- play_arrow Configuring Firewall Filters
- play_arrow Understanding How Firewall Filters Protect Your Network
- Firewall Filters Overview
- Router Data Flow Overview
- Stateless Firewall Filter Overview
- Understanding How to Use Standard Firewall Filters
- Understanding How Firewall Filters Control Packet Flows
- Stateless Firewall Filter Components
- Stateless Firewall Filter Application Points
- How Standard Firewall Filters Evaluate Packets
- Understanding Firewall Filter Fast Lookup Filter
- Understanding Egress Firewall Filters with PVLANs
- Selective Class-based Filtering on PTX Routers
- Guidelines for Configuring Firewall Filters
- Guidelines for Applying Standard Firewall Filters
- Supported Standards for Filtering
- Monitoring Firewall Filter Traffic
- Troubleshooting Firewall Filters
- play_arrow Firewall Filter Match Conditions and Actions
- Overview of Firewall Filters (OCX Series)
- Overview of Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved)
- Understanding Firewall Filter Match Conditions
- Understanding Firewall Filter Planning
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Match Conditions
- Firewall Filter Flexible Match Conditions
- Firewall Filter Nonterminating Actions
- Firewall Filter Terminating Actions
- Firewall Filter Match Conditions and Actions (ACX Series Routers)
- Firewall Filter Match Conditions and Actions in ACX Series Routers (Junos OS Evolved)
- Firewall Filter Match Conditions for Protocol-Independent Traffic
- Firewall Filter Match Conditions for IPv4 Traffic
- Firewall Filter Match Conditions for IPv6 Traffic
- Firewall Filter Match Conditions Based on Numbers or Text Aliases
- Firewall Filter Match Conditions Based on Bit-Field Values
- Firewall Filter Match Conditions Based on Address Fields
- Firewall Filter Match Conditions Based on Address Classes
- Understanding IP-Based Filtering and Selective Port Mirroring of MPLS Traffic
- Firewall Filter Match Conditions for MPLS Traffic
- Firewall Filter Match Conditions for MPLS-Tagged IPv4 or IPv6 Traffic
- Firewall Filter Match Conditions for VPLS Traffic
- Firewall Filter Match Conditions for Layer 2 CCC Traffic
- Firewall Filter Match Conditions for Layer 2 Bridging Traffic
- Firewall Filter Support on Loopback Interface
- play_arrow Applying Firewall Filters to Routing Engine Traffic
- Configuring Logical Units on the Loopback Interface for Routing Instances in Layer 3 VPNs
- Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List
- Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources
- Example: Configure a Filter to Block Telnet and SSH Access
- Example: Configuring a Filter to Block TFTP Access
- Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags
- Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers
- Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods
- Example: Protecting the Routing Engine with a Packets-Per-Second Rate Limiting Filter
- Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscriber
- Port Number Requirements for DHCP Firewall Filters
- Example: Configuring a DHCP Firewall Filter to Protect the Routing Engine
- play_arrow Applying Firewall Filters to Transit Traffic
- Example: Configuring a Filter for Use as an Ingress Queuing Filter
- Example: Configuring a Filter to Match on IPv6 Flags
- Example: Configuring a Filter to Match on Port and Protocol Fields
- Example: Configuring a Filter to Count Accepted and Rejected Packets
- Example: Configuring a Filter to Count and Discard IP Options Packets
- Example: Configuring a Filter to Count IP Options Packets
- Example: Configuring a Filter to Count and Sample Accepted Packets
- Example: Configuring a Filter to Set the DSCP Bit to Zero
- Example: Configuring a Filter to Set the DSCP Bit to Zero
- Example: Configuring a Filter to Match on Two Unrelated Criteria
- Example: Configuring a Filter to Accept DHCP Packets Based on Address
- Example: Configuring a Filter to Accept OSPF Packets from a Prefix
- Example: Configuring a Stateless Firewall Filter to Handle Fragments
- Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation
- Configuring a Firewall Filter to Discard Ingress IPv6 Packets with a Mobility Extension Header
- Example: Configuring an Egress Filter Based on IPv6 Source or Destination IP Addresses
- Example: Configuring a Rate-Limiting Filter Based on Destination Class
- play_arrow Configuring Firewall Filters in Logical Systems
- Firewall Filters in Logical Systems Overview
- Guidelines for Configuring and Applying Firewall Filters in Logical Systems
- References from a Firewall Filter in a Logical System to Subordinate Objects
- References from a Firewall Filter in a Logical System to Nonfirewall Objects
- References from a Nonfirewall Object in a Logical System to a Firewall Filter
- Example: Configuring Filter-Based Forwarding
- Example: Configuring Filter-Based Forwarding on Logical Systems
- Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
- Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods
- Unsupported Firewall Filter Statements for Logical Systems
- Unsupported Actions for Firewall Filters in Logical Systems
- Filter-Based Forwarding for Routing Instances
- Forwarding Table Filters for Routing Instances on ACX Series Routers
- Configuring Forwarding Table Filters
- play_arrow Configuring Firewall Filter Accounting and Logging
- play_arrow Attaching Multiple Firewall Filters to a Single Interface
- Applying Firewall Filters to Interfaces
- Configuring Firewall Filters
- Multifield Classifier Example: Configuring Multifield Classification
- Multifield Classifier for Ingress Queuing on MX Series Routers with MPC
- Assigning Multifield Classifiers in Firewall Filters to Specify Packet-Forwarding Behavior (CLI Procedure)
- Understanding Multiple Firewall Filters in a Nested Configuration
- Guidelines for Nesting References to Multiple Firewall Filters
- Understanding Multiple Firewall Filters Applied as a List
- Guidelines for Applying Multiple Firewall Filters as a List
- Example: Applying Lists of Multiple Firewall Filters
- Example: Nesting References to Multiple Firewall Filters
- Example: Filtering Packets Received on an Interface Set
- play_arrow Attaching a Single Firewall Filter to Multiple Interfaces
- Interface-Specific Firewall Filter Instances Overview
- Interface-Specific Firewall Filter Instances Overview
- Filtering Packets Received on a Set of Interface Groups Overview
- Filtering Packets Received on an Interface Set Overview
- Example: Configuring Interface-Specific Firewall Filter Counters
- Example: Configuring a Stateless Firewall Filter on an Interface Group
- play_arrow Configuring Filter-Based Tunneling Across IP Networks
- Understanding Filter-Based Tunneling Across IPv4 Networks
- Firewall Filter-Based L2TP Tunneling in IPv4 Networks Overview
- Interfaces That Support Filter-Based Tunneling Across IPv4 Networks
- Components of Filter-Based Tunneling Across IPv4 Networks
- Example: Transporting IPv6 Traffic Across IPv4 Using Filter-Based Tunneling
- play_arrow Configuring Service Filters
- Service Filter Overview
- How Service Filters Evaluate Packets
- Guidelines for Configuring Service Filters
- Guidelines for Applying Service Filters
- Example: Configuring and Applying Service Filters
- Service Filter Match Conditions for IPv4 or IPv6 Traffic
- Service Filter Nonterminating Actions
- Service Filter Terminating Actions
- play_arrow Configuring Simple Filters
- play_arrow Configuring Layer 2 Firewall Filters
- Understanding Firewall Filters Used to Control Traffic Within Bridge Domains and VPLS Instances
- Example: Configuring Filtering of Frames by MAC Address
- Example: Configuring Filtering of Frames by IEEE 802.1p Bits
- Example: Configuring Filtering of Frames by Packet Loss Priority
- Example: Configuring Policing and Marking of Traffic Entering a VPLS Core
- Understanding Firewall Filters on OVSDB-Managed Interfaces
- Example: Applying a Firewall Filter to OVSDB-Managed Interfaces
- play_arrow Configuring Firewall Filters for Forwarding, Fragments, and Policing
- Filter-Based Forwarding Overview
- Firewall Filters That Handle Fragmented Packets Overview
- Stateless Firewall Filters That Reference Policers Overview
- Example: Configuring Filter-Based Forwarding on the Source Address
- Example: Configuring Filter-Based Forwarding to a Specific Outgoing Interface or Destination IP Address
- play_arrow Configuring Firewall Filters (EX Series Switches)
- Firewall Filters for EX Series Switches Overview
- Understanding Planning of Firewall Filters
- Understanding Firewall Filter Match Conditions
- Understanding How Firewall Filters Control Packet Flows
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches
- Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches
- Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches
- Support for Match Conditions and Actions for Loopback Firewall Filters on Switches
- Configuring Firewall Filters (CLI Procedure)
- Understanding How Firewall Filters Test a Packet's Protocol
- Understanding Filter-Based Forwarding for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
- Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication
- Verifying That Policers Are Operational
- Troubleshooting Firewall Filters
- play_arrow Configuring Firewall Filters (QFX Series Switches, EX4600 Switches, PTX Series Routers)
- Overview of Firewall Filters (QFX Series)
- Understanding Firewall Filter Planning
- Planning the Number of Firewall Filters to Create
- Firewall Filter Match Conditions and Actions (QFX and EX Series Switches)
- Firewall Filter Match Conditions and Actions (QFX10000 Switches)
- Firewall Filter Match Conditions and Actions (PTX Series Routers)
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Configuring Firewall Filters
