Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Cloud-Native Contrail Networking (CN2) Cloud-Native Contrail Networking Feature Guide CN2 Security

Cloud-Native Contrail Networking Feature Guide

keyboard_arrow_up
close
keyboard_arrow_left
Cloud-Native Contrail Networking Feature Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Routing Policies

Release: CN2 23.3
{}
Change Release
date_range 02-May-24
arrow_backward
arrow_forward

SUMMARY Juniper Cloud-Native Contrail Networking (CN2) release 23.3 supports routing policies. Routing Policies modify a route's path and attributes dynamically. With release 23.3, the manipulation and filtering of routes is more granular.

Routing Policies Overview

Contrail uses routing policies to control the flow of network traffic between virtual networks (VNs). Routing policies enable you to define how traffic is forwarded, filtered, and controlled based on certain conditions. Routing policies define conditions (source or destination IP address, packet attributes, routing protocols) packets must meet for the policy to apply.

For more information about routing policies, see Routing Policy.

Routing Policy List Terms

Routing policies contain a set of list terms. List terms are conditions and actions that determine how routing policies handle traffic. Each routing policy can consist of one or more terms. Each terms specifies a set of conditions (match conditions) to be met and the corresponding actions to take if those conditions are fulfilled. A term can be a terminal rule, meaning that upon a match on the specified term, no further terms are evaluated and the route is dropped or accepted, based on the action in that term.

If the term is not a terminal rule, subsequent terms are evaluated for the given route. The following example shows the structure of list terms:

content_copy zoom_out_map
Policy {
     Term-1
     Term-2
}

The following example shows the structure of a term's match conditions and actions:

content_copy zoom_out_map
from {
    match-condition-1
    match-condition-2
    ..
    ..
}
then {
    action
    update-action-1
    update-action-2
    ..
    ..
}

A term cannot contain an any match condition. For example, an empty from cannot be present.

If an any match condition is present, all routes are considered as matching the term. In contrast, the then condition can be empty or the action can be unspecified.

Apply a Routing Policy

A routing policy evaluation has the following key points:

  • If the term of a routing policy consists of multiple match conditions, a route must satisfy all match conditions to apply the action specified in the term.

  • If a term in the policy does not specify a match condition, all routes are evaluated against the match.

  • If a match occurs but the policy does not specify an accept, reject, or next term action, one of the following occurs:

    • The next term, if present, is evaluated.

    • If no other terms are present, the next policy is evaluated.

    • If no other policies are present, the route is accepted. The default routing policy action is “accept”.

  • If a match does not occur with a term in a policy, and subsequent terms in the same policy exist, the next term is evaluated.

  • If a match does not occur with any terms in a policy, and subsequent policies exist, the next policy is evaluated.

  • If a match does not occur by the end of a policy or all policies, the route is accepted.

A routing policy consists of multiple terms. Each term consists of match conditions and actions to apply to matching routes.

Each route is evaluated against the policy as follows:

  1. The route is evaluated against the first term. If it matches, the specified action is taken. If the action is to accept or reject the route, that action is taken and the evaluation of the route ends. If the next term action is specified or if no action is specified, or if the route does not match, the evaluation continues as described above to subsequent terms.

  2. Upon hitting the last non-terminal term of the given routing policy, the route is evaluated against the next policy, if present, in the same manner as described in step 1.

Create a Routing Policy

The following is an exampe virtual network with a routing policy referenced in the routingPolicyReferences field.

