diff options
Diffstat (limited to 'docs/sources/policy.md')
-rw-r--r-- | docs/sources/policy.md | 676 |
1 files changed, 354 insertions, 322 deletions
diff --git a/docs/sources/policy.md b/docs/sources/policy.md index dde2c664..ee051a1c 100644 --- a/docs/sources/policy.md +++ b/docs/sources/policy.md @@ -1,49 +1,49 @@ -# Policy configuration +# Policy Configuration This page explains GoBGP policy feature for controlling the route advertisement. It might be called Route Map in other BGP implementations. -We explain the overview firstly, then the details, +We explain the overview firstly, then the details. ## Prerequisites -Assumed that you finished [Getting Started](https://github.com/osrg/gobgp/blob/master/docs/sources/getting-started.md). +Assumed that you finished [Getting Started](getting-started.md). ## Contents + - [Overview](#overview) -- [Policy Model](#model) -- [Route Server Policy Model](#rs-model) -- [Policy Structure](#policy) -- [Policy Configuration](#configuration) - - [Defining defined-sets](#defined-sets) - - [Defining bgp-defined-sets](#bgp-defined-sets) - - [Defining policy-definitions](#policy-definition) - - [Attaching policy](#attachment) - - [Attach policy to global rib](#global-attachment) - - [Attach policy to route-server-client](#rs-attachment) - -## <a name="overview"> Overview +- [Policy Model](#policy-model) +- [Route Server Policy Model](#route-server-policy-model) +- [Policy Structure](#policy-structure) +- [Configure Policies](#configure-policies) + - [Defining defined-sets](#1-defining-defined-sets) + - [Defining bgp-defined-sets](#2-defining-bgp-defined-sets) + - [Defining policy-definitions](#3-Defining-policy-definitions) + - [Attaching policy](#4-attaching-policy) + - [Attach policy to global rib](#41-attach-policy-to-global-rib) + - [Attach policy to route-server-client](#42-attach-policy-to-route-server-client) +- [Policy Configuration Example](#policy-configuration-example) + +## Overview Policy is a way to control how BGP routes inserted to RIB or advertised to -peers. Policy has two parts, **Condition** and **Action**. -When a policy is configured, **Action** is applied to routes which meet **Condition** -before routes proceed to next step. +peers. Policy has two parts, **Condition** and **Action**. +When a policy is configured, **Action** is applied to routes which meet +**Condition** before routes proceed to next step. -GoBGP supports **Condition** like `prefix`, `neighbor`(source/destination of the route), -`aspath` etc.., and **Action** like `accept`, `reject`, `MED/aspath/community manipulation` -etc... +GoBGP supports **Condition** like `prefix`, `neighbor`(source/destination of +the route), `aspath` etc.., and **Action** like `accept`, `reject`, +`MED/aspath/community manipulation` etc... You can configure policy by configuration file, CLI or gRPC API. Here, we show how to configure policy via configuration file. -## <a name="model"> Policy Model +## Policy Model The following figure shows how policy works in normal BGP configuration. -<p align="center"> - <img src="./policy.png" alt="policy model"/> -</p> +![policy model](./policy.png) There are **Import** and **Export** policy. **Import** policy is invoked before best path calculation and pushing routes to RIB. @@ -56,15 +56,15 @@ $ gobgp global policy import $ gobgp global policy export ``` -## <a name="rs-model"> Route Server Policy Model +## Route Server Policy Model -The following figure shows how policy works in [route server BGP configuration](https://github.com/osrg/gobgp/blob/master/docs/sources/route-server.md). +The following figure shows how policy works in +[route server BGP configuration](route-server.md). -<p align="center"> - <img src="./rs-policy.png" alt="Announcement processing model implemented by the route server"/> -</p> +![route server policy model](./rs-policy.png) -In route server mode, adding to **Import** and **Export**, we have **In** policy. +In route server mode, adding to **Import** and **Export**, we have **In** +policy. **Import** and **Export** policies are defined with respect to the local routing table. The **Import** policy defines what routes will be @@ -81,11 +81,9 @@ $ gobgp neighbor <neighbor-addr> policy import $ gobgp neighbor <neighbor-addr> policy export ``` -## <a name="policy"> Policy Stracture +## Policy Structure -<p align="center"> - <img src="./policy-component.png" alt="policy component"/> -</p> +![policy component](./policy-component.png) A policy consists of statements. Each statement has condition(s) and action(s). @@ -113,7 +111,8 @@ Actions are categorized into attributes below: - set local-pref - prepend AS number in the AS_PATH attribute -When **ALL** conditions in the statement are `true`, the action(s) in the statement are executed. +When **ALL** conditions in the statement are `true`, the action(s) in the +statement are executed. You can check policy configuration by the following commands. @@ -128,37 +127,46 @@ $ gobgp policy ext-community $ gobgp policy large-community ``` -## <a name="configuration"> Policy Configuration +## Configure Policies -Policy Configuration comes from two parts, [definition](#defined-sets) and [attachment](#attachment). -For definition, we have [defined-sets](#defined-sets) and [policy-definition](#policy-definition). +Policy Configuration comes from two parts, [definition](#defined-sets) and +[attachment](#attachment). For definition, we have +[defined-sets](#defined-sets) and [policy-definition](#policy-definition). **defined-sets** defines condition item for some