- play_arrow Configuring Firewall Filters
- play_arrow Understanding How Firewall Filters Protect Your Network
- Firewall Filters Overview
- Router Data Flow Overview
- Stateless Firewall Filter Overview
- Understanding How to Use Standard Firewall Filters
- Understanding How Firewall Filters Control Packet Flows
- Stateless Firewall Filter Components
- Stateless Firewall Filter Application Points
- How Standard Firewall Filters Evaluate Packets
- Understanding Firewall Filter Fast Lookup Filter
- Understanding Egress Firewall Filters with PVLANs
- Selective Class-based Filtering on PTX Routers
- Guidelines for Configuring Firewall Filters
- Guidelines for Applying Standard Firewall Filters
- Supported Standards for Filtering
- Monitoring Firewall Filter Traffic
- Troubleshooting Firewall Filters
- play_arrow Firewall Filter Match Conditions and Actions
- Overview of Firewall Filters (OCX Series)
- Overview of Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved)
- Understanding Firewall Filter Match Conditions
- Understanding Firewall Filter Planning
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Match Conditions
- Firewall Filter Flexible Match Conditions
- Firewall Filter Nonterminating Actions
- Firewall Filter Terminating Actions
- Firewall Filter Match Conditions and Actions (ACX Series Routers)
- Firewall Filter Match Conditions and Actions in ACX Series Routers (Junos OS Evolved)
- Firewall Filter Match Conditions for Protocol-Independent Traffic
- Firewall Filter Match Conditions for IPv4 Traffic
- Firewall Filter Match Conditions for IPv6 Traffic
- Firewall Filter Match Conditions Based on Numbers or Text Aliases
- Firewall Filter Match Conditions Based on Bit-Field Values
- Firewall Filter Match Conditions Based on Address Fields
- Firewall Filter Match Conditions Based on Address Classes
- Understanding IP-Based Filtering and Selective Port Mirroring of MPLS Traffic
- Firewall Filter Match Conditions for MPLS Traffic
- Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic
- Firewall Filter Match Conditions for VPLS Traffic
- Firewall Filter Match Conditions for Layer 2 CCC Traffic
- Firewall Filter Match Conditions for Layer 2 Bridging Traffic
- Firewall Filter Support on Loopback Interface
- play_arrow Applying Firewall Filters to Routing Engine Traffic
- Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs
- Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List
- Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources
- Example: Configure a Filter to Block Telnet and SSH Access
- Example: Configuring a Filter to Block TFTP Access
- Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags
- Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers
- Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods
- Example: Protecting the Routing Engine with a Packets-Per-Second Rate Limiting Filter
- Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscriber
- Port Number Requirements for DHCP Firewall Filters
- Example: Configuring a DHCP Firewall Filter to Protect the Routing Engine
- play_arrow Applying Firewall Filters to Transit Traffic
- Example: Configuring a Filter for Use as an Ingress Queuing Filter
- Example: Configuring a Filter to Match on IPv6 Flags
- Example: Configuring a Filter to Match on Port and Protocol Fields
- Example: Configuring a Filter to Count Accepted and Rejected Packets
- Example: Configuring a Filter to Count and Discard IP Options Packets
- Example: Configuring a Filter to Count IP Options Packets
- Example: Configuring a Filter to Count and Sample Accepted Packets
- Example: Configuring a Filter to Set the DSCP Bit to Zero
- Example: Configuring a Filter to Set the DSCP Bit to Zero
- Example: Configuring a Filter to Match on Two Unrelated Criteria
- Example: Configuring a Filter to Accept DHCP Packets Based on Address
- Example: Configuring a Filter to Accept OSPF Packets from a Prefix
- Example: Configuring a Stateless Firewall Filter to Handle Fragments
- Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation
- Configuring a Firewall Filter to Discard Ingress IPv6 Packets with a Mobility Extension Header
- Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses
- Example: Configuring a Rate-Limiting Filter Based on Destination Class
- play_arrow Configuring Firewall Filters in Logical Systems
- Firewall Filters in Logical Systems Overview
- Guidelines for Configuring and Applying Firewall Filters in Logical Systems
- References from a Firewall Filter in a Logical System to Subordinate Objects
- References from a Firewall Filter in a Logical System to Nonfirewall Objects
- References from a Nonfirewall Object in a Logical System to a Firewall Filter
- Example: Configuring Filter-Based Forwarding
- Example: Configuring Filter-Based Forwarding on Logical Systems
- Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
- Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
- Unsupported Firewall Filter Statements for Logical Systems
- Unsupported Actions for Firewall Filters in Logical Systems
- Filter-Based Forwarding for Routing Instances
- Forwarding Table Filters for Routing Instances on ACX Series Routers
- Configuring Forwarding Table Filters
- play_arrow Configuring Firewall Filter Accounting and Logging
- play_arrow Attaching Multiple Firewall Filters to a Single Interface
- Applying Firewall Filters to Interfaces
- Configuring Firewall Filters
- Multifield Classifier Example: Configuring Multifield Classification
- Multifield Classifier for Ingress Queuing on MX Series Routers with MPC
- Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
- Understanding Multiple Firewall Filters in a Nested Configuration
- Guidelines for Nesting References to Multiple Firewall Filters
- Understanding Multiple Firewall Filters Applied as a List
- Guidelines for Applying Multiple Firewall Filters as a List
- Example: Applying Lists of Multiple Firewall Filters
- Example: Nesting References to Multiple Firewall Filters
- Example: Filtering Packets Received on an Interface Set
- play_arrow Attaching a Single Firewall Filter to Multiple Interfaces
- Interface-Specific Firewall Filter Instances Overview
- Interface-Specific Firewall Filter Instances Overview
- Filtering Packets Received on a Set of Interface Groups Overview
- Filtering Packets Received on an Interface Set Overview
- Example: Configuring Interface-Specific Firewall Filter Counters
- Example: Configuring a Stateless Firewall Filter on an Interface Group
- play_arrow Configuring Filter-Based Tunneling Across IP Networks
- Understanding Filter-Based Tunneling Across IPv4 Networks
- Firewall Filter-Based L2TP Tunneling in IPv4 Networks Overview
- Interfaces That Support Filter-Based Tunneling Across IPv4 Networks
- Components of Filter-Based Tunneling Across IPv4 Networks
- Example: Transporting IPv6 Traffic Across IPv4 Using Filter-Based Tunneling
- per-logical-interface-firewall
- play_arrow Configuring Service Filters
- Service Filter Overview
- How Service Filters Evaluate Packets
- Guidelines for Configuring Service Filters
- Guidelines for Applying Service Filters
- Example: Configuring and Applying Service Filters
- Service Filter Match Conditions for IPv4 or IPv6 Traffic
- Service Filter Nonterminating Actions
- Service Filter Terminating Actions
- play_arrow Configuring Simple Filters
- play_arrow Configuring Layer 2 Firewall Filters
- Understanding Firewall Filters Used to Control Traffic Within Bridge Domains and VPLS Instances
- Example: Configuring Filtering of Frames by MAC Address
- Example: Configuring Filtering of Frames by IEEE 802.1p Bits
- Example: Configuring Filtering of Frames by Packet Loss Priority
- Example: Configuring Policing and Marking of Traffic Entering a VPLS Core
- Understanding Firewall Filters on OVSDB-Managed Interfaces
- Example: Applying a Firewall Filter to OVSDB-Managed Interfaces
- play_arrow Configuring Firewall Filters for Forwarding, Fragments, and Policing
- Filter-Based Forwarding Overview
- Firewall Filters That Handle Fragmented Packets Overview
- Stateless Firewall Filters That Reference Policers Overview
- Example: Configuring Filter-Based Forwarding on the Source Address
- Example: Configuring Filter-Based Forwarding to a Specific Outgoing Interface or Destination IP Address
- play_arrow Configuring Firewall Filters (EX Series Switches)
- Firewall Filters for EX Series Switches Overview
- Understanding Planning of Firewall Filters
- Understanding Firewall Filter Match Conditions
- Understanding How Firewall Filters Control Packet Flows
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches
- Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches
- Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches
- Support for Match Conditions and Actions for Loopback Firewall Filters on Switches
- Configuring Firewall Filters (CLI Procedure)
- Understanding How Firewall Filters Test a Packet's Protocol
- Understanding Filter-Based Forwarding for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
- Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication
- Verifying That Policers Are Operational
- Troubleshooting Firewall Filters
- play_arrow Configuring Firewall Filters (QFX Series Switches, EX4600 Switches, PTX Series Routers)
- Overview of Firewall Filters (QFX Series)
- Understanding Firewall Filter Planning
- Planning the Number of Firewall Filters to Create
- Firewall Filter Match Conditions and Actions (QFX and EX Series Switches)
- Firewall Filter Match Conditions and Actions (QFX10000 Switches)
