Understanding Policy Expressions
Policy expressions give the policy framework software a different way to evaluate routing policies. A policy expression uses Boolean logical operators with policies. The logical operators establish rules by which the policies are evaluated.
During evaluation of a routing policy in a policy expression, the policy action of accept, reject, or next policy is converted to the value of TRUE or FALSE. This value is then evaluated against the specified logical operator to produce output of either TRUE or FALSE. The output is then converted back to a flow control action of accept, reject, or next policy. The result of the policy expression is applied as it would be applied to a single policy; the route is accepted or rejected and the evaluation ends, or the next policy is evaluated.
Table 1 summarizes the policy actions and their corresponding TRUE and FALSE values and flow control action values. Table 2 describes the logical operators. For complete information about policy expression evaluation, see Policy Expression Evaluation.
You must enclose a policy expression in parentheses. You can
place a policy expression anywhere in the import or export statements and in the from policy statement.
Policy Action |
Conversion Value |
Flow Control Action Conversion Value |
|---|---|---|
Accept |
TRUE |
Accept |
Reject |
FALSE |
Reject |
Next policy |
TRUE |
Next policy |
Logical Operator |
Policy Expression Logic |
How Logical Operator Affects Policy Expression Evaluation |
|---|---|---|
&& (Logical AND) |
Logical AND requires that all values must be TRUE to produce output of TRUE. Routing policy value of TRUE and TRUE produces output of TRUE. Value of TRUE and FALSE produces output of FALSE. Value of FALSE and FALSE produces output of FALSE. |
If the first routing policy returns the value of TRUE, the next policy is evaluated. If the first policy returns the value of FALSE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated. |
|| (Logical OR) |
Logical OR requires that at least one value must be TRUE to produce output of TRUE. Routing policy value of TRUE and FALSE produces output of TRUE. Value of TRUE and TRUE produces output of TRUE. Value of FALSE and FALSE produces output of FALSE. |
If the first routing policy returns the value of TRUE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated. If the first policy returns the value of FALSE, the next policy is evaluated. |
! (Logical NOT) |
Logical NOT reverses value of TRUE to FALSE and of FALSE to TRUE. It also reverses the actions of accept and next policy to reject, and reject to accept. |
If used with the logical AND operator and the first routing policy value of FALSE is reversed to TRUE, the next policy is evaluated. If the value of TRUE is reversed to FALSE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated. If used with the logical OR operator and the first routing policy value of FALSE is reversed to TRUE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated. If the value of TRUE is reversed to FALSE, the next policy is evaluated. If used with a policy and the flow control action is accept or next policy, these actions are reversed to reject. If the flow control action is reject, this action is reversed to accept. |
For more information, see the following sections:
Policy Expression Examples
The following examples show how to use the logical operators to create policy expressions:
Logical AND—In the following example,
policy1is evaluated first. If afterpolicy1is evaluated, a value of TRUE is returned,policy2is evaluated. If a value of FALSE is returned,policy2is not evaluated.export (policy1 && policy2)
Logical OR—In the following example,
policy1is evaluated first. If afterpolicy1is evaluated, a value of TRUE is returned,policy2is not evaluated. If a value of FALSE is returned,policy2is evaluated.export (policy1 || policy2)
Logical OR and logical AND—In the following example,
policy1is evaluated first. If afterpolicy1is evaluated, a value of TRUE is returned,policy2is skipped andpolicy3is evaluated. If afterpolicy1is evaluated, a value of FALSE is returned,policy2is evaluated. Ifpolicy2returns a value of TRUE,policy3is evaluated. Ifpolicy2returns a value of FALSE,policy3is not evaluated.export [(policy1 || policy2) && policy3]
Logical NOT—In the following example,
policy1is evaluated first. If afterpolicy1is evaluated, a value of TRUE is returned, the value is reversed to FALSE andpolicy2is not evaluated. If a value of FALSE is returned, the value is reversed to TRUE andpolicy2is evaluated.export (!policy1 && policy2)
The sequential list [policy1 policy2 policy3] is
not the same as the policy expression (policy1 && policy2
&& policy3).
The sequential list is evaluated on the basis of a route matching
a routing policy. For example, if policy1 matches and the
action is accept or reject, policy2 and policy3 are not evaluated. If policy1 does
not match, policy2 is evaluated and so on until a match
occurs and the action is accept or reject.
The policy expressions are evaluated on the basis of the action
in a routing policy that is converted to the value of TRUE or FALSE
and the logic of the specified logical operator. (For complete information
about policy expression evaluation, see Policy Expression Evaluation.) For example, if policy1 returns a value of FALSE, policy2 and policy3 are not evaluated. If policy1 returns a value of TRUE, policy2 is evaluated. If policy2 returns a value of FALSE, policy3 is not
evaluated. If policy2 returns a value of TRUE, policy3 is evaluated.
You can also combine policy expressions and sequential lists.
In the following example, if policy1 returns a value of
FALSE, policy2 is evaluated. If policy2 returns
a value of TRUE and contains a next policy action, policy3 is evaluated. If policy2 returns a value
of TRUE but does not contain an action, including a next policy action, policy3 is still evaluated (because if you do
not specify an action, next term or next policy are the default actions).