- Applying Firewall Filters to Interfaces
- Overview of MPLS Firewall Filters on Loopback Interface
- Configuring MPLS Firewall Filters and Policers on Switches
- Configuring MPLS Firewall Filters and Policers on Routers
- Configuring MPLS Firewall Filters and Policers
- Understanding How a Firewall Filter Tests a Protocol
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets
- Understanding Filter-Based Forwarding
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
- Configuring a Firewall Filter to De-Encapsulate GRE or IPIP Traffic
- Verifying That Firewall Filters Are Operational
- Monitoring Firewall Filter Traffic
- Troubleshooting Firewall Filter Configuration
- play_arrow Configuring Firewall Filter Accounting and Logging (EX9200 Switches)
-
- play_arrow Configuring Traffic Policers
- play_arrow Understanding Traffic Policers
- Policer Implementation Overview
- ARP Policer Overview
- Example: Configuring ARP Policer
- Understanding the Benefits of Policers and Token Bucket Algorithms
- Determining Proper Burst Size for Traffic Policers
- Controlling Network Access Using Traffic Policing Overview
- Traffic Policer Types
- Order of Policer and Firewall Filter Operations
- Understanding the Frame Length for Policing Packets
- Supported Standards for Policing
- Hierarchical Policer Configuration Overview
- Understanding Enhanced Hierarchical Policers
- Packets-Per-Second (pps)-Based Policer Overview
- Guidelines for Applying Traffic Policers
- Policer Support for Aggregated Ethernet Interfaces Overview
- Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Hierarchical Policers on ACX Series Routers Overview
- Guidelines for Configuring Hierarchical Policers on ACX Series Routers
- Hierarchical Policer Modes on ACX Series Routers
- Processing of Hierarchical Policers on ACX Series Routers
- Actions Performed for Hierarchical Policers on ACX Series Routers
- Configuring Aggregate Parent and Child Policers on ACX Series Routers
- play_arrow Configuring Policer Rate Limits and Actions
- play_arrow Configuring Layer 2 Policers
- Hierarchical Policers
- Configuring a Policer Overhead
- Two-Color and Three-Color Policers at Layer 2
- Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Two-Color Layer 2 Policer for the Pseudowire
- Configuring a Three-Color Layer 2 Policer for the Pseudowire
- Applying the Policers to Dynamic Profile Interfaces
- Attaching Dynamic Profiles to Routing Instances
- Using Variables for Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Policer for the Complex Configuration
- Creating a Dynamic Profile for the Complex Configuration
- Attaching Dynamic Profiles to Routing Instances for the Complex Configuration
- Verifying Layer 2 Traffic Policers on VPLS Connections
- Understanding Policers on OVSDB-Managed Interfaces
- Example: Applying a Policer to OVSDB-Managed Interfaces
- play_arrow Configuring Two-Color and Three-Color Traffic Policers at Layer 3
- Two-Color Policer Configuration Overview
- Basic Single-Rate Two-Color Policers
- Bandwidth Policers
- Prefix-Specific Counting and Policing Actions
- Policer Overhead to Account for Rate Shaping in the Traffic Manager
- Three-Color Policer Configuration Overview
- Applying Policers
- Three-Color Policer Configuration Guidelines
- Basic Single-Rate Three-Color Policers
- Basic Two-Rate Three-Color Policers
- Example: Configuring a Two-Rate Three-Color Policer
- play_arrow Configuring Logical and Physical Interface Traffic Policers at Layer 3
- play_arrow Configuring Policers on Switches
- Overview of Policers
- Traffic Policer Types
- Understanding the Use of Policers in Firewall Filters
- Understanding Tricolor Marking Architecture
- Configuring Policers to Control Traffic Rates (CLI Procedure)
- Configuring Tricolor Marking Policers
- Understanding Policers with Link Aggregation Groups
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
- Example: Using Two-Color Policers and Prefix Lists
- Example: Using Policers to Manage Oversubscription
- Assigning Forwarding Classes and Loss Priority
- Configuring Color-Blind Egress Policers for Medium-Low PLP
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
- Verifying That Two-Color Policers Are Operational
- Verifying That Three-Color Policers Are Operational
- Troubleshooting Policer Configuration
- Troubleshooting Policer Configuration
-
- play_arrow Configuration Statements and Operational Commands
- play_arrow Troubleshooting
- play_arrow Knowledge Base
-
ON THIS PAGE
Example: Configuring Dynamic Routing Policies
This example shows how to configure routing policy objects in a dynamic database that is not subject to the same verification required in the standard configuration database.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
The verification process required to commit configuration changes can entail a significant amount of overhead and time.
