close
keyboard_arrow_left
Table of Contents
- play_arrow Configuring Firewall Filters
- play_arrow Understanding How Firewall Filters Protect Your Network
- Firewall Filters Overview
- Router Data Flow Overview
- Stateless Firewall Filter Overview
- Understanding How to Use Standard Firewall Filters
- Understanding How Firewall Filters Control Packet Flows
- Stateless Firewall Filter Components
- Stateless Firewall Filter Application Points
- How Standard Firewall Filters Evaluate Packets
- Understanding Firewall Filter Fast Lookup Filter
- Understanding Egress Firewall Filters with PVLANs
- Selective Class-based Filtering on PTX Routers
- Guidelines for Configuring Firewall Filters
- Guidelines for Applying Standard Firewall Filters
- Supported Standards for Filtering
- Monitoring Firewall Filter Traffic
- Troubleshooting Firewall Filters
- play_arrow Firewall Filter Match Conditions and Actions
- Overview of Firewall Filters (OCX Series)
- Overview of Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved)
- Understanding Firewall Filter Match Conditions
- Understanding Firewall Filter Planning
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Match Conditions
- Firewall Filter Flexible Match Conditions
- Firewall Filter Nonterminating Actions
- Firewall Filter Terminating Actions
- Firewall Filter Match Conditions and Actions (ACX Series Routers)
- Firewall Filter Match Conditions and Actions in ACX Series Routers (Junos OS Evolved)
- Firewall Filter Match Conditions for Protocol-Independent Traffic
- Firewall Filter Match Conditions for IPv4 Traffic
- Firewall Filter Match Conditions for IPv6 Traffic
- Firewall Filter Match Conditions Based on Numbers or Text Aliases
- Firewall Filter Match Conditions Based on Bit-Field Values
- Firewall Filter Match Conditions Based on Address Fields
- Firewall Filter Match Conditions Based on Address Classes
- Understanding IP-Based Filtering and Selective Port Mirroring of MPLS Traffic
- Firewall Filter Match Conditions for MPLS Traffic
- Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic
- Firewall Filter Match Conditions for VPLS Traffic
- Firewall Filter Match Conditions for Layer 2 CCC Traffic
- Firewall Filter Match Conditions for Layer 2 Bridging Traffic
- Firewall Filter Support on Loopback Interface
- play_arrow Applying Firewall Filters to Routing Engine Traffic
- Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs
- Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List
- Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources
- Example: Configure a Filter to Block Telnet and SSH Access
- Example: Configuring a Filter to Block TFTP Access
- Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags
- Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers
- Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods
- Example: Protecting the Routing Engine with a Packets-Per-Second Rate Limiting Filter
- Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscriber
- Port Number Requirements for DHCP Firewall Filters
- Example: Configuring a DHCP Firewall Filter to Protect the Routing Engine
- play_arrow Applying Firewall Filters to Transit Traffic
- Example: Configuring a Filter for Use as an Ingress Queuing Filter
- Example: Configuring a Filter to Match on IPv6 Flags
- Example: Configuring a Filter to Match on Port and Protocol Fields
- Example: Configuring a Filter to Count Accepted and Rejected Packets
- Example: Configuring a Filter to Count and Discard IP Options Packets
- Example: Configuring a Filter to Count IP Options Packets
- Example: Configuring a Filter to Count and Sample Accepted Packets
- Example: Configuring a Filter to Set the DSCP Bit to Zero
- Example: Configuring a Filter to Set the DSCP Bit to Zero
- Example: Configuring a Filter to Match on Two Unrelated Criteria
- Example: Configuring a Filter to Accept DHCP Packets Based on Address
- Example: Configuring a Filter to Accept OSPF Packets from a Prefix
- Example: Configuring a Stateless Firewall Filter to Handle Fragments
- Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation
- Configuring a Firewall Filter to Discard Ingress IPv6 Packets with a Mobility Extension Header
- Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses
- Example: Configuring a Rate-Limiting Filter Based on Destination Class
- play_arrow Configuring Firewall Filters in Logical Systems
- Firewall Filters in Logical Systems Overview
- Guidelines for Configuring and Applying Firewall Filters in Logical Systems
- References from a Firewall Filter in a Logical System to Subordinate Objects
- References from a Firewall Filter in a Logical System to Nonfirewall Objects
- References from a Nonfirewall Object in a Logical System to a Firewall Filter
- Example: Configuring Filter-Based Forwarding
