header {
# Sample Capirca policy used to exercise the arista_tp (Arista EOS
# traffic-policy) generator. The target line gives the generator name, the
# policy name emitted on the device, and the address family selector;
# "mixed" requests both IPv4 and IPv6 rendering, which is why the
# address-family matrix terms (MIXED_*, INET_*, INET6_*) appear below.
# Terms are evaluated in file order; the explicit default-discard term at the
# bottom is what makes the policy default-deny.
comment:: "sample arista traffic policy"
target:: arista_tp MIXED-TRAFFIC-POLICY mixed
}
# Permit only echo-request/echo-reply ICMP, from any source, and count it.
# NOTE(review): no source-address constraint, so the device answers ping from
# anywhere; fine for a sample, but production filters usually scope this.
term accept-icmp {
protocol:: icmp
counter:: icmp-loopback
icmp-type:: echo-request echo-reply
action:: accept
}
# Permit three uncommon IP protocols (IGMP, EGP, RDP) from any source.
# The owner:: keyword is metadata only; it does not affect the rendered
# traffic-policy match.
term wonky-prots {
protocol:: igmp egp rdp
counter:: wonky-prots-loopback
action:: accept
owner:: [email protected]
}
# Exercises protocol-except: matches every IP protocol OTHER than the four
# listed, with no address constraints. Combined with action:: accept this is
# effectively "permit any" for TCP, UDP, ICMP, ESP, etc., placed ahead of the
# more specific terms below, so in a real policy those later terms would be
# shadowed. Keep this term only as a generator test case.
# NOTE: the counter name is shared with the wonky-prots term above.
term wonky-prots-except {
protocol-except:: igmp egp rdp hopopt
counter:: wonky-prots-loopback
action:: accept
}
# Permit inbound UDP traceroute probes (TRACEROUTE port range) from any source.
# NOTE(review): expiration:: 2001-12-31 is long in the past; Capirca normally
# warns about expired terms and may omit them from the output, so confirm
# this is intentional for the sample rather than a stale rule.
term accept-traceroute {
comment:: "allow inbound traceroute from any source."
destination-port:: TRACEROUTE
protocol:: udp
counter:: inbound-traceroute
action:: accept
expiration:: 2001-12-31
}
# Permit TCP connections to the BGP port. The source-prefix:: keyword refers
# to a device-side prefix list by name rather than a Capirca network token;
# NOTE(review): whether arista_tp honours source-prefix (vs. silently
# ignoring it, which would open BGP to any source) should be confirmed
# against the generator.
term accept-bgp-requests {
comment:: "Allow BGP requests from peers."
source-prefix:: configured-neighbors-only
destination-port:: BGP
protocol:: tcp
counter:: bgp-requests
action:: accept
}
# Return half of the BGP pair: TCP from source port BGP with tcp-established
# (ACK/RST-flag based, i.e. stateless), scoped by the same device prefix list.
term accept-bgp-replies {
comment:: "Allow inbound replies to BGP requests."
source-prefix:: configured-neighbors-only
source-port:: BGP
protocol:: tcp
option:: tcp-established
counter:: bgp-replies
action:: accept
}
# Permit OSPF (IP protocol 89) when the source is in INTERNAL.
# NOTE(review): the rendered comment says "outbound", but the match is on
# source-address, i.e. OSPF arriving from internal routers. The comment:: text
# is emitted into the device config, so fix it there only if the sample's
# reference output is regenerated.
term accept-ospf {
comment:: "Allow outbound OSPF traffic from other RFC1918 routers."
source-address:: INTERNAL
protocol:: ospf
counter:: ospf
action:: accept
}
# Generator test for multi-line comment wrapping. Functionally this permits
# ALL ICMP types from any source, which is broader than accept-icmp above;
# it exists to exercise comment output, not as a policy recommendation.
term LONG_MULTI_LINE_COMMENTS {
comment:: "this is a sample inet6 edge input filter that has very long comments"
comment:: "10 this term has several lines in its output."
comment:: "20 this term has several lines in its output."
comment:: "30 this term has several lines in its output."
