Route-Policy Implementation and Applications

Components

A route-policy is a complex filter that matches routes on their attributes and changes those attributes when the matching conditions are met.

As shown in Figure 1, a route-policy consists of node IDs, a matching mode, if-match clauses (condition statements), and apply clauses (action statements).

Figure 1 Components of a route-policy

  • Node ID

    A route-policy can contain multiple nodes. Routes are matched against the nodes of a route-policy according to the following rules:

    • Sequential match: The system checks routing entries against nodes in ascending order of node ID. Therefore, you need to specify node IDs in the required sequence.
    • Unique match: The relationship between all nodes in a route-policy is "OR". This means that if a route matches one node in a route-policy, the route matches this route-policy and does not need to match the other nodes in this route-policy.
  • Matching mode

    Two node matching modes are available: permit and deny.

    • permit: If a route matches a node, the actions defined by the apply clauses of this node are performed on this route, and the system does not match this route against the next node. If a route does not match a node, the system matches this route against the next node.
    • deny: If a route matches all the if-match clauses of a node, this route is denied by this node, the system does not match this route against the next node, and the actions defined by the apply clauses of this node will not be performed on this route. If a route does not match the if-match clauses of a node, the system matches this route against the next node.

    A node in permit mode that contains no if-match or apply clauses is often placed after multiple deny nodes to allow all other routes to pass through.

  • if-match clause (condition statement)

    if-match clauses define matching conditions. Each node in a route-policy can contain multiple or no if-match clauses. If a permit node does not contain any if-match clause, this node matches all routes.

  • apply clause (action statement)

    apply clauses define actions. When routes are filtered against a route-policy, the system sets attributes for the routes according to the actions defined by apply clauses. Each node in a route-policy can contain multiple or no apply clauses. If you only need to filter routes but do not need to set attributes for routes, apply clauses do not need to be used.

Matching Rules

The matching rules of each node in a route-policy depend on the following factors:

  • Matching mode of the node in the route-policy: permit or deny
  • Matching conditions (permit or deny) defined by if-match clauses (for example, IP prefix list or ACL) of the node

The following table describes possible matching results for each node.

Table 1 Matching rules of a route-policy

| Rule (Matching Rule Contained in if-match Clauses) | Mode (Matching Mode of a Node) | Matching Result |
|---|---|---|
| permit | permit | Routes that match the if-match clauses of this node are permitted by this route-policy, and the matching ends. The system matches the routes that do not match the if-match clauses of this node against the next node of this route-policy. |
| permit | deny | Routes that match the if-match clauses of this node are denied by this route-policy, and the matching ends. The system matches the routes that do not match the if-match clauses of this node against the next node of this route-policy. |
| deny | permit | Routes that match the if-match clauses of this node are denied by this route-policy, and the system matches these routes against the next node of this route-policy. The system matches the routes that do not match the if-match clauses of this node against the next node of this route-policy. |
| deny | deny | Routes that match the if-match clauses of this node are denied by this route-policy, and the system matches these routes against the next node of this route-policy. The system matches the routes that do not match the if-match clauses of this node against the next node of this route-policy. |

On the switch, all unmatched routes are denied by the route-policy by default. If more than one node is defined in a route-policy, at least one node must be in permit mode. The reason is as follows:
  • If a route fails to match any node, the route is denied by the route-policy.
  • If all the nodes in the route-policy are set in deny mode, all the routes to be filtered are denied by the route-policy.

Among the preceding four combinations, the first two combinations are easy to understand and commonly used. The last two combinations are a little difficult to understand, and the following example describes the third combination for your reference.

Assume that the matching condition defined by the if-match clauses of a node is deny and the matching mode of this node is permit. The configuration is as follows:

#
acl number 2001
 rule 5 deny source 172.16.16.0 0    //Deny 172.16.16.0
#
acl number 2002
 rule 5 permit source 172.16.16.0 0  //Permit 172.16.16.0
#
route-policy RP permit node 10       //In this node, the route 172.16.16.0 is denied and the system matches it against the next node.
 if-match acl 2001
#
route-policy RP permit node 20       //In this node, the route 172.16.16.0 is permitted.
 if-match acl 2002
#

The route 172.16.16.0 is denied by node 10, and the system matches this route against the next node 20. This route is permitted by node 20 and so is permitted by this route-policy.
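
The matching rules above, modelled in Python as an added example (not Huawei's code and not part of the original page). It evaluates the RP configuration shown above plus a constructed policy, RP_CLEANUP, with a deny node followed by an empty permit node. The function names, RP_CLEANUP and the route 10.1.1.0 are constructed; apply clauses are not modelled, and a route that hits no ACL rule is assumed to fail the if-match.

```python
import ipaddress

def acl_result(rules, route):
    """Return the action of the first ACL rule matching route, or None."""
    addr = int(ipaddress.ip_address(route))
    for action, source, wildcard in rules:
        # Wildcard bits set to 1 are ignored; 0.0.0.0 means exact match.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(source)) & care):
            return action
    return None  # assumption: no rule hit means the if-match fails

def evaluate(policy, acls, route):
    """Return (verdict, node_id); node_id is None for the default deny."""
    for node_id in sorted(policy):            # sequential match, ascending ID
        mode, acl_ids = policy[node_id]
        # A node matches only if every if-match ACL permits the route;
        # a node with no if-match clause matches all routes.
        if all(acl_result(acls[a], route) == "permit" for a in acl_ids):
            return mode, node_id              # unique match: stop here
    return "deny", None                       # unmatched routes are denied

# ACLs and route-policy RP from the configuration above
# ("source 172.16.16.0 0" written with the wildcard in full).
ACLS = {
    2001: [("deny", "172.16.16.0", "0.0.0.0")],
    2002: [("permit", "172.16.16.0", "0.0.0.0")],
}
RP = {10: ("permit", [2001]), 20: ("permit", [2002])}
# Constructed policy: a deny node followed by an empty permit node.
RP_CLEANUP = {10: ("deny", [2002]), 20: ("permit", [])}

if __name__ == "__main__":
    for name, policy in (("RP", RP), ("RP_CLEANUP", RP_CLEANUP)):
        for route in ("172.16.16.0", "10.1.1.0"):  # 10.1.1.0 is constructed
            print(name, route, evaluate(policy, ACLS, route))
```

Under RP, any route other than 172.16.16.0 falls through both nodes and is dropped by the default deny, which is the case to check for when a policy filters more routes than intended.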


Copyright © Huawei Technologies Co., Ltd.