summaryrefslogtreecommitdiff
path: root/docs/configuration/policy/index.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/policy/index.rst')
-rw-r--r--docs/configuration/policy/index.rst872
1 files changed, 864 insertions, 8 deletions
diff --git a/docs/configuration/policy/index.rst b/docs/configuration/policy/index.rst
index 7127957a..84b41ed6 100644
--- a/docs/configuration/policy/index.rst
+++ b/docs/configuration/policy/index.rst
@@ -6,16 +6,871 @@
Policy
######
-Routing Policies could be used to tell the router (self or neighbors) what
-routes and their attributes needs to be put into the routing table.
+Policies are used for filtering and traffic management. With policies, network administrators could filter and treat traffic
+according to their needs.
-There could be a wide range of routing policies. Some examples are below:
+There could be a wide range of routing policies. Some examples are listed below:
+
+* Filter traffic based on source/destination address.
+* Set some metric to routes learned from a particular neighbor.
+* Set some attributes (like AS PATH or Community value) to advertised routes to neighbors.
+* Prefer a specific routing protocol routes over another routing protocol running on the same router.
+
+Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed information of FRR could be found in http://docs.frrouting.org/
+
+*************
+Configuration
+*************
+
+.. _policy-filter:
+
+Filter
+======
+
+Filtering is used for both input and output of the routing information. Once filtering is defined, it can be applied in
+any direction.
+VyOS makes filtering possible using acls and prefix lists.
+
+policy access-list
+------------------
+
+Basic filtering could be done by access-list.
+
+.. cfgcmd:: set policy access-list <acl_number>
+
+This command creates the new access list policy, where <acl_number> must be a number from 1 to 2699.
+
+.. cfgcmd:: set policy access-list <acl_number> description <text>
+
+Set description for the access list.
+
+.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> action <permit|deny>
+
+This command creates a new rule in the access list and defines an action.
+
+.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> <destination|source> <any|host|inverse-mask|network>
+
+This command defines matching parameters for access list rule. Matching criteria could be applied to destinarion or source
+parameters:
+
+* any: any IP address to match.
+* host: single host IP address to match.
+* inverse-match: network/netmask to match (requires network be defined).
+* network: network/netmask to match (requires inverse-match be defined).
+
+policy access-list6
+-------------------
+
+Basic filtering could also be applied to IPv6 traffic.
+
+.. cfgcmd:: set policy access-list6 <text>
+
+This command creates the new IPv6 access list, identified by <text>
+
+.. cfgcmd:: set policy access-list6 <text> description <text>
+
+Set description for the IPv6 access list.
+
+.. cfgcmd:: set policy access-list6 <text> rule <1-65535> action <permit|deny>
+
+This command creates a new rule in the IPv6 access list and defines an action.
+
+.. cfgcmd:: set policy access-list6 <text> rule <1-65535> source <any|exact-match|network>
+
+This command defines matching parameters for IPv6 access list rule. Matching criteria could be applied to source parameters:
+
+* any: any IPv6 address to match.
+* exact-match: exact match of the network prefixes.
+* network: network/netmask to match (requires inverse-match be defined) BUG, NO inver-match option in access-list6
+
+policy prefix-list
+------------------
+
+Prefix lists provides the most powerful prefix based filtering mechanism. In addition to access-list functionality,
+ip prefix-list has prefix length range specification.
+
+If no ip prefix list is specified, it acts as permit. If ip prefix list is defined, and no match is found,
+default deny is applied.
+
+.. cfgcmd:: set policy prefix-list <text>
+
+This command creates the new prefix-list policy, identified by <text>.
+
+.. cfgcmd:: set policy prefix-list <text> description <text>
+
+Set description for the prefix-list policy.
+
+.. cfgcmd:: set policy prefix-list <text> rule <1-65535> action <permit|deny>
+
+This command creates a new rule in the prefix-list and defines an action.
+
+.. cfgcmd:: set policy prefix-list <text> rule <1-65535> description <text>
+
+Set description for rule in the prefix-list.
+
+.. cfgcmd:: set policy prefix-list <text> rule <1-65535> prefix <x.x.x.x/x>
+
+Prefix to match against.
+
+.. cfgcmd:: set policy prefix-list <text> rule <1-65535> ge <0-32>
+
+Netmask greater than length.
