Let us know what you think.

Do you have time for a two-minute survey?

# Understanding Policy Expressions

Policy expressions give the policy framework software a different way to evaluate routing policies. A policy expression uses Boolean logical operators with policies. The logical operators establish rules by which the policies are evaluated.

During evaluation of a routing policy in a policy expression, the policy action of accept, reject, or next policy is converted to the value of TRUE or FALSE. This value is then evaluated against the specified logical operator to produce output of either TRUE or FALSE. The output is then converted back to a flow control action of accept, reject, or next policy. The result of the policy expression is applied as it would be applied to a single policy; the route is accepted or rejected and the evaluation ends, or the next policy is evaluated.

Table 1 summarizes the policy actions and their corresponding TRUE and FALSE values and flow control action values. Table 2 describes the logical operators. For complete information about policy expression evaluation, see Policy Expression Evaluation.

You must enclose a policy expression in parentheses. You can place a policy expression anywhere in the `import` or `export` statements and in the `from policy` statement.

Table 1: Policy Action Conversion Values

Policy Action

Conversion Value

Flow Control Action Conversion Value

Accept

TRUE

Accept

Reject

FALSE

Reject

Next policy

TRUE

Next policy

Table 2: Policy Expression Logical Operators

Logical Operator

Policy Expression Logic

How Logical Operator Affects Policy Expression Evaluation

&& (Logical AND)

Logical AND requires that all values must be TRUE to produce output of TRUE.

Routing policy value of TRUE and TRUE produces output of TRUE. Value of TRUE and FALSE produces output of FALSE. Value of FALSE and FALSE produces output of FALSE.

If the first routing policy returns the value of TRUE, the next policy is evaluated. If the first policy returns the value of FALSE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated.

|| (Logical OR)

Logical OR requires that at least one value must be TRUE to produce output of TRUE.

Routing policy value of TRUE and FALSE produces output of TRUE. Value of TRUE and TRUE produces output of TRUE. Value of FALSE and FALSE produces output of FALSE.

If the first routing policy returns the value of TRUE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated. If the first policy returns the value of FALSE, the next policy is evaluated.

! (Logical NOT)

Logical NOT reverses value of TRUE to FALSE and of FALSE to TRUE. It also reverses the actions of accept and next policy to reject, and reject to accept.

If used with the logical AND operator and the first routing policy value of FALSE is reversed to TRUE, the next policy is evaluated. If the value of TRUE is reversed to FALSE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated.

If used with the logical OR operator and the first routing policy value of FALSE is reversed to TRUE, the evaluation of the expression ends and subsequent policies in the expression are not evaluated. If the value of TRUE is reversed to FALSE, the next policy is evaluated.

If used with a policy and the flow control action is accept or next policy, these actions are reversed to reject. If the flow control action is reject, this action is reversed to accept.

## Policy Expression Examples

The following examples show how to use the logical operators to create policy expressions:

• Logical AND—In the following example, `policy1` is evaluated first. If after `policy1` is evaluated, a value of TRUE is returned, `policy2` is evaluated. If a value of FALSE is returned, `policy2` is not evaluated.

```export (policy1 && policy2)
```
• Logical OR—In the following example, `policy1` is evaluated first. If after `policy1` is evaluated, a value of TRUE is returned, `policy2` is not evaluated. If a value of FALSE is returned, `policy2` is evaluated.

```export (policy1 || policy2)
```
• Logical OR and logical AND—In the following example, `policy1` is evaluated first. If after `policy1` is evaluated, a value of TRUE is returned, `policy2` is skipped and `policy3` is evaluated. If after `policy1` is evaluated, a value of FALSE is returned, `policy2` is evaluated. If `policy2` returns a value of TRUE, `policy3` is evaluated. If `policy2` returns a value of FALSE, `policy3` is not evaluated.

```export [(policy1 || policy2) && policy3]
```
• Logical NOT—In the following example, `policy1` is evaluated first. If after `policy1` is evaluated, a value of TRUE is returned, the value is reversed to FALSE and `policy2` is not evaluated. If a value of FALSE is returned, the value is reversed to TRUE and `policy2` is evaluated.

```export (!policy1 && policy2)
```

The sequential list `[policy1 policy2 policy3]` is not the same as the policy expression ```(policy1 && policy2 && policy3)```.

The sequential list is evaluated on the basis of a route matching a routing policy. For example, if `policy1` matches and the action is `accept` or `reject`, `policy2` and `policy3` are not evaluated. If `policy1` does not match, `policy2` is evaluated and so on until a match occurs and the action is `accept` or `reject`.

The policy expressions are evaluated on the basis of the action in a routing policy that is converted to the value of TRUE or FALSE and the logic of the specified logical operator. (For complete information about policy expression evaluation, see Policy Expression Evaluation.) For example, if `policy1` returns a value of FALSE, `policy2` and `policy3` are not evaluated. If `policy1` returns a value of TRUE, `policy2` is evaluated. If `policy2` returns a value of FALSE, `policy3` is not evaluated. If `policy2` returns a value of TRUE, `policy3` is evaluated.

