!
! template: bgpd/templates/general/policies.conf.j2
!
!
! Exact-match prefix-lists for the default route: there is no "le"/"ge"
! qualifier, so only 0.0.0.0/0 (resp. ::/0) matches, never a more-specific
! prefix. Used by FROM_BGP_PEER_V4/V6 seq 12 below.
ip prefix-list DEFAULT_IPV4 permit 0.0.0.0/0
ipv6 prefix-list DEFAULT_IPV6 permit ::/0
!
{% if constants.bgp.allow_list is defined and constants.bgp.allow_list.enabled is defined and constants.bgp.allow_list.enabled and constants.bgp.allow_list.drop_community is defined %}
!
!
! Please don't remove. Sequence 65535 is the catch-all entry of each
! ALLOW_LIST_DEPLOYMENT_ID_0_* route-map: it is the rule in effect when
! allow_list is enabled but no allow-list configuration has been applied
! yet (presumably the actual allow-list entries are installed at lower
! sequence numbers by another component — they are not part of this
! template; confirm).
!
! Both branches below are "permit": a route that is not on the allow list
! is still accepted here and only marked with a community — no-export when
! the default action is deny, drop_community otherwise. Whether such a
! route is later advertised or dropped depends on what acts on that
! community, not on this entry.
!
{% if allow_list_default_action == 'deny' %}
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V4 permit 65535
set community no-export additive
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V6 permit 65535
set community no-export additive
{% else %}
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V4 permit 65535
set community {{ constants.bgp.allow_list.drop_community }} additive
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V6 permit 65535
set community {{ constants.bgp.allow_list.drop_community }} additive
{% endif %}
!
! Community-list used by FROM_BGP_PEER_V4/V6 seq 11 to recognise routes
! marked by either catch-all entry above (it permits both values, so it
! works regardless of which branch was rendered).
bgp community-list standard allow_list_default_community permit no-export
bgp community-list standard allow_list_default_community permit {{ constants.bgp.allow_list.drop_community }}
!
! Inbound IPv4 policy. Seq 10 runs the allow-list route-map on every route
! and then continues to seq 11 (on-match next).
route-map FROM_BGP_PEER_V4 permit 10
call ALLOW_LIST_DEPLOYMENT_ID_0_V4
on-match next
!
! Seq 11 matches routes carrying an allow-list default community. Except
! on a SpineRouter/UpstreamLC this entry is terminal, i.e. such routes are
! permitted as-is.
route-map FROM_BGP_PEER_V4 permit 11
match community allow_list_default_community
{% if CONFIG_DB__DEVICE_METADATA and 'localhost' in CONFIG_DB__DEVICE_METADATA and 'type' in CONFIG_DB__DEVICE_METADATA['localhost'] and 'subtype' in CONFIG_DB__DEVICE_METADATA['localhost'] %}
{% if CONFIG_DB__DEVICE_METADATA['localhost']['type'] == 'SpineRouter' and CONFIG_DB__DEVICE_METADATA['localhost']['subtype'] == 'UpstreamLC' %}
{# SpineRouter/UpstreamLC only: keep evaluating. Seq 12 permits the default
   route unchanged (terminal); seq 13 has no match clause, so every other
   route is tagged and marked with the internal fallback community.
   NOTE(review): seq 12/13 are ordinary sequences, so routes that did NOT
   match seq 11 fall through to them as well — on this device type every
   non-default route reaches seq 13 regardless of community. Confirm this
   is intended. #}
on-match next
!
route-map FROM_BGP_PEER_V4 permit 12
match ip address prefix-list DEFAULT_IPV4
!
route-map FROM_BGP_PEER_V4 permit 13
{# switch_type is read without the presence check applied to type/subtype
   above. With a missing key the comparison takes the first branch under
   Jinja's default Undefined and raises under StrictUndefined —
   TODO confirm switch_type is always populated in DEVICE_METADATA. #}
{% if CONFIG_DB__DEVICE_METADATA['localhost']['switch_type'] != 'chassis-packet' %}
set tag {{ constants.bgp.route_do_not_send_appdb_tag }}
{% else %}
set tag {{ constants.bgp.route_eligible_for_fallback_to_default_tag }}
{% endif %}
set community {{ constants.bgp.internal_fallback_community }} additive
{% endif %}
{% endif %}
!
! Inbound IPv6 policy, mirror of the IPv4 chain. Seq 10 runs the allow-list
! route-map on every route and then continues to seq 11 (on-match next).
route-map FROM_BGP_PEER_V6 permit 10
call ALLOW_LIST_DEPLOYMENT_ID_0_V6
on-match next
!
! Seq 11 matches routes carrying an allow-list default community. Except
! on a SpineRouter/UpstreamLC this entry is terminal, i.e. such routes are
! permitted as-is.
route-map FROM_BGP_PEER_V6 permit 11
match community allow_list_default_community
{% if CONFIG_DB__DEVICE_METADATA and 'localhost' in CONFIG_DB__DEVICE_METADATA and 'type' in CONFIG_DB__DEVICE_METADATA['localhost'] and 'subtype' in CONFIG_DB__DEVICE_METADATA['localhost'] %}
{% if CONFIG_DB__DEVICE_METADATA['localhost']['type'] == 'SpineRouter' and CONFIG_DB__DEVICE_METADATA['localhost']['subtype'] == 'UpstreamLC' %}
{# SpineRouter/UpstreamLC only: keep evaluating. Seq 12 permits the default
   route unchanged (terminal); seq 13 has no match clause, so every other
   route is tagged and marked with the internal fallback community.
   NOTE(review): seq 12/13 are ordinary sequences, so routes that did NOT
   match seq 11 fall through to them as well — on this device type every
   non-default route reaches seq 13 regardless of community. Confirm this
   is intended. #}
on-match next
!
route-map FROM_BGP_PEER_V6 permit 12
match ipv6 address prefix-list DEFAULT_IPV6
!
route-map FROM_BGP_PEER_V6 permit 13
{# switch_type is read without the presence check applied to type/subtype
   above. With a missing key the comparison takes the first branch under
   Jinja's default Undefined and raises under StrictUndefined —
   TODO confirm switch_type is always populated in DEVICE_METADATA. #}
{% if CONFIG_DB__DEVICE_METADATA['localhost']['switch_type'] != 'chassis-packet' %}
set tag {{ constants.bgp.route_do_not_send_appdb_tag }}
{% else %}
set tag {{ constants.bgp.route_eligible_for_fallback_to_default_tag }}
{% endif %}
set community {{ constants.bgp.internal_fallback_community }} additive
{% endif %}
{% endif %}
!
{% endif %}
!
!
!
! Catch-all inbound entries: any route not already handled by a lower
! sequence is accepted unchanged. Nothing in this file filters inbound
! prefixes or AS-paths; when the allow_list block above is disabled, any
! inbound filtering has to be supplied elsewhere.
route-map FROM_BGP_PEER_V4 permit 100
!
! Outbound: every IPv4 route is run through CHECK_IDF_ISOLATION (below).
route-map TO_BGP_PEER_V4 permit 100
call CHECK_IDF_ISOLATION
!
!
! Seq 1 has no match clause, so it applies to every inbound IPv6 route:
! prefer the global next-hop over the link-local one, then keep going.
route-map FROM_BGP_PEER_V6 permit 1
on-match next
set ipv6 next-hop prefer-global
!
route-map FROM_BGP_PEER_V6 permit 100
!
! Outbound: every IPv6 route is run through CHECK_IDF_ISOLATION (below).
route-map TO_BGP_PEER_V6 permit 100
call CHECK_IDF_ISOLATION
!
! As written here CHECK_IDF_ISOLATION is a single match-all permit, i.e. a
! no-op placeholder; presumably the IDF-isolation feature rewrites it at
! runtime — confirm before relying on it.
route-map CHECK_IDF_ISOLATION permit 10
!
!
{% if CONFIG_DB__DEVICE_METADATA and 'localhost' in CONFIG_DB__DEVICE_METADATA and 'type' in CONFIG_DB__DEVICE_METADATA['localhost'] and 'subtype' in CONFIG_DB__DEVICE_METADATA['localhost'] %}
{% if CONFIG_DB__DEVICE_METADATA['localhost']['type'] == 'SpineRouter' and CONFIG_DB__DEVICE_METADATA['localhost']['subtype'] == 'UpstreamLC' %}
! SpineRouter/UpstreamLC only: community-lists for the anchor-route scheme.
! All values come from constants.bgp.
bgp community-list standard ANCHOR_ROUTE_COMMUNITY permit {{ constants.bgp.anchor_route_community }}
bgp community-list standard LOCAL_ANCHOR_ROUTE_COMMUNITY permit {{ constants.bgp.local_anchor_route_community }}
bgp community-list standard ANCHOR_CONTRIBUTING_ROUTE_COMMUNITY permit {{ constants.bgp.anchor_contributing_route_community }}
!
! Deny routes carrying the local-anchor community, permit everything else.
! Where these route-maps are attached is not visible in this file
! (the name suggests route download into the FIB — confirm).
route-map SELECTIVE_ROUTE_DOWNLOAD_V4 deny 10
match community LOCAL_ANCHOR_ROUTE_COMMUNITY
!
route-map SELECTIVE_ROUTE_DOWNLOAD_V4 permit 1000
!
route-map SELECTIVE_ROUTE_DOWNLOAD_V6 deny 10
match community LOCAL_ANCHOR_ROUTE_COMMUNITY
!
route-map SELECTIVE_ROUTE_DOWNLOAD_V6 permit 1000
!
! Match-all: stamps both anchor communities on whatever it is applied to
! (the point of application is outside this file).
route-map TAG_ANCHOR_COMMUNITY permit 10
set community {{ constants.bgp.local_anchor_route_community }} {{ constants.bgp.anchor_route_community }} additive
!
! Outbound IPv6: routes in the ipv6 prefix-list ANCHOR_CONTRIBUTING_ROUTES
! (defined outside this template) are marked anchor-contributing and
! continue to seq 40. In FRR an undefined prefix-list is a no-match, so if
! the list is missing at load time the marking silently does not happen.
route-map TO_BGP_PEER_V6 permit 30
match ipv6 address prefix-list ANCHOR_CONTRIBUTING_ROUTES
set community {{ constants.bgp.anchor_contributing_route_community }} additive
on-match next
!
! Match-all, terminal: strips the local-anchor community from every
! advertised IPv6 route. NOTE(review): because this entry matches
! everything and has no "on-match next", seq 100 (call CHECK_IDF_ISOLATION)
! is never reached on this device type. Confirm that skipping the
! IDF-isolation check here is intended; otherwise add "on-match next".
route-map TO_BGP_PEER_V6 permit 40
set comm-list LOCAL_ANCHOR_ROUTE_COMMUNITY delete
!
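! Outbound IPv4, counterpart of TO_BGP_PEER_V6 seq 30/40: routes in the
! ip prefix-list ANCHOR_CONTRIBUTING_ROUTES (defined outside this template)
! are marked anchor-contributing and continue to seq 40.
! This entry must use an IPv4 ("ip address") match: an "ipv6 address"
! match can never match an IPv4 route, so with it no IPv4 route would ever
! be marked. FRR keeps ip and ipv6 prefix-lists in separate namespaces, so
! an "ip prefix-list ANCHOR_CONTRIBUTING_ROUTES" has to exist for this
! entry to match (an undefined prefix-list is a no-match).
route-map TO_BGP_PEER_V4 permit 30
match ip address prefix-list ANCHOR_CONTRIBUTING_ROUTES
set community {{ constants.bgp.anchor_contributing_route_community }} additive
on-match next
!
! Match-all, terminal: strips the local-anchor community from every
! advertised IPv4 route. NOTE(review): because this entry matches
! everything and has no "on-match next", seq 100 (call CHECK_IDF_ISOLATION)
! is never reached on this device type. Confirm that skipping the
! IDF-isolation check here is intended; otherwise add "on-match next".
route-map TO_BGP_PEER_V4 permit 40
set comm-list LOCAL_ANCHOR_ROUTE_COMMUNITY delete
!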
{% endif %}
{% endif %}
! end of template: bgpd/templates/general/policies.conf.j2
!