- Example: Configuring Filter-Based Forwarding on Logical Systems
- Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
- Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
- Unsupported Firewall Filter Statements for Logical Systems
- Unsupported Actions for Firewall Filters in Logical Systems
- Filter-Based Forwarding for Routing Instances
- Forwarding Table Filters for Routing Instances on ACX Series Routers
- Configuring Forwarding Table Filters
- play_arrow Configuring Firewall Filter Accounting and Logging
- play_arrow Attaching Multiple Firewall Filters to a Single Interface
- Applying Firewall Filters to Interfaces
- Configuring Firewall Filters
- Multifield Classifier Example: Configuring Multifield Classification
- Multifield Classifier for Ingress Queuing on MX Series Routers with MPC
- Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
- Understanding Multiple Firewall Filters in a Nested Configuration
- Guidelines for Nesting References to Multiple Firewall Filters
- Understanding Multiple Firewall Filters Applied as a List
- Guidelines for Applying Multiple Firewall Filters as a List
- Example: Applying Lists of Multiple Firewall Filters
- Example: Nesting References to Multiple Firewall Filters
- Example: Filtering Packets Received on an Interface Set
- play_arrow Attaching a Single Firewall Filter to Multiple Interfaces
- Interface-Specific Firewall Filter Instances Overview
- Interface-Specific Firewall Filter Instances Overview
- Filtering Packets Received on a Set of Interface Groups Overview
- Filtering Packets Received on an Interface Set Overview
- Example: Configuring Interface-Specific Firewall Filter Counters
- Example: Configuring a Stateless Firewall Filter on an Interface Group
- play_arrow Configuring Filter-Based Tunneling Across IP Networks
- Understanding Filter-Based Tunneling Across IPv4 Networks
- Firewall Filter-Based L2TP Tunneling in IPv4 Networks Overview
- Interfaces That Support Filter-Based Tunneling Across IPv4 Networks
- Components of Filter-Based Tunneling Across IPv4 Networks
- Example: Transporting IPv6 Traffic Across IPv4 Using Filter-Based Tunneling
- play_arrow Configuring Service Filters
- Service Filter Overview
- How Service Filters Evaluate Packets
- Guidelines for Configuring Service Filters
- Guidelines for Applying Service Filters
- Example: Configuring and Applying Service Filters
- Service Filter Match Conditions for IPv4 or IPv6 Traffic
- Service Filter Nonterminating Actions
- Service Filter Terminating Actions
- play_arrow Configuring Simple Filters
- play_arrow Configuring Layer 2 Firewall Filters
- Understanding Firewall Filters Used to Control Traffic Within Bridge Domains and VPLS Instances
- Example: Configuring Filtering of Frames by MAC Address
- Example: Configuring Filtering of Frames by IEEE 802.1p Bits
- Example: Configuring Filtering of Frames by Packet Loss Priority
- Example: Configuring Policing and Marking of Traffic Entering a VPLS Core
- Understanding Firewall Filters on OVSDB-Managed Interfaces
- Example: Applying a Firewall Filter to OVSDB-Managed Interfaces
- play_arrow Configuring Firewall Filters for Forwarding, Fragments, and Policing
- Filter-Based Forwarding Overview
- Firewall Filters That Handle Fragmented Packets Overview
- Stateless Firewall Filters That Reference Policers Overview
- Example: Configuring Filter-Based Forwarding on the Source Address
- Example: Configuring Filter-Based Forwarding to a Specific Outgoing Interface or Destination IP Address
- play_arrow Configuring Firewall Filters (EX Series Switches)
- Firewall Filters for EX Series Switches Overview
- Understanding Planning of Firewall Filters
- Understanding Firewall Filter Match Conditions
- Understanding How Firewall Filters Control Packet Flows
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches
- Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches
- Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches
- Support for Match Conditions and Actions for Loopback Firewall Filters on Switches
- Configuring Firewall Filters (CLI Procedure)
- Understanding How Firewall Filters Test a Packet's Protocol
- Understanding Filter-Based Forwarding for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
- Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication
- Verifying That Policers Are Operational
- Troubleshooting Firewall Filters
- play_arrow Configuring Firewall Filters (QFX Series Switches, EX4600 Switches, PTX Series Routers)
- Overview of Firewall Filters (QFX Series)
- Understanding Firewall Filter Planning
- Planning the Number of Firewall Filters to Create
- Firewall Filter Match Conditions and Actions (QFX and EX Series Switches)
- Firewall Filter Match Conditions and Actions (QFX10000 Switches)
- Firewall Filter Match Conditions and Actions (PTX Series Routers)
