Configuring Localized Control Policy

Last updated
Save as PDF

This article provides procedures for configuring localized control policy from the CLI. Localized control policy, configured on vEdge routers, lets you affect routing policy on the network at the local site where the vEdge router is located. This type of control policy is called route policy.

Configuration Components

A route policy consists of a series of numbered (ordered) sequences of match-action pair that are evaluated in order, from lowest sequence number to highest sequence number. When a packet matches one of the match conditions, the associated action is taken and policy evaluation on that packets stops. Keep this in mind as you design your policies to ensure that the desired actions are taken on the items subject to policy.

If a packet matches no parameters in any of the sequences in the policy configured, it is, by default, rejected and discarded.

To create a localized data policy, you include the following components in the configuration on a vEdge router:

Component	Description	Configuration Command
Lists	Groupings of related items that you reference in the match and action portions of the control policy configuration. The items you can group include IP prefixes, BGP AS paths, and BGP community and extended community attributes.	policy lists
Centralized control policy instance	Container for localized control policy.	policy route-policy
Numbered sequences of match–action pairs	Sequences establish the order in which the policy components are applied.	policy route-policy sequence
Match parameters	Conditions that the routes must match to be considered for a control policy.	policy route-policy sequence match
Actions	Whether to accept or reject matching routes, and how to process matching items.	policy route-policy sequence action
Default action	Action to take if a route matches none of the match parameters in any of the sequences. By default, nonmatching routes are rejected.	policy route-policy default-action
Application of localized control policy	For a control policy to take effect, you apply it to either a BGP neighbor or via OSPF route distribution.	vpn router bgp neighbor address-family ipv4-unicast route-policy vpn router ospf redistribute route-policy

The following figure illustrates the configuration components for localized control policy.

General vManage Configuration Procedure

To configure a localized control policy, also called a route policy, in vManage NMS, perform the following steps:

Configure the route policy.
Apply the route policy in a device template.

Configure a Route Policy

In vManage NMS, select the Configuration ► Policies screen.
In the Policy title bar, click the Centralized Policy/Localized Policy drop-down. When you first open the Policies screen, Centralized Policy is selected by default.
Select Localized Policy.
Click Add CLI.
In the Name field, enter a name for the policy. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
In the Description field, enter a description for the route policy. This field is mandatory, and it can contain any characters and spaces.
In the CLI Configuration text box, enter the policy configuration. In this configuration, include the necessary lists (in the policy lists configuration command hierarchy) and the policy configuration itself (in one or more policy route-policy commands). You can either type the configuration directly, using the commands described in the sections below; you can copy and paste the configuration; or you can click Select a File to upload a text file that contains the policy configuration.
Click Add.

Apply a Route Policy in a Device Template

In vManage NMS, select the Configuration ► Templates screen.
If you are creating a new device template:
1. In the Device tab, click Create Template.
2. From the Create Template drop-down, select From Feature Template.
3. From the Device Model drop-down, select one of the vEdge devices.
4. In the Template Name field, enter a name for the device template. This field is mandatory and can contain only uppercase and lowercase letters, the digits 0 through 9, hyphens (–), and underscores (_). It cannot contain spaces or any other characters.
5. In the Description field, enter a description for the device template. This field is mandatory, and it can contain any characters and spaces.
6. Continue with Step 4.
If you are editing an existing device template:
1. In the Device tab, click the More Actions icon to the right of the desired template, and click the pencil icon.
2. Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
3. From the Policy drop-down, select the name of a policy that you have configured.
Click the Additional Templates tab located directly beneath the Description field. The screen scrolls to the Additional Templates section.
From the Policy drop-down, select the name of the policy you configured in the above procedure.
To apply a route policy to BGP:
1. Scroll to the Service VPN section.
2. In the Service VPN drop-down, type the service VPN number (a VPN number other than 0 or 512).
3. From Additional VPN Templates, select BGP.
4. From the BGP drop-down, click Create Template or View Template.
5. Select the Neighbor tab, click the plus sign (+), and click More.
6. In Address Family, change the scope to Device Specific. Then, Click On to enable Address Family, Click On to enable Route Policy In, and specify the name of a route policy to apply to prefixes received from the neighbor, or click On to enable Route Policy Out, and specify the name of a route policy to apply to prefixes sent to the neighbor. This name is one that you configured with a policy route-policy command.
7. Click Save to save the neighbor configuration, and then click Save to save the BGP configuration.
To apply a route policy to routes coming from all OSPF neighbors:
1. Scroll to the Service VPN section.
2. In the Service VPN drop-down, type the service VPN number (a VPN number other than 0 or 512).
3. From Additional VPN Templates, select OSPF.
4. Click Create Template or View Template.
5. Select the Advanced tab.
6. In Policy Name, specify the name of a route policy to apply to incoming routes. This name is one that you configured with a policy route-policy command.
7. Click Save.
To apply a route policy before redistributing routes into OSPF:
1. Scroll to the Service VPN section.
2. In the Service VPN drop-down, type the service VPN number (a VPN number other than 0 or 512).
3. From Additional VPN Templates, select OSPF.
4. Click Create Template or View Template.
5. Select the Redistribute tab, click the plus sign (+), and select the protocol from which to redistribute routes into OSPF.
6. Specify the name of a route policy to apply to the routes being redistributed. This name is one that you configured with a policy route-policy command.
7. Click Save.
Click Save (for a new template) or Update (for an existing template).