of the condition type. **policy-definitions** defines policies based on actions and conditions. - **defined-sets** - A single **defined-sets** entry has prefix match that is named **prefix-sets** and neighbor match part that is named **neighbor-sets**. It also has **bgp-defined-sets**, a subset of **defined-sets** that defines conditions referring to BGP attributes such as aspath. This **defined-sets** has a name and it's used to refer to **defined-sets** items from outside. + A single **defined-sets** entry has prefix match that is named + **prefix-sets** and neighbor match part that is named **neighbor-sets**. It + also has **bgp-defined-sets**, a subset of **defined-sets** that defines + conditions referring to BGP attributes such as aspath. This **defined-sets** + has a name and it's used to refer to **defined-sets** items from outside. - **policy-definitions** - **policy-definitions** is a list of policy. A single element has **statements** part that combines conditions with an action. + **policy-definitions** is a list of policy. A single element has + **statements** part that combines conditions with an action. Below are the steps for policy configuration 1. define defined-sets - 1. define prefix-sets - 1. define neighbor-sets -1. define bgp-defined-sets - 1. define community-sets - 1. define ext-community-sets - 1. define as-path-setList - 1. define large-community-sets -1. define policy-definitions -1. attach policies to global rib (or neighbor local rib when neighbor is [route-server-client](https://github.com/osrg/gobgp/blob/master/docs/sources/route-server.md)). - - -### <a name="defined-sets"> 1. Defining defined-sets -defined-sets has prefix information and neighbor information in prefix-sets and neighbor-sets section, and GoBGP uses these information to evaluate routes. + 1. define prefix-sets + 1. define neighbor-sets +1. define bgp-defined-sets + 1. define community-sets + 1. define ext-community-sets + 1. define as-path-setList + 1. define large-community-sets +1. define policy-definitions +1. attach policies to global rib (or neighbor local rib when neighbor is + [route-server-client](route-server.md)). + +### 1. Defining defined-sets + +defined-sets has prefix information and neighbor information in prefix-sets and +neighbor-sets section, and GoBGP uses these information to evaluate routes. Defining defined-sets is needed at first. -prefix-sets and neighbor-sets section are prefix match part and neighbor match part. +prefix-sets and neighbor-sets section are prefix match part and neighbor match +part. - defined-sets example @@ -176,30 +184,33 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p neighbor-info-list = ["10.0.255.1"] ``` - ---- +#### prefix-sets - #### prefix-sets - prefix-sets has prefix-set-list, and prefix-set-list has prefix-set-name and prefix-list as its element. prefix-set-list is used as a condition. Note that prefix-sets has either v4 or v6 addresses. +prefix-sets has prefix-set-list, and prefix-set-list has prefix-set-name and +prefix-list as its element. prefix-set-list is used as a condition. Note that +prefix-sets has either v4 or v6 addresses. - **prefix-set-list** has 1 element and list of subelement. +**prefix-set-list** has 1 element and list of sub-elements. - | Element | Description | Example | Optional | - |------------------|------------------------------------|---------------|------------| - | prefix-set-name | name of prefix-set | "ps1" | | - | prefix-list | list of prefix and range of length | | | +| Element | Description | Example | Optional | +|------------------|------------------------------------|---------------|------------| +| prefix-set-name | name of prefix-set | "ps1" | | +| prefix-list | list of prefix and range of length | | | - **PrefixLlist** has 2 elements. +**PrefixList** has 2 elements. - | Element | Description | Example | Optional | - |------------------|-------------------|----------------|------------| - | ip-prefix | prefix value | "10.33.0.0/16" | | - | masklength-range | range of length | "21..24" | Yes | +| Element | Description | Example | Optional | +|------------------|-------------------|----------------|------------| +| ip-prefix | prefix value | "10.33.0.0/16" | | +| masklength-range | range of length | "21..24" | Yes | +##### Examples - ##### Examples - - example 1 - - Match routes whose high order 2 octets of NLRI is 10.33 and its prefix length is between from 21 to 24 - - If you define a prefix-list that doesn't have MasklengthRange, it matches routes that have just 10.33.0.0/16 as NLRI. +- example 1 + - Match routes whose high order 2 octets of NLRI is 10.33 and its prefix + length is between from 21 to 24 + - If you define a prefix-list that doesn't have MasklengthRange, it matches + routes that have just 10.33.0.0/16 as NLRI. ```toml # example 1 @@ -210,10 +221,11 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p masklength-range = "21..24" ``` - - - example 2 - - If you want to evaluate multiple routes with a single prefix-set-list, you can do this by adding an another prefix-list like this: - - This prefix-set-list match checks if a route has 10.33.0.0/21 to 24 or 10.50.0.0/21 to 24. +- example 2 + - If you want to evaluate multiple routes with a single prefix-set-list, you + can do this by adding an another prefix-list like this: + - This prefix-set-list match checks if a route has 10.33.0.0/21 to 24 or + 10.50.0.0/21 to 24. ```toml # example 2 @@ -227,9 +239,10 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p masklength-range = "21..24" ``` - - example 