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Configuring Firewall Filters
- Applying Firewall Filters to Interfaces
- Overview of MPLS Firewall Filters on Loopback Interface
- Configuring MPLS Firewall Filters and Policers on Switches
- Configuring MPLS Firewall Filters and Policers on Routers
- Configuring MPLS Firewall Filters and Policers
- Understanding How a Firewall Filter Tests a Protocol
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets
- Understanding Filter-Based Forwarding
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
- Configuring a Firewall Filter to De-Encapsulate GRE or IPIP Traffic
- Verifying That Firewall Filters Are Operational
- Monitoring Firewall Filter Traffic
- Troubleshooting Firewall Filter Configuration
- play_arrow Configuring Firewall Filter Accounting and Logging (EX9200 Switches)
-
- play_arrow Configuring Traffic Policers
- play_arrow Understanding Traffic Policers
- Policer Implementation Overview
- ARP Policer Overview
- Example: Configuring ARP Policer
- Understanding the Benefits of Policers and Token Bucket Algorithms
- Determining Proper Burst Size for Traffic Policers
- Controlling Network Access Using Traffic Policing Overview
- Traffic Policer Types
- Order of Policer and Firewall Filter Operations
- Understanding the Frame Length for Policing Packets
- Supported Standards for Policing
- Hierarchical Policer Configuration Overview
- Understanding Enhanced Hierarchical Policers
- Packets-Per-Second (pps)-Based Policer Overview
- Guidelines for Applying Traffic Policers
- Policer Support for Aggregated Ethernet Interfaces Overview
- Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Hierarchical Policers on ACX Series Routers Overview
- Guidelines for Configuring Hierarchical Policers on ACX Series Routers
- Hierarchical Policer Modes on ACX Series Routers
- Processing of Hierarchical Policers on ACX Series Routers
- Actions Performed for Hierarchical Policers on ACX Series Routers
- Configuring Aggregate Parent and Child Policers on ACX Series Routers
- play_arrow Configuring Policer Rate Limits and Actions
- play_arrow Configuring Layer 2 Policers
- Hierarchical Policers
- Configuring a Policer Overhead
- Two-Color and Three-Color Policers at Layer 2
- Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Two-Color Layer 2 Policer for the Pseudowire
- Configuring a Three-Color Layer 2 Policer for the Pseudowire
- Applying the Policers to Dynamic Profile Interfaces
- Attaching Dynamic Profiles to Routing Instances
- Using Variables for Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Policer for the Complex Configuration
- Creating a Dynamic Profile for the Complex Configuration
- Attaching Dynamic Profiles to Routing Instances for the Complex Configuration
- Verifying Layer 2 Traffic Policers on VPLS Connections
- Understanding Policers on OVSDB-Managed Interfaces
- Example: Applying a Policer to OVSDB-Managed Interfaces
- play_arrow Configuring Two-Color and Three-Color Traffic Policers at Layer 3
- Two-Color Policer Configuration Overview
- Basic Single-Rate Two-Color Policers
- Bandwidth Policers
- Prefix-Specific Counting and Policing Actions
- Policer Overhead to Account for Rate Shaping in the Traffic Manager
- Three-Color Policer Configuration Overview
- Applying Policers
- Three-Color Policer Configuration Guidelines
- Basic Single-Rate Three-Color Policers
- Basic Two-Rate Three-Color Policers
- Example: Configuring a Two-Rate Three-Color Policer
- play_arrow Configuring Logical and Physical Interface Traffic Policers at Layer 3
- play_arrow Configuring Policers on Switches
- Overview of Policers
- Traffic Policer Types
- Understanding the Use of Policers in Firewall Filters
- Understanding Tricolor Marking Architecture
- Configuring Policers to Control Traffic Rates (CLI Procedure)
- Configuring Tricolor Marking Policers
- Understanding Policers with Link Aggregation Groups
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
- Example: Using Two-Color Policers and Prefix Lists
- Example: Using Policers to Manage Oversubscription
- Assigning Forwarding Classes and Loss Priority
- Configuring Color-Blind Egress Policers for Medium-Low PLP
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
- Verifying That Two-Color Policers Are Operational
- Verifying That Three-Color Policers Are Operational
- Troubleshooting Policer Configuration
- Troubleshooting Policer Configuration
-
- play_arrow Configuration Statements and Operational Commands
- play_arrow Troubleshooting
- play_arrow Knowledge Base
-
list Table of Contents
ON THIS PAGE
Example: Configuring Communities in a Routing Policy
date_range
24-Nov-23
A community is a route attribute used by BGP to administratively group routes with similar properties.