The time it takes to commit changes to the dynamic database is much shorter than for the standard configuration database. You can reference these policies and policy objects in routing policies you configure in the standard database. BGP is the only protocol to which you can apply routing policies that reference policies and policy objects configured in the dynamic database. After you configure and commit a routing policy based on the objects configured in the dynamic database, you can quickly update any existing routing policy by making changes to the dynamic database configuration.
Because Junos OS does not validate configuration changes to the dynamic database, when you use this feature, you should test and verify all configuration changes before committing them.
Figure 1 shows the sample network.
The example includes three routers with external BGP (EBGP) sessions established. Only Device R1 makes use of the dynamic database.
On Device R0’s fe-1/2/1 interface, multiple IPv4 interfaces are configured, and
a routing policy injects these prefixes into BGP, using the from interface fe-1/2/1.0 policy condition as a shorthand method for specifying all of the IP addresses configured
on Device R0’s fe-1/2/1 interface.
Likewise, on Device R2’s fe-1/2/3 interface, multiple IPv4 addresses are configured, and a routing policy injects these prefixes into BGP. Device R2’s configuration is slightly different from Device R0’s in that Device R2’s configuration demonstrates the use of a prefix list.
On Device R1, in the dynamic database, two prefix lists are defined, one for the interface addresses learned from Device R0 and another for the interface addresses learned from Device R2. Device R1’s standard database contains routing policies with prefix lists that are similar to those defined in the dynamic database.
In its peer session with Device R0, Device R1 has the static-database policies applied. In contrast, in its peer session with Device R2, Device R1’s configuration references the dynamic database.
The results of these different configurations are analyzed in the Verification section.
CLI Quick Configuration shows the configuration for all of the devices in Figure 1.
The section #configuration776__policy-dynamic-st describes the steps on Device R1’s dynamic database.
The section #configuration776__policy-standard-st describes the steps on Device R1’s standard database.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks, change any details
necessary to match your network configuration, and then copy and paste the commands into the
CLI at the [edit] hierarchy level.
Device R0
set interfaces fe-1/2/0 unit 0 family inet address 10.0.0.1/30 set interfaces fe-1/2/1 unit 0 family inet address 172.16.4.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.3.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.2.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.1.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.5.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.6.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.7.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.8.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.9.1/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.10.1/24 set interfaces lo0 unit 0 family inet address 10.255.14.151/32 set protocols bgp group ext type external set protocols bgp group ext neighbor 10.0.0.2 export t2 set protocols bgp group ext neighbor 10.0.0.2 peer-as 200 set policy-options policy-statement t2 from interface fe-1/2/0.0 set policy-options policy-statement t2 from interface fe-1/2/1.0 set policy-options policy-statement t2 then accept set routing-options router-id 10.255.14.151 set routing-options autonomous-system 100
Device R1 Dynamic Database
[edit dynamic] set policy-options prefix-list dyn_prfx1 172.16.1.0/24 set policy-options prefix-list dyn_prfx1 172.16.2.0/24 set policy-options prefix-list dyn_prfx1 172.16.3.0/24 set policy-options prefix-list dyn_prfx1 172.16.4.0/24 set policy-options prefix-list dyn_prfx1 172.16.5.0/24 set policy-options prefix-list dyn_prfx1 172.16.6.0/24 set policy-options prefix-list dyn_prfx1 172.16.7.0/24 set policy-options prefix-list dyn_prfx1 172.16.8.0/24 set policy-options prefix-list dyn_prfx2 172.16.2.0/24 set policy-options prefix-list dyn_prfx2 172.16.3.0/24 set policy-options prefix-list dyn_prfx2 172.16.4.0/24 set policy-options prefix-list dyn_prfx2 172.16.5.0/24 set policy-options prefix-list dyn_prfx2 172.16.6.0/24 set policy-options policy-statement dyn_policy1 term t1 from prefix-list dyn_prfx1 set policy-options policy-statement dyn_policy1 term t1 then accept set policy-options policy-statement dyn_policy1 term t2 then reject set policy-options policy-statement dyn_policy2 term t1 from prefix-list dyn_prfx2 set policy-options policy-statement dyn_policy2 term t1 then accept set policy-options policy-statement dyn_policy2 term t2 then reject
Device R1 Standard Database