3 - - prefix-set-name under prefix-set-list is reference to a single prefix-set. - - If you want to add different prefix-set more, you can add other blocks that form the same structure with example 1. +- example 3 + - prefix-set-name under prefix-set-list is reference to a single prefix-set. + - If you want to add different prefix-set more, you can add other blocks that + form the same structure with example 1. ```toml # example 3 @@ -245,28 +258,30 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p masklength-range = "21..24" ``` - ---- +#### neighbor-sets - #### neighbor-sets +neighbor-sets has neighbor-set-list, and neighbor-set-list has +neighbor-set-name and neighbor-info-list as its element. It is necessary to +specify a neighbor address in neighbor-info-list. neighbor-set-list is used as +a condition. - neighbor-sets has neighbor-set-list, and neighbor-set-list has neighbor-set-name and neighbor-info-list as its element. It is necessary to specify a neighbor address in neighbor-info-list. neighbor-set-list is used as a condition. +**neighbor-set-list** has 1 element and list of sub-elements. - **neighbor-set-list** has 1 element and list of subelement. +| Element |Description | Example | Optional | +|--------------------|---------------------------|--------------|------------| +| neighbor-set-name | name of neighbor-set | "ns1" | | +| neighbor-info-list | list of neighbor address | | | - | Element |Description | Example | Optional | - |--------------------|---------------------------|--------------|------------| - | neighbor-set-name | name of neighbor-set | "ns1" | | - | neighbor-info-list | list of neighbor address | | | +**neighbor-info-list** has 1 element. - **neighbor-info-list** has 1 element. +| Element |Description | Example | Optional | +|-----------------|---------------------|--------------|------------| +| address | neighbor address | "10.0.255.1" | | - | Element |Description | Example | Optional | - |-----------------|---------------------|--------------|------------| - | address | neighbor address | "10.0.255.1" | | +##### Examples - ##### Examples +- example 1 - - example 1 ```toml # example 1 [[defined-sets.neighbor-sets]] @@ -278,8 +293,9 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p neighbor-info-list = ["10.0.0.0/24"] ``` - - example 2 - - As with prefix-set-list, neighbor-set-list can have multiple neighbor-info-list like this. +- example 2 + - As with prefix-set-list, neighbor-set-list can have multiple + neighbor-info-list like this. ```toml # example 2 @@ -288,9 +304,9 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p neighbor-info-list = ["10.0.255.1", "10.0.255.2"] ``` - - example 3 - - As with prefix-set-list, multiple neighbor-set-lists can be defined. - +- example 3 + - As with prefix-set-list, multiple neighbor-set-lists can be defined. + ```toml # example 3 [[defined-sets.neighbor-sets]] @@ -302,15 +318,14 @@ prefix-sets and neighbor-sets section are prefix match part and neighbor match p neighbor-info-list = ["10.0.254.1"] ``` ---- - -### <a name="bgp-defined-sets"> 2. Defining bgp-defined-sets +### 2. Defining bgp-defined-sets bgp-defined-sets has Community information, Extended Community information and AS_PATH information in each Sets section respectively. And it is a child element of defined-sets. community-sets, ext-community-sets and as-path-sets section are each match -part. Like prefix-sets and neighbor-sets, each can have multiple sets and each set can have multiple values. +part. Like prefix-sets and neighbor-sets, each can have multiple sets and each +set can have multiple values. - bgp-defined-sets example @@ -327,33 +342,34 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s [[defined-sets.bgp-defined-sets.as-path-sets]] as-path-set-name = "aspath1" as-path-list = ["^65100"] -# Large Community match part + # Large Community match part [[defined-sets.bgp-defined-sets.large-community-sets]] large-community-set-name = "lcommunity1" large-community-list = ["65100:100:100"] ``` - ---- +#### community-sets - #### community-sets - community-sets has community-set-name and community-list as its element. The Community value are used to evaluate communities held by the destination. +community-sets has community-set-name and community-list as its element. The +Community value are used to evaluate communities held by the destination. - | Element | Description | Example | Optional | - |--------------------|-------------------------|--------------|----------| - | community-set-name | name of CommunitySet | "community1" | | - | community-list | list of community value | | | +| Element | Description | Example | Optional | +|--------------------|-------------------------|--------------|----------| +| community-set-name | name of CommunitySet | "community1" | | +| community-list | list of community value | | | - **community-list** has 1 element. +**community-list** has 1 element. - | Element | Description | Example | Optional | - |------------|-------------------------|--------------|----------| - | community | community value | "65100:10" | | +| Element | Description | Example | Optional | +|------------|-------------------------|--------------|----------| +| community | community value | "65100:10" | | - You can use regular expressions to specify community in community-list. +You can use regular expressions to specify community in community-list. - ##### Examples - - example 1 - - Match routes which has "65100:10" as a community value. +##### Examples + +- example 1 + - Match routes which