Requirements
No special configuration beyond device initialization is required before configuring this example.
- Updated and revalidated using vMX on Junos OS Release 21.1R1.
Overview
One main role of the community attribute is to be an administrative tag value used to associate routes together. Generally, these routes share some common properties, but that is not required. Communities are a flexible tool within BGP. An individual community value can be assigned to a single route or multiple routes. A route can be assigned a single community value or multiple values. Networks use the community attribute to assist in implementing administrative routing policies. A route’s assigned value can allow it to be accepted into the network, or rejected from the network, or allow it to modify attributes.
Figure 1 shows device R1, device R2, and device R3 as internal BGP (IBGP) peers in autonomous system (AS) 64510. Device R4 is advertising the 172.16.0.0/21 address space from AS 64511.
Topology
Figure 1: Topology for Regular BGP Communities
The specific routes received by device R1 from device R4 are as follows:
content_copy zoom_out_map
user@R1> show route receive-protocol bgp 10.0.0.13
inet.0: 24 destinations, 28 routes (24 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 172.16.0.0/24 10.0.0.13 64511 I
* 172.16.1.0/24 10.0.0.13 64511 I
* 172.16.2.0/24 10.0.0.13 64511 I
* 172.16.3.0/24 10.0.0.13 64511 I
172.16.4.0/24 10.0.0.13 64511 I
172.16.5.0/24 10.0.0.13 64511 I
172.16.6.0/24 10.0.0.13 64511 I
172.16.7.0/24 10.0.0.13 64511 I
The administrators of AS 64511 want to receive certain user traffic from device R1, and other user traffic from device R3. To accomplish this administrative goal, device R4 attaches the community value of 64511:1 to some routes that it sends and attaches the community value 64511:3 to other routes that it sends. Routing policies within AS 64510 are configured using a community match criterion to change the local preference of the received routes to new values that alter the BGP route selection algorithm. The route with the highest local preference value is preferred.
On device R1, routes with the 64511:1 community value are assigned a local preference of 200, and routes with the 64511:3 community value are assigned a local preference of 50. On device R3, the reverse is done so that routes with the 64511:3 community value are assigned a local preference of 200, and routes with the 64511:1 community value are assigned a local preference of 50. This information is then communicated through IBGP by both device R1 and device R3 to device R2.
CLI Quick Configuration shows the configuration for all of the devices in Figure 1.
The section Step By Step Configuration describes the configuration steps on devices R1 and R4.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a
text file, remove any line breaks, change any details necessary to match your
network configuration, and then copy and paste the commands into the CLI at the
[edit] hierarchy level.