+
+.. cfgcmd:: set policy prefix-list <text> rule <1-65535> le <0-32>
+
+Netmask less than lenght
+
+policy prefix-list6
+-------------------
+
+Prefix list filtering could also be applied to IPv6 traffic.
+
+.. cfgcmd:: set policy prefix-list6 <text>
+
+This command creates the new IPv6 prefix-list policy, identified by <text>.
+
+.. cfgcmd:: set policy prefix-list6 <text> description <text>
+
+Set description for the IPv6 prefix-list policy.
+
+.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> action <permit|deny>
+
+This command creates a new rule in the IPv6 prefix-list and defines an action.
+
+.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> description <text>
+
+Set description for rule in IPv6 prefix-list.
+
+.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> prefix <h:h:h:h:h:h:h:h/x>
+
+IPv6 prefix.
+
+.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> ge <0-128>
+
+Netmask greater than length.
+
+.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> le <0-128>
+
+Netmask less than lenght
+
+Route
+======
+
+Route policies are defined in this section. This route policies can then be associated to interfaces.
+
+policy route
+------------
+
+.. cfgcmd:: set policy route <text>
+
+This command creates a new route policy, identified by <text>.
+
+.. cfgcmd:: set policy route <text> description <text>
+
+Set description for the route policy.
+
+.. cfgcmd:: set policy route <text> enable-default-log
+
+Option to log packets hitting default-action.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> description <text>
+
+Set description for rule in route policy.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> action drop
+
+Set rule action to drop.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> destination address <match_criteria>
+
+Set match criteria based on destination address, where <match_criteria> could be:
+
+* <x.x.x.x>: IP address to match.
+* <x.x.x.x/x>: Subnet to match.
+* <x.x.x.x>-<x.x.x.x>: IP range to match.
+* !<x.x.x.x>: Match everything except the specified address.
+* !<x.x.x.x/x>: Match everything except the specified subnet.
+* !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> destination group <address-group|network-group|port-group> <text>
+
+Set destination match criteria based on groups, where <text> would be the group name/identifier.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> destination port <match_criteria>
+
+Set match criteria based on destination port, where <match_criteria> could be:
+
+* <port name>: Named port (any name in /etc/services, e.g., http).
+* <1-65535>: Numbered port.
+* <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'.
+For example: '!22,telnet,http,123,1001-1005'
+
+.. cfgcmd:: set policy route <text> rule <1-9999> disable
+
+Option to disable rule.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> fragment <match-grag|match-non-frag>
+
+Set IP fragment match, where:
+
+* match-frag: Second and further fragments of fragmented packets.
+* match-non-frag: Head fragments or unfragmented packets.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> icmp <code|type|type-name>
+
+Set ICMP match criterias, based on code and/or types. Types could be referenced by number or by name.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> ipsec <match-ipsec|match-none>
+
+Set IPSec inbound match criterias, where:
+
+* match-ipsec: match inbound IPsec packets.
+* match-none: match inbound non-IPsec packets.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> limit burst <0-4294967295>
+
+Set maximum number of packets to alow in excess of rate
+
+.. cfgcmd:: set policy route <text> rule <1-9999> limit rate <text>
+
+Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute,
+hour or day.For example 1/second implies rule to be matched at an average of once per second.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> log <enable|disable>
+
+Option to enable or disable log matching rule.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> log <text>
+
+Option to log matching rule.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> protocol <text|0-255|tcp_udp|all|!protocol>
+
+Set protocol to match. Protocol name in /etc/protocols or protocol number, or "tcp_udp" or "all".
+Also, protocol could be denied by using !.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> recent <count|time> <1-255|0-4294967295>
+
+Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than
+<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds).
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set dscp <0-63>
+
+Set packet modifications: Packet Differentiated Services Codepoint (DSCP)
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set mark <1-2147483647>
+
+Set packet modifications: Packet marking
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set table <main|1-200>
+
+Set packet modifications: Routing table to forward packet with.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set tcp-mss <500-1460>
+
+Set packet modifications: Explicitly set TCP Maximum segment size value.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> source address <match_criteria>
+
+Set match criteria based on source address, where <match_criteria> could be:
+
+* <x.x.x.x>: IP address to match.
+* <x.x.x.x/x>: Subnet to match.
+* <x.x.x.x>-<x.x.x.x>: IP range to match.
+* !<x.x.x.x>: Match everything except the specified address.
+* !<x.x.x.x/x>: Match everything except the specified subnet.
