - [Defining defined-sets](#defined-sets) + - [Defining bgp-defined-sets](#bgp-defined-sets) + - [Defining policy-definitions](#policy-definition) + - [Attaching policy](#attachment) + - [Attach policy to global rib](#global-attachment) + - [Attach policy to route-server-client](#rs-attachment) ## <a name="overview"> Overview @@ -30,6 +35,7 @@ GoBGP supports **Condition** like `prefix`, `neighbor`(source/destination of the etc... You can configure policy by configuration file, CLI or gRPC API. +Here, we show how to configure policy via configuration file. ## <a name="model"> Policy Model @@ -93,6 +99,9 @@ Conditions are categorized into attributes below: - extended community - rpki validation result +As showed in the figure above, some of the conditions point to defined sets, +which are a container for each condition item (e.g. prefixes). + Actions are categorized into attributes below: - accept or reject 
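Review bot: In the @@ -93,6 +99,9 @@ hunk the added sentence reads "As showed in the figure above"; it should be "As shown in the figure above". In the @@ -16,7 +16,12 @@ hunk the new table-of-contents entry for policy-definitions points at `#policy-definition` (singular) while the sibling anchors `#defined-sets` and `#bgp-defined-sets` are plural and match their section names; either rename the anchor to `#policy-definitions` here and in the heading, or keep the two spellings deliberately consistent so the link does not break on a later cleanup.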
@@ -101,15 +110,7 @@ Actions are categorized into attributes below: - set next-hop - prepend AS number in the AS_PATH attribute -If All condition in the statement are true, the action(s) in the statement are executed. - -A condition can have multiple values. For example, you can define a prefix -condition that has 10.20.0.0/16, 10.30.3.0/24, and 10.30.4.0/24. You can specify -how these values are used to decide whether the condition is true or -false. In this case, you can specify either: - -- true if a route matches any of 10.20.0.0/16, 10.30.3.0/24, and 10.30.4.0/24. -- true if a route matches none of 10.20.0.0/16, 10.30.3.0/24, and 10.30.4.0/24. +When **ALL** conditions in the statement are `true`, the action(s) in the statement are executed. You can check policy configuration by the following commands. 
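Review bot: This hunk drops the only early explanation that a condition can carry several values and that the reader chooses between "matches any" and "matches none" of them, leaving just the bold ALL-conditions rule. The any/invert semantics now appear only much later under match-set-options, so a reader of the Policy Model section loses the hint that a prefix-set with three prefixes is an OR, not an AND. Suggest keeping one sentence after the new line, for example "A condition can list multiple values; how they are combined is controlled by `match-set-options` (see below)."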
@@ -125,38 +126,36 @@ $ gobgp policy ext-community ## <a name="configuration"> Policy Configuration -GoBGP's configuration file has two parts named **DefinedSets** and **PolicyDefinitions** as its policy configuration. **DefinedSets** part defines conditions. **PolicyDefinitions** defines policies based on actions and these conditions. - - - - DefinedSets - - A single DefinedSets entry has prefix match that is named PrefixSets and neighbor match part that is named NeighborSets. It also has BgpDefinedSets, a subset of DefinedSets that defines conditions referring to BGP attributes such as aspath. This DefinedSets has a name and it's used to refer to DefinedSets items from outside. +Policy Configuration comes from two parts, [definition](#defined-sets) and [attachment](#attachment). +For definition, we have [defined-sets](#defined-sets) and [policy-definition](#policy-definition). +**defined-sets** defines condition item for some of the condition type. +**policy-definitions** defines policies based on actions and conditions. - - PolicyDefinitions +- **defined-sets** + A single **defined-sets** entry has prefix match that is named **prefix-sets** and neighbor match part that is named **neighbor-sets**. It also has **bgp-defined-sets**, a subset of **defined-sets** that defines conditions referring to BGP attributes such as aspath. This **defined-sets** has a name and it's used to refer to **defined-sets** items from outside. - PolicyDefinitions has PolicyDefinitionList, it's a list of policy. - A single element of PolicyDefinitionList has a statement part that combines conditions with an action. +- **policy-definitions** + **policy-definitions** is a list of policy. A single element has **statements** part that combines conditions with an action. +Below are the steps for policy configuration -These are steps to define policy: +1. define defined-sets + 1. define prefix-sets + 1. define neighbor-sets +1. define bgp-defined-sets + 1. define community-sets + 1. 
define ext-community-sets + 1. define as-path-setList +1. define policy-definitions +1. attach policies to global rib (or neighbor local rib when neighbor is [route-server-client](https://github.com/osrg/gobgp/blob/master/docs/sources/route-server.md)). -1. define DefinedSets - 1. define PrefixSets - 1. define NeighborSets -1. define BgpDefinedSets - 1. define CommunitySets - 1. define ExtCommunitySets - 1. define AsPathSetList -1. define PolicyDefinitions -1. attach policies to a neighbor +### <a name="defined-sets"> 1. Defining defined-sets +defined-sets has prefix information and neighbor information in prefix-sets and neighbor-sets section, and GoBGP uses these information to evaluate routes. +Defining defined-sets is needed at first. +prefix-sets and neighbor-sets section are prefix match part and neighbor match part. -### 1. Defining DefinedSets -DefinedSets has prefix information and neighbor information in PrefixSets and NeighborSets section, and GoBGP uses these information to evaluate routes. -Defining DefinedSets is needed at first. -PrefixSets and NeighborSets section are prefix match part and neighbor match part. - -- DefinedSets example +- defined-sets example ```toml # prefix match part 
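Review bot: In the @@ -125,38 +126,36 @@ hunk the renamed step list still contains "1. define as-path-setList", a half-converted CamelCase name; the section it refers to is `as-path-sets`. Two smaller points in the same hunk: "**defined-sets** defines condition item for some of the condition type" should read "defines the condition items for some of the condition types", and the step list shows "define bgp-defined-sets" as a top-level step while the paragraph just above (and the TOML keys) make bgp-defined-sets a child of defined-sets; nesting it under step 1 would match the text.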
@@ -174,28 +173,28 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par ---- - #### PrefixSets - PrefixSets has PrefixSetList, and PrefixSetList has PrefixSetName and PrefixList as its element. PrefixSetList is used as a condition. + #### prefix-sets + prefix-sets has prefix-set-list, and prefix-set-list has prefix-set-name and prefix-list as its element. prefix-set-list is used as a condition. - **PrefixSetList** has 1 element and list of subelement. + **prefix-set-list** has 1 element and list of subelement. - | Element | Description | Example | Optional | - |-----------------|------------------------------------|---------------|------------| - | PrefixSetName | name of PrefixSet | "ps1" | | - | PrefixList | list of prefix and range of length | | | + | Element | Description | Example | Optional | + |------------------|------------------------------------|---------------|------------| + | prefix-set-name | name of prefix-set | "ps1" | | + | prefix-list | list of prefix and range of length | | | **PrefixLlist** has 2 elements. - | Element | Description | Example | Optional | - |-----------------|-------------------|---------------|------------| - | IpPrefix | prefix value | "10.33.0.0/16"| | - | MasklengthRange | range of length | "21..24" | Yes | + | Element | Description | Example | Optional | + |------------------|-------------------|----------------|------------| + | ip-prefix | prefix value | "10.33.0.0/16" | | + | masklength-range | range of length | "21..24" | Yes | ##### Examples - example 1 - Match routes whose high order 2 octets of NLRI is 10.33 and its prefix length is between from 21 to 24 - - If you define a PrefixList that doesn't have MasklengthRange, it matches routes that have just 10.33.0.0/16 as NLRI. + - If you define a prefix-list that doesn't have MasklengthRange, it matches routes that have just 10.33.0.0/16 as NLRI. ```toml # example 1 
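Review bot: Two CamelCase leftovers survive this hunk: the bold heading "**PrefixLlist** has 2 elements." (also a typo) should be "**prefix-list** has 2 elements.", and the example 1 bullet still says "a prefix-list that doesn't have MasklengthRange" although the table row directly above was renamed to `masklength-range`. Since the whole point of the change is the new naming, these should be converted in the same commit.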
@@ -208,8 +207,8 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par - example 2 - - If you want to evaluate multiple routes with a single PrefixSetList, you can do this by adding an another PrefixList like this: - - This PrefixSetList match checks if a route has 10.33.0.0/21 to 24 or 10.50.0.0/21 to 24. + - If you want to evaluate multiple routes with a single prefix-set-list, you can do this by adding an another prefix-list like this: + - This prefix-set-list match checks if a route has 10.33.0.0/21 to 24 or 10.50.0.0/21 to 24. ```toml # example 2 @@ -224,8 +223,8 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par ``` - example 3 - - PrefixSetName under PrefixSetList is reference to a single PrefixSet. - - If you want to add different PrefixSet more, you can add other blocks that form the same structure with example 1. + - prefix-set-name under prefix-set-list is reference to a single prefix-set. + - If you want to add different prefix-set more, you can add other blocks that form the same structure with example 1. ```toml # example 3 
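Review bot: In the @@ -208,8 +207,8 @@ hunk the rewritten bullet keeps "by adding an another prefix-list"; drop "an" so it reads "by adding another prefix-list".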
@@ -243,22 +242,22 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par ---- - #### NeighborSets + #### neighbor-sets - NeighborSets has NeighborSetList, and NeighborSetList has NeighborSetName and NeighborInfoList as its element. It is necessary to specify a neighbor address in NeighborInfoList. NeighborSetList is used as a condition. + neighbor-sets has neighbor-set-list, and neighbor-set-list has neighbor-set-name and neighbor-info-list as its element. It is necessary to specify a neighbor address in neighbor-info-list. neighbor-set-list is used as a condition. - **NeighborSetList** has 1 element and list of subelement. + **neighbor-set-list** has 1 element and list of subelement. - | Element |Description | Example | Optional | - |------------------|---------------------------|--------------|------------| - | NeighborSetName | name of NeighborSet | "ns1" | | - | NeighborInfoList | list of neighbor address | | | + | Element |Description | Example | Optional | + |--------------------|---------------------------|--------------|------------| + | neighbor-set-name | name of neighbor-set | "ns1" | | + | neighbor-info-list | list of neighbor address | | | - **NeighborInfoList** has 1 element. + **neighbor-info-list** has 1 element. | Element |Description | Example | Optional | |-----------------|---------------------|--------------|------------| - | Address | neighbor address | "10.0.255.1" | | + | address | neighbor address | "10.0.255.1" | | ##### Examples @@ -271,7 +270,7 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par ``` - example 2 - - As with PrefixSetList, NeighborSetList can have multiple NeighborInfoList like this. + - As with prefix-set-list, neighbor-set-list can have multiple neighbor-info-list like this. ```toml # example 2 
@@ -281,14 +280,14 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par ``` - example 3 - - As with PrefixSetList, multiple NeighborSetLists can be defined. + - As with prefix-set-list, multiple neighbor-set-lists can be defined. ```toml # example 3 [[defined-sets.neighbor-sets]] neighbor-set-name = "ns1" neighbor-info-list = ["10.0.255.1"] - # another NeighborSetList + # another neighbor-set-list [[defined-sets.neighbor-sets]] neighbor-set-name = "ns2" neighbor-info-list = ["10.0.254.1"] @@ -296,15 +295,15 @@ PrefixSets and NeighborSets section are prefix match part and neighbor match par --- -### 2. Defining BgpDefinedSets +### <a name="bgp-defined-sets"> 2. Defining bgp-defined-sets -BgpDefinedSets has Community information, Extended Community +bgp-defined-sets has Community information, Extended Community information and AS_PATH information in each Sets section -respectively. And it is a child element of DefinedSets. -CommunitySets, ExtCommunitySets and AsPathSets section are each match -part. Like PrefixSets and NeighborSets, each can have multiple sets and each set can have multiple values. +respectively. And it is a child element of defined-sets. +community-sets, ext-community-sets and as-path-sets section are each match +part. Like prefix-sets and neighbor-sets, each can have multiple sets and each set can have multiple values. -- BgpDefinedSets example +- bgp-defined-sets example ```toml # Community match part 
@@ -323,23 +322,21 @@ part. Like PrefixSets and NeighborSets, each can have multiple sets and each set ---- - #### CommunitySets - CommunitySets has CommunitySetList, and CommunitySetList has CommunitySetName and CommunityList as its element. The Community value are used to evaluate communities held by the destination. - - **CommunitySetList** has 1 element and list of subelement. + #### community-sets + community-sets has community-set-name and community-list as its element. The Community value are used to evaluate communities held by the destination. - | Element | Description | Example | Optional | - |------------------|-------------------------|--------------|----------| - | CommunitySetName | name of CommunitySet | "community1" | | - | CommunityList | list of community value | | | + | Element | Description | Example | Optional | + |--------------------|-------------------------|--------------|----------| + | community-set-name | name of CommunitySet | "community1" | | + | community-list | list of community value | | | - **CommunityList** has 1 element. + **community-list** has 1 element. - | Element | Description | Example | Optional | - |------------------|-------------------------|--------------|----------| - | Community | community value | "65100:10" | | + | Element | Description | Example | Optional | + |------------|-------------------------|--------------|----------| + | community | community value | "65100:10" | | - You can use regular expressions to specify community in CommunityList. + You can use regular expressions to specify community in community-list. ##### Examples - example 1 
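Review bot: The description column in this hunk still says "name of CommunitySet" after the element was renamed to `community-set-name`; it should say "name of community-set" for consistency with the prefix-sets and neighbor-sets tables above. The sentence "The Community value are used to evaluate communities held by the destination" is carried over unchanged and needs "values are".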
@@ -364,23 +361,21 @@ part. Like PrefixSets and NeighborSets, each can have multiple sets and each set ``` ---- - #### ExtCommunitySets - ExtCommunitySets has ExtCommunitySetList, and ExtCommunitySetList has ExtCommunitySetName and ExtCommunityList as its element. The values are used to evaluate extended communities held by the destination. - - **ExtCommunitySetList** has 1 element and list of subelement. + #### ext-community-sets + ext-community-sets has ext-community-set-name and ext-community-list as its element. The values are used to evaluate extended communities held by the destination. - | Element | Description | Example | Optional | - |---------------------|------------------------------------|------------------|----------| - | ExtCommunitySetName | name of ExtCommunitySet | "ecommunity1" | | - | ExtCommunityList | list of extended community value | | | + | Element | Description | Example | Optional | + |------------------------|------------------------------------|------------------|----------| + | ext-community-set-name | name of ExtCommunitySet | "ecommunity1" | | + | ext-community-list | list of extended community value | | | - **ExtCommunityList** has 1 element. + **ext-community-list** has 1 element. - | Element | Description | Example | Optional | - |---------------------|----------------------------|------------------|----------| - | ExtCommunity | extended community value | "RT:65001:200" | | + | Element | Description | Example | Optional | + |----------------|----------------------------|------------------|----------| + | ext-community | extended community value | "RT:65001:200" | | - You can use regular expressions to specify extended community in ExtCommunityList. + You can use regular expressions to specify extended community in ext-community-list. However, the first one element separated by (part of "RT") does not support to the regular expression. 
The part of "RT" indicates a subtype of extended community and subtypes that can be used are as follows: @@ -411,21 +406,19 @@ part. Like PrefixSets and NeighborSets, each can have multiple sets and each set ---- - #### AsPathSets - AsPathSets has AsPathSetList, and AsPathSetList has AsPathSetName and AsPathList as its element. The numbers are used to evaluate AS numbers in the destination's AS_PATH attribute. - - **AsPathSetList** has 1 element and list of subelement. + #### as-path-sets + as-path-sets has as-path-set-name and as-path-list as its element. The numbers are used to evaluate AS numbers in the destination's AS_PATH attribute. | Element | Description | Example | Optional | |------------------|---------------------------|------------|----------| - | AsPathSetName | name of AsPathSet | "aspath1" | | - | AsPathSet | list of as path value | | | + | as-path-set-name | name of as-path-set | "aspath1" | | + | as-path-list | list of as path value | | | - **AsPathList** has 1 elements. + **as-path-list** has 1 elements. | Element | Description | Example | Optional | |------------------|-------------------|------------|----------| - | AsPathSet | as path value | "^65100" | | + | as-path-set | as path value | "^65100" | | The AS path regular expression is compatible with [Quagga](http://www.nongnu.org/quagga/docs/docs-multi/AS-Path-Regular-Expression.html) and Cisco. Note Character `_` has special meaning. It is abbreviation for `(^|[,{}() ]|$)`. 
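Review bot: In the @@ -364,23 +361,21 @@ hunk the description "name of ExtCommunitySet" was left in CamelCase next to the renamed `ext-community-set-name` element, and the carried-over sentence "the first one element separated by (part of "RT") does not support to the regular expression" should read "the first element (the "RT" part) does not support regular expressions". In the @@ -411,21 +406,19 @@ hunk the inner value row of as-path-list is named `as-path-set`, the same word used for the containing set in the prose; if the value really is just a string inside `as-path-list`, name the row for what it is (an AS path regular expression) rather than reusing the set name, and fix "has 1 elements" to "has 1 element".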
@@ -462,15 +455,13 @@ part. Like PrefixSets and NeighborSets, each can have multiple sets and each set --- -### 3. Defining PolicyDefinitions -PolicyDefinitions has PolicyDefinitionList, and PolicyDefinitionList consists of condition and action of the policy. The condition part evaluates routes from neighbors and applies action if the routes match conditions. You can use DefinedSets above and other conditions to specify conditions in the PolicyDefinitions. +### <a name="policy-definition"> 3. Defining policy-definitions -PolicyDefinitions has PolicyDefinition as its element and the PolicyDefinition is a policy itself. -You can write condition and action under Statements. +policy-definitions consists of condition and action. Condition part is used to evaluate routes from neighbors, if matched, action will be applied. - - an example of PolicyDefinitions +- an example of policy-definitions - ```toml +```toml [[policy-definitions]] name = "example-policy" [[policy-definitions.statements]] 
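Review bot: The bullet "- an example of policy-definitions" and the opening fence were dedented from two spaces to column zero, but the TOML body lines that follow (`[[policy-definitions]]`, `name = "example-policy"`, ...) are unchanged context and the closing fence is not touched in this hunk. Please check the rendered output: a fence opened at column zero with an indented closing fence, or body lines that keep their old indentation, can leave the block unterminated or render the example as an indented code block inside the list.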
@@ -506,93 +497,93 @@ You can write condition and action under Statements. communities-list = ["65100:20"] ``` - The elements of PolicyDefinitionList are as follows: + The elements of policy-definitions are as follows: - - PolicyDefinitions.PolicyDefinitionList + - policy-definitions | Element | Description | Example | |---------|---------------|------------------| | name | policy's name | "example-policy" | - - PolicyDefinitionsPolicyDefinitionList.StatementList + - policy-definitions.statements | Element | Description | Example | |---------|-------------------|----------------| | name | statements's name | "statement1" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.MatchPrefixSet + - policy-definitions.statements.conditions.match-prefix-set | Element | Description | Example | |------------------|---------------------------------------------------------------------------|---------| - | PrefixSet | name for DefinedSets.PrefixSets.PrefixSetList that is used in this policy | "ps1" | - | MatchSetOptions | option for the check:<br> "any" or "invert". default is "any" | "any" | + | prefix-set | name for defined-sets.prefix-sets.prefix-set-list that is used in this policy | "ps1" | + | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.MatchNegihborSet + - policy-definitions.statements.conditions.match-neighbor-set - | Element | Description | Example | - |------------------|-------------------------------------------------------------------------------|---------| - | NegihborSet | name for DefinedSets.NeighborSets.NeighborSetList that is used in this policy | "ns1" | - | MatchSetOptions | option for the check:<br> "any" or "invert". 
default is "any" | "any" | + | Element | Description | Example | + |-------------------|-------------------------------------------------------------------------------|---------| + | neighbor-set | name for defined-sets.neighbor-sets.neighbor-set-list that is used in this policy | "ns1" | + | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.BgpConditions.MatchCommunitySet + - policy-definitions.statements.conditions.bgp-conditions.match-community-set - | Element | Description | Example | - |------------------|------------------------------------------------------------------------------------------------|----------------| - | CommunitySet | name for DefinedSets.BgpDefinedSets.CommunitySets.CommunitySetList that is used in this policy | "community1" | - | MatchSetOptions | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | + | Element | Description | Example | + |-------------------|----------------------------------------------------------------------------------------------------|----------------| + | community-set | name for defined-sets.bgp-defined-sets.community-sets.CommunitySetList that is used in this policy | "community1" | + | match-set-options | option for the check:<br> "any" or "all" or "invert". 
default is "any" | "invert" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.BgpConditions.MatchExtCommunitySet + - policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set - | Element | Description | Example | - |------------------|------------------------------------------------------------------------------------------------------|---------------| - | ExtCommunitySet | name for DefinedSets.BgpDefinedSets.ExtCommunitySets.ExtCommunitySetList that is used in this policy | "ecommunity1" | - | MatchSetOptions | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | + | Element | Description | Example | + |-------------------|---------------------------------------------------------------------------------------|---------------| + | ext-community-set | name for defined-sets.bgp-defined-sets.ext-community-sets that is used in this policy | "ecommunity1" | + | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.BgpConditions.MatchAsPathSet + - policy-definitions.statements.conditions.bgp-conditions.match-as-path-set - | Element | Description | Example | - |------------------|------------------------------------------------------------------------------------------------|-----------| - | AsPathSet | name for DefinedSets.BgpDefinedSets.AsPathSets.AsPathSetList that is used in this policy | "aspath1" | - | MatchSetOptions | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | + | Element | Description | Example | + |--------------------|---------------------------------------------------------------------------------|-----------| + | as-path-set | name for defined-sets.bgp-defined-sets.as-path-sets that is used in this policy | "aspath1" | + | match-set-options | option for the check:<br> "any" or "all" or "invert". 
default is "any" | "invert" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.BgpConditions.AsPathLength + - policy-definitions.statements.conditions.bgp-conditions.match-as-path-length | Element | Description | Example | |----------|----------------------------------------------------------------------------------------------------|---------| - | Operator | operator to compare the length of AS number in AS_PATH attribute. <br> "eq","ge","le" can be used. <br> "eq" means that length of AS number is equal to Value element <br> "ge" means that length of AS number is equal or greater than the Value element <br> "le" means that length of AS number is equal or smaller than the Value element| "eq" | - | Value | value used to compare with the length of AS number in AS_PATH attribute | 2 | + | operator | operator to compare the length of AS number in AS_PATH attribute. <br> "eq","ge","le" can be used. <br> "eq" means that length of AS number is equal to Value element <br> "ge" means that length of AS number is equal or greater than the Value element <br> "le" means that length of AS number is equal or smaller than the Value element| "eq" | + | value | value used to compare with the length of AS number in AS_PATH attribute | 2 | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Actions.RouteDisposition + - policy-definitions.statements.actions.route-disposition - | Element | Description | Example | - |-------------|-----------------------------------------------------------------------------------|---------| - | AcceptRoute | action to accept the route if matches conditions. If true, this route is accepted | true | + | Element | Description | Example | + |--------------|-----------------------------------------------------------------------------------|---------| + | accept-route | action to accept the route if matches conditions. 
If true, this route is accepted | true | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Actions.BgpActions + - policy-definitions.statements.actions.bgp-actions - | Element | Description | Example | - |---------|---------------------------------------------------------------------------------------|---------| - | SetMed | SetMed used to change the med value of the route. <br> If only numbers have been specified, replace the med value of route.<br> if number and operater(+ or -) have been specified, adding or subtracting the med value of route. | "-200" | + | Element | Description | Example | + |----------|---------------------------------------------------------------------------------------|---------| + | set-med | set-med used to change the med value of the route. <br> If only numbers have been specified, replace the med value of route.<br> if number and operater(+ or -) have been specified, adding or subtracting the med value of route. | "-200" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Actions.BgpActions.SetCommunity + - policy-definitions.statements.actions.bgp-actions.set-community | Element | Description | Example | |-------------|----------------------------------------------------------------------------------|------------| - | Options | operator to manipulate Community attribute in the route | "ADD" | - | Communities | communities used to manipulate the route's community accodriong to Options below | "65100:20" | + | options | operator to manipulate Community attribute in the route | "ADD" | + | communities | communities used to manipulate the route's community accodriong to options below | "65100:20" | - - PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Actions.BgpActions.SetAsPathPrepend + - policy-definitions.statements.actions.bgp-actions.set-as-path-prepend - | Element | Description | Example | - 
|---------|-------------------------------------------------------------------------------------------------------|---------| - | As | AS number to prepend. You can use "last-as" to prepend the leftmost AS number in the aspath attribute.| "65100" | - | RepeatN | repeat count to prepend AS | 5 | + | Element | Description | Example | + |----------|-------------------------------------------------------------------------------------------------------|---------| + | as | AS number to prepend. You can use "last-as" to prepend the leftmost AS number in the aspath attribute.| "65100" | + | repeat-n | repeat count to prepend AS | 5 | - Execution condition of Action - Action statement is executed when the result of each Condition, including MatchSetOption is all true. - **MatchSetOptions** is defined how to determine the match result, in the condition with multiple evaluation set as follows: + Action statement is executed when the result of each Condition, including match-set-options is all true. + **match-set-options** is defined how to determine the match result, in the condition with multiple evaluation set as follows: | Value | Description | |--------|---------------------------------------------------------------------------| @@ -606,7 +597,7 @@ You can write condition and action under Statements. ##### Examples - example 1 - - This PolicyDefinition has PrefixSet *ps1* and NeighborSet *ns1* as its condition and routes matches the condition is rejected. + - This policy definition has prefix-set *ps1* and neighbor-set *ns1* as its condition and routes matches the condition is rejected. ```toml # example 1 @@ -623,7 +614,7 @@ You can write condition and action under Statements. ``` - example 2 - - PolicyDefinition has two statements + - policy-definition has two statements ```toml # example 2 
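Review bot: In the @@ -506,93 +497,93 @@ hunk the AS path length condition is renamed from `AsPathLength` to `match-as-path-length`, but unlike the other `match-*` entries it carries `operator` and `value` directly rather than a set reference, so the `match-` prefix looks like an over-eager rename; please confirm the key against the example 4 TOML in this file before shipping the table. Leftovers in the same hunk: "defined-sets.bgp-defined-sets.community-sets.CommunitySetList" in the match-community-set row, the capitalised "Value element" references in the operator description now that the row is `value`, and the typos "operater" and "accodriong" in the set-med and set-community rows, which were touched but not corrected.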
@@ -652,7 +643,7 @@ You can write condition and action under Statements. - example 3 - - If you want to add other policies, just add PolicyDefinitionList block following the first one like this + - If you want to add other policies, just add policy-definitions block following the first one like this ```toml # example 3 @@ -682,12 +673,12 @@ You can write condition and action under Statements. - example 4 - This PolicyDefinition has multiple conditions including BgpConditions as follows: - - PrefixSet: *ps1* - - NeighborSet: *ns1* - - CommunitySet: *community1* - - ExtCommunitySet: *ecommunity1* - - AsPathSet: *aspath1* - - AsPath length: *equal 2* + - prefix-set: *ps1* + - neighbor-set: *ns1* + - community-set: *community1* + - ext-community-set: *ecommunity1* + - as-path-set: *aspath1* + - as-path length: *equal 2* - If a route matches all these conditions, the route is accepted and added community "65100:20" and subtracted 200 from med value and prepended 65005 five times in its AS_PATH attribute, and also next-hop 10.0.0.1 is set. 
@@ -727,13 +718,37 @@ You can write condition and action under Statements. --- -### 4. Attaching policy -You can use policies defined above as Import or Export or In policy by -attaching them to neighbors. +### <a name="attachment"> 4. Attaching policy + +Here we explain how to attach defined policies to [global rib](#global-attachment) +and [neighbor local rib](#rs-attachment). + +#### <a name="global-attachment"> 4.1 Attach policy to global rib + +To attach policies to global rib, add policy name to `global.apply-policy.config`. + +```toml +[global.apply-policy.config] +import-policy-list = ["policy1"] +export-policy-list = ["policy2"] +default-import-policy = "accept-route" +default-export-policy = "accept-route" +``` - Note: The In policy is applied only when the peer is Route Server client. +| Element | Description | Example | +|-------------------------|---------------------------------------------------------------------------------------------|----------------| +| import-policy | policy-definitions.name for Import policy | "policy1" | +| export-policy | policy-definitions.name for Export policy | "policy2" | +| default-import-policy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | +| default-export-policy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | + + +#### <a name="rs-attachment"> 4.2. Attach policy to route-server-client + +You can use policies defined above as Import or Export or In policy by +attaching them to neighbors which is configured to be route-server client. -To attach policies to neighbors, you need to add policy's name to Neighbors.NeighborList.ApplyPolicy in the neighbor's setting. +To attach policies to neighbors, you need to add policy's name to `neighbors.apply-policy` in the neighbor's setting. 
This example attatches *policy1* to Import policy and *policy2* to Export policy and *policy3* is used as the In policy. ```toml 
@@ -752,17 +767,17 @@ This example attatches *policy1* to Import policy and *policy2* to Export policy default-in-policy = "accept-route" ``` -Neighbors.NeighborList has a section to specify policies and the section's name is ApplyPolicy. -The ApplyPolicy has 6 elements. +neighbors has a section to specify policies and the section's name is apply-policy. +The apply-policy has 6 elements. | Element | Description | Example | |-------------------------|---------------------------------------------------------------------------------------------|----------------| -| ImportPolicy | PolicyDefinitions.PolicyDefinitionList.name for Import policy | "policy1" | -| ExportPolicy | PolicyDefinitions.PolicyDefinitionList.name for Export policy | "policy2" | -| InPolicy | PolicyDefinitions.PolicyDefinitionList.name for In policy | "policy3" | -| DefaultImportPolicy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | -| DefaultExportPolicy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | -| DefaultInPolicy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "reject-route" | +| import-policy | policy-definitions.name for Import policy | "policy1" | +| export-policy | policy-definitions.name for Export policy | "policy2" | +| in-policy | policy-definitions.name for In policy | "policy3" | +| default-import-policy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | +| default-export-policy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | +| default-in-policy | action when the route doesn't match any policy:<br> "accept-route" or "reject-route". default is "accept-route" | "reject-route" | 
@@ -826,13 +841,13 @@ define an import policy for neighbor 10.0.255.2 that drops reject-route = true ``` -Neighbor 10.0.255.2 has pd2 policy. The pd2 policy consists of ps2 prefix match and ns1 neighbor match. The ps2 specifies 10.33.0.0 and 10.50.0.0 address. The ps2 specifies the mask with **MASK** keyword. **MasklengthRange** keyword can specify the range of mask length like ```MasklengthRange 24..26```. The *ns1* specifies neighbor 10.0.255.1. +Neighbor 10.0.255.2 has pd2 policy. The pd2 policy consists of ps2 prefix match and ns1 neighbor match. The ps2 specifies 10.33.0.0 and 10.50.0.0 address. The ps2 specifies the mask with **MASK** keyword. **masklength-range** keyword can specify the range of mask length like ```masklength-range 24..26```. The *ns1* specifies neighbor 10.0.255.1. The pd2 sets multiple condition, This means that only when all match conditions meets, the policy will be applied. -The MatchPrefixSet sets MatchSetOptions to "any". This means that when match to any of PrefixList, the policy will be applied. the policy will be applied to 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1. +The match-prefix-set sets match-set-options to "any". This means that when match to any of prefix-list, the policy will be applied. the policy will be applied to 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1. -If the MatchPrefixSet sets MatchSetOptions to "invert", It does not match to any of PrefixList, the policy will be applied. the policy will be applied to other than 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1 +If the match-prefix-set sets match-set-options to "invert", It does not match to any of prefix-list, the policy will be applied. the policy will be applied to other than 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1 Let's confirm that 10.0.255.1 neighbor advertises two routes. |
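Review bot: Style point on the example 3 hunk at `@@ -652,7 +643,7`: `policy-definitions` is a TOML key and should be set in backticks, as `global.apply-policy.config` and `neighbors.apply-policy` are later in this same patch, and the sentence still ends without punctuation before the code fence. Suggest "just add a `policy-definitions` block following the first one, like this:".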
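Review bot: Inconsistent naming in the example 4 hunk at `@@ -682,12 +673,12`: the bullet items were renamed to the kebab-case keys (`prefix-set`, `neighbor-set`, `community-set`, ...) but the unchanged lead sentence above them still reads "This PolicyDefinition has multiple conditions including BgpConditions", i.e. the old CamelCase names. Rename that sentence in the same hunk so the example describes the keys it actually lists (`policy-definitions` and the kebab-case name of the BGP conditions block used elsewhere in the rewritten document).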
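Review bot: Key-name mismatch in the new 4.1 section at `@@ -727,13 +718,37`: the TOML example sets `import-policy-list = ["policy1"]` and `export-policy-list = ["policy2"]`, but the table directly beneath documents the elements as `import-policy` and `export-policy`; a reader who copies the table names into `[global.apply-policy.config]` will get keys the config does not use. Make the table rows match the example (or vice versa). Two smaller points in the same hunk: the section 4.1 path is `global.apply-policy.config` while 4.2 says `neighbors.apply-policy` with no `.config`, so one of them is probably wrong, and the table should say outright that with the documented default of `"accept-route"` for both `default-import-policy` and `default-export-policy` any route that matches no statement is accepted, so a policy meant as an allow-list must set `reject-route` explicitly. Also "neighbors which is configured to be route-server client" should read "neighbors which are configured to be route-server clients"; the deleted note that the In policy applies only to route-server clients is worth keeping as a one-liner, since 4.1 silently omits `in-policy` without saying why.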
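Review bot: The table in the hunk at `@@ -752,17 +767,17` does not match the example config it describes: the context line at the top of the hunk shows `default-in-policy = "accept-route"`, while the table's Example column for `default-in-policy` gives `"reject-route"`. Pick one so the example and the table agree (and, since this doc is about filtering, `"reject-route"` in the config example would make the point that unmatched routes are dropped). Also "neighbors has a section ... and the section's name is apply-policy" should put `neighbors` and `apply-policy` in backticks, consistent with the rest of the patch.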
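Review bot: Incomplete rename in the hunk at `@@ -826,13 +841,13`: `MasklengthRange` became `masklength-range`, but the same sentence still says the mask is given "with **MASK** keyword"; check whether `MASK` is really still the key name in the kebab-case configuration, and give both prefixes a length (the text says "10.33.0.0 and 10.50.0.0 address", later "10.33.0.0/16 or 10.50.0.0 route", so `10.50.0.0` never gets a mask). While these lines are being touched, the unchanged context sentences "The pd2 sets multiple condition, This means that only when all match conditions meets" and "If the match-prefix-set sets match-set-options to "invert", It does not match to any of prefix-list" should be fixed to something like "pd2 sets multiple conditions; the policy is applied only when all of them match" and "with `match-set-options` set to \"invert\", the policy is applied when the route matches none of the prefixes in `prefix-list`".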