Device R1
content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30 set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.5/30 set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.14/30 set interfaces lo0 unit 0 family inet address 192.168.0.1/32 set policy-options policy-statement change-local-preference term find-R1-routes from community R1_PREFERRED set policy-options policy-statement change-local-preference term find-R1-routes then local-preference 200 set policy-options policy-statement change-local-preference term find-R3-routes from community R3_PREFERRED set policy-options policy-statement change-local-preference term find-R3-routes then local-preference 50 set policy-options policy-statement send-direct term 1 from protocol direct set policy-options policy-statement send-direct term 1 from route-filter 10.0.0.12/30 exact set policy-options policy-statement send-direct term 1 then accept set policy-options community R3_PREFERRED members 64511:3 set policy-options community R1_PREFERRED members 64511:1 set protocols bgp group int type internal set protocols bgp group int local-address 192.168.0.1 set protocols bgp group int export send-direct set protocols bgp group int neighbor 192.168.0.2 set protocols bgp group int neighbor 192.168.0.3 set protocols bgp group ext type external set protocols bgp group ext import change-local-preference set protocols bgp group ext peer-as 64511 set protocols bgp group ext neighbor 10.0.0.13 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options router-id 192.168.0.1 set routing-options autonomous-system 64510
Device R2
content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/30 set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.1/30 set interfaces lo0 unit 0 family inet address 192.168.0.2/32 set protocols bgp group int type internal set protocols bgp group int local-address 192.168.0.2 set protocols bgp group int neighbor 192.168.0.1 set protocols bgp group int neighbor 192.168.0.3 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options router-id 192.168.0.2 set routing-options autonomous-system 64510
Device R3
content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.6/30 set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.2/30 set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.10/30 set interfaces lo0 unit 0 family inet address 192.168.0.3/32 set policy-options policy-statement change-local-preference term find-R3-routes from community R3_PREFERRED set policy-options policy-statement change-local-preference term find-R3-routes then local-preference 200 set policy-options policy-statement change-local-preference term find-R1-routes from community R1_PREFERRED set policy-options policy-statement change-local-preference term find-R1-routes then local-preference 50 set policy-options policy-statement send-direct term 1 from protocol direct set policy-options policy-statement send-direct term 1 from route-filter 10.0.0.8/30 exact set policy-options policy-statement send-direct term 1 then accept set policy-options community R1_PREFERRED members 64511:1 set policy-options community R3_PREFERRED members 64511:3 set protocols bgp group int type internal set protocols bgp group int local-address 192.168.0.3 set protocols bgp group int export send-direct set protocols bgp group int neighbor 192.168.0.1 set protocols bgp group int neighbor 192.168.0.2 set protocols bgp group ext type external set protocols bgp group ext import change-local-preference set protocols bgp group ext peer-as 64511 set protocols bgp group ext neighbor 10.0.0.9 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 set protocols ospf area 0.0.0.0 interface lo0.0 passive set routing-options router-id 192.168.0.3 set routing-options autonomous-system 64510
Device R4
content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.13/30 set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.9/30 set interfaces lo0 unit 0 family inet address 192.168.0.4/32 set policy-options policy-statement send-static term 1 from protocol static set policy-options policy-statement send-static term 1 from route-filter 172.16.0.0/24 exact set policy-options policy-statement send-static term 1 from route-filter 172.16.1.0/24 exact set policy-options policy-statement send-static term 1 from route-filter 172.16.2.0/24 exact set policy-options policy-statement send-static term 1 from route-filter 172.16.3.0/24 exact set policy-options policy-statement send-static term 1 then community add R1_PREFERRED set policy-options policy-statement send-static term 1 then accept set policy-options policy-statement send-static term 2 from protocol static set policy-options policy-statement send-static term 2 from route-filter 172.16.4.0/24 exact set policy-options policy-statement send-static term 2 from route-filter 172.16.5.0/24 exact set policy-options policy-statement send-static term 2 from route-filter 172.16.6.0/24 exact set policy-options policy-statement send-static term 2 from route-filter 172.16.7.0/24 exact set policy-options policy-statement send-static term 2 then community add R3_PREFERRED set policy-options policy-statement send-static term 2 then accept set policy-options policy-statement send-static term 3 then reject set policy-options community R3_PREFERRED members 64511:3 set policy-options community R1_PREFERRED members 64511:1 set protocols bgp group to-R1 type external set protocols bgp group to-R1 export send-static set protocols bgp group to-R1 peer-as 64510 set protocols bgp group to-R1 neighbor 10.0.0.14 set protocols bgp group to-R3 type external set protocols bgp group to-R3 export send-static set protocols bgp group to-R3 peer-as 64510 set protocols bgp group to-R3 neighbor 10.0.0.10 set routing-options router-id 192.168.0.4 set routing-options autonomous-system 64511 set routing-options static route 172.16.0.0/24 reject set routing-options static route 172.16.1.0/24 reject set routing-options static route 172.16.2.0/24 reject set routing-options static route 172.16.3.0/24 reject set routing-options static route 172.16.4.0/24 reject set routing-options static route 172.16.5.0/24 reject set routing-options static route 172.16.6.0/24 reject set routing-options static route 172.16.7.0/24 reject
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure device R1:
Configure the interfaces.
