Configuring a Tunnel Selector
A tunnel selector comprises if-match and apply clauses. The if-match clause defines route filtering rules, whereas the apply clause applies a tunnel policy to routes matching the preceding rules.
Context
A tunnel selector allows routes to recurse to proper tunnels as expected.
Perform the following steps on the PE or ASBR where a tunnel policy needs to be applied.
Procedure
- Run system-view
The system view is displayed.
- Run tunnel-selector tunnel-selector-name { permit | deny } node node
- (Optional) Configure the if-match clause.
Run the following commands as needed to configure one or more route filtering rules for the current tunnel selector node. If you skip this step, all VPNv4, VPNv6, and labeled BGP-IPv4 routes are permitted.
- To match the IPv4 next hops of routes, run the if-match ip next-hop { acl { acl-number | acl-name } | ip-prefix ip-prefix-name } command.
The acl { acl-number | acl-name } parameter can be used only if either or both of the following steps have been performed:- Configure a basic ACL rule.
- Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | vpn-instance vpn-instance-name ] *
A basic ACL rule is configured.
- Run acl { name basic-acl-name { basic | [ basic ] number basic-acl-number } | [ number ] basic-acl-number } [ match-order { config | auto } ]
- Configure an advanced ACL rule.
Run acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ]
The ACL view is displayed.
Run rule [ rule-id ] [ name rule-name ] { deny | permit } ip [ destination { destination-ip-address { destination-wildcard | 0 } | any } | source { source-ip-address { source-wildcard | 0 } | any } | time-range time-name] *
An advanced ACL rule is configured.
The rules for using the permit and deny keywords are as follows:If the action specified in an ACL rule is permit, a route that has matched this rule is considered to have passed the check by the if-match clause.
If the action specified in an ACL rule is deny, a route that has matched this rule is considered to have failed the check by the if-match clause.
If a route has not matched any ACL rules, the route is considered to have failed the check by the if-match clause.
If an ACL does not contain any rules, all routes are considered to have failed the check by the if-match clause.
In a tunnel-selector where the first node is a permit node, if a route has passed the check by the if-match clause, the system will take the action specified in the apply clause on this route. If the route has not passed the check by the if-match clause, the system will take the action specified in the apply clause in the next node in the tunnel-selector.
In a tunnel-selector where the first node is a deny node, if a route has passed the check by the if-match clause, the system will not take the action specified in the apply clause on this route. If the route has not passed the check by the if-match clause, the system will take the action specified in the apply clause in the next node in the tunnel-selector.
- Configure a basic ACL rule.
- To match the IPv4 next hops of routes, run the if-match ip next-hop { acl { acl-number | acl-name } | ip-prefix ip-prefix-name } command.
- Run apply tunnel-policy tunnel-policy-name
A tunnel policy is applied to the routes.
- (Optional) Run the apply segment-routing ipv6 best-effort command to enable the function to recurse routes based on their SID attributes.
- Run commit
The configuration is committed.