6.4. Configuring Route Policies with CLI

This section provides information to configure route policies using the command line interface.

6.5. Route Policy Configuration Overview

Route policies allow you to configure routing according to specifically defined policies. You can create policies and entries to allow or deny paths based on parameters such as source address, destination address, protocol, and community list.

Policies can be as simple or complex as required. A simple policy can block routes for a specific location or IP address. More complex policies can be configured using numerous policy statement entries containing matching conditions to specify whether to accept or reject the route, control how a series of policies are evaluated, and manipulate the characteristics associated with a route.

6.5.1. When to Create Routing Policies

Route policies are created in the config>router context. There are no default route policies. Each route policy must be explicitly created and applied. Applying route policies can introduce more efficiency as well as more complexity to the capabilities of the 7705 SAR.

Route policies are used to control which MPLS labels should be learned or advertised. Based on the configured routing policy, MPLS labels from certain neighbors can be discarded.

Route policies are also used to control the size and content of the BGP, OSPF, and IS-IS routing tables, the routes that are advertised, and the best route to take to reach a destination.

Route policies can be created to control:

  1. a protocol to export all the active routes learned by that protocol
  2. route characteristics to control which route is selected to act as the active route to reach a destination and advertise the route to neighbors
  3. the protocol to import all routes into the routing table. A routing table must learn about particular routes to be able to forward packets and redistribute to other routing protocols.
  4. damping

Before a route policy is applied, analyze the policy’s purpose and be aware of the results (and consequences) when packets match the specified criteria and the associated actions and default actions, if specified, are executed. Membership reports can be filtered based on a specific source address.

6.5.2. Default Route Policy Actions

Routing protocols have default behaviors for the import and export of routing information.

For BGP, OSPF, and IS-IS, the default route policy actions are as follows:

  1. BGP
    1. import – all routes from BGP peers are accepted and passed to the BGP route selection process
    2. export (internal routes) – all active BGP routes are advertised to BGP peers
    3. export (external routes) – all non-BGP learned routes are not advertised to BGP peers
  2. OSPF and IS-IS
    1. import – not applicable; all OSPF or IS-IS routes are accepted from OSPF or IS-IS neighbors and cannot be controlled by route policies
    2. export (internal routes) – all OSPF or IS-IS routes are automatically advertised to all neighbors
    3. export (external routes) – all non-OSPF or non-IS-IS learned routes are not advertised to OSPF or IS-IS neighbors

6.5.3. Policy Evaluation

Routing policy statements can consist of one or several entries. The entries specify the matching criteria. A label is compared to the first entry in the policy statement. If it matches, the specified entry action is taken, either accepted or rejected. If the action is to accept or reject the label, that action is taken and the evaluation of the label ends.

If the label does not match the first entry, the label is compared to the next entry (if more than one is configured) in the policy statement. If there is a match with the second entry, the specified action is taken. If the action is to accept or reject the label, that action is taken and the evaluation of the label ends, and so on.

Each route policy statement can have a default-action clause defined. If a default action is defined for one or more of the configured route policies, the default action is handled as follows.

  1. The process stops when the first complete match is found and executes the action defined in the entry.
  2. If the packet does not match any of the entries, the system executes the default action specified in the policy statement.

Route policies can also match a given route policy entry and continue to search for other entries within either the same route policy or the next route policy by specifying the next-entry or next-policy option in the entry’s action command. Policies can be constructed to support multiple states to the evaluation and setting of various route attributes.

Figure 18 shows an example of the route policy process.

Figure 19 shows the next-entry and next-policy route policy processes. The next-entry logic is that for each policy statement, the process checks each entry until the first match is hit, at which point the appropriate action is taken, which could be next-policy.

Figure 18: Route Policy Process Example

Figure 19: Next Entry and Next Policy Logic Example

6.5.3.1. Damping

Damping initiates controls when routes flap. Route flapping can occur when an advertised route between nodes alternates (flaps) back and forth between two paths due to network problems that cause intermittent route failures. To limit processing requirements, the amount of routing state change updates propagated must be reduced. Thus, when a route flaps beyond a configured value (the suppress value), then that route is removed from the routing table and routing protocols until the value falls below the reuse value.

A route can be suppressed according to the Figure of Merit (FoM) value. The FoM is a value that is added to a route each time it flaps. A new route begins with an FoM value of 0.

Damping is optional. If damping is configured, the following parameter values must be explicitly specified because there are no default values:

  1. suppress
  2. half-life
  3. reuse
  4. max-suppress

When a route’s FoM value exceeds the suppress value, the route is removed from the routing table. The route is considered to be stable when the FoM drops below the reuse value by means of the specified half-life parameter. The route is then returned to the routing tables. When routes have higher FoM and half-life values, they are suppressed for longer periods of time. Figure 20 depicts an example of a flapping route, the suppress threshold, the half-life decay (time), and reuse threshold. The peaks represent route flaps, and the slopes represent half-life decay.

Figure 20:  Damping Example 

6.6. Basic Route Policy Configuration

This section provides information on configuring route policies and shows configuration examples of common tasks.

The minimum route policy parameters that need to be configured are:

  1. policy statement with the following parameters specified:
    1. at least one entry
    2. entry action

The following is an example of route policy configuration, including examples for defining community members, community expressions, and the as-path regular expressions.

A:ALU-B>config>router>policy-options# info
----------------------------------------------
       community "all-types" members "5000:[1-6][1-9][0-9]"
       community "all-normal" members "5000:[1-5][1-9][0-9]"
       community "comm-expression-1" expression "target:1234:111 OR target:1234:222"
       community "comm-expression-2" expression "target:555:100 AND target:555:600"
. . .
       as-path "Outside madeup paths" expression ".* 5001 .*"
       as-path "Outside Internet paths" expression ".* 5002 .*"
       policy-statement "RejectOutsideASPaths"
           entry 1
               from
                   protocol bgp
                   as-path "Outside madeup paths"
               exit
               action reject
               exit
           exit
           entry 2
               from
                   protocol bgp
                   as-path "Outside Internet paths"
               exit
               action reject
               exit
           exit
           entry 3
               from
                   protocol ospf
               exit
               to
                   protocol bgp
               exit
               action reject
               exit
           exit
           entry 4
               from
                   protocol isis
               exit
               to
                   protocol bgp
               exit
               action reject
               exit
           exit
           default-action accept
           exit
       exit
       policy-statement "aggregate-customer-peer-only"
           entry 1
               from
                   community "all-customer-announce"
               exit
               action accept
               exit
           exit
           default-action reject
           exit
           exit
----------------------------------------------
A:ALU-B>config>router>policy-options#
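The evaluation order described in Policy Evaluation (first matching entry decides, accept/reject ends evaluation, next-entry and next-policy continue, default-action applies when nothing matches) can be modelled to check what the RejectOutsideASPaths statement above actually does to a given route. This is an added example written for this page, not 7705 SAR code; the Route/Entry/PolicyStatement classes, the "prefilter" statement and the treatment of the longer keyword are assumptions of the model.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Route:
    prefix: str                        # e.g. "10.10.0.1/32"
    protocol: str                      # protocol the route was learned from
    as_path: str = ""                  # AS numbers separated by single spaces
    to_protocol: Optional[str] = None  # protocol the route is being exported to

def prefix_matches(route_prefix: str, list_prefix: str, mode: str = "exact") -> bool:
    """prefix-list entry semantics: 'exact' as on the page; 'longer' is
    assumed to cover the prefix itself and any more specific prefix."""
    r = ipaddress.ip_network(route_prefix, strict=False)
    p = ipaddress.ip_network(list_prefix, strict=False)
    if mode == "exact":
        return r == p
    if mode == "longer":
        return r.subnet_of(p)
    raise ValueError(f"unsupported prefix-list keyword {mode!r}")

@dataclass
class Entry:
    entry_id: int
    action: str                                   # accept | reject | next-entry | next-policy
    from_protocol: Optional[str] = None           # from protocol <x>
    to_protocol: Optional[str] = None             # to protocol <x>
    as_path_regex: Optional[str] = None           # as-path expression, e.g. ".* 5001 .*"
    prefixes: list = field(default_factory=list)  # from prefix-list: [(prefix, keyword), ...]

    def matches(self, route: Route) -> bool:
        """All configured criteria must match; an entry with none matches everything."""
        if self.from_protocol and route.protocol != self.from_protocol:
            return False
        if self.to_protocol and route.to_protocol != self.to_protocol:
            return False
        if self.as_path_regex and not re.fullmatch(self.as_path_regex, route.as_path):
            return False
        if self.prefixes and not any(prefix_matches(route.prefix, p, k) for p, k in self.prefixes):
            return False
        return True

@dataclass
class PolicyStatement:
    name: str
    entries: list
    default_action: Optional[str] = None  # None: no default-action configured

def evaluate(policies, route: Route):
    """Run a route through a chain of policy statements in the order the
    Policy Evaluation section describes.  Returns (decision, where decided)."""
    for policy in policies:
        jump = False
        for entry in policy.entries:           # entries are compared in order
            if not entry.matches(route):
                continue                       # no match: try the next entry
            if entry.action in ("accept", "reject"):
                return entry.action, f"{policy.name}/entry {entry.entry_id}"
            if entry.action == "next-policy":
                jump = True
                break                          # skip the rest of this statement
            # next-entry: the match is noted and the search goes on in this statement
        if jump:
            continue
        if policy.default_action in ("accept", "reject"):
            return policy.default_action, f"{policy.name}/default-action"
        # no default-action (or next-policy): fall through to the next statement
    return "accept", "no match in any policy"  # page: no default action and no match => accepted

# The RejectOutsideASPaths statement from the configuration above.
REJECT_OUTSIDE = PolicyStatement("RejectOutsideASPaths", [
    Entry(1, "reject", from_protocol="bgp", as_path_regex=".* 5001 .*"),
    Entry(2, "reject", from_protocol="bgp", as_path_regex=".* 5002 .*"),
    Entry(3, "reject", from_protocol="ospf", to_protocol="bgp"),
    Entry(4, "reject", from_protocol="isis", to_protocol="bgp"),
], default_action="accept")

# Constructed first statement: only routes inside 10.10.0.0/16 reach the next policy.
PREFILTER = PolicyStatement("prefilter", [
    Entry(1, "next-policy", prefixes=[("10.10.0.0/16", "longer")]),
    Entry(2, "reject"),
])

CHAIN = [PREFILTER, REJECT_OUTSIDE]
```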

6.7. Configuring Route Policy Components

Use the CLI syntax displayed below to configure the following:

CLI Syntax:
config>router>policy-options
    begin
    commit
    abort
    prefix-list name
        prefix ip-prefix/mask [exact | longer | through length | prefix-length-range length1-length2]
    policy-statement name
        description text
        default-action {accept | next-entry | next-policy | reject}
        entry entry-id
            description text
            action {accept | next-entry | next-policy | reject}
            from
                neighbor {ip_address | prefix-list name}
                prefix-list name [name...up to 5 max]

6.7.1. Beginning the Policy Statement

Use the following CLI syntax to begin a policy statement configuration. In order for a policy statement to be complete, an entry must be specified (see Configuring an Entry).

CLI Syntax:
config>router>policy-options
    begin
    policy-statement name
        description text

The following error message displays if you try to enter a policy options command without entering begin first.

A:ALU-B>config>router>policy-options# policy-statement "allow all"
MINOR: CLI The policy-options must be in edit mode by calling begin before any
changes can be made.

The following example displays policy statement configuration command usage. These commands are configured in the config>router context.

Example:
config>router# policy-options
policy-options# begin

There are no default policy statement options. All parameters must be explicitly configured.

6.7.2. Creating a Route Policy

To enter the mode to create or edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include:

  1. the commit command, which saves changes made to route policies during a session
  2. the abort command, which discards changes that have been made to route policies during a session

Use the following CLI syntax to enter the edit mode:

CLI Syntax:
config>router>policy-options
    begin

The following example displays some commands to configure a policy statement. Policy option commands are configured in the config>router context. Use the commit command to save the changes.

Example:
config>router>policy-options# begin
policy-options# policy-statement "allow all"
policy-options>policy-statement$ description "General Policy"
policy-options>policy-statement# entry 1
policy-options>policy-statement>entry$ action accept
policy-options>policy-statement>entry# exit
policy-options>policy-statement# exit
policy-options# commit

The following error message displays if you try to modify a policy option without entering begin first.

A:ALU-B>config>router>policy-options# policy-statement "allow all"
MINOR: CLI The policy-options must be in edit mode by calling begin before any 
changes can be made.

A:ALU-B>config>router>policy-options# info
#------------------------------------------
# Policy
#------------------------------------------
        policy-options
            begin
            policy-statement "allow all"
                description "General Policy"
                ...
            exit
        exit
----------------------------------------------
A:ALU-B>config>router>policy-options#

6.7.3. Configuring a Default Action

Specifying a default action is optional. The default action controls those packets not matching any policy statement entries. The default action is applied only to those routes that do not match any policy entries.

If no default action is specified and there is no match, the packets will be accepted.

A policy statement must include at least one entry (see Configuring an Entry).

To enter the mode to create or edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include:

  1. the commit command, which saves changes made to route policies during a session
  2. the abort command, which discards changes made to route policies during a session

CLI Syntax:
config>router>policy-options
    begin
    commit
    abort
    policy-statement name
        default-action {accept | next-entry | next-policy | reject}
            as-path {add | replace} name
            community {add | remove | replace} name [name...(up to 28 max)]
            damping name
            metric {add | subtract} metric
            metric set {igp | metric}
            preference preference
            tag tag
            type type

The following example displays default action configuration command usage. These commands are configured in the config>router>policy-options context.

Example:
config>router>policy-options# policy-statement "1"
policy-statement$ default-action accept

The following example displays the default action configuration:

A:ALU-B>config>router>policy-options# info
----------------------------------------------
            policy-statement "1"
                default-action accept
                    as-path add "saratoga"
                    community add "365"
                    damping "flaptest"
                    metric igp
                    next-hop 10.10.10.104
                    type 1
                exit
            exit
----------------------------------------------
A:ALU-B>config>router>policy-options#

6.7.4. Configuring an Entry

An entry action must be specified. The other parameters in the entry>action context are optional.

The from>community and from>community expression commands are mutually exclusive for a specific entry. The last community command entered overwrites any previous community command.

CLI Syntax:
config>router>policy-options
    begin
    commit
    abort
    policy-statement name
        entry entry-id
            description text
            action {accept | next-entry | next-policy | reject}
            from
                area area-id
                as-path {add | replace} name
                community comm-name
                community expression expression
                external
                family [ipv4] [vpn-ipv4]
                group-address prefix-list-name
                interface interface-name
                level {1 | 2}
                neighbor {ip-address | prefix-list name}
                origin {igp | egp | incomplete | any}
                prefix-list name [name...(up to 5 max)]
                protocol protocol [all | instance instance]
                source-address ip-address
                tag tag
                type type
            to
                level {1 | 2}
                neighbor {ip-address | prefix-list name}
                prefix-list name [name...(up to 5 max)]
                protocol protocol [all | instance instance]

The following example displays entry command usage. These commands are configured in the config>router>policy-options context.

Example:
config>router>policy-options# policy-statement "1"
policy-statement# entry 1
policy-statement>entry$ to
policy-statement>entry>to# protocol bgp
policy-statement>entry>to# neighbor 10.10.10.104
policy-statement>entry>to# exit
policy-statement>entry# action accept
policy-statement>entry>action# exit
policy-statement>entry# exit
policy-statement# entry 2
policy-statement>entry$ from
policy-statement>entry>from# protocol ospf
policy-statement>entry>from# exit
policy-statement>entry# to
policy-statement>entry>to# protocol ospf
policy-statement>entry>to# neighbor 10.10.0.91
policy-statement>entry>to# exit
policy-statement>entry# action accept
policy-statement>entry>action# exit

The following example displays entry parameters and includes the default action parameters that were displayed in the previous section.

A:ALU-B>config>router>policy-options# info
----------------------------------------------
            policy-statement "1"
                entry 1
                    to
                         protocol bgp
                         neighbor 10.10.10.104
                    exit
                    action accept
                    exit
                exit
                entry 2
                    from
                        protocol ospf
                    exit
                    to
                        protocol ospf
                        neighbor 10.10.0.91
                    exit
                    action accept
                    exit
                exit
                default-action accept
                    . . .
                exit
            exit
----------------------------------------------

6.7.5. Configuring an AS Path (policy-option)

An AS path is defined by a regular expression in the config>router>policy-options context. Once defined, it can be added, removed, or replaced in a policy statement as part of a default action, an entry action, or an entry from (source) definition. See Configuring a Default Action and Configuring an Entry.

The following example displays as-path command usage.

A:ALU-B>config>router# info
----------------------------------------------
    . . .
       as-path "Outside madeup paths" expression ".* 5001 .*"
       as-path "Outside Internet paths" expression ".* 5002 .*"
    . . .
----------------------------------------------
A:ALU-B>config>router#

6.7.6. Configuring a Community List or Expression

Community lists are composed of a group of destinations that share a common property. Community lists allow you to administer actions on a configured group instead of having to execute identical commands for each member.

Community expressions are logical expressions composed of community lists (community IDs) separated by AND, OR, and NOT operations. Community expressions provide flexible matching of communities.

Community lists and expressions must be enclosed within quotes.

The following example displays community list and community expression configurations:

A:ALU-B>config>router>policy-options# info
----------------------------------------------
     community "eastern" members "100:200"
     community "western" members "100:300"
     community "northern" members "100:400"
     community "southern" members "100:500"
     community "headquarters" members "100:1000"
     community "manor" expression "target:100:111"
     community "manor2" expression "target:100:111 AND target:100:555"
     policy-statement "1"
          entry 1
               to
                    protocol bgp
                    neighbor 10.10.10.104
               exit
          entry 10
               from
                    community expression "NOT ([eastern] OR [western])"
               exit
               action accept
....
----------------------------------------------
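To see how the community definitions above combine, here is an evaluator for member regular expressions such as "5000:[1-5][1-9][0-9]" and for expressions such as "NOT ([eastern] OR [western])" or "target:555:100 AND target:555:600" against the communities carried by a route. This is an added example, not 7705 SAR code; the operator precedence (NOT over AND over OR, parentheses grouping), the [name] reference form and the COMMUNITY_LISTS sample table are assumptions.

```python
import re

# community <name> members "<regex>" definitions, copied from this page
COMMUNITY_LISTS = {
    "eastern": ["100:200"],
    "western": ["100:300"],
    "all-normal": ["5000:[1-5][1-9][0-9]"],
    "all-types": ["5000:[1-6][1-9][0-9]"],
}

def list_matches(name, route_comms, lists=COMMUNITY_LISTS):
    """A community list matches when any route community matches any member regex."""
    if name not in lists:
        raise KeyError(f"community list {name!r} is not defined")
    return any(re.fullmatch(member, c) for member in lists[name] for c in route_comms)

# Tokens: parentheses, a bracketed [name] reference, or one bare word/community value
_TOKEN = re.compile(r"\(|\)|\[[^\]]*\]|[^\s()\[\]]+")

class _ExprParser:
    """Recursive-descent evaluator for AND / OR / NOT expressions (assumed precedence)."""
    def __init__(self, expr, route_comms, lists):
        self.toks = _TOKEN.findall(expr)
        self.i = 0
        self.route_comms = route_comms
        self.lists = lists
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse(self):
        value = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return value
    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "OR":
            self.take()
            rhs = self.and_expr()      # always evaluated so every token is consumed
            value = value or rhs
        return value
    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "AND":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value
    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            return not self.not_expr()
        return self.atom()
    def atom(self):
        tok = self.take()
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in ("AND", "OR", "NOT", ")"):
            raise ValueError(f"expected an operand, got {tok!r}")
        if tok.startswith("[") and tok.endswith("]"):
            return list_matches(tok[1:-1], self.route_comms, self.lists)  # [name] reference
        return tok in self.route_comms                                   # literal community

def expression_matches(expr, route_comms, lists=COMMUNITY_LISTS):
    """Evaluate a community expression against the set of communities on a route."""
    return _ExprParser(expr, set(route_comms), lists).parse()
```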

6.7.7. Configuring Damping

Observe the following when configuring damping.

  1. For each damping profile, all parameters must be configured.
  2. The suppress value must be greater than the reuse value (see Figure 20).
  3. Damping is enabled in the config>router>bgp context at the BGP global, group, and neighbor levels. If damping is enabled but route policy does not specify a damping profile, the default damping profile is used. This default profile is always present and consists of the following parameters:
    1. half-life: 15 min
    2. max-suppress: 60 min
    3. reuse: 750
    4. suppress: 3000

Use the following CLI syntax to configure damping:

CLI Syntax:
config>router>policy-options
    damping name
        half-life minutes
        max-suppress minutes
        reuse integer
        suppress integer

The following example displays damping configuration command usage.

Example:
config>router>policy-options# damping damptest123
config>router>policy-options>damping# max-suppress 60
config>router>policy-options>damping# half-life 15
config>router>policy-options>damping# reuse 750
config>router>policy-options>damping# suppress 1000
config>router>policy-options>damping# exit
config>router>policy-options#

The following example displays a damping configuration:

A:ALU-B>config>router>policy-options# info
----------------------------------------------
     damping "damptest123"
          half-life 15
          max-suppress 60
          reuse 750
          suppress 1000
     exit
----------------------------------------------
A:ALU-B>config>router>policy-options#
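The Figure of Merit mechanism from the Damping section and the profile rules above (all four values mandatory, suppress greater than reuse, the default profile of half-life 15, max-suppress 60, reuse 750, suppress 3000) can be simulated to see when a flapping route is pulled from the routing table and when it comes back. This is an added example, not product code; the 1000-per-flap penalty, the FoM ceiling formula and the once-a-minute polling are assumptions, since the page gives neither.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class DampingProfile:
    half_life: float     # minutes for the FoM to halve
    max_suppress: float  # minutes, longest a route may stay suppressed
    reuse: int           # route returns to the routing table below this FoM
    suppress: int        # route is removed once its FoM exceeds this

    def __post_init__(self):
        # The page: all four values are mandatory and suppress must exceed reuse.
        if self.suppress <= self.reuse:
            raise ValueError("suppress must be greater than reuse")
        if self.half_life <= 0 or self.max_suppress <= 0:
            raise ValueError("half-life and max-suppress must be positive")

    def fom_ceiling(self) -> float:
        """Highest FoM worth accumulating: anything larger would take more than
        max-suppress minutes to decay back below reuse.  Assumed formula."""
        return self.reuse * 2 ** (self.max_suppress / self.half_life)

    def reuse_delay(self, fom: float) -> float:
        """Minutes until a FoM of 'fom' has decayed below the reuse value."""
        if fom < self.reuse:
            return 0.0
        return self.half_life * math.log2(fom / self.reuse)

# The default profile quoted in Configuring Damping.
DEFAULT_PROFILE = DampingProfile(half_life=15, max_suppress=60, reuse=750, suppress=3000)
FLAP_PENALTY = 1000  # FoM added per flap; an assumption, the page gives no figure

class DampedRoute:
    """Tracks one route's FoM; all times are minutes on a common clock."""
    def __init__(self, profile: DampingProfile):
        self.profile = profile
        self.fom = 0.0          # a new route begins with an FoM of 0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        # Exponential half-life decay since the last update.
        self.fom *= 2 ** (-(now - self.last_update) / self.profile.half_life)
        self.last_update = now

    def flap(self, now: float) -> bool:
        """Record a flap at time 'now'; returns True if the route is now suppressed."""
        self._decay_to(now)
        self.fom = min(self.fom + FLAP_PENALTY, self.profile.fom_ceiling())
        if self.fom > self.profile.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now: float) -> bool:
        """True if the route is in the routing table at time 'now'."""
        self._decay_to(now)
        if self.suppressed and self.fom < self.profile.reuse:
            self.suppressed = False   # stable again: returned to the routing table
        return not self.suppressed

def simulate(profile: DampingProfile, flap_times, horizon: int):
    """Replay flaps and poll once a minute; returns the minute the route was
    first suppressed and the minute it became usable again (None if never)."""
    route = DampedRoute(profile)
    suppressed_at = reusable_at = None
    flaps = sorted(flap_times)
    for minute in range(horizon + 1):
        while flaps and flaps[0] <= minute:
            if route.flap(flaps.pop(0)) and suppressed_at is None:
                suppressed_at = minute
        if suppressed_at is not None and reusable_at is None and route.usable(minute):
            reusable_at = minute
    return suppressed_at, reusable_at
```

With the default profile, three flaps one minute apart leave the FoM just under 3000, so the fourth flap is what suppresses the route, and it takes about 35 more minutes of half-life decay before it is reused.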

6.7.8. Configuring a Prefix List

Use the following CLI syntax to configure a prefix list:

CLI Syntax:
prefix-list name
    prefix ip-prefix/prefix-length [exact | longer | through length | prefix-length-range length1-length2]

The following example displays prefix list configuration command usage. These commands are configured in the config>router context.

Example:
config>router>policy-options# prefix-list
policy-options# prefix-list western
policy-options>prefix-list# prefix 10.10.0.1/32
policy-options>prefix-list# prefix 10.10.0.2/32
policy-options>prefix-list# prefix 10.10.0.3/32
policy-options>prefix-list# prefix 10.10.0.4/32

The following example displays the prefix list configuration.

A:ALU-B>config>router>policy-options# info
----------------------------------------------
            prefix-list "western"
                    prefix 10.10.0.1/32 exact
                    prefix 10.10.0.2/32 exact
                    prefix 10.10.0.3/32 exact
                    prefix 10.10.0.4/32 exact
            exit
----------------------------------------------
A:ALU-B>config>router>policy-options#

6.7.9. Configuring PIM Join/Register Policies

Join policies are used in Protocol Independent Multicast (PIM) configurations to prevent the transport of multicast traffic across a network and the dropping of packets at a router at the edge of the network. PIM Join filters reduce the potential for denial of service (DoS) attacks and PIM state explosion—large numbers of Join messages forwarded to each router on the RPT, resulting in memory consumption.

Register policies are used to prevent any unwanted sources from transmitting multicast streams. You can apply register policies at the RP, or at the edge so that register data does not travel unnecessarily over the network towards the RP.

For information on importing a Join/Register policy into a PIM configuration, see the “PIM-SM Routing Policies” and “Importing PIM Join/Register Policies” sections in the 7705 SAR Routing Protocols Guide.

Configuring a PIM join or register policy follows the same process as that for any other policy. However, when configuring an entry, include the entry>from>group-address and entry>from>source-address commands. See Configuring an Entry for the CLI syntax.

The (*,G) or (S,G) information is used to forward unicast or multicast packets.

  1. group-address matches the group in join/prune messages
      group-address 229.55.150.208/32 exact
  2. source-address matches the source in join/prune messages
      source-address 192.168.0.0/16 longer
  3. interface matches any join message received on the specified interface
      interface port 1/1/1
  4. neighbor matches any join message received from the specified neighbor
      neighbor 1.1.1.1

The following example displays the command usage for a PIM join policy named “pim_join”. The policy will not allow Join messages for group 229.50.50.208/32 and source 192.168.0.0/16, but will allow other Join messages. These commands are configured in the config>router context.

Example:
policy-options# begin
policy-options# policy-statement pim_join
policy-options>policy-statement$ entry 10
policy-options>policy-statement>entry$ from
policy-options>policy-statement>entry>from$ group-address 229.50.50.208/32
policy-options>policy-statement>entry>from$ source-address 192.168.0.0
policy-options>policy-statement>entry>from$ exit
policy-options>policy-statement>entry# action reject
policy-options>policy-statement>entry#

The following example displays a PIM register policy that allows registration for (*,224.0.0.0/8). These commands are configured in the config>router context.

Example:
policy-options# policy-statement reg_pol
policy-options>policy-statement$ entry 10
policy-options>policy-statement>entry$ from
policy-options>policy-statement>entry>from$ group-address 224.0.0.0/8
policy-options>policy-statement>entry>from$ exit
policy-options>policy-statement>entry# action accept
policy-options>policy-statement>entry>action# exit
policy-options>policy-statement>entry# exit
policy-options>policy-statement# exit

The following example displays the PIM join and register policy configurations:

A:ALA-B>config>router>policy-options# info
----------------------------------------------
...
     policy-statement "pim_join"
          entry 10
               from
                    group-address "229.50.50.208/32"
                    source-address 192.168.0.0
               exit
               action reject
          exit
     exit
     policy-statement "reg_pol"
          entry 10
               from
                    group-address "224.0.0.0/8"
               exit
               action accept
          exit
     exit
...
----------------------------------------------

6.7.10. Configuring Bootstrap Message Import and Export Policies

Bootstrap import and export policies are used to control the flow of bootstrap messages to and from the rendezvous point (RP).

The following configuration example specifies that there should be no BSR messages received or sent out of interface port 1/1/1. These commands are configured in the config>router context.

Example:
policy-options# policy-statement pim_import_policy
policy-options>policy-statement$ entry 10
policy-options>policy-statement>entry$ from
policy-options>policy-statement>entry>from$ interface port 1/1/1
policy-options>policy-statement>entry>from$ exit
policy-options>policy-statement>entry# action reject
policy-options>policy-statement>entry# exit
policy-options>policy-statement# exit

Example:
policy-options# policy-statement pim_export_policy
policy-options>policy-statement$ entry 10
policy-options>policy-statement>entry$ to
policy-options>policy-statement>entry>to$ interface port 1/1/1
policy-options>policy-statement>entry>to$ exit
policy-options>policy-statement>entry# action reject
policy-options>policy-statement>entry# exit
policy-options>policy-statement# exit

The following configuration example illustrates the application of the policies to PIM. Up to five import and five export policies can be specified.

Example:
config>router>pim>rp# bootstrap-import pim_import_policy
config>router>pim>rp# bootstrap-export pim_export_policy

6.8. Route Policy Configuration Management Tasks

6.8.1. Editing Policy Statements and Parameters

Route policy statements can be edited to modify, add, or delete parameters. To enter edit mode, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include:

  1. the commit command, which saves changes made to route policies during a session
  2. the abort command, which discards changes that have been made to route policies during a session

The following example displays some commands to configure a policy statement. These commands are configured in the config>router>policy-options context.

Example:
config>router>policy-options# begin
policy-options# policy-statement "1"
policy-statement# description "Level 1"
policy-statement# entry 4
policy-statement>entry$ description "new entry"
policy-statement>entry# from
policy-statement>entry>from$ prefix-list "from hq"
policy-statement>entry>from# exit
policy-statement>entry# action reject
policy-statement>entry# commit
policy-statement>entry# exit

The following example displays the changed configuration.

A:ALU-B>config>router>policy-options>policy-statement# info
----------------------------------------------
                description "Level 1"
                entry 1
                    from
                        neighbor 10.10.10.104
                    exit
                    action accept
                    exit
                exit
                entry 2
                    from
                        prefix-list list1
                    exit
                    from
                        neighbor 10.10.0.91
                    exit
                    action accept
                    exit
                exit
                entry 4
                    description "new entry"
                    from
                        prefix-list "from hq"
                    exit
                    action reject
                exit
                default-action accept
                exit
----------------------------------------------
A:ALU-B>config>router>policy-options>policy-statement# 

6.8.2. Deleting an Entry

Use the following CLI syntax to delete a policy statement entry:

CLI Syntax:
config>router>policy-options
    begin
    commit
    abort
    policy-statement name
        no entry entry-id

The following example displays the commands required to delete a policy statement entry.

Example:
config>router>policy-options# begin
policy-options# policy-statement "1"
policy-options>policy-statement# no entry 4
policy-options>policy-statement# commit

6.8.3. Deleting a Policy Statement

Use the following CLI syntax to delete a policy statement:

CLI Syntax:
config>router>policy-options
    begin
    commit
    abort
    no policy-statement name

The following example displays the commands required to delete a policy statement.

Example:
config>router>policy-options# begin
policy-options# no policy-statement 1
policy-options# commit