content_copy zoom_out_map[edit interfaces] user@R1# set ge-0/0/0 unit 0 family inet address 10.0.0.1/30 user@R1# set ge-0/0/1 unit 0 family inet address 10.1.0.5/30 user@R1# set ge-0/0/2 unit 0 family inet address 10.0.0.14/30 user@R1# set lo0 unit 0 family inet address 192.168.0.1/32
Configure internal gateway protocol (IGP) connections to devices R2 and R3.
content_copy zoom_out_map[edit protocols ospf area 0.0.0.0] user@R1# set interface ge-0/0/0.0 user@R1# set interface ge-0/0/1.0 user@R1# set interface lo0.0 passive
Configure the IBGP connections to devices R2 and R3.
content_copy zoom_out_map[edit protocols bgp group int] user@R1# set type internal user@R1# set local-address 192.168.0.1 user@R1# set export send-direct user@R1# set neighbor 192.168.0.2 user@R1# set neighbor 192.168.0.3
Configure the EBGP connection to device R4.
content_copy zoom_out_map[edit protocols bgp group ext] user@R1# set type external user@R1# set import change-local-preference user@R1# set peer-as 64511 user@R1# set neighbor 10.0.0.13
Configure the policy
send-direct.This policy is referenced in the IBGP configuration and enables device R2 to have external reachability. An alternative is to configure a
next-hop selfpolicy on device R1 and device R3.content_copy zoom_out_map[edit policy-options policy-statement send-direct term 1] user@R1# set from protocol direct user@R1# set from route-filter 10.0.0.12/30 exact user@R1# set then accept
Configure the policy that changes the local preference for routes with specified community tags.
content_copy zoom_out_map[edit policy-options ] user@R1# set policy-statement change-local-preference term find-R1-routes from community R1_PREFERRED user@R1# set policy-statement change-local-preference term find-R1-routes then local-preference 200 user@R1# set policy-statement change-local-preference term find-R3-routes from community R3_PREFERRED user@R1# set policy-statement change-local-preference term find-R3-routes then local-preference 50 user@R1# set community R3_PREFERRED members 64511:3 user@R1# set community R1_PREFERRED members 64511:1
Configure the autonomous system (AS) number and router ID.
content_copy zoom_out_map[edit routing-options] user@R1# set router-id 192.168.0.1 user@R1# set autonomous-system 64510
To configure device R4:
Configure the interfaces.
content_copy zoom_out_map[edit interfaces] user@R4# set ge-0/0/0 unit 0 family inet address 10.0.0.13/30 user@R4# set ge-0/0/1 unit 0 family inet address 10.0.0.9/30 user@R4# set lo0 unit 0 family inet address 192.168.0.4/32
Configure the EBGP connection to device R1 and device R3.
content_copy zoom_out_map[edit protocols bgp] user@R4# set group to-R1 type external user@R4# set group to-R1 export send-static user@R4# set group to-R1 peer-as 64510 user@R4# set group to-R1 neighbor 10.0.0.14 user@R4# set group to-R3 type external user@R4# set group to-R3 export send-static user@R4# set group to-R3 peer-as 64510 user@R4# set group to-R3 neighbor 10.0.0.10
Configure the community tags.
content_copy zoom_out_map[edit policy-options ] user@R4# set community R3_PREFERRED members 64511:3 user@R4# set community R1_PREFERRED members 64511:1
Configure the policy
send-static.This policy is referenced in the EBGP connections to device R1 and device R3. The policy attaches the 64511:1 (PREFERRED) community to some routes and the 64511:3 (NOT_PREFERRED) community to other routes.
