diff options
Diffstat (limited to 'docs/configuration/policy')
-rw-r--r-- | docs/configuration/policy/index.rst | 872 |
1 files changed, 864 insertions, 8 deletions
diff --git a/docs/configuration/policy/index.rst b/docs/configuration/policy/index.rst index 7127957a..84b41ed6 100644 --- a/docs/configuration/policy/index.rst +++ b/docs/configuration/policy/index.rst @@ -6,16 +6,871 @@ Policy ###### -Routing Policies could be used to tell the router (self or neighbors) what -routes and their attributes needs to be put into the routing table. +Policies are used for filtering and traffic management. With policies, network administrators could filter and treat traffic +according to their needs. -There could be a wide range of routing policies. Some examples are below: +There could be a wide range of routing policies. Some examples are listed below: + +* Filter traffic based on source/destination address. +* Set some metric to routes learned from a particular neighbor. +* Set some attributes (like AS PATH or Community value) to advertised routes to neighbors. +* Prefer a specific routing protocol routes over another routing protocol running on the same router. + +Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed information of FRR could be found in http://docs.frrouting.org/ + +************* +Configuration +************* + +.. _policy-filter: + +Filter +====== + +Filtering is used for both input and output of the routing information. Once filtering is defined, it can be applied in +any direction. +VyOS makes filtering possible using acls and prefix lists. + +policy access-list +------------------ + +Basic filtering could be done by access-list. + +.. cfgcmd:: set policy access-list <acl_number> + +This command creates the new access list policy, where <acl_number> must be a number from 1 to 2699. + +.. cfgcmd:: set policy access-list <acl_number> description <text> + +Set description for the access list. + +.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> action <permit|deny> + +This command creates a new rule in the access list and defines an action. + +.. cfgcmd:: set policy access-list <acl_number> rule <1-65535> <destination|source> <any|host|inverse-mask|network> + +This command defines matching parameters for access list rule. Matching criteria could be applied to destinarion or source +parameters: + +* any: any IP address to match. +* host: single host IP address to match. +* inverse-match: network/netmask to match (requires network be defined). +* network: network/netmask to match (requires inverse-match be defined). + +policy access-list6 +------------------- + +Basic filtering could also be applied to IPv6 traffic. + +.. cfgcmd:: set policy access-list6 <text> + +This command creates the new IPv6 access list, identified by <text> + +.. cfgcmd:: set policy access-list6 <text> description <text> + +Set description for the IPv6 access list. + +.. cfgcmd:: set policy access-list6 <text> rule <1-65535> action <permit|deny> + +This command creates a new rule in the IPv6 access list and defines an action. + +.. cfgcmd:: set policy access-list6 <text> rule <1-65535> source <any|exact-match|network> + +This command defines matching parameters for IPv6 access list rule. Matching criteria could be applied to source parameters: + +* any: any IPv6 address to match. +* exact-match: exact match of the network prefixes. +* network: network/netmask to match (requires inverse-match be defined) BUG, NO inver-match option in access-list6 + +policy prefix-list +------------------ + +Prefix lists provides the most powerful prefix based filtering mechanism. In addition to access-list functionality, +ip prefix-list has prefix length range specification. + +If no ip prefix list is specified, it acts as permit. If ip prefix list is defined, and no match is found, +default deny is applied. + +.. cfgcmd:: set policy prefix-list <text> + +This command creates the new prefix-list policy, identified by <text>. + +.. cfgcmd:: set policy prefix-list <text> description <text> + +Set description for the prefix-list policy. + +.. cfgcmd:: set policy prefix-list <text> rule <1-65535> action <permit|deny> + +This command creates a new rule in the prefix-list and defines an action. + +.. cfgcmd:: set policy prefix-list <text> rule <1-65535> description <text> + +Set description for rule in the prefix-list. + +.. cfgcmd:: set policy prefix-list <text> rule <1-65535> prefix <x.x.x.x/x> + +Prefix to match against. + +.. cfgcmd:: set policy prefix-list <text> rule <1-65535> ge <0-32> + +Netmask greater than length. + +.. cfgcmd:: set policy prefix-list <text> rule <1-65535> le <0-32> + +Netmask less than lenght + +policy prefix-list6 +------------------- + +Prefix list filtering could also be applied to IPv6 traffic. + +.. cfgcmd:: set policy prefix-list6 <text> + +This command creates the new IPv6 prefix-list policy, identified by <text>. + +.. cfgcmd:: set policy prefix-list6 <text> description <text> + +Set description for the IPv6 prefix-list policy. + +.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> action <permit|deny> + +This command creates a new rule in the IPv6 prefix-list and defines an action. + +.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> description <text> + +Set description for rule in IPv6 prefix-list. + +.