has "65100:10" as a community value. ```toml # example 1 @@ -362,9 +378,9 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s community-list = ["65100:10"] ``` - - example 2 - - Specifying community by regular expression - - You can use regular expressions based on POSIX 1003.2 regular expressions. +- example 2 + - Specifying community by regular expression + - You can use regular expressions based on POSIX 1003.2 regular expressions. ```toml # example 2 @@ -372,32 +388,36 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s community-set-name = "community2" community-list = ["6[0-9]+:[0-9]+"] ``` - ---- - #### ext-community-sets - ext-community-sets has ext-community-set-name and ext-community-list as its element. The values are used to evaluate extended communities held by the destination. +#### ext-community-sets + +ext-community-sets has ext-community-set-name and ext-community-list as its +element. The values are used to evaluate extended communities held by the +destination. - | Element | Description | Example | Optional | - |------------------------|------------------------------------|------------------|----------| - | ext-community-set-name | name of ExtCommunitySet | "ecommunity1" | | - | ext-community-list | list of extended community value | | | +| Element | Description | Example | Optional | +|------------------------|------------------------------------|------------------|----------| +| ext-community-set-name | name of ExtCommunitySet | "ecommunity1" | | +| ext-community-list | list of extended community value | | | - **ext-community-list** has 1 element. +**ext-community-list** has 1 element. - | Element | Description | Example | Optional | - |----------------|----------------------------|------------------|----------| - | ext-community | extended community value | "RT:65001:200" | | +| Element | Description | Example | Optional | +|----------------|----------------------------|------------------|----------| +| ext-community | extended community value | "RT:65001:200" | | - You can use regular expressions to specify extended community in ext-community-list. - However, the first one element separated by (part of "RT") does not support to the regular expression. - The part of "RT" indicates a subtype of extended community and subtypes that can be used are as follows: +You can use regular expressions to specify extended community in +ext-community-list. However, the first one element separated by (part of "RT") +does not support to the regular expression. The part of "RT" indicates a +subtype of extended community and subtypes that can be used are as follows: - - RT: mean the route target. - - SoO: mean the site of origin(route origin). +- RT: mean the route target. +- SoO: mean the site of origin(route origin). + +##### Examples - ##### Examples - - example 1 - - Match routes which has "RT:65001:200" as a extended community value. +- example 1 + - Match routes which has "RT:65001:200" as a extended community value. ```toml # example 1 @@ -406,9 +426,9 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s ext-community-list = ["RT:65100:200"] ``` - - example 2 - - Specifying extended community by regular expression - - You can use regular expressions that is available in Golang. +- example 2 + - Specifying extended community by regular expression + - You can use regular expressions that is available in Golang. ```toml # example 2 @@ -417,37 +437,42 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s ext-community-list = ["RT:6[0-9]+:[0-9]+"] ``` - ---- +#### as-path-sets - #### as-path-sets - as-path-sets has as-path-set-name and as-path-list as its element. The numbers are used to evaluate AS numbers in the destination's AS_PATH attribute. +as-path-sets has as-path-set-name and as-path-list as its element. The numbers +are used to evaluate AS numbers in the destination's AS_PATH attribute. - | Element | Description | Example | Optional | - |------------------|---------------------------|------------|----------| - | as-path-set-name | name of as-path-set | "aspath1" | | - | as-path-list | list of as path value | | | +| Element | Description | Example | Optional | +|------------------|---------------------------|------------|----------| +| as-path-set-name | name of as-path-set | "aspath1" | | +| as-path-list | list of as path value | | | - **as-path-list** has 1 elements. +**as-path-list** has 1 elements. - | Element | Description | Example | Optional | - |------------------|-------------------|------------|----------| - | as-path-set | as path value | "^65100" | | +| Element | Description | Example | Optional | +|------------------|-------------------|------------|----------| +| as-path-set | as path value | "^65100" | | - The AS path regular expression is compatible with [Quagga](http://www.nongnu.org/quagga/docs/docs-multi/AS-Path-Regular-Expression.html) and Cisco. - Note Character `_` has special meaning. It is abbreviation for `(^|[,{}() ]|$)`. +The AS path regular expression is compatible with +[Quagga](http://www.nongnu.org/quagga/docs/docs-multi/AS-Path-Regular-Expression.html) +and Cisco. Note Character `_` has special meaning. It is abbreviation for +`(^|[,{}() ]|$)`. - Some examples follow: - - From: `^65100_` means the route is passed from AS 65100 directly. - - Any: `_65100_` means the route comes through AS 65100. - - Origin: `_65100$` means the route is originated by AS 65100. - - Only: `^65100$` means the route is originated by AS 65100 and comes from it directly. - - `^65100_65001` - - `65100_[0-9]+_.*$` - - `^6[0-9]_5.