protocol:: icmp
action:: accept
}
# Permit VRRP (IP protocol 112) from any source.
# NOTE(review): unscoped VRRP lets any host on the segment take part in
# virtual-router election; production policies normally restrict the source
# to the router peers' addresses.
term allow-vrrp {
protocol:: vrrp
counter:: vrrp
action:: accept
}
# Permit IKE: UDP with both source and destination port IKE, any source.
# Pairs with accept-ipsec below for ESP payload traffic.
term accept-ike {
source-port:: IKE
destination-port:: IKE
protocol:: udp
counter:: ipsec-ike
action:: accept
}
# Permit ESP (IP protocol 50) from any source; peer authentication is left to
# IKE, so no address scoping is applied here.
term accept-ipsec {
protocol:: esp
counter:: ipsec-esp
action:: accept
}
# Permit PIM from INTERNAL sources only. No counter, unlike the neighbouring
# terms; add one if per-term visibility is wanted.
term accept-pim {
source-address:: INTERNAL
protocol:: pim
action:: accept
}
# Permit IGMP from INTERNAL sources only. Note that wonky-prots above already
# accepts IGMP from any source, so this narrower term is never the first
# match for IGMP packets.
term accept-igmp {
source-address:: INTERNAL
protocol:: igmp
action:: accept
}
# Permit TCP to the SSH port only when the source is in INTERNAL (management
# access restricted to internal space).
term accept-ssh-requests {
source-address:: INTERNAL
destination-port:: SSH
protocol:: tcp
counter:: ssh
action:: accept
}
# Permit return traffic from TCP source port SSH with tcp-established.
# NOTE(review): there is no source- or destination-address constraint, and
# tcp-established is a stateless flag check, so any external host can pass
# packets simply by setting source port 22 and the ACK bit. Adding
# destination-address:: INTERNAL (mirroring accept-ssh-requests) would close
# that; left unchanged here because this file is a generator sample.
term accept-ssh-replies {
source-port:: SSH
protocol:: tcp
option:: tcp-established
counter:: ssh-replies
action:: accept
}
# Permit UDP SNMP queries between INTERNAL addresses. No counter on this term,
# unlike most of its neighbours.
term accept-snmp-requests {
source-address:: INTERNAL
destination-address:: INTERNAL
destination-port:: SNMP
protocol:: udp
action:: accept
}
# Permit UDP replies from source port DNS between INTERNAL addresses.
# option:: established on UDP has no flag to test; how arista_tp renders it
# (e.g. as a high destination-port range, or ignored) should be confirmed
# against the generator's output rather than assumed.
term accept-dns-replies {
source-address:: INTERNAL
destination-address:: INTERNAL
source-port:: DNS
protocol:: udp
option:: established
counter:: dns-replies
action:: accept
}
# Permit UDP NTP requests from NTP_SERVERS to INTERNAL destinations.
term allow-ntp-request {
source-address:: NTP_SERVERS
destination-address:: INTERNAL
destination-port:: NTP
protocol:: udp
counter:: ntp-request
action:: accept
}
# Permit UDP NTP replies (source port NTP) from INTERNAL back to NTP_SERVERS,
# with option:: established; see the note on accept-dns-replies about what
# "established" means for UDP on this generator.
term allow-ntp-replies {
source-address:: INTERNAL
destination-address:: NTP_SERVERS
source-port:: NTP
protocol:: udp
option:: established
counter:: ntp-replies
action:: accept
}
# Permit UDP from source port RADIUS between INTERNAL addresses.
# NOTE(review): unlike accept-dns-replies and allow-ntp-replies this term has
# no option:: established, and the source is all of INTERNAL rather than a
# RADIUS_SERVERS token, so any internal host can reach any internal host on
# any UDP port by using source port 1812. Tightening the source token (and
# adding established for consistency) would be the production-grade shape.
term allow-radius-replies {
source-address:: INTERNAL
destination-address:: INTERNAL
source-port:: RADIUS
protocol:: udp
counter:: radius-replies
action:: accept
}
# Permit TCP TACACS+ requests from INTERNAL to the TACACS_SERVERS token.
term allow-tacacs-requests {
source-address:: INTERNAL
destination-address:: TACACS_SERVERS
destination-port:: TACACS
protocol:: tcp
counter:: tacacs-requests
action:: accept
}
# Permit the TACACS+ return path: TCP from TACACS_SERVERS source port TACACS
# to INTERNAL, gated on tcp-established. Properly paired with the request
# term above (both ends address-scoped).
term allow-tacacs-replies {
source-address:: TACACS_SERVERS
destination-address:: INTERNAL
source-port:: TACACS
protocol:: tcp
option:: tcp-established
counter:: tacacs-replies
action:: accept
}
# feature conflict: is-fragment combined with L4 port matches (non-initial fragments carry no transport header), so this term is expected not to be rendered