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> prefix <h:h:h:h:h:h:h:h/x> + +IPv6 prefix. + +.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> ge <0-128> + +Netmask greater than length. + +.. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> le <0-128> + +Netmask less than lenght + +Route +====== + +Route policies are defined in this section. This route policies can then be associated to interfaces. + +policy route +------------ + +.. cfgcmd:: set policy route <text> + +This command creates a new route policy, identified by <text>. + +.. cfgcmd:: set policy route <text> description <text> + +Set description for the route policy. + +.. cfgcmd:: set policy route <text> enable-default-log + +Option to log packets hitting default-action. + +.. cfgcmd:: set policy route <text> rule <1-9999> description <text> + +Set description for rule in route policy. + +.. cfgcmd:: set policy route <text> rule <1-9999> action drop + +Set rule action to drop. + +.. cfgcmd:: set policy route <text> rule <1-9999> destination address <match_criteria> + +Set match criteria based on destination address, where <match_criteria> could be: + +* <x.x.x.x>: IP address to match. +* <x.x.x.x/x>: Subnet to match. +* <x.x.x.x>-<x.x.x.x>: IP range to match. +* !<x.x.x.x>: Match everything except the specified address. +* !<x.x.x.x/x>: Match everything except the specified subnet. +* !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. + +.. cfgcmd:: set policy route <text> rule <1-9999> destination group <address-group|network-group|port-group> <text> + +Set destination match criteria based on groups, where <text> would be the group name/identifier. + +.. cfgcmd:: set policy route <text> rule <1-9999> destination port <match_criteria> + +Set match criteria based on destination port, where <match_criteria> could be: + +* <port name>: Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* <start>-<end>: Numbered port range (e.g., 1001-1005). + +Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route <text> rule <1-9999> disable + +Option to disable rule. + +.. cfgcmd:: set policy route <text> rule <1-9999> fragment <match-grag|match-non-frag> + +Set IP fragment match, where: + +* match-frag: Second and further fragments of fragmented packets. +* match-non-frag: Head fragments or unfragmented packets. + +.. cfgcmd:: set policy route <text> rule <1-9999> icmp <code|type|type-name> + +Set ICMP match criterias, based on code and/or types. Types could be referenced by number or by name. + +.. cfgcmd:: set policy route <text> rule <1-9999> ipsec <match-ipsec|match-none> + +Set IPSec inbound match criterias, where: + +* match-ipsec: match inbound IPsec packets. +* match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy route <text> rule <1-9999> limit burst <0-4294967295> + +Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy route <text> rule <1-9999> limit rate <text> + +Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, +hour or day.For example 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy route <text> rule <1-9999> log <enable|disable> + +Option to enable or disable log matching rule. + +.. cfgcmd:: set policy route <text> rule <1-9999> log <text> + +Option to log matching rule. + +.. cfgcmd:: set policy route <text> rule <1-9999> protocol <text|0-255|tcp_udp|all|!protocol> + +Set protocol to match. Protocol name in /etc/protocols or protocol number, or "tcp_udp" or "all". +Also, protocol could be denied by using !. + +.. cfgcmd:: set policy route <text> rule <1-9999> recent <count|time> <1-255|0-4294967295> + +Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than +<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy route <text> rule <1-9999> set dscp <0-63> + +Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy route <text> rule <1-9999> set mark <1-2147483647> + +Set packet modifications: Packet marking + +.. cfgcmd:: set policy route <text> rule <1-9999> set table <main|1-200> + +Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy route <text> rule <1-9999> set tcp-mss <500-1460> + +Set packet modifications: Explicitly set TCP Maximum segment size value. + +.. cfgcmd:: set policy route <text> rule <1-9999> source address <match_criteria> + +Set match criteria based on source address, where <match_criteria> could be: + +* <x.x.x.x>: IP address to match. +* <x.x.x.x/x>: Subnet to match. +* <x.x.x.x>-<x.x.x.x>: IP range to match. +* !<x.x.x.x>: Match everything except the specified address. +* !<x.x.x.x/x>: Match everything except the specified subnet. +* !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. + +.. cfgcmd:: set policy route <text> rule <1-9999> source group <address-group|network-group|port-group> <text> + +Set source match criteria based on groups, where <text> would be the group name/identifier. + +.. cfgcmd:: set policy route <text> rule <1-9999> source port <match_criteria> + +Set match criteria based on source port, where <match_criteria> could be: + +* <port name>: Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* <start>-<end>: Numbered port range (e.g., 1001-1005). + +Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route <text> rule <1-9999> state <established|invalid|new|related> <disable|enable> + +Set match criteria based on session state. + +.. cfgcmd:: set policy route <text> rule <1-9999> tcp flags <text> + +Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy route <text> rule <1-9999> time monthdays <text> + +Set monthdays to match rule on. Format for monthdays: 2,12,21. +To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy route <text> rule <1-9999> time startdate <text> + +Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route <text> rule <1-9999> time starttime <text> + +Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy route <text> rule <1-9999> time stopdate <text> + +Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route <text> rule <1-9999> time stoptime <text> + +Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy route <text> rule <1-9999> time utc + +Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy route <text> rule <1-9999> time weekdays + +Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. + + +policy ipv6-route +----------------- + +IPv6 route policies are defined in this section. This route policies can then be associated to interfaces. + +.. cfgcmd:: set policy ipv6-route <text> + +This command creates a new IPv6 route policy, identified by <text>. + +.. cfgcmd:: set policy ipv6-route <text> description <text> + +Set description for the IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route <text> enable-default-log + +Option to log packets hitting default-action. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> action drop + +Set rule action to drop. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> description <text> + +Set description for rule in IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination address <match_criteria> + +Set match criteria based on destination IPv6 address, where <match_criteria> could be: + +* <h:h:h:h:h:h:h:h>: IPv6 address to match. +* <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match. +* <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match. +* !<h:h:h:h:h:h:h:h>: Match everything except the specified address. +* !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix. +* !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination port <match_criteria> + +Set match criteria based on destination port, where <match_criteria> could be: + +* <port name>: Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* <start>-<end>: Numbered port range (e.g., 1001-1005). + +Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> disable + +Option to disable rule. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> icmpv6 type <icmpv6_typ> + +Set ICMPv6 match criterias, based on ICMPv6 type/code name. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> ipsec <match-ipsec|match-none> + +Set IPSec inbound match criterias, where: + +* match-ipsec: match inbound IPsec packets. +* match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit burst <0-4294967295> + +Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit rate <text> + +Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, +hour or day.For example 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <enable|disable> + +Option to enable or disable log matching rule. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <text> + +Option to log matching rule. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> protocol <text|0-255|tcp_udp|all|!protocol> + +Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or protocol number, or "tcp_udp" or "all". +Also, protocol could be denied by using !. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> recent <count|time> <1-255|0-4294967295> + +Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than +<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set dscp <0-63> + +Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set mark <1-2147483647> + +Set packet modifications: Packet marking. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set table <main|1-200> + +Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set tcp-mss <pmtu|500-1460> + +Set packet modifications: pmtu option automatically set to Path Maximum Transfer Unit minus 60 bytes. Otherwise, expliicitly +set TCP MSS value from 500 to 1460 + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source address <match_criteria> + +Set match criteria based on IPv6 source address, where <match_criteria> could be: + +* <h:h:h:h:h:h:h:h>: IPv6 address to match +* <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match +* <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match +* !<h:h:h:h:h:h:h:h>: Match everything except the specified address +* !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix +* !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source mac-address <MAC_address|!MAC_address> + +Set source match criteria based on MAC address. Declare specific MAC address to match, or match everything except the specified MAC. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source port <match_criteria> + +Set match criteria based on source port, where <match_criteria> could be: + +* <port name>: Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* <start>-<end>: Numbered port range (e.g., 1001-1005). + +Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> state <established|invalid|new|related> <disable|enable> + +Set match criteria based on session state. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> tcp flags <text> + +Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time monthdays <text> + +Set monthdays to match rule on. Format for monthdays: 2,12,21. +To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time startdate <text> + +Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time starttime <text> + +Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stopdate <text> + +Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stoptime <text> + +Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time utc + +Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time weekdays + +Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. + + + +Route Map +========= + +Route map is a powerfull command, that gives network administrators a very useful and flexible tool for traffic manipulation. + +policy route-map +---------------- + +.. cfgcmd:: set policy route-map <text> + +This command creates a new route-map policy, identified by <text>. + +.. cfgcmd:: set policy route-map <text> description <text> + +Set description for the route-map policy. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> action <permit|deny> + +Set action for the route-map policy. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> call <text> + +Call another route-map policy on match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> continue <1-65535> + +Jump to a different rule in this route-map on a match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> description <text> + +Set description for the rule in the route-map policy. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match as-path <text> + +BGP as-path list to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match community community-list <text> + +BGP community-list to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match community exact-match + +Set BGP community-list to exactly match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match extcommunity <text> + +BGP extended community to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match interface <text> + +First hop interface of a route to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip address access-list <1-2699> + +IP address of route to match, based on access-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip address prefix-list <text> + +IP address of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop access-list <1-2699> + +IP next-hop of route to match, based on access-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop prefix-list <text> + +IP next-hop of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source access-list <1-2699> + +IP route source of route to match, based on access-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source prefix-list <text> + +IP route source of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 address access-list <text> + +IPv6 address of route to match, based on IPv6 access-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 address prefix-list <text> + +IPv6 address of route to match, based on IPv6 prefix-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 nexthop <h:h:h:h:h:h:h:h> + +Nexthop IPv6 address to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match large-community large-community-list <text> + +Match BGP large communities. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match local-preference <0-4294967295> + +Match local preference. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match metric <1-65535> + +Match route metric. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match origin <egp|igp|incomplete> + +Boarder Gateway Protocol (BGP) origin code to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match peer <x.x.x.x> + +Peer IP address to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match rpki <invalid|notfound|valid> + +Match RPKI validation result. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match tag <1-65535> + +Route tag to match. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> on-match goto <1-65535> + +Exit policy on match: go to rule <1-65535> + +.. cfgcmd:: set policy route-map <text> rule <1-65535> on-match next + +Exit policy on match: go to next sequence number. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set aggregator <as|ip> <1-4294967295|x.x.x.x> + +BGP aggregator attribute: AS number or IP address of an aggregation. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path-exclude <text> + +Remove ASN(s) from a BGP AS-path attribute. For example "456 64500 45001". + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path-prepend <text> + +Prepend string for a BGP AS-path attribute. For example "64501 64501". + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set atomic-aggregate + +BGP atomic aggregate attribute. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set bgp-extcommunity-rt <aa:nn> + +Set route target value. ExtCommunity in format: asn:value. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list comm-list <text> + +BGP communities with a community-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list delete + +Delete BGP communities matching the community-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set community <aa:bb|local-AS|no-advertise|no-export|internet|additive|none> + +Set BGP community attribute. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set distance <0-255> + +Locally significant administrative distance. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-rt <text> + +Set route target value. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-soo <text> + +Set site of origin value. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set ip-next-hop <x.x.x.x> + +Nexthop IP address. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set ipv6-next-hop <global|local> <h:h:h:h:h:h:h:h> + +Nexthop IPv6 address. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community <text> + +Set BGP large community value. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set local-preference <0-4294967295> + +Set BGP local preference attribute. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set metric <+/-metric|0-4294967295> + +Set destination routing protocol metric. Add or subtract metric, or set metric value. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type <type-1|type-2> + +Set OSPF external metric-type. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set origin <igp|egp|incomplete> + +Set BGP origin code. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set originator-id <x.x.x.x> + +Set BGP originator ID attribute. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set src <x.x.x.x|h:h:h:h:h:h:h:h> + +Set source IP/IPv6 address for route. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set table <1-200> + +Set prefixes to table. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set tag <1-65535> + +Set tag value for routing protocol. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set weight <0-4294967295> + +Set BGP weight attribute + + + +BGP filters +=========== + +With policies, BGP filters can be created. + +policy as-path-list +------------------- + +.. cfgcmd:: set policy as-path-list <text> + +Create as-path-policy identified by name <text>. + +.. cfgcmd:: set policy as-path-list <text> description <text> + +Set description for as-path-list policy. + +.. cfgcmd:: set policy as-path-list <text> rule <1-65535> action <permit|deny> + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy as-path-list <text> rule <1-65535> description <text> + +Set description for rule. + +.. cfgcmd:: set policy as-path-list <text> rule <1-65535> regex <text> + +Regular expression to match against an AS path. For example "64501 64502". + + +policy community-list +--------------------- + +.. cfgcmd:: set policy community-list <text> + +Creat community-list policy identified by name <text>. + +.. cfgcmd:: set policy community-list <text> description <text> + +Set description for community-list policy. + +.. cfgcmd:: set policy community-list <text> rule <1-65535> action <permit|deny> + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy community-list <text> rule <1-65535> description <text> + +Set description for rule. + +.. cfgcmd:: set policy community-list <text> rule <1-65535> regex <aa:nn|local-AS|no-advertise|no-export|internet|additive> + +Regular expression to match against a community-list. + + +policy extcommunity-list +------------------------ + +.. cfgcmd:: set policy extcommunity-list <text> + +Creat extcommunity-list policy identified by name <text>. + +.. cfgcmd:: set policy extcommunity-list <text> description <text> + +Set description for extcommunity-list policy. + +.. cfgcmd:: set policy extcommunity-list <text> rule <1-65535> action <permit|deny> + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy extcommunity-list <text> rule <1-65535> description <text> + +Set description for rule. + +.. cfgcmd:: set policy extcommunity-list <text> rule <1-65535> regex <text> + +Regular expression to match against an extended community list, where text could be: + +* <aa:nn:nn>: Extended community list regular expression. +* <rt aa:nn:nn>: Route Target regular expression. +* <soo aa:nn:nn>: Site of Origin regular expression. + + +policy large-community-list +--------------------------- + +.. cfgcmd:: set policy large-community-list <text> + +Creat large-community-list policy identified by name <text>. + +.. cfgcmd:: set policy large-community-list <text> description <text> + +Set description for large-community-list policy. + +.. cfgcmd:: set policy large-community-list <text> rule <1-65535> action <permit|deny> + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy large-community-list <text> rule <1-65535> description <text> + +Set description for rule. + +.. cfgcmd:: set policy large-community-list <text> rule <1-65535> regex <aa:nn:nn> + +Regular expression to match against a large community list. + + + +Local Route +=========== + +Policies for local traffic are defined in this section. + +policy local-route +------------------ + +.. cfgcmd:: set policy local-route rule <1-32765> set table <1-200|main> + +Set routing table to forward packet to. + +.. cfgcmd:: set policy local-route rule <1-32765> source <x.x.x.x|x.x.x.x/x> + +Set source address or prefix to match. + + + + + + + + + +************* +Examples +************* -* Set some metric to routes learned from a particular neighbor -* Set some attributes (like AS PATH or Community value) to advertised routes - to neighbors -* Prefer a specific routing protocol routes over another routing protocol - running on the same router Example ======= @@ -70,6 +925,7 @@ neighbor. You now see the longer AS path. + .. _routing-pbr: ### |