- Firewall Filter Match Conditions and Actions (PTX Series Routers)
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Configuring Firewall Filters
- Applying Firewall Filters to Interfaces
- Overview of MPLS Firewall Filters on Loopback Interface
- Configuring MPLS Firewall Filters and Policers on Switches
- Configuring MPLS Firewall Filters and Policers on Routers
- Configuring MPLS Firewall Filters and Policers
- Understanding How a Firewall Filter Tests a Protocol
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets
- Understanding Filter-Based Forwarding
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
- Configuring a Firewall Filter to De-Encapsulate GRE or IPIP Traffic
- Verifying That Firewall Filters Are Operational
- Monitoring Firewall Filter Traffic
- Troubleshooting Firewall Filter Configuration
- play_arrow Configuring Firewall Filter Accounting and Logging (EX9200 Switches)
-
- play_arrow Configuring Traffic Policers
- play_arrow Understanding Traffic Policers
- Policer Implementation Overview
- ARP Policer Overview
- Example: Configuring ARP Policer
- Understanding the Benefits of Policers and Token Bucket Algorithms
- Determining Proper Burst Size for Traffic Policers
- Control Network Access Using Traffic Policing Overview
- Traffic Policer Types
- Order of Policer and Firewall Filter Operations
- Understanding the Frame Length for Policing Packets
- Supported Standards for Policing
- Hierarchical Policer Configuration Overview
- Understanding Enhanced Hierarchical Policers
- Packets-Per-Second (pps)-Based Policer Overview
- Guidelines for Applying Traffic Policers
- Policer Support for Aggregated Ethernet Interfaces Overview
- Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Hierarchical Policers on ACX Series Routers Overview
- Guidelines for Configuring Hierarchical Policers on ACX Series Routers
- Hierarchical Policer Modes on ACX Series Routers
- Processing of Hierarchical Policers on ACX Series Routers
- Actions Performed for Hierarchical Policers on ACX Series Routers
- Configuring Aggregate Parent and Child Policers on ACX Series Routers
- play_arrow Configuring Policer Rate Limits and Actions
- play_arrow Configuring Layer 2 Policers
- Hierarchical Policers
- Configuring a Policer Overhead
- Two-Color and Three-Color Policers at Layer 2
- Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Two-Color Layer 2 Policer for the Pseudowire
- Configuring a Three-Color Layer 2 Policer for the Pseudowire
- Applying the Policers to Dynamic Profile Interfaces
- Attaching Dynamic Profiles to Routing Instances
- Using Variables for Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Policer for the Complex Configuration
- Creating a Dynamic Profile for the Complex Configuration
- Attaching Dynamic Profiles to Routing Instances for the Complex Configuration
- Verifying Layer 2 Traffic Policers on VPLS Connections
- Understanding Policers on OVSDB-Managed Interfaces
- Example: Applying a Policer to OVSDB-Managed Interfaces
- play_arrow Configuring Two-Color and Three-Color Traffic Policers at Layer 3
- Two-Color Policer Configuration Overview
- Basic Single-Rate Two-Color Policers
- Bandwidth Policers
- Prefix-Specific Counting and Policing Actions
- Policer Overhead to Account for Rate Shaping in the Traffic Manager
- Three-Color Policer Configuration Overview
- Applying Policers
- Three-Color Policer Configuration Guidelines
- Basic Single-Rate Three-Color Policers
- Basic Two-Rate Three-Color Policers
- Example: Configuring a Two-Rate Three-Color Policer
- play_arrow Configuring Logical and Physical Interface Traffic Policers at Layer 3
- play_arrow Configuring Policers on Switches
- Overview of Policers
- Traffic Policer Types
- Understanding the Use of Policers in Firewall Filters
- Understanding Tricolor Marking Architecture
- Configuring Policers to Control Traffic Rates (CLI Procedure)
- Configuring Tricolor Marking Policers
- Understanding Policers with Link Aggregation Groups
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
- Example: Using Two-Color Policers and Prefix Lists
- Example: Using Policers to Manage Oversubscription
- Assigning Forwarding Classes and Loss Priority
- Configuring Color-Blind Egress Policers for Medium-Low PLP
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
- Verifying That Two-Color Policers Are Operational
- Verifying That Three-Color Policers Are Operational
- Troubleshooting Policer Configuration
- Troubleshooting Policer Configuration
-
- play_arrow Configuration Statements and Operational Commands
- play_arrow Troubleshooting
- play_arrow Knowledge Base
-
Example: Configuring a Routing Policy for AS Path Prepending
This example shows how to configure a routing policy to prepend the AS path on specific routes advertised by BGP.