+* !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> source group <address-group|network-group|port-group> <text>
+
+Set source match criteria based on groups, where <text> would be the group name/identifier.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> source port <match_criteria>
+
+Set match criteria based on source port, where <match_criteria> could be:
+
+* <port name>: Named port (any name in /etc/services, e.g., http).
+* <1-65535>: Numbered port.
+* <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'.
+For example: '!22,telnet,http,123,1001-1005'
+
+.. cfgcmd:: set policy route <text> rule <1-9999> state <established|invalid|new|related> <disable|enable>
+
+Set match criteria based on session state.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> tcp flags <text>
+
+Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time monthdays <text>
+
+Set monthdays to match rule on. Format for monthdays: 2,12,21.
+To negate add ! at the front eg. !2,12,21
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time startdate <text>
+
+Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time starttime <text>
+
+Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time stopdate <text>
+
+Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time stoptime <text>
+
+Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time utc
+
+Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time weekdays
+
+Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat.
+
+
+policy ipv6-route
+-----------------
+
+IPv6 route policies are defined in this section. This route policies can then be associated to interfaces.
+
+.. cfgcmd:: set policy ipv6-route <text>
+
+This command creates a new IPv6 route policy, identified by <text>.
+
+.. cfgcmd:: set policy ipv6-route <text> description <text>
+
+Set description for the IPv6 route policy.
+
+.. cfgcmd:: set policy ipv6-route <text> enable-default-log
+
+Option to log packets hitting default-action.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> action drop
+
+Set rule action to drop.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> description <text>
+
+Set description for rule in IPv6 route policy.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination address <match_criteria>
+
+Set match criteria based on destination IPv6 address, where <match_criteria> could be:
+
+* <h:h:h:h:h:h:h:h>: IPv6 address to match.
+* <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match.
+* <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match.
+* !<h:h:h:h:h:h:h:h>: Match everything except the specified address.
+* !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix.
+* !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination port <match_criteria>
+
+Set match criteria based on destination port, where <match_criteria> could be:
+
+* <port name>: Named port (any name in /etc/services, e.g., http).
+* <1-65535>: Numbered port.
+* <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'.
+For example: '!22,telnet,http,123,1001-1005'
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> disable
+
+Option to disable rule.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> icmpv6 type <icmpv6_typ>
+
+Set ICMPv6 match criterias, based on ICMPv6 type/code name.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> ipsec <match-ipsec|match-none>
+
+Set IPSec inbound match criterias, where:
+
+* match-ipsec: match inbound IPsec packets.
+* match-none: match inbound non-IPsec packets.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit burst <0-4294967295>
+
+Set maximum number of packets to alow in excess of rate
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit rate <text>
+
+Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute,
+hour or day.For example 1/second implies rule to be matched at an average of once per second.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <enable|disable>
+
+Option to enable or disable log matching rule.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <text>
+
+Option to log matching rule.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> protocol <text|0-255|tcp_udp|all|!protocol>
+
+Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or protocol number, or "tcp_udp" or "all".
+Also, protocol could be denied by using !.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> recent <count|time> <1-255|0-4294967295>
+
+Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than
+<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds).
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set dscp <0-63>
+
+Set packet modifications: Packet Differentiated Services Codepoint (DSCP)
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set mark <1-2147483647>
+
+Set packet modifications: Packet marking.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set table <main|1-200>
+
+Set packet modifications: Routing table to forward packet with.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set tcp-mss <pmtu|500-1460>
+
+Set packet modifications: pmtu option automatically set to Path Maximum Transfer Unit minus 60 bytes. Otherwise, expliicitly
+set TCP MSS value from 500 to 1460
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source address <match_criteria>
+
+Set match criteria based on IPv6 source address, where <match_criteria> could be:
+
+* <h:h:h:h:h:h:h:h>: IPv6 address to match
+* <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match
+* <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match
+* !<h:h:h:h:h:h:h:h>: Match everything except the specified address
+* !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix
+* !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source mac-address <MAC_address|!MAC_address>
+
+Set source match criteria based on MAC address. Declare specific MAC address to match, or match everything except the specified MAC.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source port <match_criteria>
+
+Set match criteria based on source port, where <match_criteria> could be:
+
+* <port name>: Named port (any name in /etc/services, e.g., http).
+* <1-65535>: Numbered port.
+* <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'.
