ON THIS PAGE
Example: Configuring Policy Chains and Route Filters
A policy chain is the application of multiple policies within a specific section of the configuration. A route filter is a collection of match prefixes.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
An example of a policy chain applied to BGP is as follows:
user@R1# show protocols bgp group int { type internal; local-address 192.168.0.1; export [ adv-statics adv-large-aggregates adv-small-aggregates ]; neighbor 192.168.0.2; neighbor 192.168.0.3; }
The adv-statics
, adv-large-aggregates
,
and adv-small-aggregates
policies, in addition to the default
BGP policy, make up the policy chain applied to the BGP peers of Device
R1. Two of the policies demonstrate route filters with different match
types. The other policy matches all static routes, so no route filter
is needed.
user@R1# show policy-options policy-statement adv-large-aggregates { term between-16-and-18 { from { protocol aggregate; route-filter 172.16.0.0/16 upto /18; } then accept; } } policy-statement adv-small-aggregates { term between-19-and-24 { from { protocol aggregate; route-filter 172.16.0.0/16 prefix-length-range /19-/24; } then accept; } } policy-statement adv-statics { term statics { from protocol static; then accept; } }
Optionally, you can convert this policy chain into a single multiterm policy for the internal BGP (IBGP) peers. If you do this, one of the advantages of a policy chain is lost—the ability to reuse policies for different purposes.
Figure 1 displays Device R1
in AS 64510 with its IBGP peers, Device R2 and Device R3. Device R1
also has external BGP (EBGP) connections to Device R4 in AS 64511
and Device R5 in AS 64512. The current administrative policy within
AS 64510 is to send the customer static routes only to other IBGP
peers. Any EBGP peer providing transit service only receives aggregate
routes with mask lengths smaller than 18 bits. Any EBGP peer providing
peering services receives all customer routes and all aggregates whose
mask length is larger than 19 bits. Each portion of these administrative
policies is configured in a separate routing policy within the [edit policy-opitons]
configuration hierarchy. These policies
provide the administrators of AS 64510 with multiple configuration
options for advertising routes to peers.
Device R4 is providing transit service to AS 64510, which allows the AS to advertise its assigned routing space to the Internet. On the other hand, the peering service provided by Device R5 allows AS 64510 to route traffic directly between the autonomous systems (ASs) for all customer routes.
Topology
Figure 1 shows the sample network.
CLI Quick Configuration shows the configuration for all of the devices in Figure 1.
The section Procedure describes the steps on Device R1.
Configuration
CLI Quick Configuration
To quickly configure
this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match
your network configuration, and then copy and paste the commands into
the CLI at the [edit]
hierarchy level.
Device R1
set interfaces fe-1/2/0 unit 0 description to_R2 set interfaces fe-1/2/0 unit 0 family inet address 10.0.0.1/30 set interfaces fe-1/2/2 unit 0 description to_R3 set interfaces fe-1/2/2 unit 0 family inet address 10.0.0.5/30 set interfaces fe-1/2/3 unit 0 description to_R4 set interfaces fe-1/2/3 unit 0 family inet address 10.1.0.5/30 set interfaces fe-1/2/1 unit 0 description to_R5 set interfaces fe-1/2/1 unit 0 family inet address 10.0.0.10/30 set interfaces lo0 unit 0 family inet address 192.168.0.1/32 set protocols bgp group int type internal set protocols bgp group int local-address 192.168.0.1 set protocols bgp group int export adv-statics set protocols bgp group int export adv-large-aggregates set protocols bgp group int export adv-small-aggregates set protocols bgp group int neighbor 192.168.0.2 set protocols bgp group int neighbor 192.168.0.3 set protocols bgp group to_64511 type external set protocols bgp group to_64511 export adv-large-aggregates set protocols bgp group to_64511 neighbor 10.1.0.6 peer-as 64511 set protocols bgp group to_64512 type external set protocols bgp group to_64512 export adv-small-aggregates set protocols bgp group to_64512 export adv-statics set protocols bgp group to_64512 neighbor 10.0.0.9 peer-as 64512 set protocols ospf area 0.0.0.0 interface fe-1/2/0.0 set protocols ospf area 0.0.0.0 interface fe-1/2/2.0 set protocols ospf area 0.0.0.0 interface lo0.0 passive set policy-options policy-statement adv-large-aggregates term between-16-and-18 from protocol aggregate