Requirements
Before you begin, make sure your router interfaces and protocols are correctly configured. We provide the interface and BGP protocol configuration used in this document.
This example was updated and re-validated on Junos release 22.1R1.
Overview
In this example, you create a routing policy called prependpolicy1 and a term called prependterm1. The routing policy prepends AS number 65001 three times to routes that match the 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 prefixes, when the mask length is equal to or longer than the specified mask. The result is a match occurs when the route's mask length is equal to or longer than the specified network mask. The prependpolicy1 policy is applied as an export policy to the BGP routes advertised by R1 in AS 65001 to R2 in AS number 65000. Routes that don't match the specified prefix ranges do not undergo AS path prepending.
Topology
In the topology EBGP peering is configured between R1 and R2. Direct interface peering to the 10.1.23.0/24 subnet addresses is used. R1 belongs to AS number 65001 and is configured to prepend its AS number to a specific set of matching routes when advertised to R2.
By adding AS numbers to the AS path the route becomes less likely to be selected for forwarding. This might be done by the owner of AS 65001 to reduce the amount of ingress traffic it receives from the operator of AS 65000.
In this example we demonstrate AS path prepending through an export policy. You can also use an import policy to match on routes for attribute manipulation. In general its a best practice to only prepend your local AS number to routes. Prepending AS numbers that belong to remote networks can lead to unexpected results.
For details on BGP paths selection see Understanding BGP Path Selection.
Configuration
Procedure
CLI Quick Configuration
In this section we focus on the configuration of the R1 device. Refer to the appendix for the complete configurations of all devices used in this example.
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
In this example we assign three test prefixes to an unused interface on R1. A
fourth test prefix is assigned to R1's loopback address. This provides four
direct routes that can be advertised into BGP. Our policy uses a combination
of protocol direct and route-filter
statements to control which prefixes undergo AS path prepending.
set system host-name R1 set interfaces xe-0/0/0:1 unit 0 family inet address 10.1.23.1/24 set interfaces xe-0/0/0:0 unit 0 family inet address 10.255.1.1/30 set interfaces xe-0/0/0:0 unit 0 family inet address 172.16.0.1/24 set interfaces xe-0/0/0:0 unit 0 family inet address 10.200.1.1/24 set interfaces lo0 unit 0 family inet address 192.168.0.1/32 set policy-options policy-statement prependpolicy1 term prependterm1 from protocol direct set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 172.16.0.0/16 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 192.168.0.0/24 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 10.255.1.0/24 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 then as-path-prepend "65001 65001 65001" set policy-options policy-statement prependpolicy1 term prependterm1 then accept set policy-options policy-statement prependpolicy1 term else from protocol direct set policy-options policy-statement prependpolicy1 term else from route-filter 10.200.0.0/16 orlonger set policy-options policy-statement prependpolicy1 term else then accept set routing-options autonomous-system 65001 set routing-options router-id 192.168.0.1 set protocols bgp group ebgp type external set protocols bgp group ebgp export prependpolicy1 set protocols bgp group ebgp peer-as 65000 set protocols bgp group ebgp neighbor 10.1.23.2
Step-by-Step Procedure
The following steps requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To create a routing policy that prepends AS numbers to specific routes:
Configure the peering and loopback interfaces.
content_copy zoom_out_mapuser@R1# [edit] set interfaces xe-0/0/0:1 unit 0 family inet address 10.1.23.1/24 set interfaces lo0 unit 0 family inet address 192.168.0.1/32
Configure the AS number, RID, and the external BGP peer group. You define the prependpolicy1 policy in the next step. The policy is applied as an export policy to affect the routes advertised by R1.
