Table Of Contents

Implementing Routing Policy on Cisco IOS XR Software

Contents

Prerequisites for Implementing Routing Policy

Information About Implementing Routing Policy

Routing Policy Language

Routing Policy Language Overview

Routing Policy Language Structure

Routing Policy Language Components

Routing Policy Language Usage

Routing Policy Configuration Basics

Policy Definitions

Parameterization

Semantics of Policy Application

Boolean Operator Precedence

Multiple Modifications of the Same Attribute

When Attributes Are Modified

Default Drop Disposition

Control Flow

Policy Verification

Policy Statements

Remark

Disposition

Action

If

Boolean Conditions

apply

Attach Points

BGP Policy Attach Points

OSPF Policy Attach Points

OSPFv3 Policy Attach Points

IS-IS Policy Attach Points

Attached Policy Modification

Nonattached Policy Modification

Editing Routing Policy Configuration Elements

How to Implement Routing Policy

Defining a Route Policy

Attaching a Routing Policy to a BGP Neighbor

Prerequisites

Modifying a Routing Policy Using the Microemacs Editor

Configuration Examples for Implementing Routing Policy

Routing Policy Definition: Example

Simple Inbound Policy: Example

Modular Inbound Policy: Example

Translating Cisco IOS Route Maps to Cisco IOS XR Routing Policy Language: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Implementing Routing Policy on Cisco IOS XR Software

---

A routing policy instructs the router to inspect routes, filter them, and potentially modify their attributes as they are accepted from a peer, advertised to a peer, or redistributed from one routing protocol to another. Routing protocols make decisions to advertise, aggregate, discard, distribute, export, hold, import, redistribute and otherwise modify routes based on configured routing policy.

The routing policy language (RPL) has been designed to provide a single, straightforward language in which all routing policy needs can be expressed. RPL was designed to support large-scale routing configurations. It greatly reduces the redundancy inherent in previous routing policy configuration methods. RPL has been designed to streamline routing policy configuration, to reduce system resources required to store and process these configurations, and to simplify troubleshooting.

---

Note For more information about routing policy on the Cisco IOS XR software and complete descriptions of the routing policy commands listed in this module, see the "Related Documents" section of this module. To locate documentation for other commands that might appear during execution of a configuration task, search online in the Cisco IOS XR software master command index.

---

Feature History for Implementing Routing Policy on Cisco IOS XR Software

Release	Modification
Release 2.0	This feature was introduced on the Cisco CRS-1.
Release 3.0	No modification.
Release 3.2	Support was added for the Cisco XR 12000 Series Router.

Contents

•Prerequisites for Implementing Routing Policy

•Information About Implementing Routing Policy

•How to Implement Routing Policy

•Configuration Examples for Implementing Routing Policy

•Additional References

Prerequisites for Implementing Routing Policy

The following are prerequisites for implementing Routing Policy on Cisco IOS XR Software:

•To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

•Border Gateway Protocol (BGP), integrated Intermediate System-to-Intermediate System (IS-IS), or Open Shortest Path First (OSPF) must be configured in your network.

Information About Implementing Routing Policy

To implement RPL, you need to understand the following concepts:

•Routing Policy Language

•Routing Policy Language

•Routing Policy Configuration Basics

•Policy Definitions

•Parameterization

•Semantics of Policy Application

•Policy Statements

•Attach Points

•Attached Policy Modification

•Nonattached Policy Modification

Routing Policy Language

This section contains the following information:

•Routing Policy Language Overview

•Routing Policy Language Structure

•Routing Policy Language Components

•Routing Policy Language Usage

Routing Policy Language Overview

RPL was developed to support large-scale routing configurations. RPL has several fundamental capabilities that differ from those present in configurations oriented to traditional route maps, access lists, and prefix lists. The first of these capabilities is the ability to build policies in a modular form. Common blocks of policy can be defined and maintained independently. These common blocks of policy can then be applied from other blocks of policy to build complete policies. This capability reduces the amount of configuration information that needs to be maintained. In addition, these common blocks of policy can be parameterized. This parameterization allows for policies that share the same structure but differ in the specific values that are set or matched against to be maintained as independent blocks of policy. For example, three policies that are identical in every way except for the local preference value they set can be represented as one common parameterized policy that takes the varying local preference value as a parameter to the policy.

The policy language introduces the notion of sets. Sets are containers of similar data that can be used in route attribute matching and setting operations. Four set types exist: prefix-sets, community-sets, as-path-sets, and extcommunity-sets. These sets hold groupings of IPv4 or IPv6 prefixes, community values, AS path regular expressions, and extended community values, respectively. Sets are simply containers of data. Most sets also have an inline variant. An inline set allows for small enumerations of values to be used directly in a policy rather than having to refer to a named set. Prefix lists, community lists, and AS path lists must be maintained even when only one or two items are in the list. An inline set in RPL allows the user to place small sets of values directly in the policy body without having to refer to a named set.

Decision making, such as accept and deny, is explicitly controlled by the policy definitions themselves. RPL combines matching operators, which may use set data, with the traditional Boolean logic operators and, or, and not into complex conditional expressions. All matching operations return a true or false result. The execution of these conditional expressions and their associated actions can then be controlled by using simple if then, elseif, and else structures, which allow the evaluation paths through the policy to be fully specified by the user.

Routing Policy Language Structure

This section describes the basic structure of RPL.

Names

The policy language provides two kinds of persistent, namable objects: sets and policies. Definition of these objects is bracketed by beginning and ending command lines. For example, to define a policy named test, the configuration syntax would look similar to the following:

route-policy test

	[ . . . policy statements . . . ]

end-policy

Legal names for policy objects can be any sequence of the upper- and lowercase alphabetic characters; the numerals 0 to 9; and the punctuation characters period, hyphen, and underscore. A name must begin with a letter or numeral.

Sets

In this context, the term set is used in its mathematical sense to mean an unordered collection of unique elements. The policy language provides sets as a container for groups of values for matching purposes. Sets are used in conditional expressions. The elements of the set are separated by commas. Null (empty) sets are not allowed.

Four kinds of sets exist: as-path-set, community-set, extcommunity-set, and prefix-set. You may want to perform comparisons against a small number of elements, such as two or three community values, for example. To allow for these comparisons, the user can enumerate these values directly. These enumerations are referred to as inline sets. Functionally, inline sets are equivalent to named sets, but allow for simple tests to be inline. Thus, comparisons do not require that a separate named set be maintained when only one or two elements are being compared. See the set types described in the following sections for the syntax. In general, the syntax for an inline set is a comma-separated list surrounded by parentheses as follows: (<element-entry>,<element-entry>,<element-entry>, ...<element-entry>), where <element-entry> is an entry of an item appropriate to the type of usage such as a prefix or a community value.

The following is an example using an inline community set:

route-policy sample-inline

	if community matches-any ([10..15]:100) then

		set local-preference 100

	endif

end-policy

The following is an equivalent example using the named set test-communities:

community-set test-communities

	10:100,

	11:100,

	12:100,

	13:100,

	14:100,

	15:100

end-set

route-policy sample

	if community matches-any test-communities then

		set local-preference 100

	endif

end-policy

Both of these policies are functionally equivalent, but the inline form does not require the configuration of the community set just to store the six values. You can choose the form appropriate to the configuration context. In the following sections, examples of both the named set version and the inline form are provided where appropriate.

as-path-set

An AS path set comprises operations for matching an AS path attribute. The only matching operation is a regular expression match.

Named Set Form

The named set form uses the ios-regex keyword to indicate the type of regular expression and requires single quotation marks around the regular expression.

The following is a sample definition of a named AS path set:

as-path-set aset1

	ios-regex '_42$',

	ios-regex '_127$'

end-set

This AS path set comprises two elements. When used in a matching operation, this AS path set matches any route whose AS path ends with either the autonomous system (AS) number 42 or 127.

To remove the named AS path set, use the no as-path-set aset1 command-line interface (CLI) command.

Inline Set Form

The inline set form is a parenthesized list of comma-separated expressions, as follows:

(ios-regex '_42$', ios-regex '_127$')

This set matches the same AS paths as the previously named set, but does not require the extra effort of creating a named set separate from the policy that uses it.

community-set

A community-set holds community values for matching against the BGP community attribute. A community is a 32-bit quantity. Integer community values must be split in half and expressed as two unsigned decimal integers in the range from 0 to 65535, separated by a colon. Single 32-bit community values are not allowed. The following is the named set form:

Named Set Form

community-set cset1

	12:34,

	12:56,

	12:78,

	internet

end-set

Inline Set Form

(12:34, 12:56, 12:78)

($as:34, $as:$tag1, 12:78, internet)

The inline form of a community-set also supports parameterization. Each 16-bit portion of the community may be parameterized. See the "Parameterization" section for more information.