set interfaces fe-1/2/0 unit 0 family inet address 10.0.0.2/30 set interfaces fe-1/2/2 unit 0 family inet address 10.1.0.1/30 set interfaces fe-1/2/1 unit 0 family inet address 172.16.4.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.3.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.2.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.1.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.5.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.6.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.7.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.8.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.9.2/24 set interfaces fe-1/2/1 unit 0 family inet address 172.16.10.2/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.22.2/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.23.2/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.24.2/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.25.2/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.26.2/24 set interfaces lo0 unit 0 family inet address 192.168.0.2/32 set protocols bgp group to_r0 idle-after-switch-over 300 set protocols bgp group to_r0 neighbor 10.0.0.1 import dyn_policy1 set protocols bgp group to_r0 neighbor 10.0.0.1 export dyn_policy2 set protocols bgp group to_r0 neighbor 10.0.0.1 peer-as 100 set protocols bgp group to_R2 import static_policy1 set protocols bgp group to_R2 export static_policy2 set protocols bgp group to_R2 idle-after-switch-over 300 set protocols bgp group to_R2 neighbor 10.1.0.2 peer-as 300 set policy-options prefix-list static_prfx1 172.16.22.0/24 set policy-options prefix-list static_prfx1 172.16.23.0/24 set policy-options prefix-list static_prfx1 172.16.24.0/24 set policy-options prefix-list static_prfx1 172.16.25.0/24 set policy-options prefix-list static_prfx2 172.16.1.0/24 set policy-options prefix-list static_prfx2 172.16.2.0/24 set policy-options prefix-list static_prfx2 172.16.3.0/24 set policy-options prefix-list static_prfx2 172.16.4.0/24 set policy-options policy-statement dyn_policy1 dynamic-db set policy-options policy-statement dyn_policy2 dynamic-db set policy-options policy-statement static_policy1 term t1 from prefix-list static_prfx1 set policy-options policy-statement static_policy1 term t1 then accept set policy-options policy-statement static_policy1 term t2 then reject set policy-options policy-statement static_policy2 term t1 from prefix-list static_prfx2 set policy-options policy-statement static_policy2 term t1 then accept set policy-options policy-statement static_policy2 term t2 then reject set routing-options autonomous-system 200
Device R2
set interfaces fe-1/2/2 unit 0 family inet address 10.1.0.2/30 set interfaces fe-1/2/3 unit 0 family inet address 172.16.22.1/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.23.1/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.24.1/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.25.1/24 set interfaces fe-1/2/3 unit 0 family inet address 172.16.26.1/24 set interfaces lo0 unit 0 family inet address 192.168.0.3/32 set protocols bgp group to_vin neighbor 10.1.0.1 export p1 set protocols bgp group to_vin neighbor 10.1.0.1 peer-as 200 set policy-options prefix-list ppx1 172.16.22.0/24 set policy-options prefix-list ppx1 172.16.23.0/24 set policy-options prefix-list ppx1 172.16.24.0/24 set policy-options prefix-list ppx1 172.16.25.0/24 set policy-options prefix-list ppx1 172.16.26.0/24 set policy-options policy-statement p1 term t1 from family inet set policy-options policy-statement p1 term t1 from prefix-list ppx1 set policy-options policy-statement p1 term t1 then accept set routing-options autonomous-system 300
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Device R1’s dynamic database:
Enter configuration mode for the dynamic database.
content_copy zoom_out_mapuser@R1> configure dynamic Entering configuration mode [edit dynamic]
Create a prefix list for the interface addresses learned from Device R0.
content_copy zoom_out_map[edit dynamic policy-options prefix-list dyn_prfx1] user@R1# set 172.16.1.0/24 user@R1# set 172.16.2.0/24 user@R1# set 172.16.3.0/24 user@R1# set 172.16.4.0/24 user@R1# set 172.16.5.0/24 user@R1# set 172.16.6.0/24 user@R1# set 172.16.7.0/24 user@R1# set 172.16.8.0/24
Create a prefix list for the interface addresses learned from Device R2.
content_copy zoom_out_map[edit dynamic policy-options prefix-list dyn_prfx2] user@R1# set 172.16.2.0/24 user@R1# set 172.16.3.0/24 user@R1# set 172.16.4.0/24 user@R1# set 172.16.5.0/24 user@R1# set 172.16.6.0/24
Configure the routing policies.
content_copy zoom_out_map[edit dynamic policy-options policy-statement dyn_policy1] user@R1# set term t1 from prefix-list dyn_prfx1 user@R1# set term t1 then accept user@R1# set term t2 then reject user@R1# set term t1 from prefix-list dyn_prfx2 user@R1# set term t1 then accept user@R1# set term t2 then reject
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Use the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure Device R1’s standard database:
Create the router interfaces.