General CLI Configuration Procedure

To configure a route policy using the CLI:

Create lists of prefixes, as needed:
vEdge(config)# policy lists
vEdge(config-lists)# prefix-list list-name
vEdge(config-lists-list-name)# ip-prefix prefix/length
Create lists of BGP AS paths, and community and extended community attributes, as needed:
vEdge(config)# policy lists
vEdge(config-lists)# as-path-list list-name
vEdge(config-lists-list-name)# as-path path-list
vEdge(config)# policy lists
vEdge(config-lists)# community-list list-name
vEdge(config-lists-list-name)# community [aa:nn | internet | local-as | no-advertise | no-export]
vEdge(config-lists)# ext-community-list list-name
vEdge(config-lists-list-name)# community [rt (aa:nn | ip-address) | soo (aa:nn | ip-address)]

Create a route policy instance:
vEdge(config)# policy route-policy policy-name
vEdge(config-route-policy-policy-name)#
Create a series of match–action pair sequences:
vEdge(config-route-policy-policy-name)# sequence number
vEdge(config-sequence-number)#
The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the route matches the conditions in one of the pairs. Or if no match occurs, the default action is taken (either rejecting the route or accepting it as is).
Define match parameters for routes:
vEdge(config-sequence-number)# match match-parameter
Define actions to take when a match occurs:
vEdge(config-sequence-number)# action reject
vEdge(config-sequence-number)# action accept set parameter
Create additional numbered sequences of match–action pairs within the router policy, as needed.
If a route does not match any of the conditions in one of the sequences, it is rejected by default. To accept nonmatching routes, configure the default action for the policy:
vEdge(config-policy-name)# default-action accept
Apply the policy to a BGP address family, to all OSPF inbound routes, or when redistributing OSPF routes:
vEdge(config)# vpn vpn-id router bgp local-as-number neighbor address
vEdge(config-neighbor)# address-family ipv4-unicast
vEdge(config-address-family-ipv4-unicast)# route-policy policy-name (in | out)

vEdge(config)# vpn vpn-id router ospf
vEdge(config-ospf)# route-policy policy-name in

vEdge(config)# vpn vpn-id router ospf
vEdge(config-ospf)# redistribute (bgp | connected | nat | omp | static) route-policy policy-name

Structural Components of Policy Configuration for Localized Control Policy

Following are the structural components required to configure localized control policy. Each one is explained in more detail in the sections below.

policy
  lists
    as-path-list list-name
      as-path path-list
    community-list list-name
      community [aa:nn | internet | local-as | no-advertise | no-export]
    ext-community-list list-name
      community [rt (aa:nn | ip-address) | soo (aa:nn | ip-address)]
    prefix-list list-name
      ip-prefix prefix/length
  route-policy policy-name
    sequence number
      match
        match-parameters
      action
        reject
        accept
          set parameters
    default-action
      (accept | reject)
 vpn vpn-id router bgp local-as-number neighbor address
   address-family ipv4-unicast
     route-policy policy-name (in | out)
 vpn vpn-id router ospf
   route-policy policy-name in
   redistribute (bgp | connected | nat | omp | static) route-policy policy-name

Lists

Route policy uses the following types of lists to group related items. You configure lists under the policy lists command hierarchy on vEdge routers.