+For example: '!22,telnet,http,123,1001-1005'
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> state <established|invalid|new|related> <disable|enable>
+
+Set match criteria based on session state.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> tcp flags <text>
+
+Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time monthdays <text>
+
+Set monthdays to match rule on. Format for monthdays: 2,12,21.
+To negate add ! at the front eg. !2,12,21
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time startdate <text>
+
+Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time starttime <text>
+
+Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stopdate <text>
+
+Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stoptime <text>
+
+Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time utc
+
+Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time weekdays
+
+Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat.
+
+
+
+Route Map
+=========
+
+Route map is a powerfull command, that gives network administrators a very useful and flexible tool for traffic manipulation.
+
+policy route-map
+----------------
+
+.. cfgcmd:: set policy route-map <text>
+
+This command creates a new route-map policy, identified by <text>.
+
+.. cfgcmd:: set policy route-map <text> description <text>
+
+Set description for the route-map policy.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> action <permit|deny>
+
+Set action for the route-map policy.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> call <text>
+
+Call another route-map policy on match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> continue <1-65535>
+
+Jump to a different rule in this route-map on a match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> description <text>
+
+Set description for the rule in the route-map policy.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match as-path <text>
+
+BGP as-path list to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match community community-list <text>
+
+BGP community-list to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match community exact-match
+
+Set BGP community-list to exactly match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match extcommunity <text>
+
+BGP extended community to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match interface <text>
+
+First hop interface of a route to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip address access-list <1-2699>
+
+IP address of route to match, based on access-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip address prefix-list <text>
+
+IP address of route to match, based on prefix-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop access-list <1-2699>
+
+IP next-hop of route to match, based on access-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop prefix-list <text>
+
+IP next-hop of route to match, based on prefix-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source access-list <1-2699>
+
+IP route source of route to match, based on access-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source prefix-list <text>
+
+IP route source of route to match, based on prefix-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 address access-list <text>
+
+IPv6 address of route to match, based on IPv6 access-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 address prefix-list <text>
+
+IPv6 address of route to match, based on IPv6 prefix-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 nexthop <h:h:h:h:h:h:h:h>
+
+Nexthop IPv6 address to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match large-community large-community-list <text>
+
+Match BGP large communities.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match local-preference <0-4294967295>
+
+Match local preference.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match metric <1-65535>
+
+Match route metric.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match origin <egp|igp|incomplete>
+
+Boarder Gateway Protocol (BGP) origin code to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match peer <x.x.x.x>
+
+Peer IP address to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match rpki <invalid|notfound|valid>
+
+Match RPKI validation result.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> match tag <1-65535>
+
+Route tag to match.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> on-match goto <1-65535>
+
+Exit policy on match: go to rule <1-65535>
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> on-match next
+
+Exit policy on match: go to next sequence number.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set aggregator <as|ip> <1-4294967295|x.x.x.x>
+
+BGP aggregator attribute: AS number or IP address of an aggregation.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path-exclude <text>
+
+Remove ASN(s) from a BGP AS-path attribute. For example "456 64500 45001".
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path-prepend <text>
+
+Prepend string for a BGP AS-path attribute. For example "64501 64501".
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set atomic-aggregate
+
+BGP atomic aggregate attribute.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set bgp-extcommunity-rt <aa:nn>
+
+Set route target value. ExtCommunity in format: asn:value.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list comm-list <text>
+
+BGP communities with a community-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list delete
+
+Delete BGP communities matching the community-list.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set community <aa:bb|local-AS|no-advertise|no-export|internet|additive|none>
+
+Set BGP community attribute.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set distance <0-255>
+
+Locally significant administrative distance.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-rt <text>
+
+Set route target value.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-soo <text>
+
+Set site of origin value.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set ip-next-hop <x.x.x.x>
+
+Nexthop IP address.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set ipv6-next-hop <global|local> <h:h:h:h:h:h:h:h>
+
+Nexthop IPv6 address.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community <text>
+
+Set BGP large community value.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set local-preference <0-4294967295>
+
+Set BGP local preference attribute.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set metric <+/-metric|0-4294967295>
+
+Set destination routing protocol metric. Add or subtract metric, or set metric value.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type <type-1|type-2>
+
+Set OSPF external metric-type.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set origin <igp|egp|incomplete>
+
+Set BGP origin code.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set originator-id <x.x.x.x>
+
+Set BGP originator ID attribute.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set src <x.x.x.x|h:h:h:h:h:h:h:h>
+
+Set source IP/IPv6 address for route.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set table <1-200>
+
+Set prefixes to table.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set tag <1-65535>
+
+Set tag value for routing protocol.