content_copy zoom_out_map[edit interfaces] user@R1# set fe-1/2/0 unit 0 family inet address 10.0.0.2/30 user@R1# set fe-1/2/2 unit 0 family inet address 10.1.0.1/30 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.4.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.3.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.2.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.1.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.5.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.6.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.7.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.8.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.9.2/24 user@R1# set fe-1/2/1 unit 0 family inet address 172.16.10.2/24 user@R1# set fe-1/2/3 unit 0 family inet address 172.16.2.2/24 user@R1# set fe-1/2/3 unit 0 family inet address 172.16.3.2/24 user@R1# set fe-1/2/3 unit 0 family inet address 172.16.4.2/24 user@R1# set fe-1/2/3 unit 0 family inet address 172.16.5.2/24 user@R1# set fe-1/2/3 unit 0 family inet address 172.16.6.2/24 user@R1# set lo0 unit 0 family inet address 192.168.0.2/32
Create routing policies that reference the policies in the dynamic database.
content_copy zoom_out_map[edit policy-options] user@R1# set policy-statement dyn_policy1 dynamic-db user@R1# set policy-statement dyn_policy2 dynamic-db
Configure BGP peering with Device R0.
content_copy zoom_out_map[edit protocols bgp group to_r0] user@R1# set neighbor 10.0.0.1 peer-as 100
Apply the dynamic database policies to the BGP peering with Device R0.
content_copy zoom_out_map[edit protocols bgp group to_r0] user@R1# set neighbor 10.0.0.1 import dyn_policy1 user@R1# set neighbor 10.0.0.1 export dyn_policy2
Configure a prefix list for prefixes learned from Device R0.
content_copy zoom_out_map[edit policy-options prefix-list static_prfx2] user@R1# set 172.16.1.0/24 user@R1# set 172.16.2.0/24 user@R1# set 172.16.3.0/24 user@R1# set 172.16.4.0/24
Configure a prefix list for prefixes learned from Device R2.
content_copy zoom_out_map[edit policy-options prefix-list static_prfx1] user@R1# set 172.16.2.0/24 user@R1# set 172.16.3.0/24 user@R1# set 172.16.4.0/24 user@R1# set 172.16.5.0/24
Configure the static database policies.
content_copy zoom_out_map[edit policy-options policy-statement static_policy1] user@R1# set term t1 from prefix-list static_prfx1 user@R1# set term t1 then accept user@R1# set term t2 then reject [edit policy-options policy-statement static_policy2] user@R1# set term t1 from prefix-list static_prfx2 user@R1# set term t1 then accept user@R1# set term t2 then reject
Configure BGP peering with Device R2.
content_copy zoom_out_map[edit protocols bgp group to_R2] user@R1# set neighbor 10.1.0.2 peer-as 300
Apply the static database policies to the BGP peering with Device R2.
content_copy zoom_out_map[edit protocols bgp group to_R2] user@R1# set import static_policy1 user@R1# set export static_policy2
(Optional) Configure the router not to reestablish the BGP peering sessions after an active nonstop routing switchover either for a specified period or until you manually reestablish the session.
This statement is particularly useful with dynamic routing policies because the dynamic database is not synchronized with the backup Routing Engine when nonstop active routing (NSR) is enabled. As a result, if a switchover to a backup Routing Engine occurs, import and export policies running on the primary Routing Engine at the time of the switchover might no longer be available. Therefore, you might want to prevent a BGP peering session from automatically being reestablished as soon as a switchover occurs.
content_copy zoom_out_map[edit protocols bgp] user@R1# set group to_r0 idle-after-switch-over 300 user@R1# set group to_R2 idle-after-switch-over 300
Configure the autonomous system (AS) number.