# Negative generator test: option:: is-fragment together with
# destination-port and a protocol list. Fragments beyond the first have no
# transport header, so a port match on them cannot be expressed; the term
# is kept to verify the generator rejects or drops the combination rather
# than emitting a rule that silently matches nothing (or everything).
# Also exercises source-exclude:: against a source of ANY.
term allow-dns-fragments {
source-address:: ANY
source-exclude:: PUBLIC_NAT
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: tcp udp
option:: is-fragment
action:: accept
}
# will be rendered: source-exclude on its own (no is-fragment) is supported; contrast with the fragment term above
# Exercises source-exclude: DNS over TCP/UDP from any source except GOOGLE_DNS,
# to any destination. No counter.
term allow-dns-foo-exc-test {
source-address:: ANY
source-exclude:: GOOGLE_DNS
destination-port:: DNS
protocol:: tcp udp
action:: accept
}
# Exercises packet-length matching: UDP DNS to GOOGLE_DNS with IP length
# 500-5000 bytes is counted and accepted.
# NOTE(review): despite the name there is no rate-limit/policer in this term,
# only a counter. Because it accepts first, the identical match in
# reject-large-dns further down can never be hit (first-match order).
term ratelimit-large-dns {
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
packet-length:: 500-5000
counter:: large-dns-counter
action:: accept
}
# Negative generator test: same match as ratelimit-large-dns but with
# action:: next, which the term name says is not valid for arista_tp. Kept
# to check the generator's handling of an unsupported action. Reuses the
# large-dns-counter name from the previous term.
term invalid-action-next {
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
packet-length:: 500-5000
counter:: large-dns-counter
action:: next
}
# Reject oversized UDP DNS to GOOGLE_DNS. Shadowed by ratelimit-large-dns,
# which accepts exactly this traffic earlier in the policy, so this term is
# reachable only as rendered output, never as a live match.
term reject-large-dns {
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
packet-length:: 500-5000
action:: reject
}
# Reject TCP IMAP to MAIL_SERVERS with a TCP RST (reject-with-tcp-rst) rather
# than an ICMP unreachable. Counter name uses dots, exercising counter-name
# handling in the generator.
term reject-imap-requests {
destination-address:: MAIL_SERVERS
destination-port:: IMAP
protocol:: tcp
counter:: reject.imap.requests
action:: reject-with-tcp-rst
}
# Address-family matrix test: mixed-family source (GOOGLE_DNS) to an IPv4
# destination (INTERNAL); only the IPv4 half of GOOGLE_DNS can pair with it.
term MIXED_INET {
source-address:: GOOGLE_DNS
destination-address:: INTERNAL
protocol:: tcp udp
action:: accept
}
# Address-family matrix test: IPv4 source (INTERNAL) to a mixed-family
# destination (GOOGLE_DNS).
term INET_MIXED {
source-address:: INTERNAL
destination-address:: GOOGLE_DNS
protocol:: tcp udp
action:: accept
}
# Address-family matrix test: mixed-family source to an IPv6-only destination
# (SITELOCAL). No protocol:: line, so all IP traffic between the pair matches.
term MIXED_INET6 {
source-address:: GOOGLE_DNS
destination-address:: SITELOCAL
action:: accept
}
# Address-family matrix test: IPv6-only source (SITELOCAL) to a mixed-family
# destination. No protocol constraint.
term INET6_MIXED {
source-address:: SITELOCAL
destination-address:: GOOGLE_DNS
action:: accept
}
# Address-family matrix test: mixed-family on both sides; expected to render
# in both the IPv4 and IPv6 output. No protocol constraint.
term MIXED_MIXED {
source-address:: GOOGLE_DNS
destination-address:: GOOGLE_DNS
action:: accept
}
# Address-family matrix test: mixed-family source, any destination, any
# protocol. NOTE(review): this is "permit everything from GOOGLE_DNS" and is a
# generator test case, not a recommended rule shape.
term MIXED_ANY {
source-address:: GOOGLE_DNS
action:: accept
}
# Address-family matrix test: any source to a mixed-family destination, any
# protocol. Same caveat as MIXED_ANY: test case only.
term ANY_MIXED {
destination-address:: GOOGLE_DNS
action:: accept
}
# Address-family matrix test: IPv4 source (NTP_SERVERS) to IPv4 destination
# (INTERNAL); expected only in the IPv4 output. No protocol constraint.
term INET_INET {
source-address:: NTP_SERVERS
destination-address:: INTERNAL
action:: accept
}
# Address-family matrix test: IPv6 source and destination (SITELOCAL both
# ways); expected only in the IPv6 output. No protocol constraint.
term INET6_INET6 {
source-address:: SITELOCAL
destination-address:: SITELOCAL
action:: accept
}
# Address-family matrix test: IPv4 source to IPv6 destination. There is no
# address pair in a single family, so the generator is expected to drop this
# term (confirm against the reference output).
term INET_INET6 {
source-address:: INTERNAL
destination-address:: SITELOCAL
action:: accept
}
# Address-family matrix test: IPv6 source to IPv4 destination, the mirror of
# INET_INET6; likewise expected to produce no rule.
term INET6_INET {
source-address:: SITELOCAL
destination-address:: INTERNAL
action:: accept
}
# Explicit catch-all deny with a counter. Keep this as the last term: it is
# what gives the policy default-deny semantics and lets dropped traffic be
# observed on the device counter.
term default-discard {
counter:: default-discard
action:: deny
}