+
+.. cfgcmd:: set policy route-map <text> rule <1-65535> set weight <0-4294967295>
+
+Set BGP weight attribute
+
+
+
+BGP filters
+===========
+
+With policies, BGP filters can be created.
+
+policy as-path-list
+-------------------
+
+.. cfgcmd:: set policy as-path-list <text>
+
+Create as-path-policy identified by name <text>.
+
+.. cfgcmd:: set policy as-path-list <text> description <text>
+
+Set description for as-path-list policy.
+
+.. cfgcmd:: set policy as-path-list <text> rule <1-65535> action <permit|deny>
+
+Set action to take on entries matching this rule.
+
+.. cfgcmd:: set policy as-path-list <text> rule <1-65535> description <text>
+
+Set description for rule.
+
+.. cfgcmd:: set policy as-path-list <text> rule <1-65535> regex <text>
+
+Regular expression to match against an AS path. For example "64501 64502".
+
+
+policy community-list
+---------------------
+
+.. cfgcmd:: set policy community-list <text>
+
+Creat community-list policy identified by name <text>.
+
+.. cfgcmd:: set policy community-list <text> description <text>
+
+Set description for community-list policy.
+
+.. cfgcmd:: set policy community-list <text> rule <1-65535> action <permit|deny>
+
+Set action to take on entries matching this rule.
+
+.. cfgcmd:: set policy community-list <text> rule <1-65535> description <text>
+
+Set description for rule.
+
+.. cfgcmd:: set policy community-list <text> rule <1-65535> regex <aa:nn|local-AS|no-advertise|no-export|internet|additive>
+
+Regular expression to match against a community-list.
+
+
+policy extcommunity-list
+------------------------
+
+.. cfgcmd:: set policy extcommunity-list <text>
+
+Creat extcommunity-list policy identified by name <text>.
+
+.. cfgcmd:: set policy extcommunity-list <text> description <text>
+
+Set description for extcommunity-list policy.
+
+.. cfgcmd:: set policy extcommunity-list <text> rule <1-65535> action <permit|deny>
+
+Set action to take on entries matching this rule.
+
+.. cfgcmd:: set policy extcommunity-list <text> rule <1-65535> description <text>
+
+Set description for rule.
+
+.. cfgcmd:: set policy extcommunity-list <text> rule <1-65535> regex <text>
+
+Regular expression to match against an extended community list, where text could be:
+
+* <aa:nn:nn>: Extended community list regular expression.
+* <rt aa:nn:nn>: Route Target regular expression.
+* <soo aa:nn:nn>: Site of Origin regular expression.
+
+
+policy large-community-list
+---------------------------
+
+.. cfgcmd:: set policy large-community-list <text>
+
+Creat large-community-list policy identified by name <text>.
+
+.. cfgcmd:: set policy large-community-list <text> description <text>
+
+Set description for large-community-list policy.
+
+.. cfgcmd:: set policy large-community-list <text> rule <1-65535> action <permit|deny>
+
+Set action to take on entries matching this rule.
+
+.. cfgcmd:: set policy large-community-list <text> rule <1-65535> description <text>
+
+Set description for rule.
+
+.. cfgcmd:: set policy large-community-list <text> rule <1-65535> regex <aa:nn:nn>
+
+Regular expression to match against a large community list.
+
+
+
+Local Route
+===========
+
+Policies for local traffic are defined in this section.
+
+policy local-route
+------------------
+
+.. cfgcmd:: set policy local-route rule <1-32765> set table <1-200|main>
+
+Set routing table to forward packet to.
+
+.. cfgcmd:: set policy local-route rule <1-32765> source <x.x.x.x|x.x.x.x/x>
+
+Set source address or prefix to match.
+
+
+
+
+
+
+
+
+
+*************
+Examples
+*************
-* Set some metric to routes learned from a particular neighbor
-* Set some attributes (like AS PATH or Community value) to advertised routes
- to neighbors
-* Prefer a specific routing protocol routes over another routing protocol
- running on the same router
Example
=======
@@ -70,6 +925,7 @@ neighbor.
You now see the longer AS path.
+
.. _routing-pbr:
###