content_copy zoom_out_mapuser@R1# [edit] set routing-options autonomous-system 65001 set routing-options router-id 192.168.0.1 set protocols bgp group ebgp type external set protocols bgp group ebgp export prependpolicy1 set protocols bgp group ebgp peer-as 65000 set protocols bgp group ebgp neighbor 10.1.23.2
Configure the prependpolicy1 policy. The use of
or-longerswitch to the route filter statements allows a match when the mask length is equal to or longer than the specified mask. Other options likeexactmatch only when the prefix and mask lengths are equal. The else term demonstrates how a route that does not match the prependterm1 term is advertised without AS path prepending by matching the else term.content_copy zoom_out_mapuser@R1# [edit] set policy-options policy-statement prependpolicy1 term prependterm1 from protocol direct set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 172.16.0.0/16 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 192.168.0.0/24 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 10.255.1.0/24 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 then as-path-prepend "65001 65001 65001" set policy-options policy-statement prependpolicy1 term prependterm1 then accept set policy-options policy-statement prependpolicy1 term else from protocol direct set policy-options policy-statement prependpolicy1 term else from route-filter 10.200.0.0/16 orlonger set policy-options policy-statement prependpolicy1 term else then accept
Note:When you enter multiple AS numbers, you must separate each number with a space. Enclose the string of AS numbers in double quotation marks.
Define test routes. In our sample topology we assign prefixes to an unused interface that is operationally up. This provides direct routes for BGP to advertise for testing the operation of the export policy.
content_copy zoom_out_mapuser@R1# [edit] set interfaces xe-0/0/0:0 unit 0 family inet address 10.255.1.1/30 set interfaces xe-0/0/0:0 unit 0 family inet address 172.16.0.1/24 set interfaces xe-0/0/0:0 unit 0 family inet address 10.200.1.1/24
Results
Confirm your configuration by entering the show policy-options, show protocols bgp, show routing-options, and show interfaces commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@R1#[edit]
user@R1# show policy-options
policy-statement prependpolicy1 {
term prependterm1 {
from {
protocol direct;
route-filter 172.16.0.0/16 orlonger;
route-filter 192.168.0.0/24 orlonger;
route-filter 10.255.1.0/24 orlonger;
}
then {
as-path-prepend "65001 65001 65001";
accept;
}
}
term else {
from {
protocol direct;
route-filter 10.200.0.0/16 orlonger;
}
then accept;
}
}
[edit]
user@R1# show protocols bgp
group ebgp {
type external;
export direct;
peer-as 65000;
neighbor 10.1.23.2;
}
[edit]
user@R1# show routing-options
autonomous-system 65001;
router-id 192.168.0.1
user@R1# show interfaces xe-0/0/0:0
unit 0 {
family inet {
address 10.255.1.1/30;
address 172.16.0.1/24;
address 10.200.1.1/24;
}
}
[edit]
user@R1# show interfaces xe-0/0/0:1
unit 0 {
family inet {
address 10.1.23.1/24;
}
}
[edit]
user@R1# show interfaces lo0
unit 0 {
family inet {
address 192.168.0.1/32;
}
}If you are done configuring the R1 device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying the AS Prepending Policy
- Verifying Routing Policy Application and BGP Peering
- Verify AS Path Prepending
Verifying the AS Prepending Policy
Purpose
Verify that the policy is configured on the device, and that the appropriate routes are specified to prepend with AS numbers.
Action
From operational mode, enter the show policy prependpolicy1 command.
user@R1> show policy prependpolicy1
Policy prependpolicy1: [CHANGED/RESOLVED/]
Term prependterm1:
from proto Direct
route filter:
172.16.0.0/16 orlonger
192.168.0.0/24 orlonger
10.255.1.0/24 orlonger
then aspathprepend 65001 65001 65001 accept
Term else:
from proto Direct
route filter:
10.200.0.0/16 orlonger
then accept
The policy displays the correct match conditions and actions.
Verifying Routing Policy Application and BGP Peering
Purpose
Verify the routing policy is applied as an export policy to the EBGP peer group. This step also confirms the BGP session to R2 is correctly established.