RPL provides symbolic names for the standard well-known community values: internet is 0:0, no-export is 65535:65281, no-advertise is 65535:65282, and local-as is 65535:65283.

RPL also provides a facility for using wildcards in community specifications. A wildcard is specified by inserting an asterisk (*) in place of one of the 16-bit portions of the community specification; the wildcard indicates that any value for that portion of the community matches. Thus, the following policy matches all communities in which the autonomous system part of the community is 123:

community-set cset3

   123:*

end-set

Every community set must contain at least one community value. Empty community sets are invalid and are rejected.

extcommunity-set

An extended community-set is analogous to a community-set except that it contains extended community values instead of regular community values. It also supports named forms and inline forms. The following are syntactic examples:

Named Form

extcommunity-set extcomm-set1

	RT:1.2.3.4:666,

	RT:1234:666,

	SoO:1.2.3.4:777,

	SoO	:4567:777

end-set

Inline Form

(RT:1.2.3.4:666, RT:1234:6667, SoO:1.2.3.4:777, SoO:45678:777)

(RT:$ipaddr:666, RT:1234:$tag, SoO:1.2.3.4:777, SoO:$tag2:777)

As with community sets, the inline form supports parameterization within parameterized policies. Either portion of the extended community value can be parameterized.

Every extended community-set must contain at least one extended community value. Empty extended community-sets are invalid and rejected.

prefix-set

A prefix-set holds IPv4 or IPv6 prefix match specifications, each of which has four parts: an address, a mask length, a minimum matching length, and a maximum matching length. The address is required, but the other three parts are optional. The address is a standard dotted-decimal IPv4 or colon-separated hexadecimal IPv6 address. The mask length, if present, is a nonnegative decimal integer in the range from 0 to 32 (0 to 128 for IPv6) following the address and separated from it by a slash. The optional minimum matching length follows the address and optional mask length and is expressed as the keyword ge (mnemonic for greater than or equal to), followed by a nonnegative decimal integer in the range from 0 to 32 (0 to 128 for IPv6). The optional maximum matching length follows the rest and is expressed by the keyword le (mnemonic for less than or equal to), followed by yet another nonnegative decimal integer in the range from 0 to 32 (0 to 128 for IPv6). A syntactic shortcut for specifying an exact length for prefixes to match is the eq keyword (mnemonic for equal to).

If a prefix match specification has no mask length, then the default mask length is 32 for IPv4 and 128 for IPv6. The default minimum matching length is the mask length. If a minimum matching length is specified, then the default maximum matching length is 32 for IPv4 and 128 for IPv6. Otherwise, if neither minimum nor maximum is specified, the default maximum is the mask length.

The prefix-set itself is a comma-separated list of prefix match specifications. The following are examples:

prefix-set legal-ipv4-prefix-examples

	10.0.1.1,

	10.0.2.0/24,

	10.0.3.0/24 ge 28,

	10.0.4.0/24 le 28,

	10.0.5.0/24 ge 26 le 30,

	10.0.6.0/24 eq 28

end-set

prefix-set legal-ipv6-prefix-examples

  2001:0:0:1::/64,

  2001:0:0:2::/64 ge 96,

  2001:0:0:2::/64 ge 96 le 100,

  2001:0:0:2::/64 eq 100

end-set

The first element of the prefix-set matches only one possible value, 10.0.1.1/32 or the host address 10.0.1.1. The second element matches only one possible value, 10.0.2.0/24. The third element matches a range of prefix values, from 10.0.3.0/28 to 10.0.3.255/32. The fourth element matches a range of values, from 10.0.4.0/24 to 10.0.4.240/28. The fifth element matches prefixes in the range from 10.0.5.0/26 to 10.0.5.252/30. The sixth element matches any prefix of length 28 in the range from 10.0.6.0/28 through 10.0.6.240/28.

The following prefix-set consists entirely of invalid prefix match specifications:

prefix-set ILLEGAL-PREFIX-EXAMPLES

	10.1.1.1 ge 16,

	10.1.2.1 le 16,

	10.1.3.0/24 le 23,

	10.1.4.0/24 ge 33,

	10.1.5.0/25 ge 29 le 28

end-set

Neither the minimum length nor maximum length is valid without a mask length. The maximum length must be at least the mask length. For IPv4, the minimum length must be less than 32, the maximum length of an IPv4 prefix. For IPv6, the minimum length must be less than 128, the maximum length of an IPv6 prefix. The maximum length must be equal to or greater than the minimum length.

Routing Policy Language Components

Four main components in the routing policy language are involved in defining, modifying, and using policies: the configuration front end, policy repository, execution engine, and policy clients themselves.

The configuration front end (CLI) is the mechanism to define and modify policies. This configuration is then stored on the router using the normal storage means and can be displayed using the normal configuration show commands.

The second component of the policy infrastructure, the policy repository, has several responsibilities. First, it compiles the user-entered configuration into a form that the execution engine can understand. Second, it performs much of the verification of policies; and it ensures that defined policies can actually be executed properly. Third, it tracks which attach points are using which policies so that when policies are modified the appropriate clients are properly updated with the new policies relevant to them.

The third component is the execution engine. This component is the piece that actually runs policies as the clients request. The process can be thought of as receiving a route from one of the policy clients and then executing the actual policy against the specific route data.

The fourth component is the policy clients (the routing protocols). This component calls the execution engine at the appropriate times to have a given policy be applied to a given route, and then perform some number of actions. These actions may include deleting the route if policy indicated that it should be dropped, passing along the route to the protocol decision tree as a candidate for the best route, or advertising a policy modified route to a neighbor or peer as appropriate.

Routing Policy Language Usage

This section provides basic routing policy language usage examples. See the "How to Implement Routing Policy" section for detailed information on how to implement routing policy language.

The pass policy

The following example shows how the policy accepts all presented routes without modifying the routes.

route-policy quickstart-pass

	pass

end-policy

The drop everything policy

The following example shows how the policy explicitly rejects all routes presented to it. This type of policy is used to ignoring everything coming from a misbehaving peer.

route-policy quickstart-drop

	drop

end-policy

Ignore routes with specific AS numbers in the path

The following example shows the policy definition in three parts. First, the as-path-set command defines three regular expressions to match against an AS path. Second, the route-policy command applies the AS path set to a route. If the AS path attribute of the route matches the regular expression defined with the as-path-set command, the protocol refuses the route. Third, the route policy is attached to BGP neighbor 10.0.1.2. BGP consults the policy named ignore_path_as on routes received (imported) from neighbor 10.0.1.2.

as-path-set ignore_path

	ios-regex '_11_',

	ios-regex '_22_',

	ios-regex '_33_'

end-set

route-policy ignore_path_as

	if as-path in ignore_path then

		drop

	else

		pass

	endif

end-policy

router bgp 2

	neighbor 10.0.1.2 address-family ipv4 unicast policy ignore_path_as in

Set community based on MED

The following example shows how the policy tests the MED of a route and modifies the community attribute of the route based on the value of the MED. If the MED value is 127, the policy adds the community 123:456 to the route. If the MED value is 63, the policy adds the value 123:789 to the community attribute of the route. Otherwise, the policy removes the community 123:123 from the route. In any case, the policy instructs the protocol to accept the route.

route-policy quickstart-med

	if med eq 127 then

		set community (123:456) additive

	elseif med eq 63 then

		set community (123:789) additive

	else

		delete community in (123:123)

	endif

	pass

end-policy

Set local preference based on community

The following example shows how the community-set named quickstart-communities defines community values. The route policy named quickstart-localpref tests a route for the presence of the communities specified in the quickstart-communities community set. If any of the community values are present in the route, the route policy sets the local preference attribute of the route to 31. In any case, the policy instructs the protocol to accept the route.

community-set quickstart-communities

	987:654,

	987:543,

	987:321,

	987:210

end-set

route-policy quickstart-localpref

	if community matches-any quickstart-communities then

		set local-preference 31

	endif

	pass

end-policy

Persistent Remarks

The following example shows how comments are placed in the policy to clarify the meaning of the entries in the set and the statements in the policy. The remarks are persistent, meaning they remain attached to the policy. For example, remarks are displayed in the output of the show running-config command. Adding remarks to the policy makes the policy easier to understand, modify at a later date, and troubleshoot if an unexpected behavior occurs.

prefix-set rfc1918

	# These are the networks defined as private in RFC1918 (including

	# all subnets thereof)

	10.0.0.0/8 ge 8,

	172.16.0.0/12 ge 12,

	192.168.0.0/16 ge 16

end-set

route-policy quickstart-remarks

	# Handle routes to RFC1918 networks

	if destination in rfc1918 then

		# Set the community such that we do not export the route

		set community (no-export) additive

	endif

end-policy

Routing Policy Configuration Basics

Route policies comprise series of statements and expressions that are bracketed with the route-policy and end-policy keywords. Rather than a collection of individual commands (one for each line), the statements within a route policy have context relative to each other. Thus, instead of each line being an individual command, each policy or set is an independent configuration object that can be used, entered, and manipulated as a unit.