*_65.?00$` +Some examples follow: - ##### Examples - - example 1 - - Match routes which come from AS 65100. +- From: `^65100_` means the route is passed from AS 65100 directly. +- Any: `_65100_` means the route comes through AS 65100. +- Origin: `_65100$` means the route is originated by AS 65100. +- Only: `^65100$` means the route is originated by AS 65100 and comes from it + directly. +- `^65100_65001` +- `65100_[0-9]+_.*$` +- `^6[0-9]_5.*_65.?00$` + +##### Examples + +- example 1 + - Match routes which come from AS 65100. ```toml # example 1 @@ -456,8 +481,9 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s as-path-list = ["^65100_"] ``` - - example 2 - - Match routes which come Origin AS 65100 and use regular expressions to other AS. +- example 2 + - Match routes which come Origin AS 65100 and use regular expressions to + other AS. ```toml # example 2 @@ -466,11 +492,10 @@ part. Like prefix-sets and neighbor-sets, each can have multiple sets and each s as-path-list = ["[0-9]+_65[0-9]+_65100$"] ``` ---- +### 3. Defining policy-definitions -### <a name="policy-definition"> 3. Defining policy-definitions - -policy-definitions consists of condition and action. Condition part is used to evaluate routes from neighbors, if matched, action will be applied. +policy-definitions consists of condition and action. Condition part is used to +evaluate routes from neighbors, if matched, action will be applied. - an example of policy-definitions @@ -512,91 +537,92 @@ policy-definitions consists of condition and action. Condition part is used to e The elements of policy-definitions are as follows: - - policy-definitions - - | Element | Description | Example | - |---------|---------------|------------------| - | name | policy's name | "example-policy" | +- policy-definitions - - policy-definitions.statements + | Element | Description | Example | + |---------|---------------|------------------| + | name | policy's name | "example-policy" | - | Element | Description | Example | - |---------|-------------------|----------------| - | name | statements's name | "statement1" | +- policy-definitions.statements - - policy-definitions.statements.conditions.match-prefix-set + | Element | Description | Example | + |---------|-------------------|----------------| + | name | statements's name | "statement1" | - | Element | Description | Example | - |------------------|---------------------------------------------------------------------------|---------| - | prefix-set | name for defined-sets.prefix-sets.prefix-set-list that is used in this policy | "ps1" | - | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | +- policy-definitions.statements.conditions.match-prefix-set - - policy-definitions.statements.conditions.match-neighbor-set + | Element | Description | Example | + |--------------------|-------------------------------------------------------------------------------|---------| + | prefix-set | name for defined-sets.prefix-sets.prefix-set-list that is used in this policy | "ps1" | + | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | - | Element | Description | Example | - |-------------------|-------------------------------------------------------------------------------|---------| - | neighbor-set | name for defined-sets.neighbor-sets.neighbor-set-list that is used in this policy | "ns1" | - | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | +- policy-definitions.statements.conditions.match-neighbor-set - - policy-definitions.statements.conditions.bgp-conditions.match-community-set + | Element | Description | Example | + |-------------------|-------------------------------------------------------------------------------|---------| + | neighbor-set | name for defined-sets.neighbor-sets.neighbor-set-list that is used in this policy | "ns1" | + | match-set-options | option for the check:<br> "any" or "invert". default is "any" | "any" | - | Element | Description | Example | - |-------------------|----------------------------------------------------------------------------------------------------|----------------| - | community-set | name for defined-sets.bgp-defined-sets.community-sets.CommunitySetList that is used in this policy | "community1" | - | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | +- policy-definitions.statements.conditions.bgp-conditions.match-community-set - - policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set + | Element | Description | Example | + |-------------------|----------------------------------------------------------------------------------------------------|----------------| + | community-set | name for defined-sets.bgp-defined-sets.community-sets.CommunitySetList that is used in this policy | "community1" | + | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | - | Element | Description | Example | - |-------------------|---------------------------------------------------------------------------------------|---------------| - | ext-community-set | name for defined-sets.bgp-defined-sets.ext-community-sets that is used in this policy | "ecommunity1" | - | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | +- policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set - - policy-definitions.statements.conditions.bgp-conditions.match-as-path-set + | Element | Description | Example | + |-------------------|---------------------------------------------------------------------------------------|---------------| + | ext-community-set | name for defined-sets.bgp-defined-sets.ext-community-sets that is used