github.com/osrg/gobgp@v2.0.0+incompatible/docs/sources/policy.md

     1  # Policy Configuration
     2  
     3  This page explains the GoBGP policy feature for controlling route
     4  advertisement. Other BGP implementations may call this feature a
     5  Route Map.
     6  
     7  We give an overview first, then the details.
     8  
     9  ## Prerequisites
    10  
    11  This page assumes that you have finished [Getting Started](getting-started.md).
    12  
    13  ## Contents
    14  
    15  - [Overview](#overview)
    16  - [Policy Model](#policy-model)
    17  - [Route Server Policy Model](#route-server-policy-model)
    18  - [Policy Structure](#policy-structure)
    19  - [Configure Policies](#configure-policies)
    20    - [Defining defined-sets](#1-defining-defined-sets)
    21    - [Defining bgp-defined-sets](#2-defining-bgp-defined-sets)
    22    - [Defining policy-definitions](#3-defining-policy-definitions)
    23    - [Attaching policy](#4-attaching-policy)
    24      - [Attach policy to global rib](#41-attach-policy-to-global-rib)
    25      - [Attach policy to route-server-client](#42-attach-policy-to-route-server-client)
    26  - [Policy Configuration Example](#policy-configuration-example)
    27  
    28  ## Overview
    29  
    30  Policy is a way to control how BGP routes are inserted into the RIB or
    31  advertised to peers. A policy has two parts, **Condition** and **Action**.
    32  When a policy is configured, the **Action** is applied to routes that meet
    33  the **Condition** before those routes proceed to the next step.
    34  
    35  GoBGP supports **Conditions** such as `prefix`, `neighbor` (source/destination
    36  of the route) and `aspath`, and **Actions** such as `accept`, `reject` and
    37  `MED/aspath/community manipulation`.
    38  
    39  You can configure policy through the configuration file, the CLI or the gRPC API.
    40  Here, we show how to configure policy via the configuration file.
    41  
    42  ## Policy Model
    43  
    44  The following figure shows how policy works in normal BGP configuration.
    45  
    46  ![policy model](./policy.png)
    47  
    48  There are **Import** and **Export** policies. The **Import** policy is invoked
    49  before best path calculation and before routes are pushed to the RIB.
    50  The **Export** policy is invoked after that.
    51  
    52  You can check each policy with the following commands.
    53  
    54  ```shell
    55  $ gobgp global policy import
    56  $ gobgp global policy export
    57  ```
    58  
    59  ## Route Server Policy Model
    60  
    61  The following figure shows how policy works in
    62  [route server BGP configuration](route-server.md).
    63  
    64  ![route server policy model](./rs-policy.png)
    65  
    66  In route server mode, **Import** and **Export** policies are defined
    67  with respect to a peer.  The **Import** policy defines what routes
    68  will be imported into the master RIB. The **Export** policy defines
    69  what routes will be exported from the master RIB.
    70  
    71  You can check each policy with the following commands.
    72  
    73  ```shell
    74  $ gobgp neighbor <neighbor-addr> policy import
    75  $ gobgp neighbor <neighbor-addr> policy export
    76  ```
    77  
    78  ## Policy Structure
    79  
    80  ![policy component](./policy-component.png)
    81  
    82  A policy consists of statements. Each statement has condition(s) and action(s).
    83  
    84  Conditions are categorized into attributes below:
    85  
    86  - prefix
    87  - neighbor
    88  - aspath
    89  - aspath length
    90  - community
    91  - extended community
    92  - rpki validation result
    93  - route type (internal/external/local)
    94  - large community
    95  - afi-safi in
    96  
    97  As shown in the figure above, some of the conditions point to defined sets,
    98  which are containers for the condition items (e.g. prefixes).
    99  
   100  Actions are categorized into attributes below:
   101  
   102  - accept or reject
   103  - add/replace/remove community or remove all communities
   104  - add/subtract or replace MED value
   105  - set next-hop
   106  - set local-pref
   107  - prepend AS number in the AS_PATH attribute
   108  
   109  When **ALL** conditions in the statement are `true`, the action(s) in the
   110  statement are executed.
   111  
   112  You can check the policy configuration with the following commands.
   113  
   114  ```shell
   115  $ gobgp policy
   116  $ gobgp policy statement
   117  $ gobgp policy prefix
   118  $ gobgp policy neighbor
   119  $ gobgp policy as-path
   120  $ gobgp policy community
   121  $ gobgp policy ext-community
   122  $ gobgp policy large-community
   123  ```
   124  
   125  ## Configure Policies
   126  
   127  Policy configuration has two parts, [definition](#1-defining-defined-sets) and
   128  [attachment](#4-attaching-policy). For definition, we have
   129  [defined-sets](#1-defining-defined-sets) and [policy-definitions](#3-defining-policy-definitions).
   130  **defined-sets** defines the condition items for some of the condition types.
   131  **policy-definitions** defines policies based on actions and conditions.
   132  
   133  - **defined-sets**
   134    A single **defined-sets** entry has a prefix match part named
   135    **prefix-sets** and a neighbor match part named **neighbor-sets**. It
   136    also has **bgp-defined-sets**, a subset of **defined-sets** that defines
   137    conditions referring to BGP attributes such as aspath. Each set
   138    has a name, which is used to refer to its items from outside.
   139  
   140  - **policy-definitions**
   141    **policy-definitions** is a list of policies. Each element has a
   142    **statements** part that combines conditions with an action.
   143  
   144  Below are the steps for policy configuration:
   145  
   146  1. define defined-sets
   147      1. define prefix-sets
   148      1. define neighbor-sets
   149  1. define bgp-defined-sets
   150      1. define community-sets
   151      1. define ext-community-sets
   152      1. define as-path-sets
   153      1. define large-community-sets
   154  1. define policy-definitions
   155  1. attach policies to global rib (or neighbor local rib when neighbor is
   156     [route-server-client](route-server.md)).
   157  
   158  ### 1. Defining defined-sets
   159  
   160  defined-sets holds prefix information and neighbor information in its
   161  prefix-sets and neighbor-sets sections, and GoBGP uses this information to
   162  evaluate routes. defined-sets must be defined first.
   163  The prefix-sets and neighbor-sets sections are the prefix match part and the
   164  neighbor match part.
   165  
   166  - defined-sets example
   167  
   168   ```toml
   169  # prefix match part
   170  [[defined-sets.prefix-sets]]
   171    prefix-set-name = "ps1"
   172    [[defined-sets.prefix-sets.prefix-list]]
   173      ip-prefix = "10.33.0.0/16"
   174      masklength-range = "21..24"
   175  
   176  # neighbor match part
   177  [[defined-sets.neighbor-sets]]
   178    neighbor-set-name = "ns1"
   179    neighbor-info-list = ["10.0.255.1"]
   180   ```
   181  
   182  #### prefix-sets
   183  
   184  prefix-sets has prefix-set-list, and prefix-set-list has prefix-set-name and
   185  prefix-list as its elements. prefix-set-list is used as a condition. Note that
   186  a prefix-set has either v4 or v6 addresses.
   187  
   188  **prefix-set-list** has 1 element and list of sub-elements.
   189  
   190  | Element          | Description                        | Example       | Optional   |
   191  |------------------|------------------------------------|---------------|------------|
   192  | prefix-set-name  | name of prefix-set                 | "ps1"         |            |
   193  | prefix-list      | list of prefix and range of length |               |            |
   194  
   195  **PrefixList** has 2 elements.
   196  
   197  | Element          | Description       | Example        | Optional   |
   198  |------------------|-------------------|----------------|------------|
   199  | ip-prefix        | prefix value      | "10.33.0.0/16" |            |
   200  | masklength-range | range of length   | "21..24"       | Yes        |
   201  
   202  ##### Examples
   203  
   204  - example 1
   205    - Match routes whose NLRI has 10.33 as its high-order 2 octets and whose
   206      prefix length is between 21 and 24.
   207    - If you define a prefix-list that doesn't have masklength-range, it matches
   208      only routes that have exactly 10.33.0.0/16 as NLRI.
   209  
   210    ```toml
   211    # example 1
   212    [[defined-sets.prefix-sets]]
   213      prefix-set-name = "ps1"
   214      [[defined-sets.prefix-sets.prefix-list]]
   215        ip-prefix = "10.33.0.0/16"
   216        masklength-range = "21..24"
   217    ```
   218  
   219  - example 2
   220    - If you want to evaluate multiple routes with a single prefix-set-list, you
   221      can do this by adding another prefix-list like this.
   222    - This prefix-set-list checks whether a route falls within 10.33.0.0/16 or
   223      10.50.0.0/16 with a prefix length of 21 to 24.
   224  
   225    ```toml
   226    # example 2
   227    [[defined-sets.prefix-sets]]
   228      prefix-set-name = "ps1"
   229      [[defined-sets.prefix-sets.prefix-list]]
   230        ip-prefix = "10.33.0.0/16"
   231        masklength-range = "21..24"
   232      [[defined-sets.prefix-sets.prefix-list]]
   233        ip-prefix = "10.50.0.0/16"
   234        masklength-range = "21..24"
   235    ```
   236  
   237  - example 3
   238    - prefix-set-name under prefix-set-list is a reference to a single prefix-set.
   239    - If you want to add more prefix-sets, you can add other blocks that
   240      have the same structure as example 1.
   241  
   242    ```toml
   243    # example 3
   244    [[defined-sets.prefix-sets]]
   245      prefix-set-name = "ps1"
   246      [[defined-sets.prefix-sets.prefix-list]]
   247        ip-prefix = "10.33.0.0/16"
   248        masklength-range = "21..24"
   249    [[defined-sets.prefix-sets]]
   250      prefix-set-name = "ps2"
   251      [[defined-sets.prefix-sets.prefix-list]]
   252        ip-prefix = "10.50.0.0/16"
   253        masklength-range = "21..24"
   254    ```
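
The prefix-set matching described in examples 1 to 3, as an added Go sketch that is not GoBGP's own code. It models `ip-prefix`, `masklength-range` and the `any`/`invert` values of `match-set-options` as this page describes them; the names `prefixEntry`, `parseEntry`, `buildSet` and `matchSet` are hypothetical, and the routes in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// prefixEntry models one prefix-list element of a prefix-set (hypothetical type).
type prefixEntry struct {
	prefix   netip.Prefix // ip-prefix
	min, max int          // masklength-range bounds, inclusive
}

// parseEntry parses ip-prefix and masklength-range ("min..max"). An empty
// range means "exactly the length of ip-prefix", as the page describes.
func parseEntry(ipPrefix, maskRange string) (prefixEntry, error) {
	p, err := netip.ParsePrefix(ipPrefix)
	if err != nil {
		return prefixEntry{}, err
	}
	p = p.Masked()
	e := prefixEntry{prefix: p, min: p.Bits(), max: p.Bits()}
	if maskRange == "" {
		return e, nil
	}
	lo, hi, ok := strings.Cut(maskRange, "..")
	if !ok {
		return prefixEntry{}, fmt.Errorf("masklength-range %q is not min..max", maskRange)
	}
	if e.min, err = strconv.Atoi(lo); err != nil {
		return prefixEntry{}, err
	}
	if e.max, err = strconv.Atoi(hi); err != nil {
		return prefixEntry{}, err
	}
	// Sanity checks added for this sketch: bounds must be ordered and fit the family.
	if e.min < 0 || e.min > e.max || e.max > p.Addr().BitLen() {
		return prefixEntry{}, fmt.Errorf("masklength-range %q out of bounds", maskRange)
	}
	return e, nil
}

// matches reports whether route lies inside ip-prefix and its prefix length
// is within the masklength-range.
func (e prefixEntry) matches(route netip.Prefix) bool {
	route = route.Masked()
	return route.Bits() >= e.prefix.Bits() &&
		route.Bits() >= e.min && route.Bits() <= e.max &&
		e.prefix.Contains(route.Addr())
}

// buildSet parses (ip-prefix, masklength-range) pairs into one prefix-set.
func buildSet(pairs [][2]string) ([]prefixEntry, error) {
	set := make([]prefixEntry, 0, len(pairs))
	for _, p := range pairs {
		e, err := parseEntry(p[0], p[1])
		if err != nil {
			return nil, err
		}
		set = append(set, e)
	}
	return set, nil
}

// matchSet evaluates route against the set with match-set-options
// "any" (the default) or "invert".
func matchSet(set []prefixEntry, route, option string) (bool, error) {
	r, err := netip.ParsePrefix(route)
	if err != nil {
		return false, err
	}
	hit := false
	for _, e := range set {
		if e.matches(r) {
			hit = true
			break
		}
	}
	switch option {
	case "", "any":
		return hit, nil
	case "invert":
		return !hit, nil
	}
	return false, fmt.Errorf("unsupported match-set-options %q", option)
}

func main() {
	// The prefix-set "ps1" from example 2.
	set, err := buildSet([][2]string{{"10.33.0.0/16", "21..24"}, {"10.50.0.0/16", "21..24"}})
	if err != nil {
		panic(err)
	}
	// Constructed sample routes: in range, too short, too long, second entry, outside.
	for _, r := range []string{"10.33.8.0/21", "10.33.0.0/16", "10.33.1.0/25", "10.50.8.0/22", "10.34.8.0/22"} {
		ok, _ := matchSet(set, r, "any")
		fmt.Printf("%-15s any=%v\n", r, ok)
	}
}
```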
   255  
   256  #### neighbor-sets
   257  
   258  neighbor-sets has neighbor-set-list, and neighbor-set-list has
   259  neighbor-set-name and neighbor-info-list as its elements. It is necessary to
   260  specify a neighbor address in neighbor-info-list. neighbor-set-list is used as
   261  a condition.
   262  
   263  **neighbor-set-list** has 1 element and list of sub-elements.
   264  
   265  | Element            |Description                | Example      | Optional   |
   266  |--------------------|---------------------------|--------------|------------|
   267  | neighbor-set-name  | name of neighbor-set      | "ns1"        |            |
   268  | neighbor-info-list | list of neighbor address  |              |            |
   269  
   270  **neighbor-info-list** has 1 element.
   271  
   272  | Element         |Description          | Example      | Optional   |
   273  |-----------------|---------------------|--------------|------------|
   274  | address         | neighbor address    | "10.0.255.1" |            |
   275  
   276  ##### Examples
   277  
   278  - example 1
   279  
   280    ```toml
   281    # example 1
   282    [[defined-sets.neighbor-sets]]
   283      neighbor-set-name = "ns1"
   284      neighbor-info-list = ["10.0.255.1"]
   285    # Prefix representations are also acceptable.
   286    [[defined-sets.neighbor-sets]]
   287      neighbor-set-name = "ns2"
   288      neighbor-info-list = ["10.0.0.0/24"]
   289    ```
   290  
   291  - example 2
   292    - As with prefix-set-list, neighbor-set-list can have multiple
   293      neighbor-info-list entries like this.
   294  
   295    ```toml
   296    # example 2
   297    [[defined-sets.neighbor-sets]]
   298      neighbor-set-name = "ns1"
   299      neighbor-info-list = ["10.0.255.1", "10.0.255.2"]
   300    ```
   301  
   302  - example 3
   303    - As with prefix-set-list, multiple neighbor-set-lists can be defined.
   304  
   305    ```toml
   306    # example 3
   307    [[defined-sets.neighbor-sets]]
   308      neighbor-set-name = "ns1"
   309      neighbor-info-list = ["10.0.255.1"]
   310    # another neighbor-set-list
   311    [[defined-sets.neighbor-sets]]
   312      neighbor-set-name = "ns2"
   313      neighbor-info-list = ["10.0.254.1"]
   314    ```
   315  
   316  ### 2. Defining bgp-defined-sets
   317  
   318  bgp-defined-sets holds Community information, Extended Community
   319  information and AS_PATH information, each in its own sets section.
   320  It is a child element of defined-sets.
   321  The community-sets, ext-community-sets and as-path-sets sections are the
   322  respective match parts. Like prefix-sets and neighbor-sets, each can have
   323  multiple sets and each set can have multiple values.
   324  
   325  - bgp-defined-sets example
   326  
   327   ```toml
   328   # Community match part
   329   [[defined-sets.bgp-defined-sets.community-sets]]
   330     community-set-name = "community1"
   331     community-list = ["65100:10"]
   332   # Extended Community match part
   333   [[defined-sets.bgp-defined-sets.ext-community-sets]]
   334     ext-community-set-name = "ecommunity1"
   335     ext-community-list = ["RT:65100:10"]
   336   # AS_PATH match part
   337   [[defined-sets.bgp-defined-sets.as-path-sets]]
   338     as-path-set-name = "aspath1"
   339     as-path-list = ["^65100"]
   340   # Large Community match part
   341   [[defined-sets.bgp-defined-sets.large-community-sets]]
   342     large-community-set-name = "lcommunity1"
   343     large-community-list = ["65100:100:100"]
   344   ```
   345  
   346  #### community-sets
   347  
   348  community-sets has community-set-name and community-list as its elements. The
   349  community values are used to evaluate communities held by the destination.
   350  
   351  | Element            | Description             | Example      | Optional |
   352  |--------------------|-------------------------|--------------|----------|
   353  | community-set-name | name of CommunitySet    | "community1" |          |
   354  | community-list     | list of community value |              |          |
   355  
   356  **community-list** has 1 element.
   357  
   358  | Element    | Description             | Example      | Optional |
   359  |------------|-------------------------|--------------|----------|
   360  | community  | community value         | "65100:10"   |          |
   361  
   362  You can use regular expressions to specify community in community-list.
   363  
   364  ##### Examples
   365  
   366  - example 1
   367    - Match routes that have "65100:10" as a community value.
   368  
   369    ```toml
   370    # example 1
   371    [[defined-sets.bgp-defined-sets.community-sets]]
   372      community-set-name = "community1"
   373      community-list = ["65100:10"]
   374    ```
   375  
   376  - example 2
   377    - Specifying community by regular expression
   378    - You can use regular expressions based on POSIX 1003.2 regular expressions.
   379  
   380    ```toml
   381    # example 2
   382    [[defined-sets.bgp-defined-sets.community-sets]]
   383      community-set-name = "community2"
   384      community-list = ["6[0-9]+:[0-9]+"]
   385    ```
   386  
   387  #### ext-community-sets
   388  
   389  ext-community-sets has ext-community-set-name and ext-community-list as its
   390  elements. The values are used to evaluate extended communities held by the
   391  destination.
   392  
   393  | Element                | Description                        | Example          | Optional |
   394  |------------------------|------------------------------------|------------------|----------|
   395  | ext-community-set-name | name of ExtCommunitySet            | "ecommunity1"    |          |
   396  | ext-community-list     | list of extended community value   |                  |          |
   397  
   398  **ext-community-list** has 1 element.
   399  
   400  | Element        | Description                | Example          | Optional |
   401  |----------------|----------------------------|------------------|----------|
   402  | ext-community  | extended community value   | "RT:65001:200"   |          |
   403  
   404  You can use regular expressions to specify an extended community in
   405  ext-community-list. However, the first element (the "RT" part) does not
   406  support regular expressions. The "RT" part indicates a subtype of
   407  extended community, and the subtypes that can be used are as follows:
   408  
   409  - RT: the route target.
   410  - SoO: the site of origin (route origin).
   411  
   412  ##### Examples
   413  
   414  - example 1
   415    - Match routes that have "RT:65001:200" as an extended community value.
   416  
   417    ```toml
   418    # example 1
   419    [[defined-sets.bgp-defined-sets.ext-community-sets]]
   420      ext-community-set-name = "ecommunity1"
   421      ext-community-list = ["RT:65001:200"]
   422    ```
   423  
   424  - example 2
   425    - Specifying extended community by regular expression
   426    - You can use the regular expressions that are available in Golang.
   427  
   428    ```toml
   429    # example 2
   430    [[defined-sets.bgp-defined-sets.ext-community-sets]]
   431      ext-community-set-name = "ecommunity2"
   432      ext-community-list = ["RT:6[0-9]+:[0-9]+"]
   433    ```
   434  
   435  #### as-path-sets
   436  
   437  as-path-sets has as-path-set-name and as-path-list as its elements. The numbers
   438  are used to evaluate AS numbers in the destination's AS_PATH attribute.
   439  
   440  | Element          | Description               | Example    | Optional |
   441  |------------------|---------------------------|------------|----------|
   442  | as-path-set-name | name of as-path-set       | "aspath1"  |          |
   443  | as-path-list     | list of as path value     |            |          |
   444  
   445  **as-path-list** has 1 element.
   446  
   447  | Element          | Description       | Example    | Optional |
   448  |------------------|-------------------|------------|----------|
   449  | as-path-set      | as path value     | "^65100"   |          |
   450  
   451  The AS path regular expression is compatible with
   452  [Quagga](http://www.nongnu.org/quagga/docs/docs-multi/AS-Path-Regular-Expression.html)
   453  and Cisco. Note that the character `_` has a special meaning: it is an
   454  abbreviation for `(^|[,{}() ]|$)`.
   455  
   456  Some examples follow:
   457  
   458  - From: `^65100_` means the route is passed from AS 65100 directly.
   459  - Any: `_65100_` means the route comes through AS 65100.
   460  - Origin: `_65100$` means the route is originated by AS 65100.
   461  - Only: `^65100$` means the route is originated by AS 65100 and comes from it
   462    directly.
   463  - `^65100_65001`
   464  - `65100_[0-9]+_.*$`
   465  - `^6[0-9]_5.*_65.?00$`
   466  
   467  ##### Examples
   468  
   469  - example 1
   470    - Match routes which come from AS 65100.
   471  
   472    ```toml
   473    # example 1
   474    [[defined-sets.bgp-defined-sets.as-path-sets]]
   475      as-path-set-name = "aspath1"
   476      as-path-list = ["^65100_"]
   477    ```
   478  
   479  - example 2
   480    - Match routes whose origin AS is 65100, using regular expressions for the
   481      other ASes.
   482  
   483    ```toml
   484    # example 2
   485    [[defined-sets.bgp-defined-sets.as-path-sets]]
   486      as-path-set-name = "aspath1"
   487      as-path-list = ["[0-9]+_65[0-9]+_65100$"]
   488    ```
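
The `_` expansion described above, as an added Go sketch that is not GoBGP's own code. It assumes the AS_PATH is rendered as space-separated AS numbers and that the expanded pattern is applied to that string as an ordinary regular expression; `matchASPath`, `hasASN` and `looseMatches` are hypothetical names, and the probe paths are constructed. `looseMatches` lists probe paths a pattern accepts even though the intended AS number is absent, which is how a pattern such as `^65100` (no trailing `_`) differs from `^65100_`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// underscore is the expansion this page gives for "_" in AS path patterns.
const underscore = `(^|[,{}() ]|$)`

// compileASPath expands "_" and compiles the pattern with Go's regexp package.
func compileASPath(pattern string) (*regexp.Regexp, error) {
	return regexp.Compile(strings.ReplaceAll(pattern, "_", underscore))
}

// matchASPath reports whether pattern matches path, where path is the AS_PATH
// rendered as space-separated AS numbers (an assumption of this sketch).
func matchASPath(pattern, path string) (bool, error) {
	re, err := compileASPath(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(path), nil
}

// hasASN reports whether asn appears in path as a whole AS number, splitting
// on the same delimiter characters that "_" stands for.
func hasASN(path, asn string) bool {
	isDelim := func(r rune) bool { return strings.ContainsRune(",{}() ", r) }
	for _, tok := range strings.FieldsFunc(path, isDelim) {
		if tok == asn {
			return true
		}
	}
	return false
}

// looseMatches returns the constructed probe paths that pattern matches even
// though asn is not present in them as a whole AS number.
func looseMatches(pattern, asn string) ([]string, error) {
	re, err := compileASPath(pattern)
	if err != nil {
		return nil, err
	}
	probes := []string{
		asn + "0",                  // longer AS number sharing the leading digits
		"1" + asn,                  // longer AS number sharing the trailing digits
		asn + "0 64512",            // same, as the neighbor AS
		"64512 1" + asn,            // same, as the origin AS
		"64512 " + asn + "0 64513", // same, in the middle of the path
	}
	var hits []string
	for _, p := range probes {
		if re.MatchString(p) && !hasASN(p, asn) {
			hits = append(hits, p)
		}
	}
	return hits, nil
}

func main() {
	// Patterns taken from this page, checked against AS 65100.
	for _, pat := range []string{"^65100", "^65100_", "_65100_", "_65100$", "^65100$"} {
		hits, err := looseMatches(pat, "65100")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s loose matches: %q\n", pat, hits)
	}
}
```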
   489  
   490  ### 3. Defining policy-definitions
   491  
   492  policy-definitions consists of conditions and actions. The condition part is
   493  used to evaluate routes from neighbors; if a route matches, the action is applied.
   494  
   495  - an example of policy-definitions
   496  
   497  ```toml
   498    [[policy-definitions]]
   499      name = "example-policy"
   500      [[policy-definitions.statements]]
   501        name = "statement1"
   502        [policy-definitions.statements.conditions.match-prefix-set]
   503          prefix-set = "ps1"
   504          match-set-options = "any"
   505        [policy-definitions.statements.conditions.match-neighbor-set]
   506          neighbor-set = "ns1"
   507          match-set-options = "invert"
   508        [policy-definitions.statements.conditions.bgp-conditions.match-community-set]
   509          community-set = "community1"
   510          match-set-options = "any"
   511        [policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set]
   512          ext-community-set = "ecommunity1"
   513          match-set-options = "any"
   514        [policy-definitions.statements.conditions.bgp-conditions.match-as-path-set]
   515          as-path-set = "aspath1"
   516          match-set-options = "any"
   517        [policy-definitions.statements.conditions.bgp-conditions.as-path-length]
   518          operator = "eq"
   519          value = 2
   520        [policy-definitions.statements.conditions.bgp-conditions]
   521          afi-safi-in = ["l3vpn-ipv4-unicast", "ipv4-unicast"]
   522        [policy-definitions.statements.actions]
   523          route-disposition = "accept-route"
   524        [policy-definitions.statements.actions.bgp-actions]
   525          set-med = "-200"
   526          [policy-definitions.statements.actions.bgp-actions.set-as-path-prepend]
   527            as = "65005"
   528            repeat-n = 5
   529          [policy-definitions.statements.actions.bgp-actions.set-community]
   530            options = "add"
   531            [policy-definitions.statements.actions.bgp-actions.set-community.set-community-method]
   532              communities-list = ["65100:20"]
   533   ```
   534  
   535   The elements of policy-definitions are as follows:
   536  
   537  - policy-definitions
   538  
   539    | Element | Description   | Example          |
   540    |---------|---------------|------------------|
   541    | name    | policy's name | "example-policy" |
   542  
   543  - policy-definitions.statements
   544  
   545    | Element | Description       | Example        |
   546    |---------|-------------------|----------------|
   547    | name    | statement's name  | "statement1"   |
   548  
   549  - policy-definitions.statements.conditions.match-prefix-set
   550  
   551    | Element            | Description                                                                   | Example |
   552    |--------------------|-------------------------------------------------------------------------------|---------|
   553    | prefix-set         | name for defined-sets.prefix-sets.prefix-set-list that is used in this policy | "ps1"   |
   554    | match-set-options  | option for the check:<br> "any" or "invert". default is "any"                 | "any"   |
   555  
   556  - policy-definitions.statements.conditions.match-neighbor-set
   557  
   558    | Element           | Description                                                                   | Example |
   559    |-------------------|-------------------------------------------------------------------------------|---------|
   560    | neighbor-set      | name for defined-sets.neighbor-sets.neighbor-set-list that is used in this policy | "ns1"   |
   561    | match-set-options | option for the check:<br> "any" or "invert". default is "any"                 | "any"   |
   562  
   563  - policy-definitions.statements.conditions.bgp-conditions.match-community-set
   564  
   565    | Element           | Description                                                                                        | Example        |
   566    |-------------------|----------------------------------------------------------------------------------------------------|----------------|
   567    | community-set     | name for defined-sets.bgp-defined-sets.community-sets.CommunitySetList that is used in this policy | "community1"   |
   568    | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any"                             | "invert"       |
   569  
   570  - policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set
   571  
   572    | Element           | Description                                                                           | Example       |
   573    |-------------------|---------------------------------------------------------------------------------------|---------------|
   574    | ext-community-set | name for defined-sets.bgp-defined-sets.ext-community-sets that is used in this policy | "ecommunity1" |
   575    | match-set-options | option for the check:<br> "any" or "all" or "invert". default is "any"                | "invert"      |
   576  
   577  - policy-definitions.statements.conditions.bgp-conditions.match-as-path-set
   578  
   579    | Element            | Description                                                                     | Example   |
   580    |--------------------|---------------------------------------------------------------------------------|-----------|
   581    | as-path-set        | name for defined-sets.bgp-defined-sets.as-path-sets that is used in this policy | "aspath1" |
   582    | match-set-options  | option for the check:<br> "any" or "all" or "invert". default is "any"          | "invert"  |
   583  
   584  - policy-definitions.statements.conditions.bgp-conditions.as-path-length
   585  
   586    | Element  | Description                                                                                        | Example |
   587    |----------|----------------------------------------------------------------------------------------------------|---------|
   588    | operator | operator to compare the length of AS number in AS_PATH attribute. <br> "eq","ge","le" can be used. <br> "eq" means that length of AS number is equal to Value element <br> "ge" means that length of AS number is equal or greater than the Value element <br> "le" means that length of AS number is equal or smaller than the Value element| "eq"    |
   589    | value    | value used to compare with the length of AS number in AS_PATH attribute                            | 2       |
   590  
   591  - policy-definitions.statements.actions
   592  
   593    | Element           | Description                                                                                                   | Example        |
   594    |-------------------|---------------------------------------------------------------------------------------------------------------|----------------|
   595    | route-disposition | stop following policy/statement evaluation and accept/reject the route:<br> "accept-route" or "reject-route"  | "accept-route" |
   596  
   597  - policy-definitions.statements.actions.bgp-actions
   598  
   599    | Element  | Description                                                                           | Example |
   600    |----------|---------------------------------------------------------------------------------------|---------|
   601    | set-med  | set-med is used to change the MED value of the route. <br> If only a number is specified, it replaces the MED value of the route.<br> If a number with an operator (+ or -) is specified, it is added to or subtracted from the MED value of the route. | "-200"    |
   602  
   603  - policy-definitions.statements.actions.bgp-actions.set-community
   604  
   605    | Element     | Description                                                                      | Example    |
   606    |-------------|----------------------------------------------------------------------------------|------------|
   607    | options     | operator to manipulate Community attribute in the route                          | "ADD"      |
   608    | communities | communities used to manipulate the route's community according to options below | "65100:20" |
   609  
   610  - policy-definitions.statements.actions.bgp-actions.set-as-path-prepend
   611  
   612    | Element  | Description                                                                                           | Example |
   613    |----------|-------------------------------------------------------------------------------------------------------|---------|
   614    | as       | AS number to prepend. You can use "last-as" to prepend the leftmost AS number in the aspath attribute.| "65100" |
   615    | repeat-n | repeat count to prepend AS                                                                            |    5    |
   616  
   617  #### Execution condition of Action
   618  
   619   The Action statement is executed when the results of all Conditions,
   620   including match-set-options, are true.
   621   **match-set-options** defines how to determine the match result in a
   622   condition whose evaluation set has multiple members, as follows:
   623  
   624   | Value  | Description                                                               |
   625   |--------|---------------------------------------------------------------------------|
   626   | any    | match is true if given value matches any member of the defined set        |
   627   | all    | match is true if given value matches all members of the defined set       |
   628   | invert | match is true if given value does not match any member of the defined set |
   629  
   630  ##### Examples
   631  
   632  - example 1
   633    - This policy definition has prefix-set *ps1* and neighbor-set *ns1* as its
   634      conditions, and routes that match the conditions are rejected.
   635  
   636    ```toml
   637    # example 1
   638    [[policy-definitions]]
   639      name = "policy1"
   640      [[policy-definitions.statements]]
   641        name = "statement1"
   642        [policy-definitions.statements.conditions.match-prefix-set]
   643          prefix-set = "ps1"
   644        [policy-definitions.statements.conditions.match-neighbor-set]
   645          neighbor-set = "ns1"
   646        [policy-definitions.statements.actions]
   647          route-disposition = "reject-route"
   648    ```
   649  
   650  - example 2
   651    - policy-definition has two statements
   652    - If a route matches the condition inside the first statement(1), GoBGP
   653      applies its action and quits the policy evaluation.
   654  
   655    ```toml
   656    # example 2
   657    [[policy-definitions]]
   658      name = "policy1"
   659      # first statement - (1)
   660      [[policy-definitions.statements]]
   661        name = "statement1"
   662        [policy-definitions.statements.conditions.match-prefix-set]
   663          prefix-set = "ps1"
   664        [policy-definitions.statements.conditions.match-neighbor-set]
   665          neighbor-set = "ns1"
   666        [policy-definitions.statements.actions]
   667          route-disposition = "reject-route"
   668      # second statement - (2)
   669      [[policy-definitions.statements]]
   670        name = "statement2"
   671        [policy-definitions.statements.conditions.match-prefix-set]
   672          prefix-set = "ps2"
   673        [policy-definitions.statements.conditions.match-neighbor-set]
   674          neighbor-set = "ns2"
   675        [policy-definitions.statements.actions]
   676          route-disposition = "reject-route"
   677    ```
   678  
   679  - example 3
   680    - If you want to add other policies, just add another policy-definitions
   681      block after the first one, like this:
   682  
   683    ```toml
   684    # example 3
   685    # first policy
   686    [[policy-definitions]]
   687      name = "policy1"
   688      [[policy-definitions.statements]]
   689        name = "statement1"
   690        [policy-definitions.statements.conditions.match-prefix-set]
   691          prefix-set = "ps1"
   692        [policy-definitions.statements.conditions.match-neighbor-set]
   693          neighbor-set = "ns1"
   694        [policy-definitions.statements.actions]
   695          route-disposition = "reject-route"
   696    # second policy
   697    [[policy-definitions]]
   698      name = "policy2"
   699      [[policy-definitions.statements]]
   700        name = "statement2"
   701        [policy-definitions.statements.conditions.match-prefix-set]
   702          prefix-set = "ps2"
   703        [policy-definitions.statements.conditions.match-neighbor-set]
   704          neighbor-set = "ns2"
   705        [policy-definitions.statements.actions]
   706          route-disposition = "reject-route"
   707    ```
   708  
   709  - example 4
   710    - This PolicyDefinition has multiple conditions including BgpConditions as
   711      follows:
   712      - prefix-set: *ps1*
   713      - neighbor-set: *ns1*
   714      - community-set: *community1*
   715      - ext-community-set: *ecommunity1*
   716      - as-path-set: *aspath1*
   717      - as-path length: *equal 2*
   718    - If a route matches all these conditions, it will be accepted with community
   719      "65100:20", next-hop 10.0.0.1, local-pref 110, med subtracted 200, as-path
   720      prepended 65005 five times.
   721  
   722    ```toml
   723    # example 4
   724    [[policy-definitions]]
   725      name = "policy1"
   726      [[policy-definitions.statements]]
   727        name = "statement1"
   728        [policy-definitions.statements.conditions.match-prefix-set]
   729          prefix-set = "ps1"
   730        [policy-definitions.statements.conditions.match-neighbor-set]
   731          neighbor-set = "ns1"
   732        [policy-definitions.statements.conditions.bgp-conditions.match-community-set]
   733          community-set = "community1"
   734        [policy-definitions.statements.conditions.bgp-conditions.match-ext-community-set]
   735          ext-community-set = "ecommunity1"
   736        [policy-definitions.statements.conditions.bgp-conditions.match-as-path-set]
   737          as-path-set = "aspath1"
   738        [policy-definitions.statements.conditions.bgp-conditions.as-path-length]
   739          operator = "eq"
   740          value = 2
   741        [policy-definitions.statements.actions]
   742          route-disposition = "accept-route"
   743        [policy-definitions.statements.actions.bgp-actions]
   744          set-med = "-200"
   745          set-next-hop = "10.0.0.1"
   746          set-local-pref = 110
   747        [policy-definitions.statements.actions.bgp-actions.set-as-path-prepend]
   748          as = "65005"
   749          repeat-n = 5
   750        [policy-definitions.statements.actions.bgp-actions.set-community]
   751          options = "ADD"
   752        [policy-definitions.statements.actions.bgp-actions.set-community.set-community-method]
   753          communities-list = ["65100:20"]
   754    ```
   755  
   756  - example 5
   757    - an example with multiple statements
   758  
   759    ```toml
   760    # example 5
   761    [[policy-definitions]]
   762      name = "policy1"
   763      [[policy-definitions.statements]]
   764      # statement without route-disposition continues to the next statement
   765        [policy-definitions.statements.actions.bgp-actions]
   766          set-med = "+100"
   767      [[policy-definitions.statements]]
   768      # if matched with "ps1", reject the route and stop evaluating
   769      # following statements
   770        [policy-definitions.statements.conditions.match-prefix-set]
   771          prefix-set = "ps1"
   772        [policy-definitions.statements.actions]
   773          route-disposition = "reject-route"
   774      [[policy-definitions.statements]]
   775      # if matched with "ps2", accept the route and stop evaluating
   776      # following statements
   777        [policy-definitions.statements.conditions.match-prefix-set]
   778          prefix-set = "ps2"
   779        [policy-definitions.statements.actions]
   780          route-disposition = "accept-route"
   781      [[policy-definitions.statements]]
   782      # since this is the last statement, if the route matched with "ps3",
   783      # add 10 to MED value and continue to the next policy if exists.
   784      # If not, default-policy is applied.
   785        [policy-definitions.statements.conditions.match-prefix-set]
   786          prefix-set = "ps3"
   787        [policy-definitions.statements.actions.bgp-actions]
   788          set-med = "+10"
   789    ```
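The evaluation order that example 5 describes, as an added Go sketch (not GoBGP's own code). The `Route` and `Statement` types, the exact-match prefix sets and their prefixes are constructed for illustration. It shows which disposition and MED each route ends up with, and that a route matching no terminating statement is decided by the default policy.

```go
package main

import "fmt"

// Route and Statement are a hypothetical model, not GoBGP's internal types.
type Route struct {
	Prefix string
	MED    int
}

type Statement struct {
	PrefixSet   string // "" = no condition, every route matches
	MEDDelta    int    // set-med = "+N"
	Disposition string // "accept-route", "reject-route" or "" (none set)
}

// Constructed prefix sets; exact-match only to keep the model small.
var prefixSets = map[string]string{"ps1": "10.1.0.0/16", "ps2": "10.2.0.0/16", "ps3": "10.3.0.0/16"}

// Evaluate runs every policy's statements in order. A matching statement
// applies its action; a route-disposition ends evaluation. When nothing
// sets a disposition, defaultPolicy decides.
func Evaluate(policies [][]Statement, r Route, defaultPolicy string) (string, Route) {
	for _, stmts := range policies {
		for _, s := range stmts {
			if s.PrefixSet != "" && prefixSets[s.PrefixSet] != r.Prefix {
				continue
			}
			r.MED += s.MEDDelta
			if s.Disposition != "" {
				return s.Disposition, r
			}
		}
	}
	return defaultPolicy, r
}

// Policy1 mirrors the four statements of example 5.
var Policy1 = []Statement{
	{MEDDelta: 100},
	{PrefixSet: "ps1", Disposition: "reject-route"},
	{PrefixSet: "ps2", Disposition: "accept-route"},
	{PrefixSet: "ps3", MEDDelta: 10},
}

func main() {
	for _, p := range []string{"10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.9.0.0/16"} {
		d, r := Evaluate([][]Statement{Policy1}, Route{Prefix: p}, "reject-route")
		fmt.Println(p, d, r.MED)
	}
}
```

With the default policy set to "accept-route", the 10.9.0.0/16 route, which appears in no prefix set, is accepted with MED 100; with "reject-route" the same policy fails closed.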
   790  
   791  ### 4. Attaching policy
   792  
   793  Here we explain how to attach defined policies to
   794  [global rib](#global-attachment) and [neighbor local rib](#rs-attachment).
   795  
   796  #### 4.1 Attach policy to global rib
   797  
   798  To attach policies to the global rib, add the policy names to
   799  `global.apply-policy.config`.
   800  
   801  ```toml
   802  [global.apply-policy.config]
   803  import-policy-list = ["policy1"]
   804  export-policy-list = ["policy2"]
   805  default-import-policy = "accept-route"
   806  default-export-policy = "accept-route"
   807  ```
   808  
   809  | Element                 | Description                                                                                 | Example        |
   810  |-------------------------|---------------------------------------------------------------------------------------------|----------------|
   811  | import-policy-list      | policy-definitions.name for Import policy                                                   | "policy1"      |
   812  | export-policy-list      | policy-definitions.name for Export policy                                                   | "policy2"      |
   813  | default-import-policy   | action when the route doesn't match any policy or none of the matched policies specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" |
   814  | default-export-policy   | action when the route doesn't match any policy or none of the matched policies specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" |
   815  
   816  #### 4.2. Attach policy to route-server-client
   817  
   818  You can use the policies defined above as Import, Export or In policies by
   819  attaching them to neighbors which are configured as route-server clients.
   820  
   821  To attach policies to a neighbor, add the policy names to
   822  `neighbors.apply-policy` in the neighbor's settings.
   823  This example attaches *policy1* as the Import policy and *policy2* as the Export
   824  policy, and *policy3* is used as the In policy.
   825  
   826  ```toml
   827  [[neighbors]]
   828    [neighbors.config]
   829      neighbor-address = "10.0.255.2"
   830      peer-as = 65002
   831    [neighbors.route-server.config]
   832      route-server-client = true
   833    [neighbors.apply-policy.config]
   834      import-policy-list = ["policy1"]
   835      export-policy-list = ["policy2"]
   836      default-import-policy = "accept-route"
   837      default-export-policy = "accept-route"
   838  ```
   839  
   840  Each neighbor has a section for specifying policies, named
   841  apply-policy. The apply-policy section has 6 elements.
   842  
   843  | Element                 | Description                                                                                 | Example        |
   844  |-------------------------|---------------------------------------------------------------------------------------------|----------------|
   845  | import-policy-list      | policy-definitions.name for Import policy                                                   | "policy1"      |
   846  | export-policy-list      | policy-definitions.name for Export policy                                                   | "policy2"      |
   847  | default-import-policy   | action when the route doesn't match any policy or none of the matched policies specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" |
   848  | default-export-policy   | action when the route doesn't match any policy or none of the matched policies specifies `route-disposition`:<br> "accept-route" or "reject-route". default is "accept-route" | "accept-route" |
   849  
   850  ## Policy Configuration Example
   851  
   852  Neighbor 10.0.255.1 advertises the 10.33.0.0/16 and 10.3.0.0/16 routes. We
   853  define an import policy for neighbor 10.0.255.2 that drops the
   854  10.33.0.0/16 route from neighbor 10.0.255.1.
   855  
   856  ```toml
   857  [global.config]
   858    as = 64512
   859    router-id = "192.168.255.1"
   860  
   861  [[neighbors]]
   862    [neighbors.config]
   863      neighbor-address = "10.0.255.1"
   864      peer-as = 65001
   865    [neighbors.route-server.config]
   866      route-server-client = true
   867  
   868  [[neighbors]]
   869    [neighbors.config]
   870      neighbor-address = "10.0.255.2"
   871      peer-as = 65002
   872    [neighbors.route-server.config]
   873      route-server-client = true
   874    [neighbors.apply-policy.config]
   875      import-policy-list = ["pd2"]
   876  
   877  [[neighbors]]
   878    [neighbors.config]
   879      neighbor-address = "10.0.255.3"
   880      peer-as = 65003
   881    [neighbors.route-server.config]
   882      route-server-client = true
   883  
   884  [[defined-sets.prefix-sets]]
   885    prefix-set-name = "ps2"
   886    [[defined-sets.prefix-sets.prefix-list]]
   887      ip-prefix = "10.33.0.0/16"
   888    [[defined-sets.prefix-sets.prefix-list]]
   889      ip-prefix = "10.50.0.0/16"
   890  
   891  [[defined-sets.neighbor-sets]]
   892    neighbor-set-name = "ns1"
   893    [[defined-sets.neighbor-sets.neighbor-info-list]]
   894      address = "10.0.255.1"
   895  
   896  [[policy-definitions]]
   897    name = "pd2"
   898    [[policy-definitions.statements]]
   899      name = "statement1"
   900      [policy-definitions.statements.conditions.match-prefix-set]
   901        prefix-set = "ps2"
   902        match-set-options = "any"
   903      [policy-definitions.statements.conditions.match-neighbor-set]
   904        neighbor-set = "ns1"
   905        match-set-options = "any"
   906      [policy-definitions.statements.actions]
   907        route-disposition = "reject-route"
   908  ```
   909  
   910  Neighbor 10.0.255.2 has the pd2 policy. pd2 consists of the ps2 prefix match
   911  and the ns1 neighbor match. ps2 specifies the 10.33.0.0 and 10.50.0.0
   912  addresses, and it specifies the mask with the **MASK** keyword. The
   913  **masklength-range** keyword can specify a range of mask lengths, like
   914  `masklength-range 24..26`. *ns1* specifies neighbor 10.0.255.1.
   915  
   916  pd2 sets multiple conditions. This means that the policy is applied only
   917  when all match conditions are met.
   918  
   919  The match-prefix-set sets match-set-options to "any". This means that the
   920  policy is applied when a route matches any entry of the prefix-list, so it
   921  applies to the 10.33.0.0/16 or 10.50.0.0/16 route from neighbor 10.0.255.1.
   922  
   923  If the match-prefix-set sets match-set-options to "invert", the policy is
   924  applied when a route does not match any entry of the prefix-list, so it applies
   925  to routes other than 10.33.0.0/16 or 10.50.0.0/16 from neighbor 10.0.255.1.
   926  
   927  Let's confirm that neighbor 10.0.255.1 advertises two routes.
   928  
   929  ```bash
   930  $ gobgp neighbor 10.0.255.1 adj-in
   931     Network            Next Hop        AS_PATH    Age        Attrs
   932     10.3.0.0/16        10.0.255.1      [65001]    00:51:57   [{Origin: 0} {Med: 0}]
   933     10.33.0.0/16       10.0.255.1      [65001]    00:51:57   [{Origin: 0} {Med: 0}]
   934  ```
   935  
   936  Now let's check whether the policy works as expected.
   937  
   938  ```bash
   939  $ gobgp neighbor 10.0.255.2 local
   940     Network            Next Hop        AS_PATH    Age        Attrs
   941  *> 10.3.0.0/16        10.0.255.1      [65001]    00:49:36   [{Origin: 0} {Med: 0}]
   942  $ gobgp neighbor 10.0.255.3 local
   943     Network            Next Hop        AS_PATH    Age        Attrs
   944  *> 10.3.0.0/16        10.0.255.1      [65001]    00:49:38   [{Origin: 0} {Med: 0}]
   945  *> 10.33.0.0/16       10.0.255.1      [65001]    00:49:38   [{Origin: 0} {Med: 0}]
   946  ```
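The matching logic of pd2 described above, as an added Go sketch (not GoBGP's own code) that reproduces which of the two advertised routes is dropped and what changes under "invert". The `Entry` type and helper names are hypothetical, and it assumes a prefix-list entry without masklength-range matches only its exact mask length.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Entry models one prefix-list item; Min/Max model masklength-range.
type Entry struct {
	Prefix   netip.Prefix
	Min, Max int
}

// inSet reports whether route p is covered by any entry of the set.
func inSet(set []Entry, p netip.Prefix) bool {
	for _, e := range set {
		if e.Prefix.Contains(p.Addr()) && p.Bits() >= e.Min && p.Bits() <= e.Max {
			return true
		}
	}
	return false
}

// option applies match-set-options: "any" keeps the result, "invert" negates it.
func option(hit bool, opt string) bool { return hit != (opt == "invert") }

// Rejected reports whether statement1 of pd2 drops a route: the prefix
// condition and the neighbor condition must both hold.
func Rejected(route, from, prefixOpt, neighborOpt string) bool {
	ps2 := []Entry{
		{netip.MustParsePrefix("10.33.0.0/16"), 16, 16},
		{netip.MustParsePrefix("10.50.0.0/16"), 16, 16},
	}
	ns1 := map[string]bool{"10.0.255.1": true}
	p := netip.MustParsePrefix(route)
	return option(inSet(ps2, p), prefixOpt) && option(ns1[from], neighborOpt)
}

func main() {
	for _, r := range []string{"10.3.0.0/16", "10.33.0.0/16"} {
		fmt.Printf("%s any=%v invert=%v\n", r,
			Rejected(r, "10.0.255.1", "any", "any"), Rejected(r, "10.0.255.1", "invert", "any"))
	}
}
```

Under this exact-length assumption a more specific route such as 10.33.1.0/24 is not caught by ps2; covering more specifics needs a masklength-range on the entry.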