set policy-options policy-statement adv-large-aggregates term between-16-and-18 from route-filter 172.16.0.0/16 upto /18 set policy-options policy-statement adv-large-aggregates term between-16-and-18 then accept set policy-options policy-statement adv-small-aggregates term between-19-and-24 from protocol aggregate set policy-options policy-statement adv-small-aggregates term between-19-and-24 from route-filter 172.16.0.0/16 prefix-length-range /19-/24 set policy-options policy-statement adv-small-aggregates term between-19-and-24 then accept set policy-options policy-statement adv-statics term statics from protocol static set policy-options policy-statement adv-statics term statics then accept set routing-options static route 172.16.1.16/28 discard set routing-options static route 172.16.1.32/28 discard set routing-options static route 172.16.1.48/28 discard set routing-options static route 172.16.1.64/28 discard set routing-options aggregate route 172.16.0.0/16 set routing-options aggregate route 172.16.1.0/24 set routing-options router-id 192.168.0.1 set routing-options autonomous-system 64510
Device R2
set interfaces fe-1/2/0 unit 0 description to_R1 set interfaces fe-1/2/0 unit 0 family inet address 10.0.0.2/30 set interfaces fe-1/2/1 unit 0 description to_R3 set interfaces fe-1/2/1 unit 0 family inet address 10.1.0.1/30 set interfaces lo0 unit 0 family inet address 192.168.0.2/32 set protocols bgp group int type internal set protocols bgp group int local-address 192.168.0.2 set protocols bgp group int neighbor 192.168.0.1 export send-static-aggregate set protocols bgp group int neighbor 192.168.0.3 set protocols ospf area 0.0.0.0 interface fe-1/2/0.0 set protocols ospf area 0.0.0.0 interface fe-1/2/1.0 set protocols ospf area 0.0.0.0 interface lo0.0 passive set policy-options policy-statement send-static-aggregate term 1 from protocol static set policy-options policy-statement send-static-aggregate term 1 from protocol aggregate set policy-options policy-statement send-static-aggregate term 1 then accept set routing-options static route 172.16.2.16/28 discard set routing-options static route 172.16.2.32/28 discard set routing-options static route 172.16.2.48/28 discard set routing-options static route 172.16.2.64/28 discard set routing-options aggregate route 172.16.2.0/24 set routing-options aggregate route 172.16.0.0/16 set routing-options router-id 192.168.0.2 set routing-options autonomous-system 64510
Device R3
set interfaces fe-1/2/1 unit 0 description to_R2 set interfaces fe-1/2/1 unit 0 family inet address 10.1.0.2/30 set interfaces fe-1/2/2 unit 0 description to_R1 set interfaces fe-1/2/2 unit 0 family inet address 10.0.0.6/30 set interfaces lo0 unit 0 family inet address 192.168.0.3/32 set protocols bgp group int type internal set protocols bgp group int local-address 192.168.0.3 set protocols bgp group int neighbor 192.168.0.1 export send-static-aggregate set protocols bgp group int neighbor 192.168.0.2 set protocols ospf area 0.0.0.0 interface fe-1/2/2.0 set protocols ospf area 0.0.0.0 interface fe-1/2/1.0 set protocols ospf area 0.0.0.0 interface lo0.0 passive set policy-options policy-statement send-static-aggregate from protocol static set policy-options policy-statement send-static-aggregate from protocol aggregate set policy-options policy-statement send-static-aggregate then accept set routing-options static route 172.16.3.16/28 discard set routing-options static route 172.16.3.32/28 discard set routing-options static route 172.16.3.48/28 discard set routing-options static route 172.16.3.64/28 discard set routing-options aggregate route 172.16.0.0/16 set routing-options aggregate route 172.16.3.0/24 set routing-options router-id 192.168.0.3 set routing-options autonomous-system 64510
Device R4
set interfaces fe-1/2/3 unit 0 description to_R1 set interfaces fe-1/2/3 unit 0 family inet address 10.1.0.6/30 set interfaces lo0 unit 0 family inet address 192.168.0.4/32 set protocols bgp group ext type external set protocols bgp group ext peer-as 64510 set protocols bgp group ext neighbor 10.1.0.5 set routing-options autonomous-system 64511
Device R5
set interfaces fe-1/2/1 unit 0 description to_R1 set interfaces fe-1/2/1 unit 0 family inet address 10.0.0.9/30 set interfaces lo0 unit 0 family inet address 192.168.0.5/32 set protocols bgp group ext type external set protocols bgp group ext neighbor 10.0.0.10 peer-as 64510 set routing-options autonomous-system 64512
Procedure
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Device R1:
Configure the device interfaces.