content_copy zoom_out_map[edit policy-options] user@R4# set policy-statement send-static term 1 from protocol static user@R4# set policy-statement send-static term 1 from route-filter 172.16.0.0/24 exact user@R4# set policy-statement send-static term 1 from route-filter 172.16.1.0/24 exact user@R4# set policy-statement send-static term 1 from route-filter 172.16.2.0/24 exact user@R4# set policy-statement send-static term 1 from route-filter 172.16.3.0/24 exact user@R4# set policy-statement send-static term 1 then community add R1_PREFERRED user@R4# set policy-statement send-static term 1 then accept user@R4# set policy-statement send-static term 2 from protocol static user@R4# set policy-statement send-static term 2 from route-filter 172.16.4.0/24 exact user@R4# set policy-statement send-static term 2 from route-filter 172.16.5.0/24 exact user@R4# set policy-statement send-static term 2 from route-filter 172.16.6.0/24 exact user@R4# set policy-statement send-static term 2 from route-filter 172.16.7.0/24 exact user@R4# set policy-statement send-static term 2 then community add R3_PREFERRED user@R4# set policy-statement send-static term 2 then accept user@R4# set policy-statement send-static term 3 then reject
Configure the static routes.
content_copy zoom_out_map[edit routing-options static] user@R4# set route 172.16.0.0/24 reject user@R4# set route 172.16.1.0/24 reject user@R4# set route 172.16.2.0/24 reject user@R4# set route 172.16.3.0/24 reject user@R4# set route 172.16.4.0/24 reject user@R4# set route 172.16.5.0/24 reject user@R4# set route 172.16.6.0/24 reject user@R4# set route 172.16.7.0/24 reject
Configure the autonomous system (AS) number and router ID.
content_copy zoom_out_map[edit routing-options] user@R4# set router-id 192.168.0.4 user@R4# set autonomous-system 64511
Results
From configuration mode, confirm your configuration by entering the
show interfaces, show protocols,
show policy-options, and show
routing-options commands. If the output does not display the
intended configuration, repeat the instructions in this example to correct
the configuration.
Device R1
content_copy zoom_out_map
user@R1# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.0.1/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.0.5/30;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.0.0.14/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.1/32;
}
}
}
content_copy zoom_out_map
user@R1# show protocols
bgp {
group int {
type internal;
local-address 192.168.0.1;
export send-direct;
neighbor 192.168.0.2;
neighbor 192.168.0.3;
}
group ext {
type external;
import change-local-preference;
peer-as 64511;
neighbor 10.0.0.13;
}
}
ospf {
area 0.0.0.0 {
interface ge-0/0/0.0;
interface ge-0/0/1.0;
interface lo0.0 {
passive;
}
}
}
content_copy zoom_out_map
user@R1# show policy-options
policy-statement change-local-preference {
term find-R1-routes {
from community R1_PREFERRED;
then {
local-preference 200;
}
}
term find-R3-routes {
from community R3_PREFERRED;
then {
local-preference 50;
}
}
}
policy-statement send-direct {
term 1 {
from {
protocol direct;
route-filter 10.0.0.12/30 exact;
}
then accept;
}
}
community R3_PREFERRED members 64511:3;
community R1_PREFERRED members 64511:1;
content_copy zoom_out_map
user@R1# show routing-options router-id 192.168.0.1; autonomous-system 64510;
Device R4
content_copy zoom_out_map
user@R4# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.0.13/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.0.9/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.4/32;
}
}
}
content_copy zoom_out_map
user@R4# show protocols
bgp {
group to-R1 {
type external;
export send-static;
peer-as 64510;
neighbor 10.0.0.14;
}
group to-R3 {
type external;
export send-static;
peer-as 64510;
neighbor 10.0.0.10;
}
}
content_copy zoom_out_map
user@R4# show policy-options
policy-statement send-static {
term 1 {
from {
protocol static;
route-filter 172.16.0.0/24 exact;
route-filter 172.16.1.0/24 exact;
route-filter 172.16.2.0/24 exact;
route-filter 172.16.3.0/24 exact;
}
then {
community add R1_PREFERRED;
accept;
}
}
term 2 {
from {
protocol static;
route-filter 172.16.4.0/24 exact;
route-filter 172.16.5.0/24 exact;
route-filter 172.16.6.0/24 exact;
route-filter 172.16.7.0/24 exact;
}
then {
community add R3_PREFERRED;
accept;
}
}
term 3 {
then reject;
}
}
community R3_PREFERRED members 64511:3;
community R1_PREFERRED members 64511:1;
content_copy zoom_out_map
user@R4# show routing-options
router-id 192.168.0.4;
autonomous-system 64511;
static {
route 172.16.0.0/24 reject;
route 172.16.1.0/24 reject;
route 172.16.2.0/24 reject;
route 172.16.3.0/24 reject;
route 172.16.4.0/24 reject;
route 172.16.5.0/24 reject;
route 172.16.6.0/24 reject;
route 172.16.7.0/24 reject;
}
If you are done configuring the devices, enter commit from
configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the Routes Sent on Device R4
Purpose
On device R4, check the routes sent to device R1 and device R3.