Each line of a policy configuration is a logical subunit. At least one new line must follow the then, else, and end-policy keywords. A new line must also follow the closing parenthesis of a parameter list and the name string in a reference to an AS path set, community set, extended community set, or prefix set. At least one new line must precede the definition of a route policy, AS path set, community set, extended community set, or prefix set. One or more new lines can follow an action statement. One or more new lines can follow a comma separator in a named AS path set, community set, extended community set, or prefix set. A new line must appear at the end of a logical unit of policy expression and may not appear anywhere else.

Policy Definitions

Policy definitions create named sequences of policy statements. A policy definition consists of the CLI route-policy keyword followed by a name, a sequence of policy statements, and the end-policy keyword. For example, the following policy drops any route it encounters:

route-policy drop-everything

	drop

end-policy

The name serves as a handle for binding the policy to protocols. To remove a policy definition, issue the no route-policy name command.

Policies may also refer to other policies such that common blocks of policy can be reused. This reference to other policies is accomplished by using the apply statement, as shown in the following example:

route-policy check-as-1234

	if as-path passes-through `1234' then

		apply drop-everything

	else

		pass

	endif

end-policy

The apply statement indicates that the policy drop-everything should be executed if the route under consideration passed through autonomous system 1234 before it is received. If a route that has autonomous system 1234 in its AS path is received, the route is dropped; otherwise, the route is accepted without modification. This policy is an example of a hierarchical policy. Thus, the semantics of the apply statement are just as if the applied policy were cut and pasted into the applying policy:

route-policy check-as-1234-prime

 if as-path passes-through '1234' then

    drop

 else

    pass

 endif

end-policy

You may have as many levels of hierarchy as desired. However, many levels may be difficult to maintain and understand.

Parameterization

In addition to supporting reuse of policies using the apply statement, policies can be defined that allow for parameterization of some of the attributes. The following example shows how to define a parameterized policy named param-example. In this case, the policy takes one parameter, $mytag. Parameters always begin with a dollar sign and consist otherwise of any alphanumeric characters. Parameters can be substituted into any attribute that takes a parameter.

In the following example, a 16-bit community tag is used as a parameter:

route-policy param-example ($mytag)

		set community (1234:$mytag) additive

end-policy

This parameterized policy can then be reused with different parameterizations, as shown in the following example. In this manner, policies that share a common structure but use different values in some of their individual statements can be modularized. For details on which attributes can be parameterized, see the individual attribute sections.

route-policy origin-10

	if as-path originates-from `10' then

		apply param-example(10)

	else

		pass

	endif

end-policy

route-policy origin-20

	if as-path originates-from `20' then

		apply param-example(20)

	else

		pass

	endif

end-policy

The parameterized policy param-example provides a policy definition that is expanded with the values provided as the parameters in the apply statement. Note that the policy hierarchy is always maintained, Thus, if the definition of param-example changes, then the behavior of origin_10 and origin_20 changes to match.

The effect of the origin-10 policy is that it adds the community 1234:10 to all routes that pass through this policy and have an AS path indicating the route originated from autonomous system 10. The origin-20 policy is similar except that it adds to community 1234:20 for routes originating from autonomous system 20.

Semantics of Policy Application

This section discusses how routing policies are evaluated and applied. The following concepts are discussed:

•Boolean Operator Precedence

•Multiple Modifications of the Same Attribute

•When Attributes Are Modified

•Default Drop Disposition

•Control Flow

•Policy Verification

Boolean Operator Precedence

Boolean expressions are evaluated in order of operator precedence, from left to right. The highest precedence operator is not, followed by and, and then or. The following expression:

med eq 10 and not destination in (10.1.3.0/24) or community matches-any ([10..25]:35) 

if fully parenthesized to display the order of evaluation, would look like this:

(med eq 10 and (not destination in (10.1.3.0/24))) or community matches-any ([10..25]:35)

The inner not applies only to the destination test; the and combines the result of the not expression with the Multi Exit Discriminator (MED) test; and the or combines that result with the community test. If the order of operations are rearranged:

not med eq 10 and destination in (10.1.3.0/24) or community matches-any ([10..25]:35)

then the expression, fully parenthesized, would look like the following:

((not med eq 10) and destination in (10.1.3.0/24)) or community matches-any ([10..25]:35)

Multiple Modifications of the Same Attribute

When a policy replaces the value of an attribute multiple times, the last assignment wins because all actions are executed. Because the MED attribute in BGP is one unique value, the last value to which it gets set to wins. Therefore, the following policy results in a route with a MED value of 12:

set med 9

set med 10

set med 11

set med 12

This example is trivial, but the feature is not. It is possible to write a policy that effectively changes the value for an attribute. For example:

set med 8

if community matches-any cs1 then

	set local-preference 122

	if community matches-any cs2 then

		set med 12

	endif

endif

The result is a route with a MED of 8, unless the community list of the route matches both cs1 and cs2, in which case the result is a route with a MED of 12.

In the case in which the attribute being modified can contain only one value, it is easy to think of this case as the last statement wins. However, a few attributes can contain multiple values and the result of multiple actions on the attribute is cumulative rather than as a replacement. The first of these cases is the use of the additive keyword on community and extended community evaluation. Consider a policy of the form:

route-policy community-add

	set community (10:23)

	set community (10:24) additive

	set community (10:25) additive

end-policy

This policy sets the community string on the route to contain all three community values: 10:23, 10:24, and 10:25.

The second of these cases is AS path prepending. Consider a policy of the form:

route-policy prepend-example

	prepend as-path 2 3

	prepend as-path 666 2

end-policy

This policy prepends the following to the AS path (666 666 2 2 2). This prepending is a result of all actions being taken and to AS path being an attribute that contains an array of values rather than a simple scalar value.

When Attributes Are Modified

A policy does not modify route attribute values until all tests have been completed. In other words, comparison operators always run on the initial data in the route. Intermediate modifications of the route attributes do not have a cascading effect on the evaluation of the policy. Take the following example:

if	med eq 12 then

	set med 42

	if med eq 42 then

		drop

	endif

endif

This policy never executes the drop statement because the second test (med eq 42) sees the original, unmodified value of the MED in the route. Because the MED has to be 12 to get to the second test, the second test always returns false.

Default Drop Disposition

All route policies have a default action to drop the route under evaluation unless the route has been modified by a policy action or explicitly passed. Applied (nested) policies implement this disposition as though the applied policy were pasted into the point where it is applied.

Consider a policy to allow all routes in the 10 network and set their local preference to 200 while dropping all other routes. You might write the policy as follows:

route-policy two

	if destination in (10.0.0.0/8 ge 8 le 32) then

		set local-preference 200

	endif

end-policy

route-policy one

	apply two

end-policy

It may appear that policy one drops all routes because it neither contains an explicit pass statement nor modifies a route attribute. However, the applied policy does set an attribute for some routes and this disposition is passed along to policy one. The result is that policy one passes routes with destinations in network 10, and drops all others.

Control Flow

Policy statements are processed sequentially in the order in which they appear in the configuration. Policies that hierarchically reference other policy blocks are processed as if the referenced policy blocks had been directly substituted inline. For example, if the following policies are defined:

route-policy one

	set weight 100

end-policy

route-policy two

	set med 200

end-policy

route-policy three

	apply two

	set community (2:666) additive

end-policy

route-policy four

	apply one

	apply three

	pass

end-policy

Policy four could be rewritten in an equivalent way as follows:

route-policy four-equivalent

	set weight 100

	set med 200

	set community (2:666) additive

	pass

end-policy

---

Note The pass statement is not required and can be removed to represent the equivalent policy in another way.

---

Policy Verification

Several different types of verification occur when policies are being defined and used.