[edit interfaces] user@R1# set fe-1/2/0 unit 0 description to_R2 user@R1# set fe-1/2/0 unit 0 family inet address 10.0.0.1/30 user@R1# set fe-1/2/2 unit 0 description to_R3 user@R1# set fe-1/2/2 unit 0 family inet address 10.0.0.5/30 user@R1# set fe-1/2/3 unit 0 description to_R4 user@R1# set fe-1/2/3 unit 0 family inet address 10.1.0.5/30 user@R1# set fe-1/2/1 unit 0 description to_R5 user@R1# set fe-1/2/1 unit 0 family inet address 10.0.0.10/30 user@R1# set lo0 unit 0 family inet address 192.168.0.1/32
Configure the IBGP connections to Device R2 and Device R3.
[edit protocols bgp group int] user@R1# set type internal user@R1# set local-address 192.168.0.1 user@R1# set neighbor 192.168.0.2 user@R1# set neighbor 192.168.0.3
Apply the export policies for the internal peers.
[edit protocols bgp group int] user@R1# set export adv-statics user@R1# set export adv-large-aggregates user@R1# set export adv-small-aggregates
Configure the EBGP connection to Device R4.
[edit protocols bgp group to_64511] user@R1# set type external user@R1# set neighbor 10.1.0.6 peer-as 64511
Apply the export policy for Device R4.
[edit protocols bgp group to_64511] user@R1# set export adv-large-aggregates
Configure the EBGP connection to Device R5.
[edit protocols bgp group to_64512] user@R1# set type external user@R1# set neighbor 10.0.0.9 peer-as 64512
Apply the export policies for Device R5.
[edit protocols bgp group to_64512] user@R1# set export adv-small-aggregates user@R1# set export adv-statics
Configure OSPF connections to Device R2 and Device R3.
[edit protocols ospf area 0.0.0.0] user@R1# set interface fe-1/2/0.0 user@R1# set interface fe-1/2/2.0 user@R1# set interface lo0.0 passive
Configure the routing policies.
[edit policy-options policy-statement adv-large-aggregates term between-16-and-18] user@R1# set from protocol aggregate user@R1# set from route-filter 172.16.0.0/16 upto /18 user@R1# set then accept [edit policy-options policy-statement adv-small-aggregates term between-19-and-24] user@R1# set from protocol aggregate user@R1# set from route-filter 172.16.0.0/16 prefix-length-range /19-/24 user@R1# set then accept [edit policy-options policy-statement adv-statics term statics] user@R1# set from protocol static user@R1# set then accept
Configure the static and aggregate routes.
[edit routing-options static] user@R1# set route 172.16.1.16/28 discard user@R1# set route 172.16.1.32/28 discard user@R1# set route 172.16.1.48/28 discard user@R1# set route 172.16.1.64/28 discard [edit routing-options aggregate] user@R1# set route 172.16.0.0/16 user@R1# set route 172.16.1.0/24
Configure the autonomous system (AS) number and router ID.