Action
From operational mode, enter the show bgp neighbor 10.1.23.2 command.
user@R1> show bgp neighbor 10.1.23.2 Peer: 10.1.23.2+49642 AS 65000 Local: 10.1.23.1+179 AS 65001 Group: ebgp Routing-Instance: master Forwarding routing-instance: master Type: External State: Established Flags: <Sync> Last State: OpenConfirm Last Event: RecvKeepAlive Last Error: None Export: [ prependpolicy1 ] Options: <PeerAS Refresh> Options: <GracefulShutdownRcv> Holdtime: 90 Preference: 170 Graceful Shutdown Receiver local-preference: 0 Number of flaps: 1 Last flap event: RecvNotify Error: 'Cease' Sent: 0 Recv: 1 Peer ID: 192.168.0.2 Local ID: 192.168.0.1 Active Holdtime: 90 . . . Input messages: Total 2498 Updates 1 Refreshes 0 Octets 47510 Output messages: Total 2500 Updates 3 Refreshes 0 Octets 47620 Output Queue[1]: 0 (inet.0, inet-unicast)
The command output confirms the BGP session is established and that R1 has applied the prependpolicy1 policy as export.
Verify AS Path Prepending
Purpose
Verify the export policy works as design to prepend AS numbers to matching routes.
Action
From operational mode, enter the show route protocol bgp command on R2. Alternatively, use the show route advertising-protocol bgp 10.1.23.2 at R1 to display details about the routes it advertises to R2.
user@R2> show route protocol bgp
inet.0: 14 destinations, 14 routes (14 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.200.1.0/24 *[BGP/170] 00:04:46, localpref 100
AS path: 65001 I, validation-state: unverified
> to 10.1.23.1 via xe-0/0/0:0.0
10.255.1.0/30 *[BGP/170] 00:04:46, localpref 100
AS path: 65001 65001 65001 65001 I, validation-state: unverified
> to 10.1.23.1 via xe-0/0/0:0.0
172.16.0.0/24 *[BGP/170] 00:04:46, localpref 100
AS path: 65001 65001 65001 65001 I, validation-state: unverified
> to 10.1.23.1 via xe-0/0/0:0.0
192.168.0.1/32 *[BGP/170] 00:04:46, localpref 100
AS path: 65001 65001 65001 65001 I, validation-state: unverified
> to 10.1.23.1 via xe-0/0/0:0.0
The routes show the expected AS path prepending. Note that the 10.200.1.0/24 route only has one instance of AS number 65001. This route does not match the route filter statements in the prependterm1 of the prependpolicy1 policy and so does not undergo any prepending.
R1's view of the BGP routes it advertises to R2 is provided for completeness:
user@R1> show route advertising-protocol bgp 10.1.23.2
inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.200.1.0/24 Self I
* 10.255.1.0/30 Self 65001 65001 65001 [65001] I
* 172.16.0.0/24 Self 65001 65001 65001 [65001] I
* 192.168.0.1/32 Self 65001 65001 65001 [65001] IAppendix Full Configurations
The full configuration for R1.
set system host-name R1 set interfaces xe-0/0/0:0 unit 0 family inet address 10.255.1.1/30 set interfaces xe-0/0/0:0 unit 0 family inet address 172.16.0.1/24 set interfaces xe-0/0/0:0 unit 0 family inet address 10.200.1.1/24 set interfaces xe-0/0/0:1 unit 0 family inet address 10.1.23.1/24 set interfaces lo0 unit 0 family inet address 192.168.0.1/32 set policy-options policy-statement prependpolicy1 term prependterm1 from protocol direct set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 172.16.0.0/16 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 192.168.0.0/24 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 from route-filter 10.255.1.0/24 orlonger set policy-options policy-statement prependpolicy1 term prependterm1 then as-path-prepend "65001 65001 65001" set policy-options policy-statement prependpolicy1 term prependterm1 then accept set policy-options policy-statement prependpolicy1 term else from protocol direct set policy-options policy-statement prependpolicy1 term else from route-filter 10.200.0.0/16 orlonger set policy-options policy-statement prependpolicy1 term else then accept set routing-options router-id 192.168.0.1 set routing-options autonomous-system 65001 set protocols bgp group ebgp type external set protocols bgp group ebgp export prependpolicy1 set protocols bgp group ebgp peer-as 65000 set protocols bgp group ebgp neighbor 10.1.23.2
The full configuration for R2.
set system host-name R2 set interfaces xe-0/0/0:0 unit 0 family inet address 10.1.23.2/24 set interfaces lo0 unit 0 family inet address 192.168.0.2/32 set routing-options router-id 192.168.0.2 set routing-options autonomous-system 65000 set protocols bgp group ebgp type external set protocols bgp group ebgp peer-as 65001 set protocols bgp group ebgp neighbor 10.1.23.1