Range Checking

As policies are being defined, some simple verifications, such as range checking of values, is done. For example, the MED that is being set is checked to verify that it is in a proper range for the MED attribute. However, this range checking cannot cover parameter specifications because they may not have defined values yet. These parameter specifications are verified when a policy is attached to an attach point. The policy repository also verifies that there are no recursive definitions of policy, and that parameter numbers are correct. At attach time, all policies must be well formed. All sets and policies that they reference must be defined and have valid values. Likewise, any parameter values must also be in the proper ranges.

Incomplete Policy and Set References

As long as a given policy is not attached at an attach point, the policy is allowed to refer to nonexistent sets and policies, which allows for freedom of workflow. You can build configurations that reference sets or policy blocks that are not yet defined, and then can later fill in those undefined policies and sets, thereby achieving much greater flexibility in policy definition. Every piece of policy you want to reference while defining a policy need not exist in the configuration. Thus, a user can define a policy sample that references the policy bar using an apply statement even if the policy bar does not exist. Similarly, a user can enter a policy statement that refers to a nonexistent set.

However, the existence of all referenced policies and sets is enforced when a policy is attached. If you attempt to attach the policy sample with the reference to an undefined policy bar at an inbound BGP policy using the neighbor 1.2.3.4 address-family ipv4 unicast policy sample in command, the configuration attempt is rejected because the policy bar does not exist.

Likewise, you cannot remove a route policy or set that is currently in use at an attach point because this removal would result in an undefined reference. An attempt to remove a route policy or set that is currently in use results in an error message to the user.

A condition exists that is referred to as a null policy in which the policy bar exists but has no statements, actions, or dispositions in it. In other words, the policy bar does exist as follows:

route-policy bar

end-policy

This is a valid policy block. It effectively forces all routes to be dropped because it is a policy block that never modifies a route, nor does it include the pass statement. Thus, the default action of drop for the policy block is followed.

Attached Policy Modification

Policies that are in use do, on occasion, need to be modified. Traditionally, configuration changes are done by completely removing the relevant configuration and then re-entering it. However, this allows for a window of time in which no policy is attached and the default action takes place. RPL provides a mechanism for an atomic change so that if a policy is redeclared, or edited using the emacs editor, the new configuration is applied immediately, which allows for policies that are in use to be changed without having a window of time in which no policy is applied at the given attach point.

Verification of Attribute Comparisons and Actions

The policy repository knows which attributes, actions, and comparisons are valid at each attach point. When a policy is attached, these actions and comparisons are verified against the capabilities of that particular attach point. Take, for example, the following policy definition:

route-policy bad

	set med 100

	set level level-1-2

	set cost 200

end-policy

This policy attempts to perform actions to set the BGP attribute med, IS-IS attribute level, and OSPF attribute cost. The system allows you to define such a policy, but it does not allow you to attach such a policy. If you had defined the policy bad and then attempted to attach it as an inbound BGP policy using the BGP configuration statement neighbor 1.2.3.4 address-family ipv4 unicast route-policy bad in the system would reject this configuration attempt. This rejection results from the verification process checking the policy and realizing that while BGP could set the MED, it has no way of setting the level or cost as the level and cost are attributes of IS-IS and OSPF, respectively. Instead of silently omitting the actions that cannot be done, the system generates an error to the user. Likewise, a valid policy in use at an attach point cannot be modified in such a way as to introduce an attempt to modify a nonexistent attribute or to compare against a nonexistent attribute. The verifiers test for nonexistent attributes and reject such a configuration attempt.

Policy Statements

Four types of policy statements exist: remark, disposition (drop and pass), action (set), and if (comparator).

Remark

A remark is text attached to policy configuration but otherwise ignored by the policy language parser. Remarks are useful for documenting parts of a policy. The syntax for a remark is text that has each line prepended with a pound sign (#):

# This is a simple one-line remark.

# This

# is a remark

# comprising multiple

# lines. 

In general, remarks are used between complete statements or elements of a set. Remarks are not supported in the middle of statements or within an inline set definition.

Unlike traditional !-comments in the CLI, RPL remarks persist through reboots and when configurations are saved to disk or a TFTP server and then loaded back onto the router.

Disposition

By default, a route is dropped at the end of policy processing unless either the policy modifies a route attribute or it passes the route by means of an explicit pass statement. For example, the following policy drops all routes because it neither modifies the attribute of any route nor explicitly passes it.

route-policy EMPTY

end-policy

Whereas the following policies pass all routes that they evaluate.

route-policy PASS-ALL

	pass

end-policy

route-policy SET-LPREF

	set local-preference 200

end-policy

In addition to being implicitly dropped, a route may be dropped by an explicit drop statement. Drop statements cause a route to be dropped immediately so that no further policy processing is done. Note also that a drop statement overrides any previously processed pass statements or attribute modifications. For example, the following policy drops all routes. The first pass statement is executed, but is then immediately overridden by the drop statement. The second pass statement never gets executed.

route-policy DROP-EXAMPLE

	pass

	drop

	pass

end-policy

When one policy applies another, it is as if the applied policy were copied into the right place in the applying policy, and then the same drop-and-pass semantics are put into effect. For example, policies ONE and TWO are equivalent to policy ONE-PRIME:

route-policy ONE

	apply route-policy two

	if as-path neighbor-is '123' then

		pass

	endif

end-policy

route-policy TWO

	if destination in (10.0.0.0/16 le 32) then

		drop

	endif

end-policy

route-policy ONE-PRIME

	if destination in (10.0.0.0/16 le 32) then

		drop

	endif    

	if as-path neighbor-is '123' then

		pass

	endif

end-policy

Because the effect of an explicit drop statement is immediate, routes in 10.0.0.0/16 le 32 are dropped without any further policy processing. Other routes are then considered to see if they were advertised by autonomous system 123. If they were advertised, they are passed; otherwise, they are implicitly dropped at the end of all policy processing.

Action

An action is a sequence of primitive operations that modify a route. Most actions, but not all, are distinguished by the set keyword. In a route policy, actions can be grouped together. For example, the following is a route policy comprising three actions:

route-policy actions

	set med 217

	set community (12:34) additive

	delete community in (12:56)

end-policy

If

In its simplest form, an if statement uses a conditional expression to decide which actions or dispositions should be taken for the given route. For example:

if as-path in as-path-set-1 then 

	drop 

endif

The example indicates that any routes whose AS path is in the set as-path-set-1 are dropped. The contents of the then clause may be an arbitrary sequence of policy statements.

The following example contains two action statements:

if origin is igp then

	set med 42

	prepend as-path 73 5

endif

The CLI provides support for the exit command as an alternative to the endif command.

The if statement also permits an else clause, which is executed if the if condition is false:

if med eq 8 then

	set community (12:34) additive

else

	set community (12:56) additive

endif

The policy language also provides syntax, using the elseif keyword, to string together a sequence of tests:

if med eq 150 then

	set local-preference 10

elseif med eq 200 then

	set local-preference 60

elseif med eq 250 then

	set local-preference 110

else

	set local-preference 0

endif

The statements within an if statement may themselves be if statements, as shown in the following example:

if community matches-any (12:34,56:78) then

	if med eq 150 then

		drop

	endif

	set local-preference 100

endif

This policy example sets the value of the local preference attribute to 100 on any route that has a community value of 12:34 or 56:78 associated with it. However, if any of these routes has a MED value of 150, then these routes with either the community value of 12:34 or 56:78 and a MED of 150 are dropped.

Boolean Conditions

In the previous section describing the if statement, all of the examples use simple Boolean conditions that evaluate to either true or false. RPL also provides a way to build compound conditions from simple conditions by means of Boolean operators.

Three Boolean operators exist: negation (not), conjunction (and), and disjunction (or). In the policy language, negation has the highest precedence, followed by conjunction, and then by disjunction. Parentheses may be used to group compound conditions to override precedence or to improve readability.

The following simple condition:

med eq 42

is true only if the value of the MED in the route is 42, otherwise it is false.

A simple condition may also be negated using the not operator:

not next-hop in (10.0.2.2)

Any Boolean condition enclosed in parentheses is itself a Boolean condition:

(destination in prefix-list-1)

A compound condition takes either of two forms. It can be a simple expression followed by the and operator, itself followed by a simple condition:

med eq 42 and next-hop in (10.0.2.2)

A compound condition may also be a simpler expression followed by the or operator and then another simple condition:

origin is igp or origin is incomplete

An entire compound condition may be enclosed in parentheses:

(med eq 42 and next-hop in (10.0.2.2))

The parentheses may serve to make the grouping of subconditions more readable, or they may force the evaluation of a subcondition as a unit.