[edit routing-options] user@R1# set router-id 192.168.0.1 user@R1# set autonomous-system 64510
Results
From configuration mode, confirm your configuration
by entering the show interfaces
, show protocols
, show policy-options
, and show routing-options
commands. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
user@R1# show interfaces fe-1/2/0 { unit 0 { description to_R2; family inet { address 10.0.0.1/30; } } } fe-1/2/2 { unit 0 { description to_R3; family inet { address 10.0.0.5/30; } } } fe-1/2/3 { unit 0 { description to_R4; family inet { address 10.1.0.5/30; } } } fe-1/2/1 { unit 0 { description to_R5; family inet { address 10.0.0.10/30; } } } lo0 { unit 0 { family inet { address 192.168.0.1/32; } } }
user@R1# show protocols bgp { group int { type internal; local-address 192.168.0.1; export [ adv-statics adv-large-aggregates adv-small-aggregates ]; neighbor 192.168.0.2; neighbor 192.168.0.3; } group to_64511 { type external; export adv-large-aggregates; neighbor 10.1.0.6 { peer-as 64511; } } group to_64512 { type external; export [ adv-small-aggregates adv-statics ]; neighbor 10.0.0.9 { peer-as 64512; } } } ospf { area 0.0.0.0 { interface fe-1/2/0.0; interface fe-1/2/2.0; interface lo0.0 { passive; } } }
user@R1# show policy-options policy-statement adv-large-aggregates { term between-16-and-18 { from { protocol aggregate; route-filter 172.16.0.0/16 upto /18; } then accept; } } policy-statement adv-small-aggregates { term between-19-and-24 { from { protocol aggregate; route-filter 172.16.0.0/16 prefix-length-range /19-/24; } then accept; } } policy-statement adv-statics { term statics { from protocol static; then accept; } }
user@R1# show routing-options static { route 172.16.1.16/28 discard; route 172.16.1.32/28 discard; route 172.16.1.48/28 discard; route 172.16.1.64/28 discard; } aggregate { route 172.16.0.0/16; route 172.16.1.0/24; } router-id 192.168.0.1; autonomous-system 64510;
If you are done configuring the device, enter commit
from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying the Route Advertisement to Device R4
- Checking Where the Longer Routes Are Originating
- Blocking the More Specific Routes
- Verifying the Route Advertisement to Device R5
Verifying the Route Advertisement to Device R4
Purpose
On Device R1, make sure that the customer routes are advertised to Device R4.
Action
user@R1> show route advertising-protocol bgp 10.1.0.6 inet.0: 29 destinations, 31 routes (29 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.0.0/16 Self I * 172.16.2.0/24 Self I * 172.16.2.16/28 Self I * 172.16.2.32/28 Self I * 172.16.2.48/28 Self I * 172.16.2.64/28 Self I * 172.16.3.0/24 Self I * 172.16.3.16/28 Self I * 172.16.3.32/28 Self I * 172.16.3.48/28 Self I * 172.16.3.64/28 Self I
Meaning
The adv-large-aggregates
policy is applied
to the peering session with Device R4 to advertise the aggregate routes
with a subnet mask length between 16 and 18 bits. The 172.16.0.0/16
aggregate route is being sent as defined by the administrative policy,
but a number of other routes with larger subnet masks are also being
sent to Device R4.
Checking Where the Longer Routes Are Originating
Purpose
On Device R1, find where the other routes are coming from.
Action
user@R1> show route 172.16.3.16/28 inet.0: 29 destinations, 31 routes (29 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 172.16.3.16/28 *[BGP/170] 20:16:00, localpref 100, from 192.168.0.3 AS path: I, validation-state: unverified > to 10.0.0.6 via fe-1/2/2.0
Meaning
Device R1 has learned this route through its BGP session with Device R3. Because it is an active BGP route, it is automatically advertised by the BGP default policy. Remember that the default policy is always applied to the end of every policy chain. What is needed is a policy to block the more specific routes from being advertised.
