From 1fb2465d8cb7197a18daeb46270c3d42e64e3dbe Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Thu, 22 Jul 2021 11:54:18 -0300
Subject: Policy file updated/recreated. Added commands and descriptions. From examples section, and after that, no changes were made.
---
 docs/configuration/policy/index.rst | 872 +++++++++++++++++++++++++++++++++++-
 1 file changed, 864 insertions(+), 8 deletions(-)

(limited to 'docs/configuration/policy/index.rst')

diff --git a/docs/configuration/policy/index.rst b/docs/configuration/policy/index.rst
index 7127957a..84b41ed6 100644
--- a/docs/configuration/policy/index.rst
+++ b/docs/configuration/policy/index.rst
@@ -6,16 +6,871 @@ Policy ###### -Routing Policies could be used to tell the router (self or neighbors) what -routes and their attributes needs to be put into the routing table. +Policies are used for filtering and traffic management. With policies, network administrators could filter and treat traffic +according to their needs. -There could be a wide range of routing policies. Some examples are below: +There could be a wide range of routing policies. Some examples are listed below: + +* Filter traffic based on source/destination address. +* Set some metric to routes learned from a particular neighbor. +* Set some attributes (like AS PATH or Community value) to advertised routes to neighbors. +* Prefer a specific routing protocol routes over another routing protocol running on the same router. + +Policies, in VyOS, are implemented using FRR filtering and route maps. Detailed information of FRR could be found in http://docs.frrouting.org/ + +************* +Configuration +************* + +.. _policy-filter: + +Filter +====== + +Filtering is used for both input and output of the routing information. Once filtering is defined, it can be applied in +any direction. +VyOS makes filtering possible using acls and prefix lists. + +policy access-list +------------------ + +Basic filtering could be done by access-list. + +.. cfgcmd:: set policy access-list + +This command creates the new access list policy, where must be a number from 1 to 2699. + +.. cfgcmd:: set policy access-list description + +Set description for the access list. + +.. cfgcmd:: set policy access-list rule <1-65535> action + +This command creates a new rule in the access list and defines an action. + +.. cfgcmd:: set policy access-list rule <1-65535> + +This command defines matching parameters for access list rule. Matching criteria could be applied to destinarion or source +parameters: + +* any: any IP address to match. +* host: single host IP address to match. 
+* inverse-match: network/netmask to match (requires network be defined). +* network: network/netmask to match (requires inverse-match be defined). + +policy access-list6 +------------------- + +Basic filtering could also be applied to IPv6 traffic. + +.. cfgcmd:: set policy access-list6 + +This command creates the new IPv6 access list, identified by + +.. cfgcmd:: set policy access-list6 description + +Set description for the IPv6 access list. + +.. cfgcmd:: set policy access-list6 rule <1-65535> action + +This command creates a new rule in the IPv6 access list and defines an action. + +.. cfgcmd:: set policy access-list6 rule <1-65535> source + +This command defines matching parameters for IPv6 access list rule. Matching criteria could be applied to source parameters: + +* any: any IPv6 address to match. +* exact-match: exact match of the network prefixes. +* network: network/netmask to match (requires inverse-match be defined) BUG, NO inver-match option in access-list6 + +policy prefix-list +------------------ + +Prefix lists provides the most powerful prefix based filtering mechanism. In addition to access-list functionality, +ip prefix-list has prefix length range specification. + +If no ip prefix list is specified, it acts as permit. If ip prefix list is defined, and no match is found, +default deny is applied. + +.. cfgcmd:: set policy prefix-list + +This command creates the new prefix-list policy, identified by . + +.. cfgcmd:: set policy prefix-list description + +Set description for the prefix-list policy. + +.. cfgcmd:: set policy prefix-list rule <1-65535> action + +This command creates a new rule in the prefix-list and defines an action. + +.. cfgcmd:: set policy prefix-list rule <1-65535> description + +Set description for rule in the prefix-list. + +.. cfgcmd:: set policy prefix-list rule <1-65535> prefix + +Prefix to match against. + +.. cfgcmd:: set policy prefix-list rule <1-65535> ge <0-32> + +Netmask greater than length. + +.. 
cfgcmd:: set policy prefix-list rule <1-65535> le <0-32> + +Netmask less than lenght + +policy prefix-list6 +------------------- + +Prefix list filtering could also be applied to IPv6 traffic. + +.. cfgcmd:: set policy prefix-list6 + +This command creates the new IPv6 prefix-list policy, identified by . + +.. cfgcmd:: set policy prefix-list6 description + +Set description for the IPv6 prefix-list policy. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> action + +This command creates a new rule in the IPv6 prefix-list and defines an action. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> description + +Set description for rule in IPv6 prefix-list. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> prefix + +IPv6 prefix. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> ge <0-128> + +Netmask greater than length. + +.. cfgcmd:: set policy prefix-list6 rule <1-65535> le <0-128> + +Netmask less than lenght + +Route +====== + +Route policies are defined in this section. This route policies can then be associated to interfaces. + +policy route +------------ + +.. cfgcmd:: set policy route + +This command creates a new route policy, identified by . + +.. cfgcmd:: set policy route description + +Set description for the route policy. + +.. cfgcmd:: set policy route enable-default-log + +Option to log packets hitting default-action. + +.. cfgcmd:: set policy route rule <1-9999> description + +Set description for rule in route policy. + +.. cfgcmd:: set policy route rule <1-9999> action drop + +Set rule action to drop. + +.. cfgcmd:: set policy route rule <1-9999> destination address + +Set match criteria based on destination address, where could be: + +* : IP address to match. +* : Subnet to match. +* -: IP range to match. +* !: Match everything except the specified address. +* !: Match everything except the specified subnet. +* !-: Match everything except the specified range. + +.. 
cfgcmd:: set policy route rule <1-9999> destination group + +Set destination match criteria based on groups, where would be the group name/identifier. + +.. cfgcmd:: set policy route rule <1-9999> destination port + +Set match criteria based on destination port, where could be: + +* : Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* -: Numbered port range (e.g., 1001-1005). + +Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route rule <1-9999> disable + +Option to disable rule. + +.. cfgcmd:: set policy route rule <1-9999> fragment + +Set IP fragment match, where: + +* match-frag: Second and further fragments of fragmented packets. +* match-non-frag: Head fragments or unfragmented packets. + +.. cfgcmd:: set policy route rule <1-9999> icmp + +Set ICMP match criterias, based on code and/or types. Types could be referenced by number or by name. + +.. cfgcmd:: set policy route rule <1-9999> ipsec + +Set IPSec inbound match criterias, where: + +* match-ipsec: match inbound IPsec packets. +* match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy route rule <1-9999> limit burst <0-4294967295> + +Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy route rule <1-9999> limit rate + +Set maximum average matching rate. Format for rate: integer/time_unit, where time_unit could be any one of second, minute, +hour or day.For example 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy route rule <1-9999> log + +Option to enable or disable log matching rule. + +.. cfgcmd:: set policy route rule <1-9999> log + +Option to log matching rule. + +.. cfgcmd:: set policy route rule <1-9999> protocol + +Set protocol to match. Protocol name in /etc/protocols or protocol number, or "tcp_udp" or "all". 
+Also, protocol could be denied by using !. + +.. cfgcmd:: set policy route rule <1-9999> recent <1-255|0-4294967295> + +Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than +<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy route rule <1-9999> set dscp <0-63> + +Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy route rule <1-9999> set mark <1-2147483647> + +Set packet modifications: Packet marking + +.. cfgcmd:: set policy route rule <1-9999> set table + +Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy route rule <1-9999> set tcp-mss <500-1460> + +Set packet modifications: Explicitly set TCP Maximum segment size value. + +.. cfgcmd:: set policy route rule <1-9999> source address + +Set match criteria based on source address, where could be: + +* : IP address to match. +* : Subnet to match. +* -: IP range to match. +* !: Match everything except the specified address. +* !: Match everything except the specified subnet. +* !-: Match everything except the specified range. + +.. cfgcmd:: set policy route rule <1-9999> source group + +Set source match criteria based on groups, where would be the group name/identifier. + +.. cfgcmd:: set policy route rule <1-9999> source port + +Set match criteria based on source port, where could be: + +* : Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* -: Numbered port range (e.g., 1001-1005). + +Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route rule <1-9999> state + +Set match criteria based on session state. + +.. cfgcmd:: set policy route rule <1-9999> tcp flags + +Set match criteria based on tcp flags. 
Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy route rule <1-9999> time monthdays + +Set monthdays to match rule on. Format for monthdays: 2,12,21. +To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy route rule <1-9999> time startdate + +Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route rule <1-9999> time starttime + +Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy route rule <1-9999> time stopdate + +Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route rule <1-9999> time stoptime + +Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy route rule <1-9999> time utc + +Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy route rule <1-9999> time weekdays + +Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. + + +policy ipv6-route +----------------- + +IPv6 route policies are defined in this section. This route policies can then be associated to interfaces. + +.. cfgcmd:: set policy ipv6-route + +This command creates a new IPv6 route policy, identified by . + +.. 
cfgcmd:: set policy ipv6-route description + +Set description for the IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route enable-default-log + +Option to log packets hitting default-action. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> action drop + +Set rule action to drop. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> description + +Set description for rule in IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> destination address + +Set match criteria based on destination IPv6 address, where could be: + +* : IPv6 address to match. +* : IPv6 prefix to match. +* -: IPv6 range to match. +* !: Match everything except the specified address. +* !: Match everything except the specified prefix. +* !-: Match everything except the specified range. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> destination port + +Set match criteria based on destination port, where could be: + +* : Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* -: Numbered port range (e.g., 1001-1005). + +Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy ipv6-route rule <1-9999> disable + +Option to disable rule. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> icmpv6 type + +Set ICMPv6 match criterias, based on ICMPv6 type/code name. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> ipsec + +Set IPSec inbound match criterias, where: + +* match-ipsec: match inbound IPsec packets. +* match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> limit burst <0-4294967295> + +Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy ipv6-route rule <1-9999> limit rate + +Set maximum average matching rate. 
Format for rate: integer/time_unit, where time_unit could be any one of second, minute, +hour or day.For example 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> log + +Option to enable or disable log matching rule. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> log + +Option to log matching rule. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> protocol + +Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or protocol number, or "tcp_udp" or "all". +Also, protocol could be denied by using !. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> recent <1-255|0-4294967295> + +Set parameters for matching recently seen sources. This match could be used by seeting count (source address seen more than +<1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set dscp <0-63> + +Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set mark <1-2147483647> + +Set packet modifications: Packet marking. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set table + +Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> set tcp-mss + +Set packet modifications: pmtu option automatically set to Path Maximum Transfer Unit minus 60 bytes. Otherwise, expliicitly +set TCP MSS value from 500 to 1460 + +.. cfgcmd:: set policy ipv6-route rule <1-9999> source address + +Set match criteria based on IPv6 source address, where could be: + +* : IPv6 address to match +* : IPv6 prefix to match +* -: IPv6 range to match +* !: Match everything except the specified address +* !: Match everything except the specified prefix +* !-: Match everything except the specified range + +.. cfgcmd:: set policy ipv6-route rule <1-9999> source mac-address + +Set source match criteria based on MAC address. 
Declare specific MAC address to match, or match everything except the specified MAC. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> source port + +Set match criteria based on source port, where could be: + +* : Named port (any name in /etc/services, e.g., http). +* <1-65535>: Numbered port. +* -: Numbered port range (e.g., 1001-1005). + +Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. +For example: '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy ipv6-route rule <1-9999> state + +Set match criteria based on session state. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> tcp flags + +Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time monthdays + +Set monthdays to match rule on. Format for monthdays: 2,12,21. +To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time startdate + +Set date to start matching rule. Format for date: yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time starttime + +Set time of day to start matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time stopdate + +Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time of date with stopdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00. + +.. 
cfgcmd:: set policy ipv6-route rule <1-9999> time stoptime + +Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 hours notation. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time utc + +Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy ipv6-route rule <1-9999> time weekdays + +Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! at the front eg. !Mon,Thu,Sat. + + + +Route Map +========= + +Route map is a powerfull command, that gives network administrators a very useful and flexible tool for traffic manipulation. + +policy route-map +---------------- + +.. cfgcmd:: set policy route-map + +This command creates a new route-map policy, identified by . + +.. cfgcmd:: set policy route-map description + +Set description for the route-map policy. + +.. cfgcmd:: set policy route-map rule <1-65535> action + +Set action for the route-map policy. + +.. cfgcmd:: set policy route-map rule <1-65535> call + +Call another route-map policy on match. + +.. cfgcmd:: set policy route-map rule <1-65535> continue <1-65535> + +Jump to a different rule in this route-map on a match. + +.. cfgcmd:: set policy route-map rule <1-65535> description + +Set description for the rule in the route-map policy. + +.. cfgcmd:: set policy route-map rule <1-65535> match as-path + +BGP as-path list to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match community community-list + +BGP community-list to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match community exact-match + +Set BGP community-list to exactly match. + +.. cfgcmd:: set policy route-map rule <1-65535> match extcommunity + +BGP extended community to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match interface + +First hop interface of a route to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip address access-list <1-2699> + +IP address of route to match, based on access-list. + +.. 
cfgcmd:: set policy route-map rule <1-65535> match ip address prefix-list + +IP address of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip nexthop access-list <1-2699> + +IP next-hop of route to match, based on access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip nexthop prefix-list + +IP next-hop of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip route-source access-list <1-2699> + +IP route source of route to match, based on access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ip route-source prefix-list + +IP route source of route to match, based on prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 address access-list + +IPv6 address of route to match, based on IPv6 access-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 address prefix-list + +IPv6 address of route to match, based on IPv6 prefix-list. + +.. cfgcmd:: set policy route-map rule <1-65535> match ipv6 nexthop + +Nexthop IPv6 address to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match large-community large-community-list + +Match BGP large communities. + +.. cfgcmd:: set policy route-map rule <1-65535> match local-preference <0-4294967295> + +Match local preference. + +.. cfgcmd:: set policy route-map rule <1-65535> match metric <1-65535> + +Match route metric. + +.. cfgcmd:: set policy route-map rule <1-65535> match origin + +Boarder Gateway Protocol (BGP) origin code to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match peer + +Peer IP address to match. + +.. cfgcmd:: set policy route-map rule <1-65535> match rpki + +Match RPKI validation result. + +.. cfgcmd:: set policy route-map rule <1-65535> match tag <1-65535> + +Route tag to match. + +.. cfgcmd:: set policy route-map rule <1-65535> on-match goto <1-65535> + +Exit policy on match: go to rule <1-65535> + +.. 
cfgcmd:: set policy route-map rule <1-65535> on-match next + +Exit policy on match: go to next sequence number. + +.. cfgcmd:: set policy route-map rule <1-65535> set aggregator <1-4294967295|x.x.x.x> + +BGP aggregator attribute: AS number or IP address of an aggregation. + +.. cfgcmd:: set policy route-map rule <1-65535> set as-path-exclude + +Remove ASN(s) from a BGP AS-path attribute. For example "456 64500 45001". + +.. cfgcmd:: set policy route-map rule <1-65535> set as-path-prepend + +Prepend string for a BGP AS-path attribute. For example "64501 64501". + +.. cfgcmd:: set policy route-map rule <1-65535> set atomic-aggregate + +BGP atomic aggregate attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set bgp-extcommunity-rt + +Set route target value. ExtCommunity in format: asn:value. + +.. cfgcmd:: set policy route-map rule <1-65535> set comm-list comm-list + +BGP communities with a community-list. + +.. cfgcmd:: set policy route-map rule <1-65535> set comm-list delete + +Delete BGP communities matching the community-list. + +.. cfgcmd:: set policy route-map rule <1-65535> set community + +Set BGP community attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set distance <0-255> + +Locally significant administrative distance. + +.. cfgcmd:: set policy route-map rule <1-65535> set extcommunity-rt + +Set route target value. + +.. cfgcmd:: set policy route-map rule <1-65535> set extcommunity-soo + +Set site of origin value. + +.. cfgcmd:: set policy route-map rule <1-65535> set ip-next-hop + +Nexthop IP address. + +.. cfgcmd:: set policy route-map rule <1-65535> set ipv6-next-hop + +Nexthop IPv6 address. + +.. cfgcmd:: set policy route-map rule <1-65535> set large-community + +Set BGP large community value. + +.. cfgcmd:: set policy route-map rule <1-65535> set local-preference <0-4294967295> + +Set BGP local preference attribute. + +.. 
cfgcmd:: set policy route-map rule <1-65535> set metric <+/-metric|0-4294967295> + +Set destination routing protocol metric. Add or subtract metric, or set metric value. + +.. cfgcmd:: set policy route-map rule <1-65535> set metric-type + +Set OSPF external metric-type. + +.. cfgcmd:: set policy route-map rule <1-65535> set origin + +Set BGP origin code. + +.. cfgcmd:: set policy route-map rule <1-65535> set originator-id + +Set BGP originator ID attribute. + +.. cfgcmd:: set policy route-map rule <1-65535> set src + +Set source IP/IPv6 address for route. + +.. cfgcmd:: set policy route-map rule <1-65535> set table <1-200> + +Set prefixes to table. + +.. cfgcmd:: set policy route-map rule <1-65535> set tag <1-65535> + +Set tag value for routing protocol. + +.. cfgcmd:: set policy route-map rule <1-65535> set weight <0-4294967295> + +Set BGP weight attribute + + + +BGP filters +=========== + +With policies, BGP filters can be created. + +policy as-path-list +------------------- + +.. cfgcmd:: set policy as-path-list + +Create as-path-policy identified by name . + +.. cfgcmd:: set policy as-path-list description + +Set description for as-path-list policy. + +.. cfgcmd:: set policy as-path-list rule <1-65535> action + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy as-path-list rule <1-65535> description + +Set description for rule. + +.. cfgcmd:: set policy as-path-list rule <1-65535> regex + +Regular expression to match against an AS path. For example "64501 64502". + + +policy community-list +--------------------- + +.. cfgcmd:: set policy community-list + +Creat community-list policy identified by name . + +.. cfgcmd:: set policy community-list description + +Set description for community-list policy. + +.. cfgcmd:: set policy community-list rule <1-65535> action + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy community-list rule <1-65535> description + +Set description for rule. + +.. 
cfgcmd:: set policy community-list rule <1-65535> regex + +Regular expression to match against a community-list. + + +policy extcommunity-list +------------------------ + +.. cfgcmd:: set policy extcommunity-list + +Creat extcommunity-list policy identified by name . + +.. cfgcmd:: set policy extcommunity-list description + +Set description for extcommunity-list policy. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> action + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> description + +Set description for rule. + +.. cfgcmd:: set policy extcommunity-list rule <1-65535> regex + +Regular expression to match against an extended community list, where text could be: + +* : Extended community list regular expression. +* : Route Target regular expression. +* : Site of Origin regular expression. + + +policy large-community-list +--------------------------- + +.. cfgcmd:: set policy large-community-list + +Creat large-community-list policy identified by name . + +.. cfgcmd:: set policy large-community-list description + +Set description for large-community-list policy. + +.. cfgcmd:: set policy large-community-list rule <1-65535> action + +Set action to take on entries matching this rule. + +.. cfgcmd:: set policy large-community-list rule <1-65535> description + +Set description for rule. + +.. cfgcmd:: set policy large-community-list rule <1-65535> regex + +Regular expression to match against a large community list. + + + +Local Route +=========== + +Policies for local traffic are defined in this section. + +policy local-route +------------------ + +.. cfgcmd:: set policy local-route rule <1-32765> set table <1-200|main> + +Set routing table to forward packet to. + +.. cfgcmd:: set policy local-route rule <1-32765> source + +Set source address or prefix to match. 
+ + + + + + + + + +************* +Examples +************* -* Set some metric to routes learned from a particular neighbor -* Set some attributes (like AS PATH or Community value) to advertised routes - to neighbors -* Prefer a specific routing protocol routes over another routing protocol - running on the same router Example ======= @@ -70,6 +925,7 @@ neighbor. You now see the longer AS path. + .. _routing-pbr: ### -- cgit v1.2.3
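Review bot: The new introduction and the Filter section of the first hunk describe access lists and prefix lists as acting on traffic ("Filter traffic based on source/destination address", "Basic filtering could also be applied to IPv6 traffic"), while the same section states that "Filtering is used for both input and output of the routing information" and that policies are implemented with FRR filtering and route maps. Please say routes or prefixes consistently for access-list, access-list6, prefix-list and prefix-list6, so readers do not take these lists for packet filters. The prefix-list default ("If ip prefix list is defined, and no match is found, default deny is applied") is easy to miss in running text and would be better set off as a note.
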
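Review bot: In the access-list6 section of the first hunk, the "network" bullet still carries a working note in the published text: "BUG, NO inver-match option in access-list6". Its "(requires inverse-match be defined)" wording is copied from the IPv4 access-list, although the IPv6 bullets list exact-match instead. Please remove the note from the documentation, track the missing option in an issue, and describe the IPv6 "network" match in its own terms.
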
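Review bot: In the prefix-list and prefix-list6 sections of the first hunk, "ge" and "le" are documented as "Netmask greater than length." and "Netmask less than lenght". Both bounds are inclusive in FRR prefix lists, so the text should read "greater than or equal to" and "less than or equal to"; an off-by-one reading here changes which prefixes a filter accepts. "lenght" is misspelled in both sections, and the "le" lines lack the closing full stop used elsewhere.
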
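Review bot: In the "policy route" and "policy ipv6-route" sections of the first hunk, the command "set policy route rule <1-9999> log" (and its ipv6-route counterpart) is documented twice with two different descriptions, "Option to enable or disable log matching rule." and "Option to log matching rule."; keep one entry per command. The "time stopdate" text in both sections still says "For eg startdate value of 2009-01-21T13:30:00", copied from the startdate entry. Only "action drop" is documented for these rules, and the section says the policies "can then be associated to interfaces" without showing the command that does so. Typos in the same region: "alow", "seeting", "criterias", "expliicitly" and the missing space in "hour or day.For example".
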
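Review bot: In the Route Map and BGP filters sections of the first hunk, several descriptions are not complete sentences or contain typos: "set comm-list comm-list" is described only as "BGP communities with a community-list.", which does not say what the command does; "powerfull", "Boarder Gateway Protocol" and "Creat" (three times, in community-list, extcommunity-list and large-community-list) need correcting; "destinarion" appears earlier, in the access-list section. "continue" ("Jump to a different rule in this route-map on a match") and "on-match goto" ("Exit policy on match: go to rule") read as the same behaviour, so the difference between them should be stated.
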
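Review bot: The second hunk (@@ -70,6 +925,7 @@) changes nothing except adding an empty line before ".. _routing-pbr:", and the first hunk ends with nine empty added lines before the new "Examples" heading. The commit message says nothing was changed from the examples section onward, so please drop the stray blank line in the second hunk and reduce the run of blank lines before "Examples" to the spacing used between the other sections.
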