content_copy zoom_out_map
apiVersion: core.contrail.juniper.net/v5 
kind: VirtualNetwork 
metadata: 
  creationTimestamp: "2023-08-24T16:52:41Z" 
  finalizers: 
  - virtual-network-id-deallocation.finalizers.core.juniper.net 
  - route-target.finalizers.core.juniper.net 
  - vn-routinginstance-delete.finalizers.core.juniper.net 
  generation: 4 
  labels: 
    back-reference.core.juniper.net/4b55d55948465b8794a75b29ea02b2d4b7cb6f0130c52ae127815c9e: Subnet_rptest-ns_rptest-subnet-1 
    back-reference.core.juniper.net/626783989131f732c144823b1b51ea67fd949c537f8c775e25e530d5: RoutingPolicy_rptest-ns_rptest 
    back-reference.core.juniper.net/dd5f04a405320d130c348a4e6d02cabef25d0633cc1ff4813a3576f9: RoutingPolicy_rptest-ns_rptestCommunityReject 
    core.juniper.net/virtualnetwork: custom-default-podnetwork 
    custom-default-podnetwork-uid: 4761b2bc-7ae0-4c33-8b51-894b665e3ebd 
  name: rptest-vn-1 
  namespace: rptest-ns 
  resourceVersion: "6342" 
  uid: 4761b2bc-7ae0-4c33-8b51-894b665e3ebd 
spec: 
  fabricSNAT: true 
  fqName: 
  - default-domain 
  - rptest-ns 
  - rptest-vn-1 
  podNetwork: true 
  routingPolicyReferences: 
  - apiVersion: core.contrail.juniper.net/v5 
    fqName: 
    - default-domain 
    - rptest-ns 
    - rptest 
    kind: RoutingPolicy 
    name: rptest 
    namespace: rptest-ns 
    uid: 8a142d00-f7fb-4872-85b6-11d6a576d7fe 
  - apiVersion: core.contrail.juniper.net/v5 
    fqName: 
    - default-domain 
    - rptest-ns 
    - rptestCommunityExample 
    kind: RoutingPolicy 
    name: rptestCommunityExample 
    namespace: rptest-ns 
    uid: 7a142d00-f7fb-4872-85b6-11d6a576d7fe 
  v4SubnetReference: 
    apiVersion: core.contrail.juniper.net/v5 
    fqName: 
    - default-domain 
    - rptest-ns 
    - rptest-subnet-1 
    kind: Subnet 
    name: rptest-subnet-1 
    namespace: rptest-ns 
    uid: 4dd9c840-4e72-4125-97a2-f9eb5bfb756a 
  virtualNetworkProperties: 
    forwardingMode: l2_l3 
    rpf: enable 
status: 
  observation: "" 
  state: Success 
  virtualNetworkNetworkId: 4100
Note:

The virtualNetworkProperties.forwardingMode field must be set to l2_l3 or l3. The routing policy feature does not apply to intra-VN connections when the forwarding mode of the VN is L2.

Routing Policies and BGP Extended Communities

Border Gateway Protocol (BGP) extended communities are additional attributes for BGP routes. BGP extended communities provide a method of associating additional information like route target or encapsulation protocol with routes. Creating a routing policy with extended communities makes the policy more granular, enabling you to distribute routes and manage traffic effectively. This makes BGP extended communities ideal for complex, dynamic routes.

CN2 offers extended community support with the import routing policy feature. This feature allows for the use of import routing policy terms to identify extended communities and execute import routing policy actions, such as the addition, adjustment, or removal of these extended communities.

CN2 supports the following extended communities:

  • Route Target

  • Encapsulation

  • Security Group

  • Origin VN

  • MAC Mobility

  • Load Balance

  • Tag

  • Color

For information about these extended communities, see BGP Extended Communities.

Create a Routing Policy With BGP Extended Communities

The following is an example of a routing policy that matches with a BGP extended community. The following example matches for a prefix specified in the termMatchCondition field and attaches the BGP color community (color:0:100) when the prefix is matched.

content_copy zoom_out_map
apiVersion: core.contrail.juniper.net/v5
kind: RoutingPolicy
metadata:
  namespace: color-ns
  name: color-rp-3
spec:
  routingPolicyEntries:
    term:
      - termActionList:
          update:
            asPath:
              expand: {}
            community:
              add: {}
              remove: {}
              set: {}
            extcommunity:
              add:
                community:
                  - color:0:100
              remove: {}
              set: {}
            service:
              add: {}
              remove: {}
              set: {}
        termMatchCondition:
          asPath:
          community:
          communityList:
          communityMatchAll:
          extcommunityList:
          extcommunityMatchAll:
          external:
          family:
          localPref:
          nlriRouteType:
          prefix:
            - prefix: 172.100.70.5/32
              prefixType: exact
          prefixList:

Note the following fields:

  • term: Represents a defined condition and associated actions to execute if term conditons are met.