in this policy | "ecommunity1" | + | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | - | Element | Description | Example | - |--------------------|---------------------------------------------------------------------------------|-----------| - | as-path-set | name for defined-sets.bgp-defined-sets.as-path-sets that is used in this policy | "aspath1" | - | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | +- policy-definitions.statements.conditions.bgp-conditions.match-as-path-set - - policy-definitions.statements.conditions.bgp-conditions.match-as-path-length + | Element | Description | Example | + |--------------------|---------------------------------------------------------------------------------|-----------| + | as-path-set | name for defined-sets.bgp-defined-sets.as-path-sets that is used in this policy | "aspath1" | + | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any" | "invert" | - | Element | Description | Example | - |----------|----------------------------------------------------------------------------------------------------|---------| - | operator | operator to compare the length of AS number in AS_PATH attribute. <br> "eq","ge","le" can be used. <br> "eq" means that length of AS number is equal to Value element <br> "ge" means that length of AS number is equal or greater than the Value element <br> "le" means that length of AS number is equal or smaller than the Value element| "eq" | - | value | value used to compare with the length of AS number in AS_PATH attribute | 2 | +- policy-definitions.statements.conditions.bgp-conditions.match-as-path-length - - policy-definitions.statements.actions + | Element | Description | Example | + |----------|----------------------------------------------------------------------------------------------------|---------| + | operator | operator to compare the length of AS number in AS_PATH attribute. <br> "eq","ge","le" can be used. <br> "eq" means that length of AS number is equal to Value element <br> "ge" means that length of AS number is equal or greater than the Value element <br> "le" means that length of AS number is equal or smaller than the Value element| "eq" | + | value | value used to compare with the length of AS number in AS_PATH attribute | 2 | - | Element | Description | Example | - |-------------------|---------------------------------------------------------------------------------------------------------------|----------------| - | route-disposition | stop following policy/statement evaluation and accept/reject the route:<br> "accept-route" or "reject-route" | "accept-route" | +- policy-definitions.statements.actions - - policy-definitions.statements.actions.bgp-actions + | Element | Description | Example | + |-------------------|---------------------------------------------------------------------------------------------------------------|----------------| + | route-disposition | stop following policy/statement evaluation and accept/reject the route:<br> "accept-route" or "reject-route" | "accept-route" | - | Element | Description | Example | - |----------|---------------------------------------------------------------------------------------|---------| - | set-med | set-med used to change the med value of the route. <br> If only numbers have been specified, replace the med value of route.<br> if number and operater(+ or -) have been specified, adding or subtracting the med value of route. | "-200" | +- policy-definitions.statements.actions.bgp-actions - - policy-definitions.statements.actions.bgp-actions.set-community + | Element | Description | Example | + |----------|---------------------------------------------------------------------------------------|---------| + | set-med | set-med used to change the med value of the route. <br> If only numbers have been specified, replace the med value of route.<br> if number and operater(+ or -) have been specified, adding or subtracting the med value of route. | "-200" | - | Element | Description | Example | - |-------------|----------------------------------------------------------------------------------|------------| - | options | operator to manipulate Community attribute in the route | "ADD" | - | communities | communities used to manipulate the route's community accodriong to options below | "65100:20" | +- policy-definitions.statements.actions.bgp-actions.set-community - - policy-definitions.statements.actions.bgp-actions.set-as-path-prepend + | Element | Description | Example | + |-------------|----------------------------------------------------------------------------------|------------| + | options | operator to manipulate Community attribute in the route | "ADD" | + | communities | communities used to manipulate the route's community according to options below | "65100:20" | - | Element | Description | Example | - |----------|-------------------------------------------------------------------------------------------------------|---------| - | as | AS number to prepend. You can use "last-as" to prepend the leftmost AS number in the aspath attribute.| "65100" | - | repeat-n | repeat count to prepend AS | 5 | +- policy-definitions.statements.actions.bgp-actions.set-as-path-prepend + | Element | Description | Example | + |----------|-------------------------------------------------------------------------------------------------------|---------| + | as | AS number to prepend. You can use "last-as" to prepend the leftmost AS number in the aspath attribute.