In the following example, the highest-precedence not operator applies only to the destination test, the and operator combines the result of the not expression with the community test, and the or operator combines that result with the MED test.

med eq 10 or not destination in (10.1.3.0/24) and community matches-any 
([12..34]:[56..78])

With a set of parentheses to express the precedence, the result is the following:

med eq 10 or ((not destination in (10.1.3.0/24)) and community matches-any 
([12..34]:[56..78])

The following is another example of a complex expression:

(origin is igp or origin is incomplete or not med eq 42) and next-hop in (10.0.2.2)

The left conjunction is a compound condition enclosed in parentheses. The first simple condition of the inner compound condition tests the value of the origin attribute; if it is Interior Gateway Protocol (IGP), then the inner compound condition is true. Otherwise, the evaluation moves on to test the value of the origin attribute again, and if it is incomplete, then the inner compound condition is true. Otherwise, the evaluation moves to check the next component condition, which is a negation of a simple condition.

apply

As discussed in the sections on policy definitions and parameterization of policies, the apply command executes another policy (either parameterized or unparameterized) from within another policy, which allows for the reuse of common blocks of policy. When combined with the ability to parameterize common blocks of policy, the apply command becomes a powerful tool for reducing repetitive configuration.

Attach Points

Policies do not become useful until they are applied to routes, and for policies to be applied to routes they need to be made known to routing protocols. In BGP, for example, there are several situations where policies can be used, the most common of these is defining import and export policy. The policy attach point is the point in which an association is formed between a specific protocol entity, in this case a BGP neighbor, and a specific named policy. It is important to note that a verification step happens at this point. Each time a policy is attached, the given policy and any policies it may apply are checked to ensure that the policy can be validly used at that attach point. For example, if a user defines a policy that sets the IS-IS level attribute and then attempts to attach this policy as an inbound BGP policy, the attempt would be rejected because BGP routes do not carry IS-IS attributes. Likewise, when policies are modified that are in use, the attempt to modify the policy is verified against all current uses of the policy to ensure that the modification is compatible with the current uses.

Each protocol has a distinct definition of the set of attributes (commands) that compose a route. For example, BGP routes may have a community attribute, which is undefined in OSPF. Routes in IS-IS have a level attribute, which is unknown to BGP. Routes carried internally in the RIB may have a tag attribute.

When a policy is attached to a protocol, the protocol checks the policy to ensure the policy operates using route attributes known to the protocol. If the protocol uses unknown attributes, then the protocol rejects the attachment. For example, OSPF rejects attachment of a policy that tests the values of BGP communities.

The situation is made more complex by the fact that each protocol has access to at least two distinct route types. In addition to native protocol routes, for example BGP or IS-IS, some protocol policy attach points operate on RIB routes, which is the common central representation. Using BGP as an example, the protocol provides an attach point to apply policy to routes redistributed from the RIB to BGP. An attach point dealing with two different kinds of routes permits a mix of operations: RIB attribute operations for matching and BGP attribute operations for setting.

---

Note The protocol configuration rejects attempts to attach policies that perform unsupported operations.

---

The following sections describe the protocol attach points, including information on the attributes (commands) and operations that are valid for each attach point.

•BGP Policy Attach Points

•OSPF Policy Attach Points

•OSPFv3 Policy Attach Points

•IS-IS Policy Attach Points

See the Cisco IOS XR Routing Command Reference for more information on the attributes and operations.

BGP Policy Attach Points

This section describes each of the BGP policy attach points and provides a summary of the BGP attributes and operators.

Aggregation

The aggregation attach point generates an aggregate route to be advertised based on the conditional presence of subcomponents of that aggregate. Policies attached at this attach point are also able to set any of the valid BGP attributes on the aggregated routes. For example, the policy could set a community value or a MED on the aggregate that is generated. The specified aggregate is generated if any routes evaluated by the named policy pass the policy. More specifics of the aggregate are filtered using the suppress-route keyword. Any actions taken to set attributes in the route affect attributes on the aggregate.

In the policy language, the configuration is controlled by which routes pass the policy. The suppress map was used to selectively filter or suppress specific components of the aggregate when the summary-only flag is not set. In other words, when the aggregate and more specific components are being sent, some of the more specific components can be filtered using a suppress map. In the policy language, this is controlled by selecting the route and setting the suppress flag. The attribute-map allowed the user to set specific attributes on the aggregated route. In the policy language, setting attributes on the aggregated route is controlled by normal action operations.

In the following example, the aggregate address 10.0.0.0/8 is generated if there are any component routes in the range 10.0.0.0/8 ge 8 le 25 except for 10.2.0.0/24. Because summary-only is not set, all components of the aggregate are advertised. However, the specific component 10.1.0.0 are suppressed.

route-policy sample

	if destination in (10.0.0.0/8 ge 8 le 25) then

		set community (10:33)

	endif

	if destination in (10.2.0.0/24) then

		drop

	endif

	if destination in (10.1.0.0/24) then

		 suppress-route

	endif

end-policy

router bgp 2

address-family ipv4

	aggregate-address 10.0.0.0/8 policy sample

	.

	.

	.

Dampening

The dampening attach point controls the default route-dampening behavior within BGP. Unless overridden by a more specific policy on the associate peer, all routes in BGP apply the associated policy to set their dampening attributes.

The following policy sets dampening values for BGP IPv4 unicast routes. Those routes that are more specific than a /25 take longer to recover after they have been dampened than routes that are less specific than /25.

route-policy sample_damp

	if destination in (0.0.0.0/0 ge 25) then

		set dampening halflife 30 others default

	else

		set dampening halflife 20 others default

	endif

end-policy

router bgp 2

	address-family ipv4 unicast

		bgp dampening policy sample_damp

		.

		.

		.

Default Originate

The default originate attach point allows the default route (0.0.0.0/0) to be conditionally generated and advertised to a peer, based on the presence of other routes. It accomplishes this configuration by evaluating the associated policy against routes in the Routing Information Base (RIB). If any routes pass the policy, the default route is generated and sent to the relevant peer.

The following policy generates and sends a default-route to the BGP neighbor 10.0.0.1 if any routes that match 10.0.0.0/8 ge 8 le 32 are present in the RIB.

route-policy sample-originate

	if rib-has-route in (10.0.0.0/8 ge 8 le 32) then

		pass

	endif

end-policy

router bgp 2

	neighbor 10.0.0.1

			remote-as 3

			address-family ipv4 unicast

			default-originate policy sample-originate

			.

			.

			.

---

Note The current implementation of default origination policy permits matching only on destination address.

---

Neighbor Export

The neighbor export attach point selects the BGP routes to send to a given peer or group of peers. The routes are selected by running the set of possible BGP routes through the associated policy. Any routes that pass the policy are then sent as updates to the peer or group of peers. The routes that are sent may have had their BGP attributes altered by the policy that has been applied.

The following policy sends all BGP routes to neighbor 10.0.0.5. Routes that are tagged with any community in the range 2:100 to 2:200 are sent with a MED of 100 and a community of 2:666. The rest of the routes are sent with a MED of 200 and a community of 2:200.

route-policy sample-export

	if community matches-any (2:[100-200]) then

		set med 100

		set community (2:666)

	else

		set med 200

		set community (2:200)

	endif

end-policy

router bgp 2

	neighbor 10.0.0.5

	remote-as 3

	address-family ipv4 unicast

		route-policy sample-export out

		.

		.

		.

Neighbor Import

The neighbor import attach point controls the reception of routes from a specific peer. All routes that are received by a peer are run through the attached policy. Any routes that pass the attached policy are passed to the BGP Routing Information Base (BRIB) as possible candidates for selection as best path routes.

When a BGP import policy is modified, it is necessary to rerun all the routes that have been received from that peer against the new policy. The modified policy may now discard routes that were previously allowed through, allow through previously discarded routes, or change the way the routes are modified. A new configuration option in BGP (bgp auto-policy-soft-reset) that allows this modification to happen automatically in cases for which either soft reconfiguration is configured or the BGP route-refresh capability has been negotiated.

The following example shows how to receive routes from neighbor 10.0.0.1. Any routes received with the community 3:100 have their local preference set to 100 and their community tag set to 2:666. All other routes received from this peer have their local preference set to 200 and their community tag set to 2:200.

route-policy sample_import

	if community matches-any (3:100) then

		set local-preference 100

		set community (2:666)

	else

		set local-preference 200

		set community (2:200)

	endif

end-policy

router bgp 2

	neighbor 10.0.0.1

		remote-as 3

		address-family ipv4 unicast

			route-policy sample_import in

			.

			.

			.

