Routing policy (Class Map and Policy Map in Cisco) allows you to control the flow of routing information to and from the routing table (RT). It can be used to choose which routes to accept or reject from neighbors running dynamic routing protocols. It can also control the flow of routing information into the forwarding table (FT).
The Junos OS applies import policies before placing routes in the routing table, while export policies are applied as it exports routes from the routing table (RT) to dynamic routing protocols or to the forwarding table. Only active routes are exported from the routing table.
jadmin@JR-1> configure
Entering configuration mode
Users currently editing the configuration:
jadmin terminal p2 (pid 4022) on since 2020-10-21 01:14:03 SGT, idle 02:46:07
[edit routing-options]
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit policy-options
[edit policy-options]
jadmin@JR-1# set policy-statement ?
Possible completions:
<policy_name> Name to identify a policy filter
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
dynamic-db Object may exist in dynamic database
> from Conditions to match the source of a route
> term Policy term
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy term ?
Possible completions:
<term_name>
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy term match-rip-routes ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> from Conditions to match the source of a route
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy term match-rip-routes from ?
Possible completions:
aggregate-contributor Match more specifics of an aggregate
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> community-count Number of BGP communities
+ condition Condition to match on
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
> multicast-scope Multicast scope to match
+ neighbor Neighboring router
+ next-hop Next-hop router
next-hop-type Next-hop type
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
> prefix-list List of prefix-lists of routes to match
> prefix-list-filter List of prefix-list-filters to match
+ protocol Protocol from which route was learned
rib Routing table
> route-filter List of routes to match
route-type Route type
> source-address-filter List of source addresses to match
state Route state
+ tag Tag string
tag2 Tag string 2
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy term match-rip-routes from protocol ?
Possible completions:
[ Open a set of values
access Access server routes
access-internal Internal routes to directly connected clients
aggregate Aggregate routes
bgp BGP
direct Directly connected routes
dvmrp Distance Vector Multicast Routing Protocol
esis End System-to-Intermediate System
isis Intermediate System-to-Intermediate System
l2circuit Layer 2 circuits
l2vpn Layer 2 MPLS virtual private networks
ldp Label Distribution Protocol
local Local system addresses
msdp Multicast Source Discovery Protocol
ospf Open Shortest Path First
ospf2 Open Shortest Path First Version 2
ospf3 Open Shortest Path First Version 3
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
rsvp Resource Reservation Protocol
rtarget Local route target VPN membership
static Statically defined addresses
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy term match-rip-routes then ?
Possible completions:
accept Accept a route
> aigp-originate Originate a BGP AIGP attribute
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
label-allocation Set label allocation mode
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> map-to-interface Set output logical interface
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
priority Set priority for route installation
reject Reject a route
source-class Set source class in forwarding table
+ ssm-source List of Sources for SSM mapping
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file
[edit policy-options]
jadmin@JR-1# set policy-statement export-rip-policy term match-rip-routes then accept
[edit policy-options]
jadmin@JR-1# show
policy-statement export-rip-policy {
term match-rip-routes {
from protocol rip;
then accept;
}
}
[edit policy-options]
For RIP, you apply import policies at the protocol level and neighbor level hierarchy, whereas you configure export policies only at the group level hierarchy.
[edit policy-options]
jadmin@JR-1# top edit protocols rip
[edit protocols rip]
jadmin@JR-1# set group ?
Possible completions:
<group_name> Group name
[edit protocols rip]
jadmin@JR-1# set group rip-group ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> bfd-liveness-detection Bidirectional Forwarding Detection options
demand-circuit Enable demand circuit on this interface
+ export Export policy
+ import Import policy
max-retrans-time Maximum time to re-transmit a message in demand-circuit
metric-out Default metric of exported routes (1..15)
> neighbor Neighbor configuration
preference Preference of routes learned by this group
route-timeout Delay before routes time out (30..360 seconds)
update-interval Interval between regular route updates (10..60 seconds)
| Pipe through a command
[edit protocols rip]
jadmin@JR-1# set group rip-group export ?
Possible completions:
<value> Export policy
( Open an expression
[ Open a set of values
export-rip-policy
[edit protocols rip]
jadmin@JR-1# set group rip-group export export-rip-routes ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> bfd-liveness-detection Bidirectional Forwarding Detection options
demand-circuit Enable demand circuit on this interface
+ export Export policy
+ import Import policy
max-retrans-time Maximum time to re-transmit a message in demand-circuit
metric-out Default metric of exported routes (1..15)
> neighbor Neighbor configuration
preference Preference of routes learned by this group
route-timeout Delay before routes time out (30..360 seconds)
update-interval Interval between regular route updates (10..60 seconds)
| Pipe through a command
[edit protocols rip]
jadmin@JR-1# set group rip-group export export-rip-routes neighbor ?
Possible completions:
<neighbor_name> Interface name
[edit protocols rip]
jadmin@JR-1# set group rip-group export export-rip-routes neighbor em0.0
[edit protocols rip]
jadmin@JR-1# show
group rip-group {
export export-rip-routes; ## 'export-rip-routes' is not defined
neighbor em0.0;
}
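[edit protocols rip]
The show output flags export-rip-routes as not defined: the policy created earlier is named export-rip-policy, so the export statement must reference that name for the policy to take effect.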
Building Blocks of Routing Policy
A routing policy contains an ordered group of terms. A term is the basic building block of a Junos OS policy; terms are essentially a series of if-then statements.
When evaluating the from statements, the Junos OS performs the evaluation as a logical OR between arguments to a single match criterion and a logical AND between different match criteria. For the from statement to be considered true, the item being evaluated must match at least one of the arguments to each given match criterion.
If a route matches all the conditions in the from statement of a term, the Junos OS executes all actions specified in the then statement of the term. If one of those actions is a terminating action, evaluation of the policy stops.
The accept and reject actions are terminating actions. Using them results in a first-match policy evaluation because the Junos OS takes the specified action immediately and performs no further evaluation of the policy.
You can use the insert command to modify the order in which terms appear.
You can select routes based on their prefix, protocol, routing protocol attributes or next-hop.
Prefix List
You can select routes based on their prefix using a prefix-list or a route filter. You can reference a prefix-list in multiple terms of a single policy or in different policies. You can reuse a prefix-list for both routing policies and firewall filters.
The prefix-list match condition matches the listed prefixes exactly, while prefix-list-filter supports the match types exact, longer, and orlonger.
jadmin@JR-1> configure
Entering configuration mode
Users currently editing the configuration:
jadmin terminal p2 (pid 4022) on since 2020-10-21 01:14:03 SGT, idle 03:44:45
[edit routing-options]
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit policy-options
[edit policy-options]
jadmin@JR-1# set prefix-list ?
Possible completions:
<name> Prefix list name
[edit policy-options]
jadmin@JR-1# set prefix-list rfc-1918 ?
Possible completions:
<[Enter]> Execute this command
<prefix> Address prefix
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
apply-path Apply IP prefixes from a configuration statement
dynamic-db Object may exist in dynamic database
| Pipe through a command
[edit policy-options]
jadmin@JR-1# set prefix-list rfc-1918 10.0.0.0/8 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
| Pipe through a command
[edit policy-options]
jadmin@JR-1# set prefix-list rfc-1918 10.0.0.0/8
[edit policy-options]
jadmin@JR-1# set prefix-list rfc-1918 172.16.0.0/12
[edit policy-options]
jadmin@JR-1# set prefix-list rfc-1918 192.168.0.0/16
[edit policy-options]
jadmin@JR-1# set policy-statement ?
Possible completions:
<policy_name> Name to identify a policy filter
export-rip-policy Name to identify a policy filter
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
dynamic-db Object may exist in dynamic database
> from Conditions to match the source of a route
> term Policy term
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 from ?
Possible completions:
aggregate-contributor Match more specifics of an aggregate
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> community-count Number of BGP communities
+ condition Condition to match on
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
> multicast-scope Multicast scope to match
+ neighbor Neighboring router
+ next-hop Next-hop router
next-hop-type Next-hop type
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
> prefix-list List of prefix-lists of routes to match
> prefix-list-filter List of prefix-list-filters to match
+ protocol Protocol from which route was learned
rib Routing table
> route-filter List of routes to match
route-type Route type
> source-address-filter List of source addresses to match
state Route state
+ tag Tag string
tag2 Tag string 2
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 from prefix-list ?
Possible completions:
<prefix-list-name> Name of prefix-list of routes to match
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 from prefix-list rfc-1918
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 then ?
Possible completions:
accept Accept a route
> aigp-originate Originate a BGP AIGP attribute
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
label-allocation Set label allocation mode
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> map-to-interface Set output logical interface
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
priority Set priority for route installation
reject Reject a route
source-class Set source class in forwarding table
+ ssm-source List of Sources for SSM mapping
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 then reject
[edit policy-options]
jadmin@JR-1# set policy-statement pol-2 from prefix-list-filter ?
Possible completions:
<list_name> Name of prefix-list of routes to match
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
[edit policy-options]
jadmin@JR-1# set policy-statement pol-2 from prefix-list-filter rfc-1918 ?
Possible completions:
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
[edit policy-options]
jadmin@JR-1# set policy-statement pol-2 from prefix-list-filter rfc-1918 orlonger ?
Possible completions:
<[Enter]> Execute this command
accept Accept a route
> aigp-originate Originate a BGP AIGP attribute
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
dynamic-db Object may exist in dynamic database
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
label-allocation Set label allocation mode
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> map-to-interface Set output logical interface
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
priority Set priority for route installation
reject Reject a route
source-class Set source class in forwarding table
+ ssm-source List of Sources for SSM mapping
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file
| Pipe through a command
[edit policy-options]
jadmin@JR-1# set policy-statement pol-2 from prefix-list-filter rfc-1918 orlonger reject
[edit policy-options]
jadmin@JR-1# show
prefix-list rfc-1918 {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
}
policy-statement export-rip-policy {
term match-rip-routes {
from protocol rip;
then accept;
}
}
policy-statement pol-1 {
from {
prefix-list rfc-1918;
}
then reject;
}
policy-statement pol-2 {
from {
prefix-list-filter rfc-1918 orlonger reject;
}
}
[edit policy-options]
Route Filters
Route filters are lists of prefixes configured within a single routing policy term. Unlike a prefix-list, they are not reusable; they are specific to the policy term in which they are configured.
They provide a few more match types for selecting prefixes:
- exact - the match type exact means that only routes that match the given prefix exactly match the filter statement.
- orlonger - the match type orlonger means that routes with prefix length greater than or equal to the given prefix length match the filter statement.
- longer - the match type longer means that routes with prefix length greater than the given prefix length match the filter statement.
- upto - the match type upto means that routes with prefix length greater than or equal to the given prefix length, but less than or equal to the upto prefix length match the filter statement.
- prefix-length-range - the match type prefix-length-range means that routes with a prefix length greater than or equal to the first given prefix length, but less than or equal to the second prefix length match the filter statement.
jadmin@JR-1> configure
Entering configuration mode
The configuration has been changed but not committed
[edit]
jadmin@JR-1# edit policy-options
[edit policy-options]
jadmin@JR-1# set policy-statement ?
Possible completions:
<policy_name> Name to identify a policy filter
export-rip-policy Name to identify a policy filter
pol-1 Name to identify a policy filter
pol-2 Name to identify a policy filter
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
dynamic-db Object may exist in dynamic database
> from Conditions to match the source of a route
> term Policy term
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 term ?
Possible completions:
<term_name>
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> from Conditions to match the source of a route
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix from ?
Possible completions:
aggregate-contributor Match more specifics of an aggregate
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> community-count Number of BGP communities
+ condition Condition to match on
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
> multicast-scope Multicast scope to match
+ neighbor Neighboring router
+ next-hop Next-hop router
next-hop-type Next-hop type
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
> prefix-list List of prefix-lists of routes to match
> prefix-list-filter List of prefix-list-filters to match
+ protocol Protocol from which route was learned
rib Routing table
> route-filter List of routes to match
route-type Route type
> source-address-filter List of source addresses to match
state Route state
+ tag Tag string
tag2 Tag string 2
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix from route-filter ?
Possible completions:
<address> IP address or hostname
address-mask Mask applied to prefix address
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
prefix-length-range Mask falls between two prefix lengths
through Route falls between two prefixes
upto Mask falls between two prefix lengths
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix from route-filter 172.16.0.0/12 ?
Possible completions:
address-mask Mask applied to prefix address
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
prefix-length-range Mask falls between two prefix lengths
through Route falls between two prefixes
upto Mask falls between two prefix lengths
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix from route-filter 172.16.0.0/12 orlonger
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix from route-filter 192.168.0.0/16 longer
jadmin@JR-1# set policy-statement pol-1 term filter-rfc1918-prefix from route-filter 10.0.0.0/8 exact
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 then ?
Possible completions:
accept Accept a route
> aigp-originate Originate a BGP AIGP attribute
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
label-allocation Set label allocation mode
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> map-to-interface Set output logical interface
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
priority Set priority for route installation
reject Reject a route
source-class Set source class in forwarding table
+ ssm-source List of Sources for SSM mapping
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file
[edit policy-options]
jadmin@JR-1# set policy-statement pol-1 then reject
[edit policy-options]
jadmin@JR-1# show
prefix-list rfc-1918 {
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
}
policy-statement export-rip-policy {
term match-rip-routes {
from protocol rip;
then accept;
}
}
policy-statement pol-1 {
term filter-rfc1918-prefix {
from {
route-filter 172.16.0.0/12 orlonger;
route-filter 192.168.0.0/16 longer;
route-filter 10.0.0.0/8 exact;
}
}
from {
prefix-list rfc-1918;
}
then reject;
}
policy-statement pol-2 {
from {
prefix-list-filter rfc-1918 orlonger reject;
}
}
[edit policy-options]
jadmin@JR-1> test policy ?
Possible completions:
<policy> Policy name
jadmin@JR-1> test policy pol-1 ?
Possible completions:
<prefix> Destination prefix
jadmin@JR-1> test policy pol-1 192.168.0.0/16
You can also test the effectiveness of the configured policy. Note that the default is to accept all routes.
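The match types listed in this section can be checked offline against the three route-filter lines configured for pol-1. This is an added example, not code from the original page or from Juniper: the function names are hypothetical and the upto, prefix-length-range and overlapping filters are constructed. It goes beyond the text in one respect by modelling the Junos longest-match lookup, in which only the route-filter with the longest prefix containing the route is evaluated within a term. IPv4 prefixes only are assumed.

```python
import ipaddress


def match_type_ok(route, base, mtype, arg=None):
    """Apply one route-filter match type, per the definitions in this section."""
    if not route.subnet_of(base):       # route must fall inside the filter prefix
        return False
    rlen, blen = route.prefixlen, base.prefixlen
    if mtype == "exact":
        return rlen == blen
    if mtype == "orlonger":
        return rlen >= blen
    if mtype == "longer":
        return rlen > blen
    if mtype == "upto":                 # arg: upper prefix length
        return blen <= rlen <= arg
    if mtype == "prefix-length-range":  # arg: (low, high) prefix lengths
        low, high = arg
        return low <= rlen <= high
    raise ValueError(f"unsupported match type: {mtype}")


def route_filters_match(route_str, filters):
    """True if a term's route-filter list matches the route.

    filters: list of (prefix, match_type) or (prefix, match_type, arg).
    Only the filter with the longest prefix containing the route is
    evaluated; if its match type fails, shorter filters are not tried.
    """
    route = ipaddress.ip_network(route_str)
    best = None
    for entry in filters:
        base = ipaddress.ip_network(entry[0])
        if route.subnet_of(base) and (best is None or base.prefixlen > best[0].prefixlen):
            best = (base, entry[1], entry[2] if len(entry) > 2 else None)
    if best is None:
        return False
    return match_type_ok(route, *best)


# The three route-filter lines of term filter-rfc1918-prefix in pol-1.
POL1_FILTERS = [
    ("172.16.0.0/12", "orlonger"),
    ("192.168.0.0/16", "longer"),
    ("10.0.0.0/8", "exact"),
]

# Constructed filters for the remaining match types and the lookup rule.
UPTO_FILTERS = [("10.0.0.0/8", "upto", 16)]
RANGE_FILTERS = [("10.0.0.0/8", "prefix-length-range", (20, 24))]
OVERLAP_FILTERS = [("10.0.0.0/8", "orlonger"), ("10.1.0.0/16", "exact")]

if __name__ == "__main__":
    samples = ("172.16.0.0/12", "172.20.1.0/24", "192.168.0.0/16",
               "192.168.10.0/24", "10.0.0.0/8", "10.1.0.0/16", "8.8.8.0/24")
    for prefix in samples:
        print(f"{prefix:18} {route_filters_match(prefix, POL1_FILTERS)}")
    # The /16 exact filter is the longest match for 10.1.2.0/24 and fails,
    # so the broader /8 orlonger filter is never consulted.
    print("10.1.2.0/24 vs overlapping filters:",
          route_filters_match("10.1.2.0/24", OVERLAP_FILTERS))
```

The overlapping case is the one that most often surprises when auditing a filter: a broad orlonger entry does not catch a route that also falls under a more specific entry whose match type fails.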
Common Actions
accept and reject are common terminating actions: they cause evaluation of the policy to stop and the route to be accepted or rejected.
default-action accept and default-action reject do not cause policy evaluation to stop, but they override the default policy's accept or reject determination.
next term and next policy cause the Junos OS to evaluate the next term or the next policy, respectively.
Other common actions modify routing protocol attributes such as BGP community, route preference, etc.
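The evaluation rules described above (OR within one match criterion, AND between criteria, terminating actions, default-action, next term and next policy) can be traced with a small model. This is an added example, not code from the original page or from Juniper: the function names, the demo-policy chain and the sample routes are constructed, prefix matching is the exact prefix-list kind, and the protocol's default result is passed in as an assumption.

```python
TERMINATING = ("accept", "reject")
FLOW_CONTROL = ("next term", "next policy")


def from_matches(route, conditions):
    """AND across different match criteria, OR across one criterion's values."""
    return all(route.get(criterion) in allowed
               for criterion, allowed in conditions.items())


def evaluate(route, policies, protocol_default):
    """Run a route through a policy chain.

    Returns (result, route_after_actions, matched_terms). protocol_default
    is the result used when no terminating action is reached (assumption:
    supplied by the caller, since it depends on the protocol).
    """
    route = dict(route)                 # actions modify a copy
    default = protocol_default
    matched = []
    for policy_name, terms in policies:
        for term_name, conditions, actions in terms:
            if not from_matches(route, conditions):
                continue
            matched.append(f"{policy_name}/{term_name}")
            flow = "next term"          # behaviour when no flow action is given
            for action in actions:      # every action in `then` is executed
                if action in TERMINATING or action in FLOW_CONTROL:
                    flow = action
                elif action.startswith("default-action "):
                    default = action.split()[1]   # overrides, does not stop
                else:                   # attribute change, e.g. "metric 5"
                    attribute, value = action.split(None, 1)
                    route[attribute] = value
            if flow in TERMINATING:
                return flow, route, matched
            if flow == "next policy":
                break
    return default, route, matched


RFC1918 = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

POLICIES = [
    ("demo-policy", [       # constructed for this example
        ("drop-private", {"protocol": {"rip", "ospf"}, "prefix": RFC1918}, ["reject"]),
        ("static-default", {"protocol": {"static"}}, ["default-action reject"]),
        ("direct-metric", {"protocol": {"direct"}}, ["metric 5", "next policy"]),
        ("skipped-for-direct", {"protocol": {"direct"}}, ["reject"]),
    ]),
    ("export-rip-policy", [  # the policy configured earlier on this page
        ("match-rip-routes", {"protocol": {"rip"}}, ["accept"]),
    ]),
]

SAMPLE_ROUTES = [           # constructed sample routes
    {"protocol": "rip", "prefix": "10.0.0.0/8"},
    {"protocol": "rip", "prefix": "10.1.0.0/16"},
    {"protocol": "bgp", "prefix": "10.0.0.0/8"},
    {"protocol": "static", "prefix": "203.0.113.0/24"},
    {"protocol": "direct", "prefix": "192.0.2.0/24"},
]

if __name__ == "__main__":
    for sample in SAMPLE_ROUTES:
        result, after, matched = evaluate(sample, POLICIES, "accept")
        print(sample["protocol"], sample["prefix"], "->", result, matched, after)
```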
Defining Routing Policy
Two steps to define a routing policy:
- Define the routing policy under edit policy-options hierarchy level
- Apply the routing policy
jadmin@JR-1> configure
Entering configuration mode
Users currently editing the configuration:
jadmin terminal v0 (pid 1480) on since 2020-10-21 12:35:46 SGT, idle 00:18:40
[edit]
[edit]
jadmin@JR-1# edit policy-options
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
dynamic-db Object may exist in dynamic database
> from Conditions to match the source of a route
> term Policy term
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term ?
Possible completions:
<term_name>
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-local-routes ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> from Conditions to match the source of a route
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-local-routes from ?
Possible completions:
aggregate-contributor Match more specifics of an aggregate
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> community-count Number of BGP communities
+ condition Condition to match on
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
> multicast-scope Multicast scope to match
+ neighbor Neighboring router
+ next-hop Next-hop router
next-hop-type Next-hop type
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
> prefix-list List of prefix-lists of routes to match
> prefix-list-filter List of prefix-list-filters to match
+ protocol Protocol from which route was learned
rib Routing table
> route-filter List of routes to match
route-type Route type
> source-address-filter List of source addresses to match
state Route state
+ tag Tag string
tag2 Tag string 2
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-local-routes from protocol ?
Possible completions:
[ Open a set of values
access Access server routes
access-internal Internal routes to directly connected clients
aggregate Aggregate routes
bgp BGP
direct Directly connected routes
dvmrp Distance Vector Multicast Routing Protocol
esis End System-to-Intermediate System
isis Intermediate System-to-Intermediate System
l2circuit Layer 2 circuits
l2vpn Layer 2 MPLS virtual private networks
ldp Label Distribution Protocol
local Local system addresses
msdp Multicast Source Discovery Protocol
ospf Open Shortest Path First
ospf2 Open Shortest Path First Version 2
ospf3 Open Shortest Path First Version 3
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
rsvp Resource Reservation Protocol
rtarget Local route target VPN membership
static Statically defined addresses
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-local-routes from protocol direct
jadmin@JR-1# set policy-statement pol1 term ?
Possible completions:
<term_name>
allow-local-routes
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-local-routes then ?
Possible completions:
accept Accept a route
> aigp-originate Originate a BGP AIGP attribute
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
label-allocation Set label allocation mode
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> map-to-interface Set output logical interface
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
priority Set priority for route installation
reject Reject a route
source-class Set source class in forwarding table
+ ssm-source List of Sources for SSM mapping
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-local-routes then accept
jadmin@JR-1# set policy-statement pol1 term allow-static from protocol static
jadmin@JR-1# set policy-statement pol1 term allow-static from route-filter ?
Possible completions:
<address> IP address or hostname
address-mask Mask applied to prefix address
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
prefix-length-range Mask falls between two prefix lengths
through Route falls between two prefixes
upto Mask falls between two prefix lengths
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-static from route-filter 172.18.1.0/24 ?
Possible completions:
address-mask Mask applied to prefix address
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
prefix-length-range Mask falls between two prefix lengths
through Route falls between two prefixes
upto Mask falls between two prefix lengths
[edit policy-options]
jadmin@JR-1# set policy-statement pol1 term allow-static from route-filter 172.18.1.0/24 exact
jadmin@JR-1# set policy-statement pol1 term allow-static from route-filter 172.18.0.0/16 orlonger
jadmin@JR-1# set policy-statement pol1 term allow-static then accept
jadmin@JR-1# set policy-statement pol1 term allow-rip from protocol rip
jadmin@JR-1# set policy-statement pol1 term allow-rip then accept
[edit policy-options]
jadmin@JR-1# show
policy-statement pol1 {
term allow-local-routes {
from protocol direct;
then accept;
}
term allow-static {
from {
protocol static;
route-filter 172.18.1.0/24 exact;
route-filter 172.18.0.0/16 orlonger;
}
then accept;
}
term allow-rip {
from protocol rip;
then accept;
}
}
[edit policy-options]
Applying Routing Policy
Depending on the routing protocol, you can apply import and export policies at multiple hierarchy levels. Note that OSPF only allows protocol-level export and import policies, to maintain a consistent Link State Database (LSDB).
The Junos OS applies the most specific import and export policy. Import and export policies at higher configuration hierarchy levels are applied at the lower levels if no other policy exists. If you configure a policy at a lower hierarchy level, the system applies that policy.
[edit policy-options]
jadmin@JR-1# top edit protocols ospf
[edit protocols ospf]
jadmin@JR-1# set ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> area Configure an OSPF area
> backup-spf-options Configure options for backup SPF
> database-protection Configure database protection attributes
disable Disable OSPF
+ export Export policy
external-preference Preference of external routes
> graceful-restart Configure graceful restart attributes
+ import Import policy (for external routes or setting priority)
no-nssa-abr Disable full NSSA functionality at ABR
no-rfc-1583 Disable RFC1583 compatibility
> overload Set the overload mode (repel transit traffic)
preference Preference of internal routes
prefix-export-limit Maximum number of prefixes that can be exported
reference-bandwidth Bandwidth for calculating metric defaults
rib-group Routing table group for importing OSPF routes
> spf-options Configure options for SPF
> topology Topology parameters
> traceoptions Trace options for OSPF
> traffic-engineering Configure traffic engineering attributes
[edit protocols ospf]
jadmin@JR-1# set export pol1 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> area Configure an OSPF area
> backup-spf-options Configure options for backup SPF
> database-protection Configure database protection attributes
disable Disable OSPF
+ export Export policy
external-preference Preference of external routes
> graceful-restart Configure graceful restart attributes
+ import Import policy (for external routes or setting priority)
no-nssa-abr Disable full NSSA functionality at ABR
no-rfc-1583 Disable RFC1583 compatibility
> overload Set the overload mode (repel transit traffic)
preference Preference of internal routes
prefix-export-limit Maximum number of prefixes that can be exported
reference-bandwidth Bandwidth for calculating metric defaults
rib-group Routing table group for importing OSPF routes
> spf-options Configure options for SPF
> topology Topology parameters
> traceoptions Trace options for OSPF
> traffic-engineering Configure traffic engineering attributes
| Pipe through a command
[edit protocols ospf]
jadmin@JR-1# set export pol1 area 0.0.0.0 ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> area-range Configure area ranges
> context-identifier Configure context identifier in support of edge protection
> interface Include an interface in this area
> label-switched-path Configuration for advertisement of a label-switched path
+ network-summary-export Export policy for Type 3 Summary LSAs
+ network-summary-import Import policy for Type 3 Summary LSAs
no-context-identifier-advertisement Disable context identifier advertisments in this area
> peer-interface Configuration for peer interface
> virtual-link Configure virtual links
[edit protocols ospf]
jadmin@JR-1# set export pol1 area 0.0.0.0 interface em0.0 passive
[edit protocols ospf]
jadmin@JR-1# show
export pol1;
area 0.0.0.0 {
interface em0.0 {
passive;
}
}
[edit protocols ospf]
Policy Chaining
You can cascade or chain policies to solve a complex set of route manipulation tasks in a modular manner.
The Junos OS evaluates policies from left to right based on the order in which they are applied to a routing protocol. It checks the match criteria of each policy and performs the associated action when a match occurs. If the first policy does not match or if the match is associated with a nonterminating action, it evaluates the route against the next policy in the chain. This pattern repeats itself for all policies in the chain. The Junos OS ultimately applies the default policy for a given protocol when no terminating actions occur while evaluating the user-defined policy chain.
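The evaluation order described above, modeled as an added example (not code from the original page or from Junos). It runs constructed sample routes through the page's pol1 and default-route-ospf policies, chained as [ default-route-ospf pol1 ], which is an assumed chain the page does not configure. It also models the longest-match lookup Junos performs across a term's route-filters, assumes the OSPF default export policy is reject, and implements only the exact, longer and orlonger match types.

```python
import ipaddress

# Policies transcribed from the page's `show` output.
POLICIES = {
    "pol1": [
        {"name": "allow-local-routes", "protocol": "direct", "then": "accept"},
        {"name": "allow-static", "protocol": "static", "then": "accept",
         "route_filters": [("172.18.1.0/24", "exact"),
                           ("172.18.0.0/16", "orlonger")]},
        {"name": "allow-rip", "protocol": "rip", "then": "accept"},
    ],
    "default-route-ospf": [
        {"name": "default-static", "protocol": "static", "then": "accept",
         "route_filters": [("0.0.0.0/0", "exact")]},
    ],
}

# Match type -> test on (route prefix length, filter prefix length).
MATCH_TYPES = {
    "exact": lambda route_len, filter_len: route_len == filter_len,
    "longer": lambda route_len, filter_len: route_len > filter_len,
    "orlonger": lambda route_len, filter_len: route_len >= filter_len,
}


def term_matches(term, route, protocol):
    """True when the route satisfies every `from` condition of the term."""
    if term.get("protocol") not in (None, protocol):
        return False
    filters = term.get("route_filters")
    if not filters:
        return True
    net = ipaddress.ip_network(route)
    covering = [(ipaddress.ip_network(p), kind) for p, kind in filters
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return False
    # Longest-match lookup: only the most specific covering filter is tested;
    # if its match type fails, the shorter filters are not tried.
    prefix, kind = max(covering, key=lambda f: f[0].prefixlen)
    return MATCH_TYPES[kind](net.prefixlen, prefix.prefixlen)


def evaluate(chain, route, protocol, default_action="reject"):
    """Return (action, where) for one route run through a policy chain."""
    for policy in chain:                       # policies: left to right
        for term in POLICIES[policy]:          # terms: top to bottom
            if not term_matches(term, route, protocol):
                continue
            if term["then"] in ("accept", "reject"):   # terminating action
                return term["then"], f"{policy}/{term['name']}"
            if term["then"] == "next policy":          # nonterminating
                break
    # Assumed default: OSPF export rejects whatever no policy accepted.
    return default_action, "default policy"


# Constructed sample routes (prefix, protocol); not taken from the page.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "static"), ("172.18.1.0/24", "static"),
    ("172.18.1.128/25", "static"), ("172.18.2.0/24", "static"),
    ("10.1.1.0/24", "direct"), ("192.168.5.0/24", "rip"),
    ("10.0.0.0/8", "bgp"),
]

if __name__ == "__main__":
    chain = ["default-route-ospf", "pol1"]     # assumed chain order
    for prefix, proto in SAMPLE_ROUTES:
        action, where = evaluate(chain, prefix, proto)
        print(f"{prefix:18} {proto:7} {action:7} {where}")
```

The static route 172.18.1.128/25 is the case to notice: its longest covering filter is 172.18.1.0/24 exact, which fails, so the term does not match even though 172.18.0.0/16 orlonger would have accepted it on its own.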
Case Study: Advertise default static route into OSPF routing policy
jadmin@JR1> configure
Entering configuration mode
Users currently editing the configuration:
root terminal v0 (pid 1488) on since 2020-10-25 10:26:47 UTC, idle 00:53:36
[edit system login]
[edit]
jadmin@JR1# edit routing-options
[edit routing-options]
jadmin@JR1# set static route 0.0.0.0/0 next-hop 10.1.1.10
[edit routing-options]
jadmin@JR1# top edit policy-options
[edit policy-options]
jadmin@JR1# set policy-statement ?
Possible completions:
<policy_name> Name to identify a policy filter
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
dynamic-db Object may exist in dynamic database
> from Conditions to match the source of a route
> term Policy term
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term ?
Possible completions:
<term_name>
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> from Conditions to match the source of a route
> then Actions to take if 'from' and 'to' conditions match
> to Conditions to match the destination of a route
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static from ?
Possible completions:
aggregate-contributor Match more specifics of an aggregate
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> community-count Number of BGP communities
+ condition Condition to match on
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
> multicast-scope Multicast scope to match
+ neighbor Neighboring router
+ next-hop Next-hop router
next-hop-type Next-hop type
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
> prefix-list List of prefix-lists of routes to match
> prefix-list-filter List of prefix-list-filters to match
+ protocol Protocol from which route was learned
rib Routing table
> route-filter List of routes to match
route-type Route type
> source-address-filter List of source addresses to match
state Route state
+ tag Tag string
tag2 Tag string 2
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static from protocol ?
Possible completions:
[ Open a set of values
access Access server routes
access-internal Internal routes to directly connected clients
aggregate Aggregate routes
bgp BGP
direct Directly connected routes
dvmrp Distance Vector Multicast Routing Protocol
esis End System-to-Intermediate System
isis Intermediate System-to-Intermediate System
l2circuit Layer 2 circuits
l2vpn Layer 2 MPLS virtual private networks
ldp Label Distribution Protocol
local Local system addresses
msdp Multicast Source Discovery Protocol
ospf Open Shortest Path First
ospf2 Open Shortest Path First Version 2
ospf3 Open Shortest Path First Version 3
pim Protocol Independent Multicast
rip Routing Information Protocol
ripng Routing Information Protocol next generation
rsvp Resource Reservation Protocol
rtarget Local route target VPN membership
static Statically defined addresses
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static from protocol static
jadmin@JR1# set policy-statement default-route-ospf term default-static from route-filter ?
Possible completions:
<address> IP address or hostname
address-mask Mask applied to prefix address
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
prefix-length-range Mask falls between two prefix lengths
through Route falls between two prefixes
upto Mask falls between two prefix lengths
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static from route-filter 0.0.0.0/0 ?
Possible completions:
address-mask Mask applied to prefix address
exact Exactly match the prefix length
longer Mask is greater than the prefix length
orlonger Mask is greater than or equal to the prefix length
prefix-length-range Mask falls between two prefix lengths
through Route falls between two prefixes
upto Mask falls between two prefix lengths
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static from route-filter 0.0.0.0/0 exact
jadmin@JR1# set policy-statement default-route-ospf term default-static then ?
Possible completions:
accept Accept a route
> aigp-originate Originate a BGP AIGP attribute
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
label-allocation Set label allocation mode
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> map-to-interface Set output logical interface
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
priority Set priority for route installation
reject Reject a route
source-class Set source class in forwarding table
+ ssm-source List of Sources for SSM mapping
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file
[edit policy-options]
jadmin@JR1# set policy-statement default-route-ospf term default-static then accept
[edit policy-options]
jadmin@JR1# show
policy-statement default-route-ospf {
term default-static {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
}
[edit policy-options]
jadmin@JR1# top edit protocols ospf
[edit protocols ospf]
jadmin@JR1# set export ?
Possible completions:
<value> Export policy
( Open an expression
[ Open a set of values
default-route-ospf
[edit protocols ospf]
jadmin@JR1# set export default-route-ospf
[edit protocols ospf]
jadmin@JR1# show
export default-route-ospf; // EXPORT (INJECT) DEFAULT STATIC ROUTE FROM ROUTING TABLE INTO OSPF
area 0.0.0.0 {
interface em0.0 {
passive;
}
interface em1.0;
interface lo0.0;
}
[edit protocols ospf]
jadmin@JR1# commit and-quit
commit complete
Exiting configuration mode
jadmin@JR2> show route protocol ospf
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[OSPF/150] 00:01:51, metric 0, tag 0 // JR2 INSTALLS EXTERNAL OSPF ROUTE (PREFERENCE 150)
> to 172.25.1.1 via em0.0
10.1.1.0/24 *[OSPF/10] 00:33:51, metric 2
> to 172.25.1.1 via em0.0
172.20.1.1/32 *[OSPF/10] 00:33:51, metric 1
> to 172.25.1.1 via em0.0
224.0.0.5/32 *[OSPF/10] 00:38:09, metric 1
MultiRecv
jadmin@JR2> show route protocol ospf ?
Possible completions:
<[Enter]> Execute this command
<destination> IP address and optional prefix length of destination
active-path Show active paths
advertising-protocol Show information in format intended for particular routing protocol
all Show all entries, including hidden entries
aspath-regex BGP AS path regular expression for entries to match
best Show longest matching route
brief Display brief output
ccc Name of entry in MPLS table with a circuit cross-connect interface
+ community Identifier for community (can include wildcards)
community-name Name of configured community policy to match
damping Show entries subjected to particular kind of route damping
detail Display detailed output
exact Show routes that match exactly
extensive Display extensive output
hidden Show hidden entries
inactive-path Show inactive paths
inactive-prefix Show inactive route destinations
label Label of entry in MPLS routing table
label-switched-path Name of LSP tunnel associated with entries
logical-system Name of logical system, or 'all'
match-prefix Regular expression to match formatted prefix
next-hop IP address of next hop that is destination for entries
no-community Show entries with no associated community
output Show entries sent out a particular interface
private Show private table routes
range Show all entries in prefix range
rd-prefix Route distinguisher with ip prefix (rd:prefix)
receive-protocol Show information in format received from particular routing protocol
source-gateway IP address of source router for entries
static-label-switched-path Name of static LSP tunnel associated with entries
table Name of routing table
terse Display terse output
| Pipe through a command
jadmin@JR2> show route protocol ospf exact ?
Possible completions:
<[Enter]> Execute this command
<destination> IP address and optional prefix length of destination
active-path Show active paths
advertising-protocol Show information in format intended for particular routing protocol
all Show all entries, including hidden entries
aspath-regex BGP AS path regular expression for entries to match
brief Display brief output
ccc Name of entry in MPLS table with a circuit cross-connect interface
+ community Identifier for community (can include wildcards)
community-name Name of configured community policy to match
damping Show entries subjected to particular kind of route damping
detail Display detailed output
extensive Display extensive output
hidden Show hidden entries
inactive-path Show inactive paths
inactive-prefix Show inactive route destinations
label Label of entry in MPLS routing table
label-switched-path Name of LSP tunnel associated with entries
logical-system Name of logical system, or 'all'
match-prefix Regular expression to match formatted prefix
next-hop IP address of next hop that is destination for entries
no-community Show entries with no associated community
output Show entries sent out a particular interface
private Show private table routes
rd-prefix Route distinguisher with ip prefix (rd:prefix)
receive-protocol Show information in format received from particular routing protocol
source-gateway IP address of source router for entries
static-label-switched-path Name of static LSP tunnel associated with entries
table Name of routing table
terse Display terse output
| Pipe through a command
jadmin@JR2> show route protocol ospf exact 0/0
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[OSPF/150] 00:02:11, metric 0, tag 0
> to 172.25.1.1 via em0.0
Below are the configurations for JR1 and JR2, respectively.
JR1
edit routing-options
set static route 0.0.0.0/0 next-hop 10.1.1.10
top edit policy-options
set policy-statement default-route-ospf term default-static from protocol static
set policy-statement default-route-ospf term default-static from route-filter 0.0.0.0/0 exact
set policy-statement default-route-ospf term default-static then accept
show
top edit protocols ospf
set export default-route-ospf
show
commit and-quit
JR2
show route protocol ospf
show route protocol ospf exact 0/0