| "65100" | + | repeat-n | repeat count to prepend AS | 5 | - - Execution condition of Action +#### Execution condition of Action - Action statement is executed when the result of each Condition, including match-set-options is all true. - **match-set-options** is defined how to determine the match result, in the condition with multiple evaluation set as follows: + Action statement is executed when the result of each Condition, including + match-set-options is all true. + **match-set-options** is defined how to determine the match result, in the + condition with multiple evaluation set as follows: | Value | Description | |--------|---------------------------------------------------------------------------| @@ -604,64 +630,63 @@ policy-definitions consists of condition and action. Condition part is used to e | all | match is true if given value matches all members of the defined set | | invert | match is true if given value does not match any member of the defined set | - - - <br> - ##### Examples - - example 1 - - This policy definition has prefix-set *ps1* and neighbor-set *ns1* as its condition and routes matches the condition is rejected. - ```toml - # example 1 - [[policy-definitions]] - name = "policy1" - [[policy-definitions.statements]] - name = "statement1" - [policy-definitions.statements.conditions.match-prefix-set] - prefix-set = "ps1" - [policy-definitions.statements.conditions.match-neighbor-set] - neighbor-set = "ns1" - [policy-definitions.statements.actions] - route-disposition = "reject-route" - ``` +- example 1 + - This policy definition has prefix-set *ps1* and neighbor-set *ns1* as its + condition and routes matches the condition is rejected. - - example 2 - - policy-definition has two statements + ```toml + # example 1 + [[policy-definitions]] + name = "policy1" + [[policy-definitions.statements]] + name = "statement1" + [policy-definitions.statements.conditions.match-prefix-set] + prefix-set = "ps1" + [policy-definitions.statements.conditions.match-neighbor-set] + neighbor-set = "ns1" + [policy-definitions.statements.actions] + route-disposition = "reject-route" + ``` - ```toml - # example 2 - [[policy-definitions]] - name = "policy1" - # first statement - (1) - [[policy-definitions.statements]] - name = "statement1" - [policy-definitions.statements.conditions.match-prefix-set] - prefix-set = "ps1" - [policy-definitions.statements.conditions.match-neighbor-set] - neighbor-set = "ns1" - [policy-definitions.statements.actions] - route-disposition = "reject-route" - # second statement - (2) - [[policy-definitions.statements]] - name = "statement2" - [policy-definitions.statements.conditions.match-prefix-set] - prefix-set = "ps2" - [policy-definitions.statements.conditions.match-neighbor-set] - neighbor-set = "ns2" - [policy-definitions.statements.actions] - route-disposition = "reject-route" - ``` - - if a route matches the condition inside the first statement(1), GoBGP applies its action and quits the policy evaluation. +- example 2 + - policy-definition has two statements + - If a route matches the condition inside the first statement(1), GoBGP + applies its action and quits the policy evaluation. + ```toml + # example 2 + [[policy-definitions]] + name = "policy1" + # first statement - (1) + [[policy-definitions.statements]] + name = "statement1" + [policy-definitions.statements.conditions.match-prefix-set] + prefix-set = "ps1" + [policy-definitions.statements.conditions.match-neighbor-set] + neighbor-set = "ns1" + [policy-definitions.statements.actions] + route-disposition = "reject-route" + # second statement - (2) + [[policy-definitions.statements]] + name = "statement2" + [policy-definitions.statements.conditions.match-prefix-set] + prefix-set = "ps2" + [policy-definitions.statements.conditions.match-neighbor-set] + neighbor-set = "ns2" + [policy-definitions.statements.actions] + route-disposition = "reject-route" + ``` - - example 3 - - If you want to add other policies, just add policy-definitions block following the first one like this +- example 3 + - If you want to add other policies, just add policy-definitions block + following the first one like this - ```toml - # example 3 - # first policy - [[policy-definitions]] + ```toml + # example 3 + # first policy + [[policy-definitions]] name = "policy1" [[policy-definitions.statements]] name = "statement1" @@ -671,8 +696,8 @@ policy-definitions consists of condition and action. Condition part is used to e neighbor-set = "ns1" [policy-definitions.statements.actions] route-disposition = "reject-route" - # second policy - [[policy-definitions]] + # second policy + [[policy-definitions]] name = "policy2" [[policy-definitions.statements]] name = "statement2" @@ -682,22 +707,24 @@ policy-definitions consists of condition and action. Condition part is used to e neighbor-set = "ns2" [policy-definitions.statements.actions] route-disposition = "reject-route" - ``` + ``` - - example 4 - - This PolicyDefinition has multiple conditions including BgpConditions as follows: +- example 4 + - This PolicyDefinition has multiple conditions including BgpConditions as + follows: - prefix-set: *ps1* - neighbor-set: *ns1* - community-set: *community1* - ext-community-set: *ecommunity1* - as-path-set: *aspath1* - as-path length: *equal 2* + - If a route matches all these conditions, it will be accepted with community + "65100:20", next-hop 10.0.0.1, local-pref 110, med subtracted 200, as-path + prepended 65005 five times. - - If a route matches all these conditions, it will be accepted with community "65100:20", next-hop 10.0.0.1, local-pref 110, med subtracted 200, as-path