
JUNOS Routing Policy

Course Objectives
After completing this course, you should be able to:

- Describe routing policy features
- Configure routing policy in a variety of situations
- Configure advanced routing policy for BGP
- Manage communities
- Manage AS path regular expressions
- Set route damping parameters

Basic Routing Policy

Module Objectives
After completing this module, you should be able to describe:

- When to define routing policies
- The difference between importing and exporting routes
- The basic structure of routing policies
- Match conditions and actions available for policies
- How to define route filters
- How to apply routing policy

Overview

Policy Overview
- Controls routing information transferred between routing table and each routing protocol
  - Incoming routing information can be ignored or changed
  - Outgoing routing information can be suppressed or changed
- Some match conditions are protocol specific

When to Apply Policy


- You do not want to import all learned routes into the routing table
- You do not want to advertise all learned routes to neighboring routers
- You want one protocol to receive routes from another protocol
- You want to modify information associated with a route

Import and Export


- Policy filtering is done with respect to the JUNOS routing table
- Export policy is applied to active paths in routing table

[Figure: neighbors, import, routing table, export, protocol routes, route selection, forwarding table (PFE)]

Routing Policy
- Allows you to filter and control routing information entering and leaving the router
- Separate policy for each routing protocol

[Figure: neighbors, import policy #1 and #2, routing table, export policy #1 and #2, protocol routes, forwarding table (PFE)]

Routing Policy
- Policies contain collections of terms
- Terms contain a condition and an action to apply to each route

[Figure: a route passes from term to term; each term can accept or reject it, and after the last term evaluation moves to the next policy]

Routing Policy
- Policies can be chained together to increase their effectiveness

[Figure: a route passes from policy to policy; each policy can accept or reject it, and after the last policy the default policy accepts or rejects it]

Match Conditions
- General
  - Route metrics
    - Metric
    - Preference
    - Color
  - Interface name
  - Neighbor address
  - Next hop address
  - Protocol
    - bgp, direct, dvmrp, isis, local, mpls, ospf, pim-dense, pim-sparse, rip, static, aggregate

Match Conditions
- OSPF
  - Area ID
  - Tag and tag2 fields
- IS-IS
  - Level number
- BGP
  - Autonomous system path (AS path)
  - Community name
  - Local preference
  - Origin
Match Actions
- Terminate
  - Accept route
  - Reject (or suppress) route
- Flow Control
  - Skip to next policy
  - Skip to next term
- Trace
  - Log the match to trace file, continue processing term

Match Actions
- Modify
  - Metric
  - Preference
  - Color
  - Next-hop address

Match Actions
- Modify
  - OSPF
    - Area ID
    - Tag and tag2 fields
  - IS-IS
    - Level number

Match Actions
- Modify
  - BGP
    - Prepend AS path
    - Add, delete, or set community
    - Change route damping parameters
    - Change local preference value
    - Change protocol origin

Default Policies
- Different default policies for each protocol being imported or exported
- Reaching the end of a policy (or chain of policies) invokes default policy for that protocol

Default Policies
- IS-IS, OSPF, and RIP
  - Import
    - Import all routes from protocol
    - IS-IS and OSPF cannot override or change this default policy (could lead to inconsistent routing)
  - Export
    - Export routes learned by that protocol
    - Export direct routes for interfaces on which the protocol is explicitly configured

Default Policies
- BGP
  - Import
    - Import all routes from protocol
  - Export
    - Transmit all routes learned from BGP neighbors to all BGP neighbors
    - Only active routes can be exported

Configuring Policy

Configuring Policy
- Policies are made up of terms
- Terms are made up of match conditions and actions
- Match conditions can be split into from and to parts

[Figure: a policy contains terms; each term contains match conditions and an action]

Configuring Policy
- Basic policy syntax

    policy-options {
        policy-statement policy-name {
            term term-name {
                from {
                    match-conditions;
                }
                to {
                    match-conditions;
                }
                then {
                    action;
                }
            }
            final-action;
        }
    }

- A policy can have multiple terms

Configuring Policy
- Example

    policy-options {
        policy-statement advertise-ospf {
            term pick-ospf {
                from protocol ospf;
                then accept;
            }
        }
    }
    protocols bgp {
        export advertise-ospf;
    }

Configuring Policy
- The same sample, written another way

    policy-options {
        policy-statement advertise-ospf {
            from protocol ospf;
            then accept;
        }
    }
    protocols bgp {
        export advertise-ospf;
    }

Applying policy

Applying Policy
- Most routing protocols have global import and export filtering points
- Link-state protocols (IS-IS and OSPF) have only export filtering points

    protocols {
        isis {
            export [ policy-list ];
        }
        ospf {
            export [ policy-list ];
        }
    }

Applying Policy
- BGP has three filtering points
  - Global
  - Groups of neighbors
  - Individual neighbors
- BGP policy evaluation is not hierarchical
  - Neighbor policy overrides group and global policies
  - Group policy overrides global policy

Applying Policy
- BGP global filter syntax

    protocols {
        bgp {
            export [ policy-list ];
            import [ policy-list ];
        }
    }

- BGP sample

    protocols {
        bgp {
            export local-customers;
            import [ as-47-filter martian-filter ];
        }
    }

Applying Policy : Complex BGP Example


    protocols {
        bgp {
            export local-customers;
            group meganet-inc {
                type external;
                peer-as 47;
                import [ martian-filter long-prefix-filter as-47-filter ];
                neighbor 1.2.2.4;
                neighbor 1.2.2.5;
            }
            group problem-child {
                type external;
                peer-as 54;
                export kill-private-addresses;
                import [ as-47-filter long-prefix martian-filter ];
                neighbor 1.2.2.6;
                neighbor 1.2.2.7 {
                    import [ reject-unwanted as-666-routes ];
                }
            }
        }
    }

Route Matching

Route Filters
    [..]
    term term-name {
        from {
            route-filter prefix/prefix-length match-type <actions>;
            [..]
        }
        then action;
    }

- Match-type may be
  - exact, orlonger, longer, upto, through
- Multiple route filters in a single term
- Evaluation of route filters has special rules

Match Types - exact


- Exactly match a single prefix and prefix length

    term sample {
        from route-filter 192.168/16 exact;
        then accept;
    }

Includes: 192.168.0.0/16

Excludes: Everything else

Match Types - orlonger

- Greater than or equal to
- Match a range of routes having the most significant bits in common as described by the prefix length

    term sample {
        from route-filter 192.168/16 orlonger;
        then accept;
    }

Includes: 192.168.0.0/16, 192.168.12.4/30, 192.168.0.0/17, 192.168.12.128/32, 192.168.4.0/24

Excludes: 192.168.0.0/8, 192.169.1.0/24, 192.170.0.0/16

Match Types - longer

- Match a range of routes having the most significant bits in common as described by the prefix length, except the exact match
- Greater than

    term sample {
        from route-filter 192.168/16 longer;
        then accept;
    }

Includes: 192.168.12.4/30, 192.168.0.0/17, 192.168.12.128/32, 192.168.4.0/24

Excludes: 192.0.0.0/8, 192.170.0.0/16, 192.169.1.0/24, 192.168.0.0/16

Match Types - upto

- Match a range of routes having the most significant bits in common as described by the first prefix length, but not exceeding the second prefix length

    term sample {
        from route-filter 192.168/16 upto /24;
        then accept;
    }

Includes: 192.168.0.0/16, 192.168.0.0/17, 192.168.4.0/24

Excludes: 192.0.0.0/8, 192.170.0.0/16, 192.169.1.0/24, 192.168.5.4/30, 192.168.12.128/32

Match Types - through

- Match a contiguous set of routes from the first prefix/prefix-length pair to the second prefix/prefix-length pair
- Not used very often; covers a corner case

    term sample {
        from route-filter 192.168/16 through 192.168.16/24;
        then accept;
    }

Includes: 192.168.0.0/16, 192.168.0.0/17, 192.168.0.0/18, 192.168.0.0/19, 192.168.16.0/20

Excludes: 192.168.128.0/17, 192.168.192.0/18, 192.168.5.4/30, 192.168.0.0/20, 192.168.224.0/19

Route Filter Match Action


    term term-name {
        from {
            route-filter dest-prefix match-type <actions>;
            route-filter dest-prefix match-type <actions>;
            [..]
        }
        then <actions>;
    }

- If the route matches the filter and an action is specified, it takes effect immediately and the then portion of the term is ignored
- If one or more patterns match and no action is specified, the then portion is executed

Route Filter Match Action


    term term-name {
        from {
            route-filter dest-prefix match-type <actions>;
            route-filter dest-prefix match-type <actions>;
            [..]
        }
        then <actions>;
    }

Logical OR function

- Multiple filters with similar prefixes: the longest prefix is selected
- Action associated with longest filter is performed

Test Your Knowledge


Which action is taken when 10.0.67.43/32 is evaluated by this policy?

    policy-statement pop-quiz {
        from {
            route-filter 10.0.0.0/16 orlonger accept;
            route-filter 10.0.67.0/24 orlonger;
            route-filter 10.0.0.0/8 orlonger reject;
        }
        then {
            metric 10;
            accept;
        }
    }
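The match types and the longest-prefix rule from the preceding slides can be modelled in a few lines. This is an added example, not Juniper code: the function names are hypothetical, and the rule that shorter filters are not retried when the longest filter's match type fails is Junos behaviour that goes slightly beyond what the slides state.

```python
import ipaddress

def net(text):
    """Parse a prefix, expanding Junos shorthand such as 192.168/16."""
    addr, _, length = text.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + length, strict=False)

def matches(route, prefix, match_type, arg=None):
    """True if `route` satisfies a single route-filter line."""
    r, p = net(route), net(prefix)
    if not r.subnet_of(p):                 # must share the filter's leading bits
        return False
    if match_type == "exact":
        return r.prefixlen == p.prefixlen
    if match_type == "orlonger":
        return True
    if match_type == "longer":
        return r.prefixlen > p.prefixlen
    if match_type == "upto":               # arg: maximum length, e.g. "/24"
        return r.prefixlen <= int(str(arg).lstrip("/"))
    if match_type == "through":            # arg: second prefix, e.g. "192.168.16/24"
        return net(arg).subnet_of(r)       # route lies on the path down to arg
    raise ValueError(f"unknown match type: {match_type}")

def evaluate_term(route, filters, then_action):
    """filters: (prefix, match_type, arg, action or None). Returns the action
    applied to `route`, or None when the term does not match."""
    r = net(route)
    covering = [f for f in filters if r.subnet_of(net(f[0]))]
    if not covering:
        return None
    # Longest-match lookup: only the filter with the longest prefix is evaluated.
    prefix, mtype, arg, action = max(covering, key=lambda f: net(f[0]).prefixlen)
    if not matches(route, prefix, mtype, arg):
        return None                        # shorter filters are not retried
    return action if action is not None else then_action

# The pop-quiz policy from the slide above.
POP_QUIZ = [
    ("10.0.0.0/16", "orlonger", None, "accept"),
    ("10.0.67.0/24", "orlonger", None, None),
    ("10.0.0.0/8", "orlonger", None, "reject"),
]

if __name__ == "__main__":
    for route in ("10.0.67.43/32", "10.0.1.0/24", "10.200.0.0/16", "172.16.0.0/12"):
        print(route, "->", evaluate_term(route, POP_QUIZ, "metric 10; accept"))
```

The last rule matters when writing reject filters: a route whose longest covering filter fails its match type falls out of the term entirely, even if a broader filter in the same term would have caught it.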

Routing Filter Example


- What are all the unwanted routes?
  - Default
  - Loopbacks
  - Private address
  - Multicast
  - Reserved networks

    policy-statement reject-unwanted-route {
        from {
            route-filter 0/0 exact;              # Default
            route-filter 127/8 orlonger;         # Loopbacks
            route-filter 10/8 orlonger;          # Reserved A block
            route-filter 172.16/12 orlonger;     # Reserved B block
            route-filter 192.168/16 orlonger;    # Reserved C block
            route-filter 224/3 orlonger;         # Multicast
            route-filter 192.0/16 orlonger;      # IANA reserved-2
        }
        then reject;
    }

Routing Filter Example


- Add an AS multiple times to the beginning of a route's AS path

    policy-options {
        policy-statement prepend {
            from {
                route-filter 24.1.0.0/16 exact accept;
                route-filter 128.105.0.0/16 exact {
                    as-path-prepend "3 3 3";
                    accept;
                }
                route-filter 24.0.0.0/16 exact accept;
            }
        }
    }

Checkpoint
- Can you now state
  - Strip away some unwanted prefixes
  - The difference between importing and exporting routes?
  - The basic structure of routing policies?
  - The match conditions and actions available for policies?
  - How to define route filters?
  - How to apply routing policy?

Advanced Routing Policy

Module Objectives
After completing this course, you should be able to describe:

- Policy commands applied to
  - BGP communities
  - AS path regular expressions
  - Damping parameters
- How to test and view policies

Communities

BGP Communities
- Group destinations that share a common property
- Perform action on entire group
- Community associations sent in BGP update message
- Multiple communities can be associated with a single destination
- With routing policy, you can
  - Create a community
  - Match communities using regular expressions
  - Set, add, or delete communities

Creating Communities
- Define at policy-options level

    [edit policy-options]
    user@host# set community name members [community-ids]

- Where
  - name identifies community
  - community-ids specifies one or more members, in the form as-number:community-value
- Example

    policy-options {
        community foobar members 64512:666;
        community no-internal-BGP members [ 64512:111 64512:222 ];    # Logical AND function
    }

Well-known Communities
- Support for well-known community names, defined in RFC 1997
  - no-export --- Don't advertise outside of BGP confederation
  - no-advertise --- Don't advertise to other BGP peers
  - no-export-subconfed --- Don't advertise to external BGP peers, including peers in other member ASs inside a BGP confederation
- Specify the well-known community as a community ID within a community name

    policy-options {
        community do-not-export members no-export;
    }

Community Matching Example


    policy-options {
        policy-statement do-not-send-these-routes {
            from community no-transit;
            then reject;
        }
        community no-transit members 64512:666;
    }
    protocols {
        bgp {
            export [ do-not-send-these-routes ];
        }
    }

Community Actions
- Three possible actions
  - add --- Add the community to the current set of communities
  - delete --- Delete the community from the current set of communities
  - set --- Set the community, replacing any existing ones
- Example

    policy-options {
        policy-statement accept-but-do-not-export {
            from route-filter 192.11/16 orlonger;
            then {
                community add do-not-export;
                accept;
            }
        }
        community do-not-export members no-export;
    }

AS Path Matching

AS Path Matching
- Define routing policy matches based on the AS path
- Match all or portions of the AS path
- Use regular expressions to define pattern matching on the AS path

AS Path Regular Expressions


- Define at policy-options level

    [edit policy-options]
    user@host# set as-path name regular-expressions

- Where
  - name identifies the regular expressions
  - regular-expressions consist of term <operator>

AS Path Regular Expressions


- Regular expressions consist of term [operator]
- Term
  - Mandatory
  - Any single AS number

        set as-path path-name 701

  - An AS path

        set as-path path-name "701 2685"

  - Wildcard character ".", which matches any single AS number

        set as-path path-name "701 . 2685"

AS Path Regular Expressions


- Regular expressions consist of term [operator]
- Operator
  - Optional
  - Defines pattern-matching operations applied to the term
  - Can include one or more term-operator pairs

        as-path match-path "701? 2685*"

  - Except for the pipe (|) and dash (-), which are placed between terms

        as-path match-path "701 | 2685"

Regular Expression Operator


Operator   Match...
{m,n}      At least m and at most n repetitions of the AS path term; m must be smaller than n (and positive)
{m}        Exactly m repetitions of the AS path term
{m,}       m or more repetitions of the AS path term
*          Zero or more repetitions of an AS path term; this is equivalent to {0,}
+          One or more repetitions of an AS path term; this is equivalent to {1,}
?          Zero or one repetition of an AS path term; this is equivalent to {0,1}
|          One of the two AS path terms on either side of the pipe

Test Your Knowledge


What does this policy do?

    policy-options {
        policy-statement inbound-1 {
            from as-path match-path-1;
            then accept;
        }
        policy-statement inbound-2 {
            from as-path match-path-2;
            then accept;
        }
        as-path match-path-1 "701 2685";
        as-path match-path-2 ". 2685";
    }

Test Your Knowledge


What does this policy do?

    policy-options {
        policy-statement expect-multiples {
            from as-path from-somewhere;
            then accept;
        }
        as-path from-somewhere "701{1,6} (2685|1234)";
    }

Test Your Knowledge


How does the following policy evaluate the prefix 212.33/16 with AS path 701 701 702?

    policy-options {
        policy-statement unsure {
            from as-path oh-my;
            then {
                community add no-transit;
                accept;
            }
        }
        community no-transit members 65002:888;
        as-path oh-my "701+ (2685|1234)? .";
    }
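To check an AS path expression before committing it, the term/operator grammar from the slides can be translated into an ordinary regular expression over whole AS numbers. This is an added example, not Juniper code: the function names are hypothetical, it assumes the expression must match the entire AS path, it does not support the dash (range) operator, and an unparenthesised pipe follows Python precedence.

```python
import re

# One token: an AS number, the "." wildcard, a grouping/operator character,
# or a {m}, {m,} or {m,n} repetition count.
_TOKEN = re.compile(r"\s*(\d+|\.|[()|*+?]|\{\d+(?:,\d*)?\})")

def junos_as_path_to_re(expr):
    """Translate an AS path expression (terms are whole AS numbers) to a Python pattern."""
    out, pos = [], 0
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at {expr[pos:]!r}")
        tok, pos = m.group(1), m.end()
        if tok.isdigit():
            out.append(f"(?:{tok} )")      # one specific AS number
        elif tok == ".":
            out.append(r"(?:\d+ )")        # wildcard: any single AS number
        elif tok == "(":
            out.append("(?:")
        else:
            out.append(tok)                # ) | * + ? {m,n} map directly
    return re.compile("".join(out))

def as_path_matches(expr, as_path):
    """True if the whole AS path (space-separated AS numbers) matches expr."""
    # Every AS number is followed by one space so that 701 never matches 7018.
    subject = "".join(f"{asn} " for asn in as_path.split())
    return junos_as_path_to_re(expr).fullmatch(subject) is not None

if __name__ == "__main__":
    # Expressions taken from the slides; the AS paths are constructed samples.
    samples = [
        ("701 2685", "701 2685"),
        (". 2685", "7018 2685"),
        ("701{1,6} (2685|1234)", "701 701 1234"),
        ("701+ (2685|1234)? .", "701 701 702"),
    ]
    for expr, path in samples:
        print(f"{expr!r:28} {path!r:16} {as_path_matches(expr, path)}")
```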

Route Damping

Route Damping
- Reduce the number of update messages sent between BGP peers
- Generally applied to EBGP routes
  - Can also be used with confederations
- Configured by creating a named set of damping parameters that you apply as damping policy action
- Must enable BGP damping first

Damping Figure of Merit


- New route given a figure of merit of 0
- Figure of merit increases with each incident
  - Withdrawn route: 1000
  - Readvertised route: 1000
  - Path attribute change: 500
- Route is suppressed when figure of merit exceeds suppress threshold
  - Default suppress threshold is 3000
- Route is reused when figure of merit drops below reuse threshold
  - Default reuse threshold is 750

Damping Figure of Merit


- Exponential decay
  - Reduces figure of merit over time
- Maximum suppression time limit
  - Default is 60 minutes
- Maximum figure of merit
  - Stops increasing when ceiling is reached
  - Determined by formula
  - Not explicitly configurable

Damping - Configuration
- Defining damping parameters is similar to defining a community

    policy-options {
        damping name {
            half-life minutes;
            max-suppress minutes;
            reuse number;
            suppress number;
            disable;
        }
    }

Damping - Example
    policy-options {
        policy-statement damp {
            from {
                route-filter 11/8 exact damping high;
                route-filter 15/8 exact damping medium;
            }
            then accept;
        }
        damping high {
            half-life 15;
            suppress 3000;
            reuse 2500;
            max-suppress 50;
        }
        damping medium {
            half-life 3;
            max-suppress 4;
        }
    }
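The figure-of-merit rules above can be simulated to see when a flapping route is suppressed and how long it stays that way. This is an added example, not Juniper code: the function names and flap timeline are constructed, the penalties come from the slide, and the ceiling uses the standard damping relation (decaying from the ceiling to the reuse threshold takes max-suppress minutes), which the slides mention but do not spell out.

```python
import math

# Penalties per incident, as listed on the "Damping Figure of Merit" slide.
PENALTY = {"withdraw": 1000, "readvertise": 1000, "attr-change": 500}

def merit_ceiling(reuse, half_life, max_suppress):
    """Maximum figure of merit (assumed relation, see lead-in)."""
    return reuse * 2 ** (max_suppress / half_life)

def minutes_until_reuse(merit, half_life, reuse):
    """Minutes of stability needed for `merit` to decay to the reuse threshold."""
    return max(0.0, half_life * math.log2(merit / reuse))

def simulate(events, half_life, suppress, reuse, max_suppress):
    """events: list of (minute, kind) in time order.
    Returns a list of (minute, figure of merit, suppressed?)."""
    ceiling = merit_ceiling(reuse, half_life, max_suppress)
    merit, last, suppressed, out = 0.0, 0.0, False, []
    for minute, kind in events:
        merit *= 0.5 ** ((minute - last) / half_life)   # exponential decay
        if suppressed and merit < reuse:
            suppressed = False                          # route is reused
        merit = min(merit + PENALTY[kind], ceiling)     # stops at the ceiling
        if merit > suppress:
            suppressed = True
        last = minute
        out.append((minute, round(merit), suppressed))
    return out

if __name__ == "__main__":
    # Constructed timeline: a route flapping once per minute.
    flaps = [(0, "withdraw"), (1, "readvertise"), (2, "withdraw"), (3, "readvertise")]
    # Parameters of the "damping high" profile from the example slide.
    for row in simulate(flaps, half_life=15, suppress=3000, reuse=2500, max_suppress=50):
        print(row)
    print("ceiling:", round(merit_ceiling(2500, 15, 50)))
```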

Test and View Policies

Test Policy
- Given the policy

    policy-options {
        policy-statement lab-routes {
            from {
                route-filter default exact reject;
                route-filter 10.0.0.0/8 orlonger accept;
            }
            then reject;
        }
    }

- Test it against all routes in table

    user@host# test policy lab-routes 0.0.0.0/0

- Test it against a specific route

    user@host# test policy lab-routes 10.49.0.0/16

Test Policy
- Use the show policy command to view each policy

    user@host> show policy
    Configured policies:
    lab-routes

    user@host> show policy lab-routes
    Policy lab-routes:
        from
            0.0.0.0/0 reject
            10.0.0.0/8 orlonger accept
            192.0.2.0/24 orlonger accept
        then reject
    user@host>

More Advanced Routing Policy

Policy Subroutines
- Call other policies from within a policy
- Good for evaluating the same route filters in multiple policies
- Called policies return success or failure

    [edit policy-options]
    policy-statement martian-filter {
        from policy common-martians;
        then reject;
    }

Policy Evaluation Rules


- Alters standard left-to-right evaluation
- Introduces boolean logic to evaluation rules
  - AND (&&)
  - OR (||)
  - NOT (!)

    export (policy1 || policy2)
    export (policy1 && policy2)
    export (!policy1 && policy2)
    export ((policy1 || policy2) && policy3)

Check point
- Can you now describe
  - Policy commands applied to
    - BGP communities?
    - AS path regular expressions?
    - Damping parameters?
  - How to test and view policies?
  - More advanced features
    - Subroutines?
    - Evaluation rules?