content_copy zoom_out_map[edit routing-options] user@R1# set routing-options autonomous-system 200
Results
Confirm your configuration by entering the show command from configuration
mode in the dynamic database, and the show interfaces, show protocols, show policy-options and show routing-options commands from configuration
mode in the standard database. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
Device R1 Dynamic
[edit dynamic]
user@R1# show
policy-options {
prefix-list dyn_prfx1 {
172.16.1.0/24;
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.5.0/24;
172.16.6.0/24;
172.16.7.0/24;
172.16.8.0/24;
}
prefix-list dyn_prfx2 {
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.5.0/24;
172.16.6.0/24;
}
policy-statement dyn_policy1 {
term t1 {
from {
prefix-list dyn_prfx1;
}
then accept;
}
term t2 {
then reject;
}
}
policy-statement dyn_policy2 {
term t1 {
from {
prefix-list dyn_prfx2;
}
then accept;
}
term t2 {
then reject;
}
}
}
Device R1 Standard
[edit]
user@R1# show interfaces
fe-1/2/0 {
unit 0 {
family inet {
address 10.0.0.2/30;
}
}
}
fe-1/2/1 {
unit 0 {
family inet {
address 172.16.4.2/24;
address 172.16.3.2/24;
address 172.16.2.2/24;
address 172.16.1.2/24;
address 172.16.5.2/24;
address 172.16.6.2/24;
address 172.16.7.2/24;
address 172.16.8.2/24;
address 172.16.9.2/24;
address 172.16.10.2/24;
}
}
}
fe-1/2/2 {
unit 0 {
family inet {
address 10.1.0.1/30;
}
}
}
fe-1/2/3 {
unit 0 {
family inet {
address 172.16.2.2/24;
address 172.16.3.2/24;
address 172.16.4.2/24;
address 172.16.5.2/24;
address 172.16.6.2/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.2/32;
}
}
}
user@R1# show protocols
bgp {
group to_r0 {
idle-after-switch-over 300;
neighbor 10.0.0.1 {
import dyn_policy1;
export dyn_policy2;
peer-as 100;
}
}
group to_R2 {
import static_policy1;
export static_policy2;
idle-after-switch-over 300;
neighbor 10.1.0.2 {
peer-as 300;
}
}
}
user@R1# show policy-options
prefix-list static_prfx1 {
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.5.0/24;
}
prefix-list static_prfx2 {
172.16.1.0/24;
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
}
policy-statement dyn_policy1 {
dynamic-db;
}
policy-statement dyn_policy2 {
dynamic-db;
}
policy-statement static_policy1 {
term t1 {
from {
prefix-list static_prfx1;
}
then accept;
}
term t2 {
then reject;
}
}
policy-statement static_policy2 {
term t1 {
from {
prefix-list static_prfx2;
}
then accept;
}
term t2 {
then reject;
}
}
user@R1# show routing-options autonomous-system 200;
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Checking the Configured Policies on Device R1
- Checking the Routes Advertised from Device R0 to Device R1
- Checking the Routes That Device R1 Is Receiving from Device R0
- Checking the Routes Advertised from Device R2 to Device R1
- Checking the Routes That Device R1 Is Receiving from Device R2
- Checking the Routes That Device R1 Is Advertising to Device R0
- Checking the Routes That Device R1 Is Advertising to Device R2
Checking the Configured Policies on Device R1
Purpose
Verify that Device R1 has the dynamic and static policies in effect.
Action
From Device R1, enter the show policy command.
user@R1> show policy Configured policies: dyn_policy1 dyn_policy2 static_policy1 static_policy2 dyn_policy1 dyn_policy2
Meaning
The dynamic policies are listed two times because they are configured two times, the first and central configuration in the dynamic database. The secondary configuration is in the static database, where the dynamic database is referenced, as shown here:
Configured in the Dynamic Database
policy-statement dyn_policy1 {
term t1 {
from {
prefix-list dyn_prfx1;
}
then accept;
}
term t2 {
then reject;
}
}
policy-statement dyn_policy2 {
term t1 {
from {
prefix-list dyn_prfx2;
}
then accept;
}
term t2 {
then reject;
}
}
Referenced from the Static Database
policy-statement dyn_policy1 {
dynamic-db;
}
policy-statement dyn_policy2 {
dynamic-db;
}
Checking the Routes Advertised from Device R0 to Device R1
Purpose
Verify that Device R0’s routing policy is working.
Action
From Device R0, enter the show route advertising-protocol bgp command,
using the neighbor address for Device R1.
user@R0> show route advertising-protocol bgp 10.0.0.2 inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.1.0/24 Self I * 172.16.2.0/24 Self I * 172.16.3.0/24 Self I * 172.16.4.0/24 Self I * 172.16.5.0/24 Self I * 172.16.6.0/24 Self I * 172.16.7.0/24 Self I * 172.16.8.0/24 Self I * 172.16.9.0/24 Self I * 172.16.10.0/24 Self I * 10.0.0.0/30 Self I
Meaning
Device R0 is sending the expected routes to Device R1.
Checking the Routes That Device R1 Is Receiving from Device R0
Purpose
Verify that Device R1’s import routing policy is working.
Action
From Device R1, enter the show route receive-protocol bgp command,
using the neighbor address for Device R0.
user@R1> show route receive-protocol bgp 10.0.0.1 inet.0: 35 destinations, 51 routes (35 active, 0 holddown, 4 hidden) Prefix Nexthop MED Lclpref AS path 172.16.1.0/24 10.0.0.1 100 I 172.16.2.0/24 10.0.0.1 100 I 172.16.3.0/24 10.0.0.1 100 I 172.16.4.0/24 10.0.0.1 100 I 172.16.5.0/24 10.0.0.1 100 I 172.16.6.0/24 10.0.0.1 100 I 172.16.7.0/24 10.0.0.1 100 I 172.16.8.0/24 10.0.0.1 100 I
Meaning
Some of the routes that are sent by Device R0 are not received by Device R1.