prepended 65005 five times. - - ```toml - # example 4 - [[policy-definitions]] + ```toml + # example 4 + [[policy-definitions]] name = "policy1" [[policy-definitions.statements]] name = "statement1" @@ -727,14 +754,14 @@ policy-definitions consists of condition and action. Condition part is used to e options = "ADD" [policy-definitions.statements.actions.bgp-actions.set-community.set-community-method] communities-list = ["65100:20"] - ``` + ``` - - example 5 - - example of multiple statement +- example 5 + - example of multiple statement - ```toml - # example 5 - [[policy-definitions]] + ```toml + # example 5 + [[policy-definitions]] name = "policy1" [[policy-definitions.statements]] # statement without route-disposition continues to the next statement @@ -762,20 +789,17 @@ policy-definitions consists of condition and action. Condition part is used to e prefix-set = "ps3" [policy-definitions.statements.actions.bgp-actions] set-med = "+10" - ``` - - - ---- + ``` -### <a name="attachment"> 4. Attaching policy +### 4. Attaching policy -Here we explain how to attach defined policies to [global rib](#global-attachment) -and [neighbor local rib](#rs-attachment). +Here we explain how to attach defined policies to +[global rib](#global-attachment) and [neighbor local rib](#rs-attachment). -#### <a name="global-attachment"> 4.1 Attach policy to global rib +#### 4.1 Attach policy to global rib -To attach policies to global rib, add policy name to `global.apply-policy.config`. +To attach policies to global rib, add policy name to +`global.apply-policy.config`. ```toml [global.apply-policy.config] @@ -792,14 +816,15 @@ default-export-policy = "accept-route" | default-import-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | | default-export-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | - -#### <a name="rs-attachment"> 4.2. Attach policy to route-server-client +#### 4.2. Attach policy to route-server-client You can use policies defined above as Import or Export or In policy by attaching them to neighbors which is configured to be route-server client. -To attach policies to neighbors, you need to add policy's name to `neighbors.apply-policy` in the neighbor's setting. -This example attatches *policy1* to Import policy and *policy2* to Export policy and *policy3* is used as the In policy. +To attach policies to neighbors, you need to add policy's name to +`neighbors.apply-policy` in the neighbor's setting. +This example attaches *policy1* to Import policy and *policy2* to Export policy +and *policy3* is used as the In policy. ```toml [[neighbors]] @@ -817,8 +842,8 @@ This example attatches *policy1* to Import policy and *policy2* to Export policy default-in-policy = "accept-route" ``` -neighbors has a section to specify policies and the section's name is apply-policy. -The apply-policy has 6 elements. +neighbors has a section to specify policies and the section's name is +apply-policy. The apply-policy has 6 elements. | Element | Description | Example | |-------------------------|---------------------------------------------------------------------------------------------|----------------| @@ -829,8 +854,6 @@ The apply-policy has 6 elements. | default-export-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | | default-in-policy | action when the route doesn't match any policy or none of the matched policy specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" | - - ## Policy Configuration Example Neighbor 10.0.255.1 advertises 10.33.0.0/16 and 10.3.0.0/16 routes. We @@ -891,13 +914,22 @@ define an import policy for neighbor 10.0.255.2 that drops route-disposition = "reject-route" ``` -Neighbor 10.0.255.2 has pd2 policy. The pd2 policy consists of ps2 prefix match and ns1 neighbor match. The ps2 specifies 10.33.0.0 and 10.50.0.0 address. The ps2 specifies the mask with **MASK** keyword. **masklength-range** keyword can specify the range of mask length like ```masklength-range 24..26```. The *ns1* specifies neighbor 10.0.255.1. +Neighbor 10.0.255.2 has pd2 policy. The pd2 policy consists of ps2 prefix match +and ns1 neighbor match. The ps2 specifies 10.33.0.0 and 10.50.0.0 address. The +ps2 specifies the mask with **MASK** keyword. **masklength-range** keyword can +specify the range of mask length like ```masklength-range 24..26```. The *ns1* +specifies neighbor 10.0.255.1. -The pd2 sets multiple condition, This means that only when all match conditions meets, the policy will be applied. +The pd2 sets multiple condition, This means that only when all match conditions +meets, the policy will be applied. -The match-prefix-set sets match-set-options to "any". This means that when match to any of prefix-list, the policy will be applied. the policy will be applied to 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1. +The match-prefix-set sets match-set-options to "any". This means that when +match to any of prefix-list, the policy will be applied. the policy will be +applied to 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1. -If the match-prefix-set sets match-set-options to "invert", It does not match to any of prefix-list, the policy will be applied. the policy will be applied to other than 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1 +If the match-prefix-set sets match-set-options to "invert", It does not match +to any of prefix-list, the policy will be applied. the policy will be applied +to other than 10.33.0.0/16 or 10.50.0.0 route from neighbor 10.0.255.1 Let's confirm that 10.0.255.1 neighbor advertises two routes. |