Action
content_copy zoom_out_map
user@R4> show route advertising-protocol bgp 10.0.0.14 extensive
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
* 172.16.0.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.1.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.2.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.3.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.4.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
* 172.16.5.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
* 172.16.6.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
* 172.16.7.0/24 (1 entry, 1 announced)
BGP group to-R1 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
content_copy zoom_out_map
user@R4> show route advertising-protocol bgp 10.0.0.10 extensive
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
* 172.16.0.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.1.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.2.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.3.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:1
* 172.16.4.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
* 172.16.5.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
* 172.16.6.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
* 172.16.7.0/24 (1 entry, 1 announced)
BGP group to-R3 type External
Nexthop: Self
AS path: [64511] I
Communities: 64511:3
Meaning
Device R4 has tagged the routes with the communities 64511:1 and 64511:3 and sent them to device R1 and R3.
Verifying the Routes Received on Device R2
Purpose
On device R2, check the routes received from device R1 and device R3.
Action
content_copy zoom_out_map
user@R2> show route receive-protocol bgp 192.168.0.1 inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 10.0.0.12/30 192.168.0.1 100 I * 172.16.0.0/24 10.0.0.13 200 64511 I * 172.16.1.0/24 10.0.0.13 200 64511 I * 172.16.2.0/24 10.0.0.13 200 64511 I * 172.16.3.0/24 10.0.0.13 200 64511 I
content_copy zoom_out_map
user@R2> show route receive-protocol bgp 192.168.0.3 inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 10.0.0.8/30 192.168.0.3 100 I * 172.16.4.0/24 10.0.0.9 200 64511 I * 172.16.5.0/24 10.0.0.9 200 64511 I * 172.16.6.0/24 10.0.0.9 200 64511 I * 172.16.7.0/24 10.0.0.9 200 64511 I
content_copy zoom_out_map
user@R2> show route match-prefix 172.16.*
inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.0.0/24 *[BGP/170] 1w3d 00:02:11, localpref 200, from 192.168.0.1
AS path: 64511 I, validation-state: unverified
> to 10.0.0.1 via ge-0/0/0.0
172.16.1.0/24 *[BGP/170] 1w3d 00:02:11, localpref 200, from 192.168.0.1
AS path: 64511 I, validation-state: unverified
> to 10.0.0.1 via ge-0/0/0.0
172.16.2.0/24 *[BGP/170] 1w3d 00:02:11, localpref 200, from 192.168.0.1
AS path: 64511 I, validation-state: unverified
> to 10.0.0.1 via ge-0/0/0.0
172.16.3.0/24 *[BGP/170] 1w3d 00:02:11, localpref 200, from 192.168.0.1
AS path: 64511 I, validation-state: unverified
> to 10.0.0.1 via ge-0/0/0.0
172.16.4.0/24 *[BGP/170] 1w3d 00:01:50, localpref 200, from 192.168.0.3
AS path: 64511 I, validation-state: unverified
> to 10.1.0.2 via ge-0/0/1.0
172.16.5.0/24 *[BGP/170] 1w3d 00:01:50, localpref 200, from 192.168.0.3
AS path: 64511 I, validation-state: unverified
> to 10.1.0.2 via ge-0/0/1.0
172.16.6.0/24 *[BGP/170] 1w3d 00:01:50, localpref 200, from 192.168.0.3
AS path: 64511 I, validation-state: unverified
> to 10.1.0.2 via ge-0/0/1.0
172.16.7.0/24 *[BGP/170] 1w3d 00:01:50, localpref 200, from 192.168.0.3
AS path: 64511 I, validation-state: unverified
> to 10.1.0.2 via ge-0/0/1.0
Meaning
Device R2 has the routes with the expected local preferences and the expected active routes, as designated by the asterisks (*).