If policy2 returns a value of TRUE and contains an accept action, policy3 is not evaluated.
export [(policy1 || policy2) policy3]
Policy Expression Evaluation
During evaluation, the policy framework software converts policy actions to values of TRUE or FALSE, which are factors in determining the flow control action that is performed upon a route. However, the software does not actually perform a flow control action on a route until it evaluates an entire policy expression.
The policy framework software evaluates a policy expression as follows:
The software evaluates a route against the first routing policy in a policy expression and converts the specified or default action to a value of TRUE or FALSE. (For information about the policy action conversion values, see Table 1.)
The software takes the value of TRUE or FALSE and evaluates it against the logical operator used in the policy expression (see Table 2). Based upon the logical operator used, the software determines whether or not to evaluate the next policy, if one is present.
The policy framework software uses a shortcut method of evaluation: if the result of evaluating a policy predetermines the value of the entire policy expression, the software does not evaluate the subsequent policies in the expression. For example, if the policy expression uses the logical AND operator and the evaluation of a policy returns the value of FALSE, the software does not evaluate subsequent policies in the expression because the final value of the expression is guaranteed to be FALSE no matter what the values of the unevaluated policies.
The software performs Step 1 and Step 2 for each subsequent routing policy in the policy expression, if they are present and it is necessary to evaluate them.
After evaluating the last routing policy, if it is appropriate, the software evaluates the value of TRUE or FALSE obtained from each routing policy evaluation. Based upon the logical operator used, it calculates an output of TRUE or FALSE.
The software converts the output of TRUE or FALSE back to an action. (For information about the policy action conversion values, see Table 1.) The action is performed.
If each policy in the expression returned a value of TRUE, the software converts the output of TRUE back to the flow control action specified in the last policy. For example, if the policy expression
(policy1 && policy2)is specified andpolicy1specifiesacceptandpolicy2specifiesnext term, thenext termaction is performed.If an action specified in one of the policies manipulates a route characteristic, the policy framework software carries the new route characteristic forward during the evaluation of the remaining policies. For example, if the action specified in the first policy of a policy expression sets a route’s metric to 500, this route matches the criteria of
metric 500defined in the next policy. However, if a route characteristic manipulation action is specified in a policy located in the middle or the end of a policy expression, it is possible, because of the shortcut evaluation, that the policy is never evaluated and the manipulation of the route characteristic never occurs.
Evaluating Policy Expressions
The following sample routing policy uses three policy expressions:
[edit]
policy-options {
policy-statement policy-A {
from {
route-filter 10.10.0.0/16 orlonger;
}
then reject;
}
}
policy-options {
policy-statement policy-B {
from {
route-filter 10.20.0.0/16 orlonger;
}
then accept;
}
}
protocols {
bgp {
neighbor 192.168.1.1 {
export (policy-A && policy-B);
}
neighbor 192.168.2.1 {
export (policy-A || policy-B);
}
neighbor 192.168.3.1 {
export (!policy-A);
}
}
}
The policy framework software evaluates the transit BGP route 10.10.1.0/24 against the three policy expressions specified in the sample routing policy as follows:
(policy-A && policy-B)—10.10.1.0/24 is evaluated against
policy-A. 10.10.1.0/24 matches the route list specified inpolicy-A, so the specified action ofrejectis returned.rejectis converted to a value of FALSE, and FALSE is evaluated against the specified logical AND. Because the result of FALSE is certain no matter what the results of the evaluation ofpolicy-Bare (in policy expression logic, any result AND a value of FALSE produces the output of FALSE),policy-Bis not evaluated and the output of FALSE is produced. The FALSE output is converted toreject, and 10.10.1.0/24 is rejected.(policy-A || policy-B)—10.10.1.0/24 is evaluated against
policy-A. 10.10.1.0/24 matches the route list specified inpolicy-A, so the specified action ofrejectis returned.rejectis converted to a value of FALSE, then FALSE is evaluated against the specified logical OR. Because logical OR requires at least one value of TRUE to produce an output of TRUE, 10.10.1.0/24 is evaluated againstpolicy-B. 10.10.1.0/24 does not matchpolicy-B, so the default action ofnext-policyis returned. Thenext-policyis converted to a value of TRUE, then the value of FALSE (forpolicy-Aevaluation) and TRUE (forpolicy-Bevaluation) are evaluated against the specified logical OR. In policy expression logic, FALSE OR TRUE produce an output of TRUE. The output of TRUE is converted tonext-policy. (TRUE is converted tonext-policybecausenext-policywas the last action retained by the policy framework software.)policy-Bis the last routing policy in the policy expression, so the action specified by the default export policy for BGP is taken.(!policy-A)—10.10.1.0/24 is evaluated against
policy-A. 10.10.1.0/24 matches the route list specified inpolicy-A, so the specified action ofrejectis returned.rejectis converted to a value of FALSE, and FALSE is evaluated against the specified logical NOT. The value of FALSE is reversed to an output of TRUE based on the rules of logical NOT. The output of TRUE is converted toaccept, and route 10.10.1.0/24 is accepted.