Network

The network attach point controls the injection of routes from the RIB into BGP. A route policy attached at this point is able to set any of the valid BGP attributes on the routes that are being injected.

The following example shows a route policy attached at the network attach point that sets the well-known community no-export for any routes more specific than /24:

route-policy NetworkControl

   if destination in (0.0.0.0/0 ge 25) then

      set community (no-export) additive

   endif

end-policy

router bgp 2

    address-family ipv4 unicast

    network 172.16.0.5/27 route-policy NetworkControl

Redistribute

The redistribute attach point allows routes from other sources to be advertised by BGP. The policy attached at this point is able to set any of the valid BGP attributes on the routes that are being redistributed. Likewise, selection operators allow a user to control what route sources are being redistributed and which routes from those sources.

The following example shows how to redistribute all routes from OSPF instance 12 into BGP. If OSPF were carrying a default route, it is dropped. Routes carrying a tag of 10 have their local preference set to 300 and the community value of 2:666 and no-advertise attached. All other routes have their local preference set to 200 and a community value of 2:100 set.

route-policy sample_redistribute

	if destination in (0.0.0.0/0) then

		drop

	endif

	if tag eq 10 then

		set local-preference 300

		set community (2:666, no-advertise)

	else

		set local-preference 200

		set community (2:100)

	endif

end-policy

router bgp 2

	address-family ipv4 unicast

		redistribute ospf 12 route-policy sample_redistribute

		.

		.

Show bgp

The show bgp attach point allows the user to display selected BGP routes that pass the given policy. Any routes that are not dropped by the attached policy are displayed in a manner similar to the output of the show ip bgp command.

In the following example, the show bgp route-policy command is used to display any BGP routes carrying a MED of 5:

route-policy sample-display

	if med eq 5 then

		pass

	endif

end-policy

!

show bgp route-policy sample-display

A show bgp policy route-policy command also exists, which runs all routes in the RIB past the named policy as if the RIB were an outbound BGP policy. This command then displays what each route looked like before it was modified and after it was modified, as shown in the following example:

RP/0/RP0/CPU0:router# show rpl route-policy test2

route-policy test2

  if (destination in  (10.0.0.0/8 ge 8 le 32)) then

    set med 333

  endif

end-policy

!

RP/0/RP0/CPU0:router# show bgp

BGP router identifier 10.0.0.1, local AS number 2

BGP main routing table version 11

BGP scan interval 60 secs

Status codes:s suppressed, d damped, h history, * valid, > best

              i - internal, S stale

Origin codes:i - IGP, e - EGP, ? - incomplete

   Network            Next Hop            Metric LocPrf Weight Path

*> 10.0.0.0           10.0.1.2                10             0 3 ?

*> 10.0.0.0/9         10.0.1.2                10             0 3 ?

*> 10.0.0.0/10        10.0.1.2                10             0 3 ?

*> 10.0.0.0/11        10.0.1.2                10             0 3 ?

*> 10.1.0.0/16        10.0.1.2                10             0 3 ?

*> 10.3.30.0/24       10.0.1.2                10             0 3 ?

*> 10.3.30.128/25     10.0.1.2                10             0 3 ?

*> 10.128.0.0/9       10.0.1.2                10             0 3 ?

*> 10.255.0.0/24      10.0.101.2            1000    555      0 100 e

*> 10.255.64.0/24     10.0.101.2            1000    555      0 100 e

....

RP/0/RP0/CPU0:router# show bgp policy route-policy test2

10.0.0.0/8 is advertised to 10.0.101.2

  Path info:

    neighbor:10.0.1.2        neighbor router id:10.0.1.2

    valid  external  best  

  Attributes after inbound policy was applied:

    next hop:10.0.1.2

    MET ORG AS 

    origin:incomplete  neighbor as:3  metric:10  

    aspath:3

  Attributes after outbound policy was applied:

    next hop:10.0.1.2

    MET ORG AS 

    origin:incomplete  neighbor as:3  metric:333  

    aspath:2 3

	...

Table Policy

The table policy attach point allows the user to configure traffic-index values on routes as they are installed into the global routing table. This attach point supports the BGP policy accounting feature. BGP policy accounting uses the traffic indexes that are set on the BGP routes to track various counters. This way, router operators can select different sets of BGP route attributes using the matching operations and then set different traffic indexes for each different class of route they are interested in tracking.

The following example shows how to set the traffic index to 10 in IPv4 unicast routes that originated from autonomous system 10. Likewise, any IPv4 unicast routes that originated from autonomous system 11 have their traffic index set to 11 when they are installed into the FIB. These traffic indexes are then used to count traffic being forwarded on these routes in line cards by enabling the BGP policy accounting counters on the interfaces of interest.

route-policy sample-table

	if as-path originates-from `10' then

		set traffic-index 10

	elseif as-path originates-from `11' then

		set traffic-index 11

	endif

end-policy

router bgp 2

	address-family ipv4 unicast

		table-policy sample-table

		.

		.

		.

BGP Attributes and Operators

Table 3 summarizes the BGP attributes and operators.

Table 3 BGP Attributes and Operators 

Attribute	Match	Set
as-path	in is-local length neighbor-is originates-from passes-though unique-length	prepend
community	is-empty matches-any matches-every	delete set
dampening	n/a	set dampening... to set values that control the dampening (see Dampening)
destination	in	n/a
extended community	is-empty matches-any matches-every	delete set
local-preference	n/a	set
med	is, eq, ge, le	set set + set -
next-hop	in	set
origin	is	set
rib-has-route	in	n/a
route-type	is	n/a
source	in	n/a
suppress-route	n/a	suppress-route
tag	is, eq, ge, le	set
traffic-index	n/a	set
unsuppress-route	n/a	unsuppress-route
weight	n/a	set

Some BGP route attributes are inaccessible from some BGP attach points for various reasons. For example, the set med igp-cost only command makes sense when there is a configured igp-cost to provide a source value. Table 4 summarizes which operations are valid and where they are valid.

Table 4 Restricted BGP Operations by Attach Point

	import	export	aggregation	redistribution
prepend as-path	eBGP only	eBGP only	n/a	n/a
set med igp-cost	forbidden	eBGP only	forbidden	forbidden
set weight	n/a	forbidden	n/a	n/a
suppress	forbidden	forbidden	n/a	forbidden

OSPF Policy Attach Points

This section describes each of the OSPF policy attach points and provides a summary of the OSPF attributes and operators.

Default Originate

The default originate attach point allows the user to conditionally inject the default route 0.0.0.0/0 into the OSPF link-state database, which is done by evaluating the attached policy. If any routes in the local RIB pass the policy, then the default route is inserted into the link-state database.

The following example shows how to generate a default route if any of the routes that match 10.0.0.0/8 ge 8 le 25 are present in the RIB:

route-policy ospf-originate

	if rib-has-route in (10.0.0.0/8 ge 8 le 25) then

		pass

	endif

end-policy

router ospf 1

	default-information originate policy ospf-originate

	.

	.

	.

Redistribute

The redistribute attach point within OSPF injects routes from other routing protocol sources into the OSPF link-state database, which is done by selecting the route types it wants to import from each protocol. It then sets the OSPF parameters of cost and metric type. The policy can control how the routes are injected into OSPF by using the set level command.

The following example shows how to redistribute routes from IS-IS instance instance_10 into OSPF instance 1 using the policy OSPF-redist. The policy sets the metric type to type-2 for all redistributed routes. IS-IS routes with a tag of 10 have their cost set to 100, and IS-IS routes with a tag of 20 have their OSPF cost set to 200. Any IS-IS routes not carrying a tag of either 10 or 20 are not be redistributed into the OSPF link-state database.

route-policy OSPF-redist

	set metric-type type-2

	if tag eq 10 then

		set cost 100

	elseif tag eq 20 then

		set cost 200

	else

		drop

	endif

end-policy

router ospf 1

	redistribute isis instance_10 policy OSPF-redist

	.

	.

	.

OSPF Attributes and Operators

Table 5 summarizes the OSPF attributes and operators.

Table 5 OSPF Attributes and Operators 

Attribute	Match	Set
cost	n/a	set
destination	in	n/a
metric-type	n/a	set
rib-has-route	in	n/a
route-type	is	n/a
tag	eq, ge, le	set

OSPFv3 Policy Attach Points

This section describes each of the OSPFv3 policy attach points and provides a summary of the BGP attributes and operators.

Default Originate

The default originate attach point allows the user to conditionally inject the default route 0::/0 into the OSPFv3 link-state database, which is done by evaluating the attached policy. If any routes in the local RIB pass the policy, then the default route is inserted into the link-state database.

