Routing Policy
Get started with the openconfig-routing-policy model using the PAN-OS OpenConfig plugin. Learn about routing policy behaviors and how to manage routing policies.
Review the deviation file before using the
openconfig-routing-policy model to familiarize yourself with supported paths.
Because the openconfig-routing-policy model has no implicit router, PAN-OS
uses a unique naming convention to enable the routing policies to apply to the correct
virtual router.
When using the openconfig-routing-policy model with PAN-OS:
- To avoid conflicts, only use unique redistribution profiles for each routing policy.
- Avoid having unused redistribution profiles.
- Defined-sets only belong to redistribution profiles.
- Policy definitions map to the routing protocols in exports.
- Actions in the statements/actions/ospf container affect the OSPF export action link, not the redistribution profile.
- Conditional advertisements are not supported.
- Rule names cannot be a CIDR block or an IP address.
- In conditions, only 1 interface can be added per OSPF area per statement.
- Statements and policy definitions refer to the same object, so a delete can only happen at the policy-definition level.
Not every naming element in the naming convention is required for a successful
configuration.
The following are the general steps to configure a routing policy with OpenConfig:
- Define defined-sets, which include neighbor-sets (host IPs) and prefix-sets (network CIDRs).
- Define policy-definitions that include statements with conditions referencing the defined-sets, interfaces, and policy actions.
- (Optional) Within the network-instances container of the routing policy, define the three connection elements (source protocol, destination protocol, and IP version) that use the policy-definition defined in step 2.
Supported Tags
The following is the list of protocol tags available with v1.1's
openconfig-routing-policy model.
- ospf
- bgp
- bgpimporttag
- bgpexporttag
OpenConfig Defined Sets
Under the openconfig-routing-policy/defined-sets container the following naming
schema directs the container to the appropriate router:
Virtual Router Name + Protocol Tag + Object Name
The following code block shows an example of the naming convention applied to
defined sets.
{
  "routing-policy": {
    "defined-sets": {
      "neighbor-sets": {
        "neighbor-set": [
          {
            "config": {
              "address": [ "192.168.11.2" ],
              "name": "cgd+redis+redis-fr-connect"
            },
            "name": "cgd+redis+redis-fr-connect"
          }
        ]
      },
      "prefix-sets": {
        "prefix-set": [
          {
            "config": {
              "mode": "IPV4",
              "name": "cgd+redis+redis-fr-connect"
            },
            "name": "cgd+redis+redis-fr-connect",
            "prefixes": {
              "prefix": [
                {
                  "config": {
                    "ip-prefix": "2.2.2.2/32",
                    "masklength-range": "exact"
                  },
                  "ip-prefix": "2.2.2.2/32",
                  "masklength-range": "exact"
                }
              ]
            }
          }
        ]
      }
    }
  }
}
OpenConfig Policy Definitions
Under the openconfig-routing-policy/policy-definitions container the following naming
schema applies to direct the container to the appropriate protocol:
Virtual Router Name + Protocol Tag + Object Name
The policy statements within a policy-definition are identified by the Object Name.
The following code block shows an example of defining policies using the naming
convention and the previously defined neighbor and prefix sets.
{
  "routing-policy": {
    "policy-definitions": {
      "policy-definition": [
        {
          "config": { "name": "cgd+bgp+redis-fr-connect" },
          "name": "cgd+bgp+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "config": { "policy-result": "ACCEPT_ROUTE" },
                  "bgp-actions": {
                    "config": {
                      "set-local-pref": 4000,
                      "set-med": 321,
                      "set-route-origin": "INCOMPLETE"
                    },
                    "set-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "4000:1234" ] } }
                    },
                    "set-ext-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "target:4000:1234" ] } }
                    }
                  }
                },
                "conditions": {
                  "match-interface": { "config": { "interface": "ethernet1/1" } },
                  "match-neighbor-set": { "config": { "neighbor-set": "cgd+redis+redis-fr-connect" } },
                  "match-prefix-set": { "config": { "prefix-set": "cgd+redis+redis-fr-connect" } }
                },
                "config": { "name": "redis-fr-connect" },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}
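A practical way to catch naming and reference mistakes before pushing a routing-policy.json to the firewall is to lint it against the rules this page lists: the Virtual Router + Protocol Tag + Object Name convention for defined-sets and policy-definitions, no IP/CIDR rule names, every match-neighbor-set and match-prefix-set pointing at a set that exists, and no unused defined-sets. The script below is an added example, not part of the PAN-OS plugin or the OpenConfig project; the embedded SAMPLE_POLICY is a constructed, trimmed copy of the page's BGP example, and the virtual-router consistency check (a referenced set should name the same virtual router as the policy that uses it) is an inference from the naming scheme, not a rule stated on the page.

```python
import copy
import ipaddress

# Constructed sample: the page's BGP redistribution example, trimmed to the
# parts the checks below inspect.
SAMPLE_POLICY = {
    "routing-policy": {
        "defined-sets": {
            "neighbor-sets": {"neighbor-set": [
                {"name": "cgd+redis+redis-fr-connect",
                 "config": {"name": "cgd+redis+redis-fr-connect",
                            "address": ["192.168.11.2"]}}]},
            "prefix-sets": {"prefix-set": [
                {"name": "cgd+redis+redis-fr-connect",
                 "config": {"name": "cgd+redis+redis-fr-connect", "mode": "IPV4"},
                 "prefixes": {"prefix": [
                     {"ip-prefix": "2.2.2.2/32", "masklength-range": "exact",
                      "config": {"ip-prefix": "2.2.2.2/32",
                                 "masklength-range": "exact"}}]}}]},
        },
        "policy-definitions": {"policy-definition": [
            {"name": "cgd+bgp+redis-fr-connect",
             "config": {"name": "cgd+bgp+redis-fr-connect"},
             "statements": {"statement": [
                 {"name": "redis-fr-connect",
                  "config": {"name": "redis-fr-connect"},
                  "conditions": {
                      "match-interface": {"config": {"interface": "ethernet1/1"}},
                      "match-neighbor-set": {"config": {
                          "neighbor-set": "cgd+redis+redis-fr-connect"}},
                      "match-prefix-set": {"config": {
                          "prefix-set": "cgd+redis+redis-fr-connect"}}},
                  "actions": {"config": {"policy-result": "ACCEPT_ROUTE"}}}]}}]},
    }
}


def split_name(name):
    """Split 'VirtualRouter+ProtocolTag+ObjectName' into its three parts.
    Returns None when there are not exactly three non-empty parts."""
    parts = name.split("+")
    return tuple(parts) if len(parts) == 3 and all(parts) else None


def is_ip_or_cidr(text):
    """True when text parses as an IP address or CIDR block."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def validate(doc):
    """Return (severity, message) findings; an empty list means clean."""
    findings = []
    rp = doc.get("routing-policy", {})
    ds = rp.get("defined-sets", {})
    neighbor_sets = {n["name"] for n in ds.get("neighbor-sets", {}).get("neighbor-set", [])}
    prefix_sets = {p["name"] for p in ds.get("prefix-sets", {}).get("prefix-set", [])}

    # Every defined-set name must carry the VR+Tag+Object naming convention.
    for name in sorted(neighbor_sets | prefix_sets):
        if split_name(name) is None:
            findings.append(("error", f"defined-set '{name}' does not follow VR+Tag+Object"))

    used = {"neighbor-set": set(), "prefix-set": set()}
    for pd in rp.get("policy-definitions", {}).get("policy-definition", []):
        pd_name = pd["name"]
        pd_parts = split_name(pd_name)
        if pd_parts is None:
            findings.append(("error", f"policy-definition '{pd_name}' does not follow VR+Tag+Object"))
        for st in pd.get("statements", {}).get("statement", []):
            st_name = st["name"]
            if is_ip_or_cidr(st_name):  # rule names must not be an IP or CIDR
                findings.append(("error", f"statement '{st_name}' in '{pd_name}' is named with an IP/CIDR"))
            cond = st.get("conditions", {})
            for kind, known in (("neighbor-set", neighbor_sets), ("prefix-set", prefix_sets)):
                ref = cond.get(f"match-{kind}", {}).get("config", {}).get(kind)
                if ref is None:
                    continue
                used[kind].add(ref)
                if ref not in known:
                    findings.append(("error", f"statement '{st_name}' references unknown {kind} '{ref}'"))
                    continue
                # Assumption drawn from the naming scheme: the referenced set
                # should be addressed to the same virtual router as the policy.
                ref_parts = split_name(ref)
                if pd_parts and ref_parts and pd_parts[0] != ref_parts[0]:
                    findings.append(("warning", f"{kind} '{ref}' targets VR '{ref_parts[0]}' but policy '{pd_name}' targets '{pd_parts[0]}'"))

    # Unreferenced defined-sets are the unused profiles the page says to avoid.
    for kind, known in (("neighbor-set", neighbor_sets), ("prefix-set", prefix_sets)):
        for name in sorted(known - used[kind]):
            findings.append(("warning", f"{kind} '{name}' is never referenced by a statement"))
    return findings


def make_bad_sample():
    """Constructed negative case: an IP-named rule plus a dangling prefix-set reference."""
    bad = copy.deepcopy(SAMPLE_POLICY)
    st = bad["routing-policy"]["policy-definitions"]["policy-definition"][0]["statements"]["statement"][0]
    st["name"] = "10.0.0.0/8"
    st["conditions"]["match-prefix-set"]["config"]["prefix-set"] = "cgd+redis+missing"
    return bad


if __name__ == "__main__":
    for severity, message in validate(make_bad_sample()):
        print(f"{severity}: {message}")
```

Running the script against the constructed bad sample reports the IP-named statement and the dangling prefix-set reference as errors and the now-orphaned prefix-set as a warning; the clean page sample produces no findings. Loading a real routing-policy.json with json.load and passing the result to validate() gives the same checks on production input.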
Mapping of the Routing Policy to Fields in PAN-OS
The original documentation shows two images here: the mapping of OpenConfig containers to fields in PAN-OS on a virtual router, and the mapping of the routing policy on the virtual router's OSPFv2 tab.
Routing Policy Mapping for Redistribution Policies for BGP
The following request:
- Creates redistribution policies.
- Describes actions for the redistribution policies.
- Applies the policies to BGP policies for the virtual router cgd.
gnmic -u admin -p password --timeout 300s -a firewallIP:9339 -e JSON_IETF set --update-path "/" --update-file routing-policy.json
The following is the contents of the routing-policy.json:
{
  "routing-policy": {
    "defined-sets": {
      "neighbor-sets": {
        "neighbor-set": [
          {
            "config": {
              "address": [ "192.168.11.2" ],
              "name": "cgd+redis+redis-fr-connect"
            },
            "name": "cgd+redis+redis-fr-connect"
          }
        ]
      },
      "prefix-sets": {
        "prefix-set": [
          {
            "config": {
              "mode": "IPV4",
              "name": "cgd+redis+redis-fr-connect"
            },
            "name": "cgd+redis+redis-fr-connect",
            "prefixes": {
              "prefix": [
                {
                  "config": {
                    "ip-prefix": "2.2.2.2/32",
                    "masklength-range": "exact"
                  },
                  "ip-prefix": "2.2.2.2/32",
                  "masklength-range": "exact"
                }
              ]
            }
          }
        ]
      }
    },
    "policy-definitions": {
      "policy-definition": [
        {
          "config": { "name": "cgd+bgp+redis-fr-connect" },
          "name": "cgd+bgp+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "config": { "policy-result": "ACCEPT_ROUTE" },
                  "bgp-actions": {
                    "config": {
                      "set-local-pref": 4000,
                      "set-med": 321,
                      "set-route-origin": "INCOMPLETE"
                    },
                    "set-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "4000:1234" ] } }
                    },
                    "set-ext-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "target:4000:1234" ] } }
                    }
                  }
                },
                "conditions": {
                  "match-interface": { "config": { "interface": "ethernet1/1" } },
                  "match-neighbor-set": { "config": { "neighbor-set": "cgd+redis+redis-fr-connect" } },
                  "match-prefix-set": { "config": { "prefix-set": "cgd+redis+redis-fr-connect" } }
                },
                "config": { "name": "redis-fr-connect" },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}
Routing Policy Mapping for Redistribution Policies for OSPFv2
The following request:
- Creates redistribution policies.
- Describes actions for the redistribution policies.
- Applies the policies to OSPFv2 policies for the virtual router cgd.
gnmic -u admin -p password --timeout 300s -a firewallIP:9339 -e JSON_IETF set --update-path "/" --update-file routing-policy.json
The following is the contents of the routing-policy.json:
{
  "routing-policy": {
    "policy-definitions": {
      "policy-definition": [
        {
          "config": { "name": "cgd+ospfv2+redis-fr-connect" },
          "name": "cgd+ospfv2+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "ospf-actions": {
                    "set-metric": {
                      "config": { "metric": 23345, "metric-type": "EXTERNAL_TYPE_2" }
                    }
                  }
                },
                "config": { "name": "redis-fr-connect" },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}