Configuring Localized Control Policy
This article provides procedures for configuring localized control policy from the CLI. Localized control policy, configured on vEdge routers, lets you affect routing policy on the network at the local site where the vEdge router is located. This type of control policy is called route policy.
Configuration Components
A route policy consists of a series of numbered (ordered) sequences of match-action pair that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packets stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.
If a packet matches no parameters in any of the sequences in the policy configured, it is, by default, rejected and discarded.
To create a localized data policy, you include the following components in the configuration on a vEdge router:
| Component | Description | Configuration Command |
|---|---|---|
| Lists | Groupings of related items that you reference in the match and action portions of the control policy configuration. The items you can group include IP prefixes, BGP AS paths, and BGP community and extended community attributes. | policy lists |
| Centralized control policy instance | Container for localized control policy. | policy route-policy |
| Numbered sequences of match–action pairs | Sequences establish the order in which the policy components are applied. | policy route-policy sequence |
| Match parameters | Conditions that the routes must match to be considered for a control policy. | policy route-policy sequence match |
| Actions | Whether to accept or reject matching routes, and how to process matching items. | policy route-policy sequence action |
| Default action | Action to take if a route matches none of the match parameters in any of the sequences. By default, nonmatching routes are rejected. | policy route-policy default-action |
| Application of localized control policy | For a control policy to take effect, you apply it to either a BGP neighbor or via OSPF route distribution. | vpn router bgp neighbor address-family ipv4-unicast route-policy |
The following figure illustrates the configuration components for localized control policy.
General Configuration Procedure
Following are the high-level steps for configuring a route policy:
- Create lists of prefixes, as needed:
vEdge(config)# policy lists
vEdge(config-lists)# prefix-list list-nam
vEdge(config-lists-list-name)# ip-prefix prefix/length - Create lists of BGP AS paths, and community and extended community attributes, as needed:
vEdge(config)# policy lists
vEdge(config-lists)# as-path-list list-name
vEdge(config-lists-list-name)# as-path path-list
vEdge(config)# policy lists
vEdge(config-lists)# community-list list-name
vEdge(config-lists-list-name)# community [aa:nn | internet | local-as | no-advertise | no-export]
vEdge(config)# policy lists
vEdge(config-lists)# ext-community-list list-name
vEdge(config-lists-list-name)#community [rt (aa:nn | ip-address) | soo (aa:nn | ip-address)]
- Create a route policy instance:
vEdge(config)# policy route-policy policy-name
vEdge(config-route-policy-policy-name)# - Create a series of match–action pair sequences:
vEdge(config-route-policy-policy-name)# sequence number
vEdge(config-sequence-number)#
The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is). - Define match parameters for routes:
vEdge(config-sequence-number)# match match-parameter - Define actions to take when a match occurs:
vEdge(config-sequence-number)# action reject
vEdge(config-sequence-number)# action accept set parameter - Create additional numbered sequences of match–action pairs within the router policy, as needed.
- If a route does not match any of the conditions in one of the sequences, it is rejected by default. To accept nonmatching routes, configure the default action for the policy:
vEdge(config-policy-name)# default-action accept - Apply the policy to a BGP address family, to all OSPF inbound routes, or when redistributing OSPF routes:
vEdge(config)# vpn vpn-id router bgp local-as-number neighbor address
vEdge(config-neighbor)# address-family ipv4-unicast
vEdge(config-address-family-ipv4-unicast)# route-policy policy-name (in | out)
vEdge(config)# vpn vpn-id router ospf
vEdge(config-ospf)# route-policy policy-name in
vEdge(config)# vpn vpn-id router ospf
vEdge(config-ospf)# redistribute (bgp | connected | nat | omp | static) route-policy policy-name
Lists
Route policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vEdge routers.
| List Type | Description | Command |
|---|---|---|
| AS path list | List of one or more BGP AS paths. | as-path-list list-name |
| Community list | List of one or more BGP community attributes. | community-list list-name |
| Extended community list | List of one or more BGP extended community attributes. | ext-community-list list-name |
| Prefix list | List of one or more IP prefixes. Specify the IP prefixes as follows: | prefix-list list-name |
Sequences
A localized control policy contains sequences of match–action pairs. The sequences are numbered to set the order in which a route is analyzed by the match–action pairs in the policy. You configure sequences with the route-policy sequence command.
Each sequence in a localized control policy can contain one match command and one action
Match Parameters
For route policy routes, you can configure these parameters under the match command:
| Description | Command | Value or Range |
|---|---|---|
| IP prefix or prefixes from which the route was learned | address list-name | Name of an IP prefix list |
| BGP AS paths | as-path list-name | Name of an AS path list |
| BGP communities | community list-name | Name of a BGP community list |
| BGP extended communities | ext-community list-name | Name of a BGP extended community list. |
| Route metric | metric number | 0 through 4294967295 |
| Next hop | next-hop list-name | Name of an IP prefix list |
| OMP tag for OSPF | omp-tag number | 0 through 4294967295 |
| BGP origin code | origin origin | egp (default), igp, incomplete |
| Peer address | peer address | IP address |
Action Parameters
When a route matches the conditions in the match portion of a route policy, the route can be accepted or rejected:
| Description | Command | Value or Range |
|---|---|---|
| Accept the route. An accepted route is eligible to be modified by the additional parameters configured in the action portion of the policy configuration. | accept | — |
| Discard the packet. | reject | — |
For a route that is accepted, the following actions can be configured:
| Description | Parameter | Value or Range |
|---|---|---|
| Set the AS number in which a BGP route aggregator is located and the IP address of the route aggregator. | set aggregator as-number ip-address | 0 through 65535 |
| Set an AS number or a series of AS numbers to exclude from the AS path or to prepend to the AS path. | set as‑path (exclude | prepend) as‑number | 0 through 65535 |
| Set the BGP atomic aggregate attribute. | set atomic-aggregate | — |
| Set the BGP community value. | set community value | [aa:nn | internet | local-as | no-advertise | no-export] |
| Set the BGP local preference. | set local-preference number | 0 through 4294967295 |
| Set the metric value. | set metric number | 0 through 4294967295 |
| Set the metric type. | set metric-type type | type1, type2 |
| Set the next-hop address. | set next-hop ip-address | IP address |
| Set the OMP tag for OSPF to use. | set omp-tag number | 0 through 4294967295 |
| Set the BGP origin code. | set origin origin | egp, igp (default), incomplete |
| Set the IP address from which the route was learned. | set originator ip-address | IP address |
| Set the OSPF tag value. | set ospf-tag number | 0 through 4294967295 |
| Set the BGP weight. | set weight number | 0 through 4294967295 |
Defining the Default Action
If a route being evaluated does not match any of the match conditions in a control policy, a default action is applied to this route. By default, the route is rejected. To modify this behavior, include the default-action accept command in the control policy.
Applying Route Policy for BGP
For a route policy to take effect for BGP, you must apply it to an address family. Currently, the Viptela software supports only the IPv4 address family, so you apply route policy with this command:
vEdge(config)# vpn vpn-id router bgp local-as-number neighbor address address-family ipv4-unicast route-policy policy-name (in | out)
Applying the policy in the inbound direction (in) affects routes being received by BGP. Applying the policy in the outbound direction (out) affects routes being advertised by BGP.
Applying Route Policy for OSPF
For a route policy to take effect for OSPF, you can apply it to all inbound traffic:
vEdge(config)# vpn vpn-id router ospf route-policy policy-name in
You can also apply the policy when redistributing routes into OSPF:
vEdge(config)# vpn vpn-id router ospf redistribute (bgp | connected | nat | omp | static) route-policy policy-name