The routes 172.16.9.0/24, 172.16.10.0/24, and 10.0.0.0/30 are missing. This is because Device
R1’s import policy, applied to the BGP peering session with Device R0 using the import dyn_policy1 statement, specifically defines a prefix list limited to the following
routes:
prefix-list dyn_prfx1 {
172.16.1.0/24;
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.5.0/24;
172.16.6.0/24;
172.16.7.0/24;
172.16.8.0/24;
}
Checking the Routes Advertised from Device R2 to Device R1
Purpose
Verify that Device R2’s routing policy is working.
Action
From Device R2, enter the show route advertising-protocol bgp command,
using the neighbor address for Device R1.
user@R2> show route advertising-protocol bgp 10.1.0.1 inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.2.0/24 Self I * 172.16.3.0/24 Self I * 172.16.4.0/24 Self I * 172.16.5.0/24 Self I * 172.16.6.0/24 Self I
Meaning
Device R2 is sending the expected routes to Device R1.
Checking the Routes That Device R1 Is Receiving from Device R2
Purpose
Verify that Device R1’s import routing policy is working.
Action
From Device R1, enter the show route receive-protocol bgp command,
using the neighbor address for Device R0.
user@R1> show route receive-protocol bgp 10.1.0.2 inet.0: 35 destinations, 51 routes (35 active, 0 holddown, 4 hidden) Prefix Nexthop MED Lclpref AS path 172.16.2.0/24 10.1.0.2 300 I 172.16.3.0/24 10.1.0.2 300 I 172.16.4.0/24 10.1.0.2 300 I 172.16.5.0/24 10.1.0.2 300 I
Meaning
One of the routes that is sent by Device R2 is not received by Device R1. The
route 172.16.6.0/24 is missing. This is because Device R1’s import policy, applied to
the BGP peering session with Device R2 using the import static_policy1 statement,
specifically defines a prefix list limited to the following routes:
prefix-list static_prfx1 {
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.5.0/24;
}
Checking the Routes That Device R1 Is Advertising to Device R0
Purpose
Verify that Device R1’s export routing policy is working.
Action
From Device R1, enter the show route advertising-protocol bgp command,
using the neighbor address for Device R0.
user@R1> show route advertising-protocol bgp 10.0.0.1 inet.0: 35 destinations, 51 routes (35 active, 0 holddown, 4 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.2.0/24 Self I * 172.16.3.0/24 Self I * 172.16.4.0/24 Self I * 172.16.5.0/24 Self I * 172.16.6.0/24 Self I
Meaning
Perhaps unexpectedly, the route that Device R1 did not receive through BGP from Device R2 (172.16.6.0/24) is nonetheless being advertised by Device R1 through BGP to Device R0. This is happening for two reasons. The first reason is that route 172.16.6.0/24 is in Device R1’s routing table, albeit as a direct route, as shown here:
user@R1> show route 172.16.6.0/24 protocol direct
inet.0: 35 destinations, 51 routes (35 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.6.0/24 *[Direct/0] 2d 22:51:41
> via fe-1/2/3.0The second reason is that Device R1’s export policy, applied to the BGP peering
session with Device R0 using the export dyn_policy2 statement, specifically defines
a prefix list limited to the following routes:
prefix-list dyn_prfx2 {
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
172.16.5.0/24;
172.16.6.0/24;
}
Note the inclusion of 172.16.6.0/24.
Checking the Routes That Device R1 Is Advertising to Device R2
Purpose
Verify that Device R1’s export routing policy is working.
Action
From Device R1, enter the show route advertising-protocol bgp command,
using the neighbor address for Device R2.
user@R1> show route advertising-protocol bgp 10.1.0.2 inet.0: 35 destinations, 51 routes (35 active, 0 holddown, 4 hidden) Prefix Nexthop MED Lclpref AS path * 172.16.1.0/24 Self I * 172.16.2.0/24 Self I * 172.16.3.0/24 Self I * 172.16.4.0/24 Self I
Meaning
Device R1 is sending the expected routes to Device R2. Device R1’s export
policy, applied to the BGP peering session with Device R2 using the export static_policy2 statement, specifically defines a prefix list limited to the following routes:
prefix-list static_prfx2 {
172.16.1.0/24;
172.16.2.0/24;
172.16.3.0/24;
172.16.4.0/24;
}