The following example shows how to generate a default route if any of the routes that match 2001::/96 are present in the RIB:

route-policy ospfv3-originate

	if rib-has-route in (2001::/96) then

		pass

	endif

end-policy

router ospfv3 1

	default-information originate policy ospfv3-originate

	.

	.

	.

Redistribute

The redistribute attach point within OSPFv3 injects routes from other routing protocol sources into the OSPFv3 link-state database, which is done by selecting the route types it wants to import from each protocol. It then sets the OSPFv3 parameters of cost and metric type. The policy can control how the routes are injected into OSPFv3 by using the metric type command.

The following example shows how to redistribute routes from BGP instance instance_15 into OSPF instance 1 using the policy OSPFv3-redist. The policy sets the metric type to type-2 for all redistributed routes. BGP routes with a tag of 10 have their cost set to 100, and BGP routes with a tag of 20 have their OSPFv3 cost set to 200. Any BGP routes not carrying a tag of either 10 or 20 are not be redistributed into the OSPFv3 link-state database.

route-policy OSPFv3-redist

	set metric-type type-2

	if tag eq 10 then

		set cost 100

	elseif tag eq 20 then

		set cost 200

	else

		drop

	endif

end-policy

router ospfv3 1

	redistribute bgp instance_15 policy OSPFv3-redist

	.

	.

	.

OSPFv3 Attributes and Operators

Table 6 summarizes the OSPFv3 attributes and operators.

Table 6 OSPFv3 Attributes and Operators 

Attribute	Match	Set
cost	n/a	set
destination	in	n/a
metric-type	n/a	set
rib-has-route	in	n/a
route-type	is	n/a
tag	eq, ge, le	set

IS-IS Policy Attach Points

This section describes each of the IS-IS policy attach points and provides a summary of the BGP attributes and operators.

Redistribute

The redistribute attach point within IS-IS allows routes from other protocols to be readvertised by IS-IS. The policy is a set of control structures for selecting the types of routes that a user wants to redistribute into IS-IS. The policy can also control which IS-IS level the routes are injected into and at what metric values.

The following example shows how to redistribute routes from IS-IS instance 1 into IS-IS instance instance_10 using the policy ISIS-redist. This policy sets the level to level-1-2 for all redistributed routes. OSPF routes with a tag of 10 have their metric set to 100, and IS-IS routes with a tag of 20 have their IS-IS metric set to 200. Any IS-IS routes not carrying a tag of either 10 or 20 are not be redistributed into the IS-IS database.

route-policy ISIS-redist

	set level level-1-2

	if tag eq 10 then

		set metric 100

	elseif tag eq 20 then

		set metric 200

	else

		drop

	endif

end-policy

router isis instance_10

	address-family ipv4 unicast

		redistribute ospf 1 policy ISIS-redist

		.

		.

		.

IS-IS Attributes and Operators

Table 7 summarizes the IS-IS attributes and operators.

Table 7 IS-IS Attributes and Operators 

Attribute	Match	Set
Destination	in	n/a
Level	n/a	set
metric	n/a	set
metric-type	n/a	set
rib-has-route	in	n/a
route-type	is	n/a
tag	eq, ge, le	n/a

Attached Policy Modification

Policies that are in use do, on occasion, need to be modified. In the traditional configuration model, a policy modification would be done by completely removing the policy and re-entering it. However, this model allows for a window of time in which no policy is attached and default actions to be used, which is an opportunity for inconsistencies to exist. To close this window of opportunity, you can modify a policy in use at an attach point by respecifying it, which allows for policies that are in use to be changed, without having a window of time in which no policy is applied at the given attach point.

---

Note A route policy or set that is in use at an attach point cannot be removed because this removal would result in an undefined reference. An attempt to remove a route policy or set that is in use at an attach point results in an error message to the user.

---

Nonattached Policy Modification

As long as a given policy is not attached at an attach point, the policy is allowed to refer to nonexistent sets and policies. Configurations can be built that reference sets or policy blocks that are not yet defined, and then later those undefined policies and sets can be filled in. This method of building configurations gives much greater flexibility in policy definition. Every piece of policy you want to reference while defining a policy need not exist in the configuration. Thus, you can define a policy sample1 that references a policy sample2 using an apply statement even if the policy sample2 does not exist. Similarly, you can enter a policy statement that refers to a nonexistent set.

However, the existence of all referenced policies and sets is enforced when a policy is attached. Thus, if a user attempts to attach the policy sample1 with the reference to an undefined policy sample2 at an inbound BGP policy using the statement neighbor 1.2.3.4 address-family ipv4 unicast policy sample1 in, the configuration attempt is rejected because the policy sample2 does not exist.

Editing Routing Policy Configuration Elements

RPL is based on statements rather than on lines. That is, within the begin-end pair that brackets policy statements from the CLI, a new line is merely a separator, the same as a space character.

The CLI provides the means to enter and delete route policy statements. RPL provides a means to edit the contents of the policy between the begin-end brackets using a microemacs editor.

Editing Routing Policy Configuration Elements Using the EMACS Editor

To edit the contents of a routing policy, use the following CLI command in EXEC mode:

edit {route-policy | prefix-set | as-path-set | community-set | extended-community-set} 
name 

A copy of the route policy is copied to a temporary file and the editor is launched. After editing, save the changes by using the save-buffer command, C-X C-S (Control-X Control-S). To exit the editor, use the quit command, Control-X Control-C. When you quit the editor, the buffer is committed. If there are no parse errors, the configuration is committed:

RP/0/RP0/CPU0:router# edit route-policy policy_A

----------------------------------------

== MicroEMACS 3.8b () == rpl_edit.139281 ==

  if destination in (2001::/8) then

    drop

  endif

end-policy

!

== MicroEMACS 3.8b () == rpl_edit.139281 ==

Parsing.

83 bytes parsed in 1 sec (82)bytes/sec

Committing.

1 items committed in 1 sec (0)items/sec

Updating.

Updated Commit database in 1 sec

RP/0/RP0/CPU0:router#

If there are parse errors, you are asked whether editing should continue:

RP/0/RP0/CPU0:router#edit route-policy policy_B

== MicroEMACS 3.8b () == rpl_edit.141738

route-policy policy_B

 set metric-type type_1

 if destination in (2001::/8) then

    drop

  endif  

end-policy

!

== MicroEMACS 3.8b () == rpl_edit.141738 ==

Parsing.

105 bytes parsed in 1 sec (103)bytes/sec

% Syntax/Authorization errors in one or more commands.!! CONFIGURATION 

FAILED DUE TO SYNTAX/AUTHORIZATION ERRORS

 set metric-type type_1

 if destination in (2001::/8) then

    drop

  endif

end-policy

!

Continue editing? [no]:

If you answer yes, the editor continues on the text buffer from where you left off. If you answer no, the running configuration is not changed and the editing session is ended.

Editing Routing Policy Configuration Elements Using the CLI

The CLI allows you to enter and delete route policy statements. You can complete a policy configuration block by entering applicable commands such as end-policy or end-set. Alternatively, the CLI interpreter allows you to use the exit command to complete a policy configuration block. The abort command is used to discard the current policy configuration and return to global configuration mode.

How to Implement Routing Policy

This section contains the following procedures:

•Defining a Route Policy (required)

•Attaching a Routing Policy to a BGP Neighbor (required)

•Modifying a Routing Policy Using the Microemacs Editor (optional)

Defining a Route Policy

This task explains how to define a route policy.

---

Note If you want to modify an existing routing policy using the command-line interface (CLI), you must redefine the policy by completing this task.

---

SUMMARY STEPS

1. configure

2. route-policy name

3. end-policy

4. end
or
commit

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure Example: RP/0/RP0/CPU0:router# configure	Enters global configuration mode.
Step 2	route-policy name Example: RP/0/RP0/CPU0:router(config)# route-policy sample1	Enters route-policy configuration mode. •After the route-policy has been entered, a group of commands can be entered to define the route-policy.
Step 3	end-policy Example: RP/0/RP0/CPU0:router(config-rpl)# end-policy	Ends the definition of a route policy and exits route-policy configuration mode.
Step 4	end or commit Example: RP/0/RP0/CPU0:router(config)# end or RP/0/RP0/CPU0:router(config)# commit	Saves configuration changes. •When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]: –Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. –Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. –Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Attaching a Routing Policy to a BGP Neighbor

This task explains how to attach a routing policy to a BGP neighbor. The procedure to attach a routing policy to an IS-IS or OSPF neighbor is the same as BGP, except that the commands and applicable arguments vary.