List Type	Description	Command
AS path list	List of one or more BGP AS paths.	as-path-list list-name as-path path-list
Community list	List of one or more BGP community attributes.	community-list list-name community [aa:nn \| internet \| local-as \| no-advertise \| no-export]
Extended community list	List of one or more BGP extended community attributes.	ext-community-list list-name community [rt (aa:nn \| ip-address) \| soo (aa:nn \| ip-address)]
Prefix list	List of one or more IP prefixes. Specify the IP prefixes as follows: • prefix/length—Exactly match a single prefix–length pair. • 0.0.0.0/0—Match any prefix–length pair. • 0.0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip-prefix 0.0.0.0/0 le 16 matches all IP prefixes with lengths from /1 through /16. • 0.0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix 0.0.0.0 ge 25 matches all IP prefixes with lengths from /25 through /32. • 0.0.0.0/0 ge length1 le length2, or 0.0.0.0 le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix 0.0.0.0/0 ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes. Also, ip-prefix 0.0.0.0/0 le 24 ge 20 matches the same prefixes. If length1 and length2 are the same, a single IP prefix length is matched. For example, ip-prefix 0.0.0.0/0 ge 24 le 24 matches only /24 prefixes.	prefix-list list-name ip-prefix prefix/length

Sequences

A localized control policy contains sequences of match–action pairs. The sequences are numbered to set the order in which a route is analyzed by the match–action pairs in the policy. You configure sequences with the route-policy sequence command.

Each sequence in a localized control policy can contain one match command and one action

Match Parameters

For route policy routes, you can configure these parameters under the match command:

Description	Command	Value or Range
IP prefix or prefixes from which the route was learned	address list-name	Name of an IP prefix list
BGP AS paths	as-path list-name	Name of an AS path list
BGP communities	community list-name	Name of a BGP community list
BGP extended communities	ext-community list-name	Name of a BGP extended community list
Route metric	metric number	0 through 4294967295
Next hop	next-hop list-name	Name of an IP prefix list
OMP tag for OSPF	omp-tag number	0 through 4294967295
BGP origin code	origin origin	egp (default), igp, incomplete
OSPF tag value	ospf-tag number	0 through 4294967295
Peer address	peer address	IP address

Action Parameters

When a route matches the conditions in the match portion of a route policy, the route can be accepted or rejected:

Description	Command	Value or Range
Accept the route. An accepted route is eligible to be modified by the additional parameters configured in the action portion of the policy configuration.	accept	—
Discard the packet.	reject	—

For a route that is accepted, the following actions can be configured:

Description	Parameter	Value or Range
Set the AS number in which a BGP route aggregator is located and the IP address of the route aggregator.	set aggregator as-number ip-address	0 through 65535
Set an AS number or a series of AS numbers to exclude from the AS path or to prepend to the AS path.	set as‑path (exclude \| prepend) as‑number	0 through 65535
Set the BGP atomic aggregate attribute.	set atomic-aggregate	—
Set the BGP community value.	set community value	[aa:nn \| internet \| local-as \| no-advertise \| no-export]
Set the BGP local preference.	set local-preference number	0 through 4294967295
Set the metric value.	set metric number	0 through 4294967295
Set the metric type.	set metric-type type	type1, type2
Set the next-hop address.	set next-hop ip-address	IP address
Set the OMP tag for OSPF to use.	set omp-tag number	0 through 4294967295
Set the BGP origin code.	set origin origin	egp, igp (default), incomplete
Set the IP address from which the route was learned.	set originator ip-address	IP address
Set the OSPF tag value.	set ospf-tag number	0 through 4294967295
Set the BGP weight.	set weight number	0 through 4294967295

To display the OMP and OSPF tag values associated with a route, use the show ip routes detail command.

Defining the Default Action

If a route being evaluated does not match any of the match conditions in a control policy, a default action is applied to this route. By default, the route is rejected. To modify this behavior, include the default-action accept command in the control policy.

Applying Route Policy for BGP

For a route policy to take effect for BGP, you must apply it to an address family. Currently, the Viptela software supports only the IPv4 address family, so you apply route policy with this command:

vEdge(config)# vpn vpn-id router bgp local-as-number neighbor address address-family ipv4-unicast route-policy policy-name (in | out)

Applying the policy in the inbound direction (in) affects routes being received by BGP. Applying the policy in the outbound direction (out) affects routes being advertised by BGP.

Applying Route Policy for OSPF

For a route policy to take effect for OSPF, you can apply it to all inbound traffic:

vEdge(config)# vpn vpn-id router ospf route-policy policy-name in

You can also apply the policy when redistributing routes into OSPF:

vEdge(config)# vpn vpn-id router ospf redistribute (bgp | connected | nat | omp | static) route-policy policy-name

Additional Information

Localized Control Policy