  • extcommunity: add:: Specifies an extended community to add to the route.

    community: Contains the extended community string color:0:100.

  • termMatchCondition: Specifies the conditions that must be satisfied for the actions in the term to take effect.

  • asPath, community, localPref: Specifies additional term match conditions to match with the route.

  • prefix: A match condition that specifies that the term will match with routes with the exact prefix 172.100.70.5/32.

The following table provides addition information about the fields of a routing policy.

Table 1: Create a Routing Policy

Field

Guidelines

Name

Enter a name for the routing policy.

Term(s)

Community

Select the community string to match for the routing policy. The community string is represented with accept-own, no-advertise, no-export, no-export-subconfed, no-reoriginate..

Match All

Select the check box to match all the community strings.

Extended Community

Select the extended community string to match for the routing policy.

Match All

Select the check box to match the extended community strings.

Protocol

Select the protocol for the routing policy which is an array of path source or path protocol to match. The protocols are interface, aggregate, bgp, BGPaaS, interface-static, service-chain, service-interface, static, and xmpp. A path is considered as matching this condition if the path protocol is one of protocols in the list.

Prefixes

Select a list of prefixes to match.

Each prefix in the list is represented as prefix and match type, where the prefix match type can be:

  • exact

  • orlonger

  • longer

Example: 10.1.0.0/16 orlonger

A route matches this condition if its prefix matches any of the prefixes in the list.

Then

Actions

Select the actions to be performed on the matching routes. The supported actions and the values are listed in the Table 2.

Policy Actions

Table 2: Policy Actions
Action Value
action

Reject-Reject the route that matches this term. No more terms are evaluated after hitting this term.

Accept-Accept the route that matches this term. No more terms are evaluated after hitting this term.

Next-This is the default action taken upon matching the policy term. The route is updated according to the update specified in the policy action. Next terms present in the routing policy are processed on the route. If there are no more terms in the policy, the next routing policy is processed, if present.

add community

Add a list of community to the existing community.

The community is of type unsigned 32 bit integer:unsigned 32 bit integer.

For example, 64512:55555.

add extended community

Add a list of extended community to the existing community.

 An eight octet string representation of value type:administrator:assigned-number where type is two octets, administrator is four octets, and assigned-number is two octets or it can be a hexadecimal representation of the community like: 0xFFffA101.

as-path

Select different AS paths to control routing decisions

Unsigned 32-bit integer representing the as-path.

For example, 444.

local-preference

Select the local preference to distinguish routes and take further action.

Unsigned 32-bit integer representing local-preference.

For example, 444.

med

Select the MED of the BgpPath.

Unsigned 32-bit integer representing the MED.

For example, 444.

remove community

Remove a list of community (if present) from the existing community.

 The community is of type unsigned 32 bit integer:unsigned 32 bit integer.

remove extended community

Remove a list of extended community (if present) from the existing community.

 An eight octet string representation of value type:administrator:assigned-number where type is two octets, administrator is four octets, and assigned-number is two octets or it can be a hexadecimal representation of the community like: 0xFFffA101.

set community

Set a list of community.

 The community is of type unsigned 32 bit integer:unsigned 32 bit integer.

set extended community

Set a list of extended community.

 An eight octet string representation of value type:administrator:assigned-number where type is two octets, administrator is four octets, and assigned-number is two octets or it can be a hexadecimal representation of the community like: 0xFFffA101.

Related Documentation

arrow_backward PREVIOUS Configure Management and Control Plane Authentication with TLS Encryption
NEXT arrow_forward Global Security Policy
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top