Prerequisites

A routing policy must be preconfigured and well defined prior to it being applied at an attach point. If a policy is not predefined, an error message is generated stating that the policy is not defined.

SUMMARY STEPS

1. configure

2. router bgp as-number

3. neighbor ip-address

4. address-family {ipv4 | ipv6} {multicast | unicast}

5. route-policy route-policy-name {in | out}

6. end
or
commit

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure Example: RP/0/RP0/CPU0:router# configure	Enters global configuration mode.
Step 2	router bgp as-number Example: RP/0/RP0/CPU0:router(config)# router bgp 125	Configures a BGP routing process and enters router configuration mode. •The as-number argument identifies the autonomous system in which the router resides. Valid values are from 0 to 65535. Private autonomous system numbers that can be used in internal networks range from 64512 to 65535.
Step 3	neighbor ip-address Example: RP/0/RP0/CPU0:router(config-bgp)# neighbor 10.0.0.20	Specifies a neighbor IP address.
Step 4	address-family {ipv4 | ipv6} {multicast | unicast} Example: RP/0/RP0/CPU0:router(config-bgp-nbr)# address-family ipv4 unicast	Specifies the address family, the version of IP that is in use, and either multicast or unicast. •Enters address family configuration mode.
Step 5	route-policy policy-name {in | out} Example: RP/0/RP0/CPU0:router(config-bgp-nbr-af)# route-policy example1 in	Attaches the route-policy, which must be well formed and predefined.
Step 6	end or commit Example: RP/0/RP0/CPU0:router(config-bgp-nbr-af)# end or RP/0/RP0/CPU0:router(config-bgp-nbr-af)# commit	Saves configuration changes. •When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]: –Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. –Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. –Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Modifying a Routing Policy Using the Microemacs Editor

This task explains how to modify an existing routing policy using the microemacs editor.

SUMMARY STEPS

1. edit {route-policy | prefix-set | as-path-set | community-set | extended-community-set} name

2. show rpl route-policy name [detail]

3. show rpl prefix-set name

DETAILED STEPS

	Command or Action	Purpose
Step 1	edit {route-policy | prefix-set | as-path-set | community-set | extended-community-set} name Example: RP/0/RP0/CPU0:router# edit route-policy sample1	Identifies the route policy, prefix set, AS path set, community set, or extended community set name to be modified. •A copy of the route policy, prefix set, AS path set, community set, or extended community set is copied to a temporary file and the microemacs editor is launched. When you finish editing the policy or set, save the changes by using the save-buffer command, ^X^S (Control-X Control-S). To commit the changed configuration: •save the buffer (Control-X Control-S) •exit MicroEmacs (Control-X Control-C)
Step 2	show rpl route-policy name [detail] Example: RP/0/RP0/CPU0:router# show rpl route-policy sample2	(Optional) Displays the configuration of a specific named route policy. •Use the detail keyword to display all policies and sets that a policy uses.
Step 3	show rpl prefix-set name Example: RP/0/RP0/CPU0:router# show rpl prefix-set prefixset1	(Optional) Displays the contents of a named prefix set. •To display the contents of a named AS path set, community set, or extended community set, replace the prefix-set keyword with as-path-set, community-set, or extcommunity-set, respectively.

Configuration Examples for Implementing Routing Policy

This section provides the following configuration examples:

•Routing Policy Definition: Example

•Simple Inbound Policy: Example

•Modular Inbound Policy: Example

•Translating Cisco IOS Route Maps to Cisco IOS XR Routing Policy Language: Example

Routing Policy Definition: Example

In the following example, a BGP route policy named sample1 is defined using the route-policy name command. The policy compares the network layer reachability information (NLRI) to the elements in the prefix set test. If it evaluates to true, the policy performs the operations in the then clause. If it evaluates to false, the policy performs the operations in the else clause, that is, sets the MED value to 200 and adds the community 2:100 to the route. The final steps of the example commit the configuration to the router, exit configuration mode, and display the contents of route policy sample1.

configure

	route-policy sample1

       if destination in test then

         drop

       else

         set med 200

         set community (2:100) additive

       endif

    end-policy

    end

show config running route-policy sample1

Building configuration...

    route-policy sample1

       if destination in test then

         drop

       else

         set med 200

         set community (2:100) additive

       endif

    end-policy

Simple Inbound Policy: Example

The following policy discards any route whose network layer reachability information (NLRI) specifies a prefix longer than /24, and any route whose NLRI specifies a destination in the address space reserved by RFC 1918. For all remaining routes, it sets the MED and local preference, and adds a community to the list in the route.

For routes whose community lists include any values in the range from 101:202 to 106:202 that have a 16-bit tag portion containing the value 202, the policy prepends autonomous system number 2 twice, and adds the community 2:666 to the list in the route. Of these routes, if the MED is either 666 or 225, then the policy sets the origin of the route to incomplete, and otherwise sets the origin to IGP.

For routes whose community lists do not include any of the values in the range from 101:202 to 106:202, the policy adds the community 2:999 to the list in the route.

prefix-set too-specific

	0.0.0.0/0 ge 25 le 32

end-set

prefix-set rfc1918

	10.0.0.0/8 le 32,

	172.16.0.0/12 le 32,

	192.168.0.0/16 le 32

end-set

route-policy inbound-tx

	if destination in too-specific or destination in rfc1918 then

		drop

	endif

	set med 1000

	set local-preference 90

	set community (2:1001) additive

	if community matches-any ([101..106]:202) then

		prepend as-path 2 2

		set community (2:666) additive

		if med is 666 or med is 225 then

			set origin incomplete

		else

			set origin igp

		endif

	else

		set community (2:999) additive

	endif

end-policy

router bgp 2

	neighbor 10.0.1.2 address-family ipv4 unicast route-policy inbound-tx in

Modular Inbound Policy: Example

The following policy example shows how to build two inbound policies, in-100 and in-101, for two different peers. In building the specific policies for those peers, the policy reuses some common blocks of policy that may be common to multiple peers. It builds a few basic building blocks, the policies common-inbound, filter-bogons, and set-lpref-prepend.

The filter-bogons building block is a simple policy that filters all undesirable routes, such as those from the RFC 1918 address space. The policy set-lpref-prepend is a utility policy that can set the local preference and prepend the AS path according to parameterized values that are passed in. The common-inbound policy uses these filter-bogons building blocks to build a common block of inbound policy. The common-inbound policy is used as a building block in the construction of in-100 and in-101 along with the set-lpref-prepend building block.

This is a simple example that illustrates the modular capabilities of the policy language.

prefix-set bogon

  10.0.0.0/8 ge 8 le 32,

  0.0.0.0,

  0.0.0.0/0 ge 27 le 32,

  192.168.0.0/16 ge 16 le 32

end-set

!

route-policy in-100

  apply common-inbound

  if community matches-any ([100..120]:135) then

    apply set-lpref-prepend (100,100,2)

    set community (2:1234) additive

  else

    set local-preference 110

  endif

  if community matches-any ([100..666]:[100..999]) then

    set med 444

    set local-preference 200

    set community (no-export) additive

  endif

end-policy

!

route-policy in-101

  apply common-inbound

  if community matches-any ([101..200]:201) then

    apply set-lpref-prepend(100,101,2)

    set community (2:1234) additive

  else

    set local-preference 125

  endif

end-policy

!

route-policy filter-bogons

  if destination in bogon then

		drop

	else 

		pass

  endif

end-policy

!

route-policy common-inbound

  apply filter-bogons

  set origin igp

  set community (2:333)

end-policy

!

route-policy set-lpref-prepend($lpref,$as,$prependcnt)

  set local-preference $lpref

  prepend as-path $as $prependcnt

end-policy

Translating Cisco IOS Route Maps to Cisco IOS XR Routing Policy Language: Example

RPL performs the same functions as route-maps. See the Converting Cisco IOS Configurations to Cisco IOS XR Configurations guide.

Additional References

The following sections provide references related to implementing RPL.

Related Documents

Related Topic	Document Title
Routing policy language commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples	Routing Policy Language Commands on Cisco IOS XR Software, Release 3.2
Regular expression syntax	"Understanding Regular Expressions, Special Characters and Patterns" appendix in the Cisco IOS XR Getting Started Guide

Standards

Standards	Title
Draft-ietf-idr-bgp4-26.txt	A Border Gateway Protocol 4, by Y. Rekhter, T.Li, S. Hares

MIBs

MIBs	MIBs Link
There are no applicable MIBs for this module.	To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs	Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.	—

Technical Assistance

Description	Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/techsupport