Blocking the More Specific Routes
Purpose
Create a policy called not-larger-than-18
that rejects all routes within the 172.16.0.0 /16 address space
that have a subnet mask length greater than or equal to 19 bits. This
ensures that all aggregates with a mask between 16 and 18 bits are
advertised, thus accomplishing the goal of the administrative policy.
Action
On Device R1, configure the
not-larger-than-18
policy.[edit policy-options policy-statement not-larger-than-18 term reject-greater-than-18-bits] user@R1# set from route-filter 172.16.0.0/16 prefix-length-range /19-/32 user@R1# set then reject
On Device R1, apply the policy to the peering session with Device R4.
[edit protocols bgp group to_64511] user@R1# set export not-larger-than-18 user@R1# commit
On Device R1, check which routes are advertised to Device R4.
user@R1> show route advertising-protocol bgp 10.1.0.6 inet.0: 29 destinations, 31 routes (29 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.0.0/16 Self I
Meaning
The policy chain is working correctly. Only the 172.16.0.0 /16 route is advertised to Device R4.
Verifying the Route Advertisement to Device R5
Purpose
On Device R1, make sure that the customer routes are advertised to Device R5.
Device R5 is Device R1’s EBGP peer in AS 64512. The administrative
policy states that this peer receives only aggregate routes larger
than 18 bits in length and all customer routes. In anticipation of
encountering a problem similar to the problem on Device R4, you can
create a policy called not-smaller- than-18
that rejects
all aggregates with mask lengths between 16 and 18 bits.
Action
On Device R2, configure an aggregate route for 172.16.128.0/17.
[edit routing-options aggregate] user@R2# set route 172.16.128.0/17 discard user@R2# commit
On Device R1, check which routes are advertised to Device R5.
user@R1> show route advertising-protocol bgp 10.0.0.9 inet.0: 30 destinations, 32 routes (30 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.1.0/24 Self I * 172.16.1.16/28 Self I * 172.16.1.32/28 Self I * 172.16.1.48/28 Self I * 172.16.1.64/28 Self I * 172.16.2.0/24 Self I * 172.16.2.16/28 Self I * 172.16.2.32/28 Self I * 172.16.2.48/28 Self I * 172.16.2.64/28 Self I * 172.16.3.0/24 Self I * 172.16.3.16/28 Self I * 172.16.3.32/28 Self I * 172.16.3.48/28 Self I * 172.16.3.64/28 Self I * 172.16.128.0/17 Self I
The aggregate route 172.16.128.0/17 is advertised, in violation of the administrative policy
On Device R1, configure the
not-smaller-than-18
policy.[edit policy-options policy-statement not-smaller-than-18 term reject-less-than-18-bits] user@R1# set from protocol aggregate user@R1# set from route-filter 172.16.0.0/16 upto /18 user@R1# set then reject
On Device R1, apply the policy to the peering session with Device R5.
[edit protocols bgp group to_64512] user@R1# set export not-smaller-than-18 user@R1# commit
On Device R1, check which routes are advertised to Device R5.
user@R1> show route advertising-protocol bgp 10.0.0.9 inet.0: 29 destinations, 31 routes (29 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.1.0/24 Self I * 172.16.1.16/28 Self I * 172.16.1.32/28 Self I * 172.16.1.48/28 Self I * 172.16.1.64/28 Self I * 172.16.2.0/24 Self I * 172.16.2.16/28 Self I * 172.16.2.32/28 Self I * 172.16.2.48/28 Self I * 172.16.2.64/28 Self I * 172.16.3.0/24 Self I * 172.16.3.16/28 Self I * 172.16.3.32/28 Self I * 172.16.3.48/28 Self I * 172.16.3.64/28 Self I
Meaning
The policy chain is working correctly. Only aggregate routes larger than 18 bits in length and all customer routes are advertised to Device R5.