You can also combine policy expressions and sequential lists. In the following example, if `policy1` returns a value of FALSE, `policy2` is evaluated. If `policy2` returns a value of TRUE and contains a `next policy` action, `policy3` is evaluated. If `policy2` returns a value of TRUE but does not contain an action, including a `next policy` action, `policy3` is still evaluated (because if you do not specify an action, next term or next policy are the default actions). If `policy2` returns a value of TRUE and contains an `accept` action, `policy3` is not evaluated.

```export [(policy1 || policy2) policy3]
```

## Policy Expression Evaluation

During evaluation, the policy framework software converts policy actions to values of TRUE or FALSE, which are factors in determining the flow control action that is performed upon a route. However, the software does not actually perform a flow control action on a route until it evaluates an entire policy expression.

The policy framework software evaluates a policy expression as follows:

1. The software evaluates a route against the first routing policy in a policy expression and converts the specified or default action to a value of TRUE or FALSE. (For information about the policy action conversion values, see Table 1.)

2. The software takes the value of TRUE or FALSE and evaluates it against the logical operator used in the policy expression (see Table 2). Based upon the logical operator used, the software determines whether or not to evaluate the next policy, if one is present.

The policy framework software uses a shortcut method of evaluation: if the result of evaluating a policy predetermines the value of the entire policy expression, the software does not evaluate the subsequent policies in the expression. For example, if the policy expression uses the logical AND operator and the evaluation of a policy returns the value of FALSE, the software does not evaluate subsequent policies in the expression because the final value of the expression is guaranteed to be FALSE no matter what the values of the unevaluated policies.

3. The software performs Step 1 and Step 2 for each subsequent routing policy in the policy expression, if they are present and it is necessary to evaluate them.

4. After evaluating the last routing policy, if it is appropriate, the software evaluates the value of TRUE or FALSE obtained from each routing policy evaluation. Based upon the logical operator used, it calculates an output of TRUE or FALSE.

5. The software converts the output of TRUE or FALSE back to an action. (For information about the policy action conversion values, see Table 1.) The action is performed.

If each policy in the expression returned a value of TRUE, the software converts the output of TRUE back to the flow control action specified in the last policy. For example, if the policy expression `(policy1 && policy2)` is specified and `policy1` specifies `accept` and `policy2` specifies `next term`, the `next term` action is performed.

If an action specified in one of the policies manipulates a route characteristic, the policy framework software carries the new route characteristic forward during the evaluation of the remaining policies. For example, if the action specified in the first policy of a policy expression sets a route’s metric to 500, this route matches the criteria of `metric 500` defined in the next policy. However, if a route characteristic manipulation action is specified in a policy located in the middle or the end of a policy expression, it is possible, because of the shortcut evaluation, that the policy is never evaluated and the manipulation of the route characteristic never occurs.

## Evaluating Policy Expressions

The following sample routing policy uses three policy expressions:

```
policy-options {
policy-statement policy-A {
from {
route-filter 10.10.0.0/16 orlonger;
}
then reject;
}
}
policy-options {
policy-statement policy-B {
from {
route-filter 10.20.0.0/16 orlonger;
}
then accept;
}
}
protocols {
bgp {
neighbor 192.168.1.1 {
export (policy-A && policy-B);
}
neighbor 192.168.2.1 {
export (policy-A || policy-B);
}
neighbor 192.168.3.1 {
export (!policy-A);
}
}
}
```

The policy framework software evaluates the transit BGP route 10.10.1.0/24 against the three policy expressions specified in the sample routing policy as follows:

• (policy-A && policy-B)—10.10.1.0/24 is evaluated against `policy-A`. 10.10.1.0/24 matches the route list specified in `policy-A`, so the specified action of `reject` is returned. `reject` is converted to a value of FALSE, and FALSE is evaluated against the specified logical AND. Because the result of FALSE is certain no matter what the results of the evaluation of `policy-B` are (in policy expression logic, any result AND a value of FALSE produces the output of FALSE), `policy-B` is not evaluated and the output of FALSE is produced. The FALSE output is converted to `reject`, and 10.10.1.0/24 is rejected.

• (policy-A || policy-B)—10.10.1.0/24 is evaluated against `policy-A`. 10.10.1.0/24 matches the route list specified in `policy-A`, so the specified action of `reject` is returned. `reject` is converted to a value of FALSE, then FALSE is evaluated against the specified logical OR. Because logical OR requires at least one value of TRUE to produce an output of TRUE, 10.10.1.0/24 is evaluated against `policy-B`. 10.10.1.0/24 does not match `policy-B`, so the default action of `next-policy` is returned. The `next-policy` is converted to a value of TRUE, then the value of FALSE (for `policy-A` evaluation) and TRUE (for `policy-B` evaluation) are evaluated against the specified logical OR. In policy expression logic, FALSE OR TRUE produce an output of TRUE. The output of TRUE is converted to `next-policy`. (TRUE is converted to `next-policy` because `next-policy` was the last action retained by the policy framework software.) `policy-B` is the last routing policy in the policy expression, so the action specified by the default export policy for BGP is taken.

• (!policy-A)—10.10.1.0/24 is evaluated against `policy-A`. 10.10.1.0/24 matches the route list specified in `policy-A`, so the specified action of `reject` is returned. `reject` is converted to a value of FALSE, and FALSE is evaluated against the specified logical NOT. The value of FALSE is reversed to an output of TRUE based on the rules of logical NOT. The output of TRUE is converted to `accept`, and route 10.10.1.0/24 is accepted.