Routing Policy

Get started with the openconfig-routing-policy model using PAN-OS openconfig plugin. Learn about routing policy behaviors and managing routing policies.
Review the deviation file before using the openconfig-routing-policy model to familiarize yourself with supported paths.
Because the openconfig-routing-policy model has no implicit router, PAN-OS uses a unique naming convention to enable the routing policies to apply to the correct virtual router.
When using the openconfig-routing-policy model with PAN-OS:
  • To avoid conflicts, only use unique redistribution profiles for each routing policy.
  • Avoid having unused redistribution profiles.
  • Defined-sets only belong to redistribution profiles.
  • Policy definitions map to the routing protocols in exports.
  • Actions in the statements/actions/ospf container affect the export action link in OSPF, not the redistribution profile.
  • Conditional advertisements are not supported.
  • You cannot name rules with CIDR/IP.
  • In conditions, only one interface can be added per OSPF area per statement.
  • Statements and policy definitions refer to the same object, so a delete can only happen at the policy-definition level.
Not every naming element in the naming convention is required for a successful configuration.
The following are generally the steps followed to successfully configure a routing policy with OpenConfig:
  1. Define defined-sets, which include neighbor-sets (host IPs) and prefix-sets (network CIDRs).
  2. Define policy-definitions that include statements with conditions that reference defined-sets, interfaces, and policy actions.
  3. (Optional) Within the network-instances container of the routing policy, define the 3 connections (source protocol, destination protocol, and IP version) that use the policy-definition defined in step 2.

Supported Tags

The following is a list of Protocol Tags available with v1.1’s openconfig-routing-policy model.
  • ospf
  • bgp
  • bgpimporttag
  • bgpexporttag

OpenConfig Defined Sets

Under the openconfig-routing-policy/defined-sets container the following naming schema directs the container to the appropriate router:
Virtual Router Name + Protocol Tag + Object Name
The following code block shows an example of the naming convention applied to defined sets.
{
  "routing-policy": {
    "defined-sets": {
      "neighbor-sets": {
        "neighbor-set": [
          {
            "config": { "address": [ "192.168.11.2" ], "name": "cgd+redis+redis-fr-connect" },
            "name": "cgd+redis+redis-fr-connect"
          }
        ]
      },
      "prefix-sets": {
        "prefix-set": [
          {
            "config": { "mode": "IPV4", "name": "cgd+redis+redis-fr-connect" },
            "name": "cgd+redis+redis-fr-connect",
            "prefixes": {
              "prefix": [
                {
                  "config": { "ip-prefix": "2.2.2.2/32", "masklength-range": "exact" },
                  "ip-prefix": "2.2.2.2/32",
                  "masklength-range": "exact"
                }
              ]
            }
          }
        ]
      }
    }
  }
}

OpenConfig Policy Definitions

Under the openconfig-routing-policy/policy-definitions container the following naming schema applies to direct the container to the appropriate protocol:
Virtual Router Name + Protocol Tag + Object Name
The policy statements are defined by the Object Name.
The following code block shows an example of defining policies using the naming convention and the previously defined neighbor and prefix sets.
{
  "routing-policy": {
    "policy-definitions": {
      "policy-definition": [
        {
          "config": { "name": "cgd+bgp+redis-fr-connect" },
          "name": "cgd+bgp+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "config": { "policy-result": "ACCEPT_ROUTE" },
                  "bgp-actions": {
                    "config": { "set-local-pref": 4000, "set-med": 321, "set-route-origin": "INCOMPLETE" },
                    "set-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "4000:1234" ] } }
                    },
                    "set-ext-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "target:4000:1234" ] } }
                    }
                  }
                },
                "conditions": {
                  "match-interface": { "config": { "interface": "ethernet1/1" } },
                  "match-neighbor-set": { "config": { "neighbor-set": "cgd+redis+redis-fr-connect" } },
                  "match-prefix-set": { "config": { "prefix-set": "cgd+redis+redis-fr-connect" } }
                },
                "config": { "name": "redis-fr-connect" },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}
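Because PAN-OS resolves the virtual router and protocol from the VirtualRouter+ProtocolTag+ObjectName string, a mistyped name or a statement that references a defined-set on another virtual router fails only at commit time. The following pre-flight check, added here as an example and not part of the PAN-OS plugin, walks a routing-policy payload (the same structure as the defined-sets and policy-definitions blocks above) and reports names that break the convention, rule names that are a CIDR/IP, and defined-set references that are missing or belong to a different virtual router. The sample payload, the second statement in it, and all function names are constructed for the example.

```python
import ipaddress

# Constructed sample shaped like the page's routing-policy.json; statement 2 is added to trip the checks.
SAMPLE = {"routing-policy": {
 "defined-sets": {
  "neighbor-sets": {"neighbor-set": [{"name": "cgd+redis+redis-fr-connect", "config": {"address": ["192.168.11.2"]}}]},
  "prefix-sets": {"prefix-set": [{"name": "cgd+redis+redis-fr-connect", "config": {"mode": "IPV4"}}]}},
 "policy-definitions": {"policy-definition": [{"name": "cgd+bgp+redis-fr-connect", "statements": {"statement": [
  {"name": "redis-fr-connect", "conditions": {
    "match-neighbor-set": {"config": {"neighbor-set": "cgd+redis+redis-fr-connect"}},
    "match-prefix-set": {"config": {"prefix-set": "cgd+redis+redis-fr-connect"}}}},
  {"name": "10.0.0.0/8", "conditions": {"match-prefix-set": {"config": {"prefix-set": "other+redis+missing"}}}}
 ]}}]}}}

def split_name(name):
    """Return (virtual_router, protocol_tag, object_name), or None if name is not VR+Tag+Object."""
    parts = name.split("+")
    return tuple(parts) if len(parts) == 3 and all(parts) else None

def looks_like_ip(text):
    """True if a rule name is an IP address or CIDR, which PAN-OS does not accept as a name."""
    try:
        ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return True

def check_payload(payload):
    """Return the list of problems found; an empty list means the payload passed every check."""
    rp, problems, defined = payload["routing-policy"], [], {}
    for plural in ("neighbor-sets", "prefix-sets"):
        for item in rp.get("defined-sets", {}).get(plural, {}).get(plural[:-1], []):
            if split_name(item["name"]) is None:
                problems.append(f"defined-set {item['name']!r} is not VirtualRouter+ProtocolTag+ObjectName")
            defined[(plural[:-1], item["name"])] = split_name(item["name"])
    for pd in rp.get("policy-definitions", {}).get("policy-definition", []):
        parts = split_name(pd["name"])
        if parts is None:
            problems.append(f"policy-definition {pd['name']!r} is not VirtualRouter+ProtocolTag+ObjectName")
            continue
        for st in pd.get("statements", {}).get("statement", []):
            if looks_like_ip(st["name"]):
                problems.append(f"statement name {st['name']!r} is a CIDR/IP, which PAN-OS rejects")
            for kind in ("neighbor-set", "prefix-set"):
                ref = st.get("conditions", {}).get(f"match-{kind}", {}).get("config", {}).get(kind)
                if ref is not None and (kind, ref) not in defined:
                    problems.append(f"{kind} {ref!r} is referenced but not in defined-sets")
                elif ref is not None and defined[(kind, ref)] and defined[(kind, ref)][0] != parts[0]:
                    problems.append(f"{kind} {ref!r} belongs to a different virtual router than {pd['name']!r}")
    return problems
```

Run `check_payload(json.load(open("routing-policy.json")))` before the gnmic set and push only when the returned list is empty.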

Mapping of the Routing Policy to Fields in PAN-OS

The following images display the mapping of containers in OpenConfig to fields in PAN-OS on a virtual router:
The following displays the mapping of the routing policy in the virtual router on the OSPFv2 tab:

Routing Policy Mapping for Redistribution Policies for BGP

The following request:
  • Creates redistribution policies.
  • Describes actions for the redistribution policies.
  • Applies the policies to BGP policies for the virtual router cgd.
gnmic -u admin -p password --timeout 300s -a firewallIP:9339 -e JSON_IETF set --update-path "/" --update-file routing-policy.json
The following are the contents of routing-policy.json:
{
  "routing-policy": {
    "defined-sets": {
      "neighbor-sets": {
        "neighbor-set": [
          {
            "config": { "address": [ "192.168.11.2" ], "name": "cgd+redis+redis-fr-connect" },
            "name": "cgd+redis+redis-fr-connect"
          }
        ]
      },
      "prefix-sets": {
        "prefix-set": [
          {
            "config": { "mode": "IPV4", "name": "cgd+redis+redis-fr-connect" },
            "name": "cgd+redis+redis-fr-connect",
            "prefixes": {
              "prefix": [
                {
                  "config": { "ip-prefix": "2.2.2.2/32", "masklength-range": "exact" },
                  "ip-prefix": "2.2.2.2/32",
                  "masklength-range": "exact"
                }
              ]
            }
          }
        ]
      }
    },
    "policy-definitions": {
      "policy-definition": [
        {
          "config": { "name": "cgd+bgp+redis-fr-connect" },
          "name": "cgd+bgp+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "config": { "policy-result": "ACCEPT_ROUTE" },
                  "bgp-actions": {
                    "config": { "set-local-pref": 4000, "set-med": 321, "set-route-origin": "INCOMPLETE" },
                    "set-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "4000:1234" ] } }
                    },
                    "set-ext-community": {
                      "config": { "method": "INLINE", "options": "REPLACE" },
                      "inline": { "config": { "communities": [ "target:4000:1234" ] } }
                    }
                  }
                },
                "conditions": {
                  "match-interface": { "config": { "interface": "ethernet1/1" } },
                  "match-neighbor-set": { "config": { "neighbor-set": "cgd+redis+redis-fr-connect" } },
                  "match-prefix-set": { "config": { "prefix-set": "cgd+redis+redis-fr-connect" } }
                },
                "config": { "name": "redis-fr-connect" },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}

Routing Policy Mapping for Redistribution Policies for OSPFv2

The following request:
  • Creates redistribution policies.
  • Describes actions for the redistribution policies.
  • Applies the policies to OSPFv2 policies for the virtual router cgd.
gnmic -u admin -p password --timeout 300s -a firewallIP:9339 -e JSON_IETF set --update-path "/" --update-file routing-policy.json
The following are the contents of routing-policy.json:
{
  "routing-policy": {
    "policy-definitions": {
      "policy-definition": [
        {
          "config": { "name": "cgd+ospfv2+redis-fr-connect" },
          "name": "cgd+ospfv2+redis-fr-connect",
          "statements": {
            "statement": [
              {
                "actions": {
                  "ospf-actions": {
                    "set-metric": { "config": { "metric": 23345, "metric-type": "EXTERNAL_TYPE_2" } }
                  }
                },
                "config": { "name": "redis-fr-connect" },
                "name": "redis-fr-connect"
              }
            ]
          }
        }
      ]
    }
  }
}