policy-statement
Syntax (with terms)
policy-statement policy-name {
    term term-name {
        from {
            as-path-neighbors (as-list | as-list-group);
            as-path-origins (as-list | as-list-group);
            as-path-transits (as-list | as-list-group);
            as-path-unique-count count (equal | orhigher | orlower);
            as-path-calc-length count (equal | orhigher | orlower);
            community BGP community;
            family family-name;
            match-conditions;
            neighbor address;
            policy subroutine-policy-name;
            prefix-list prefix-list-name;
            prefix-list-filter prefix-list-name match-type <actions>;
            programmed;
            protocol protocol-name;
            route-filter destination-prefix match-type <actions> invert-match;
            validation-database-instance {
                database <database-name> state (valid|invalid|unknown);
                state (valid|invalid|unknown);
            }
            source-address-filter source-prefix match-type <actions>;
            tag value;
            traffic-engineering;
        }
        to {
            match-conditions;
            policy subroutine-policy-name;
        }
        then actions;
    }
    then {
        advertise-locator;
        aggregate-bandwidth;
        dynamic-tunnel-attributes dynamic-tunnel-attributes;
        limit-bandwidth limit-bandwidth;
        multipath-resolve;
        no-entropy-label-capability;
        prefix-attribute-flags;
        prefix-segment {
            index index;
            node-segment;
        }
        priority (high | medium | low);
        resolution-map map-name;
        set-down-bit srv6 sid-value;
    }
}
Syntax (without terms)
The policy statement configuration can be used without terms. An example configuration is shown below.
policy-statement policy-name
from <match-condition> then <action>
Hierarchy Level
[edit dynamic-profiles profile-name policy-options], [edit logical-systems logical-system-name policy-options], [edit policy-options]
Description
Define a routing policy, including subroutine policies.
A term is a named structure in which match conditions and actions are defined. Routing policies are made up of one or more terms. Each routing policy term is identified by a term name. The name can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose the entire name in double quotation marks.
Each term contains a set of match conditions and a set of actions:
- Match conditions are criteria that a route must match before the actions can be applied. If a route matches all criteria, one or more actions are applied to the route.
- Actions specify whether to accept or reject the route, control how a series of policies are evaluated, and manipulate the characteristics associated with a route.
Generally, a router compares a route against the match conditions of each term in a routing policy, starting with the first and moving through the terms in the order in which they are defined, until a match is made and an explicitly configured or default action of accept or reject is taken. If none of the terms in the policy match the route, the router compares the route against the next policy, and so on, until either an action is taken or the default policy is evaluated.
If none of the match conditions of each term evaluates to true, the final action is executed. The final action is defined in an unnamed term. Additionally, you can define a default action (either accept or reject) that overrides any action intrinsic to the protocol.
The order of match conditions in a term is not relevant, because a route must match all match conditions in a term for an action to be taken.
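The evaluation order described above, as an added example that is not Juniper code: a simplified Python model in which every condition of a term must match, terms and policies are walked in order, and an unmatched route falls through to the default policy. The match keys, policy names, sample routes and the default action passed in are constructed for the illustration.

```python
# Added illustration, not vendor code: a simplified model of policy evaluation order.
# Match keys, policy names and sample routes are constructed for this example.
TERMINATING = ("accept", "reject")

def term_matches(route, conditions):
    # Every condition in a term must match; their order is irrelevant.
    return all(route.get(key) == want for key, want in conditions.items())

def evaluate(route, policy_chain, default_action):
    """Walk policies and terms in order; return (action, location)."""
    for policy_name, terms in policy_chain:
        for term_name, conditions, action in terms:
            if term_matches(route, conditions) and action in TERMINATING:
                return action, f"{policy_name}/{term_name or '<unnamed>'}"
    # No term in any policy took an action: the default policy decides.
    return default_action, "default-policy"

DROP_TAGGED = ("drop-tagged", [("tagged", {"tag": 666}, "reject")])
PEER_IN = ("peer-in", [
    ("from-peer", {"protocol": "bgp", "neighbor": "192.0.2.1"}, "accept"),
])
# Same policy with an unnamed final term (no conditions) that rejects everything else.
PEER_IN_STRICT = ("peer-in-strict", PEER_IN[1] + [(None, {}, "reject")])

def demo():
    good = {"protocol": "bgp", "neighbor": "192.0.2.1", "tag": 0}
    tagged = dict(good, tag=666)
    other = {"protocol": "bgp", "neighbor": "198.51.100.7", "tag": 0}
    return {
        "good": evaluate(good, [DROP_TAGGED, PEER_IN], "accept"),
        "tagged": evaluate(tagged, [DROP_TAGGED, PEER_IN], "accept"),
        # Matches only one of the two conditions, so the term does not apply.
        "other_default": evaluate(other, [DROP_TAGGED, PEER_IN], "accept"),
        "other_strict": evaluate(other, [DROP_TAGGED, PEER_IN_STRICT], "accept"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "other" route shows why an explicit final term matters: without it the outcome depends entirely on the default policy in effect.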
To list the routing policies under the [edit policy-options] hierarchy level by policy-statement policy-name in alphabetical order, enter the show policy-options configuration command.
The statements are explained separately.
Options
actions—(Optional) One or more actions to take if the conditions match. The actions are described in Configuring Flow Control Actions.
family family-name—(Optional) Specify an address family protocol. Specify inet for IPv4. Specify inet6 for 128-bit IPv6, and to enable interpretation of IPv6 router filter addresses. For IS-IS traffic, specify iso. For IPv4 multicast VPN traffic, specify inet-mvpn. For IPv6 multicast VPN traffic, specify inet6-mvpn. For multicast-distribution-tree (MDT) IPv4 traffic, specify inet-mdt. For BGP route target VPN traffic, specify route-target. For traffic engineering, specify traffic-engineering.
When family is not specified, the routing device or routing instance uses the address family or families carried by BGP. If multiprotocol BGP (MP-BGP) is enabled, the policy defaults to the protocol family or families carried in the network layer reachability information (NLRI) as configured in the family statement for BGP. If MP-BGP is not enabled, the policy uses the default BGP address family unicast IPv4.
from—(Optional) Match a route based on its source address.
as-path-origins (as-list | as-list-group)—Compares the AS that originated the route. Evaluates if the rightmost AS number on the AS path belongs to the as-list or as-list-group specified in the as-path-origins configuration statement. In the case where the route has been aggregated, and the location of the originating AS contains an AS-set, the as-path-origins operator evaluates to true if any AS contained in the AS-set belongs to the as-list or as-list-group specified in the as-path-origins configuration statement.
as-path-neighbors (as-list | as-list-group)—Compares the neighbor AS in the AS path. Evaluates if the first AS number on the AS path matches the as-list or as-list-group specified in the as-path-neighbors configuration statement. If the neighboring AS location happens to be an AS-set, the as-path-neighbors operator evaluates to true if any AS contained in the AS-set belongs to the as-list or as-list-group specified in the as-path-neighbors configuration statement.
as-path-transits (as-list | as-list-group)—Compares any AS in the AS path. Evaluates to true when any AS belongs to the as-list or as-list-group specified in the as-path-transits configuration statement. In the case of an AS-set, the as-path-transits operator compares all the ASes in the AS-set.
as-path-calc-length count (equal | orhigher | orlower)—(Optional) Specify a number from 0 through 1024 to filter routes based on the number of calculated autonomous systems (ASs) in the AS path.
- ASs in a sequence count as 1.
- AS sets count as 1.
- BGP confederation segments count as 0.
as-path-unique-count count (equal | orhigher | orlower)—(Optional) Specify a number from 0 through 1024 to filter routes based on the total number of unique non-BGP confederation autonomous systems (ASs) in the AS path.
Duplicate AS numbers are ignored for the count.
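The two counting rules above, worked through in an added Python example (not Juniper code) on a constructed AS path with prepending, an AS set and a confederation segment. The bracket notation for segments and the choice to count each AS-set member individually in the unique count are assumptions of this example.

```python
import re

# Constructed notation (an assumption of this example): plain numbers form an
# AS sequence, {..} is an AS set, (..) and [..] are confederation segments.
TOKEN = re.compile(r"\{([^}]*)\}|\(([^)]*)\)|\[([^\]]*)\]|(\d+)")
KIND = {1: "set", 2: "confed", 3: "confed", 4: "seq"}

def parse_as_path(text):
    """Return a list of (kind, [asns]) segments in path order."""
    segments = []
    for m in TOKEN.finditer(text):
        kind = KIND[m.lastindex]
        asns = [int(a) for a in m.group(m.lastindex).split()]
        if kind == "seq" and segments and segments[-1][0] == "seq":
            segments[-1][1].extend(asns)   # adjacent plain ASNs share one sequence
        else:
            segments.append((kind, asns))
    return segments

def calc_length(segments):
    # Each AS in a sequence counts 1, a whole AS set counts 1,
    # confederation segments count 0.
    return sum(len(a) if k == "seq" else 1 if k == "set" else 0
               for k, a in segments)

def unique_count(segments):
    # Unique non-confederation AS numbers; duplicates such as prepends are ignored.
    # Assumption: every member of an AS set is counted individually.
    return len({asn for k, a in segments if k != "confed" for asn in a})

def matches(count, threshold, mode):
    # mode is one of the keywords from the syntax: equal, orhigher, orlower.
    return {"equal": count == threshold,
            "orhigher": count >= threshold,
            "orlower": count <= threshold}[mode]

# Constructed sample: AS 64500 prepended four times, documentation/private ASNs.
SAMPLE = "(65500 65501) 64500 64500 64500 64500 {64510 64511} 64496"

if __name__ == "__main__":
    segs = parse_as_path(SAMPLE)
    print("calc-length:", calc_length(segs), "unique-count:", unique_count(segs))
```

Prepending raises the calculated length but not the unique count, which is why the two conditions can give different answers for the same route.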
advertise-locator—(Optional) Enable IS-IS to summarize and advertise locator prefixes.
Range: 0-255
aggregate-bandwidth—(Optional) Enable BGP to advertise aggregate outbound link bandwidth for load balancing.
dynamic-tunnel-attributes dynamic-tunnel-attributes—(Optional) Choose a set of defined dynamic tunnel attributes for forwarding traffic over V4oV6 tunnels.
match-conditions—(Optional in from statement; required in to statement) One or more conditions to use to make a match. The qualifiers are described in Routing Policy Match Conditions.
multipath-resolve multipath-resolve–(Optional) Enable the use of all paths for resolution over the specified prefix.
limit-bandwidth limit-bandwidth—(Optional) Specify the limit for advertised aggregate outbound link bandwidth for load balancing.
- Range: 0 through 4,294,967,295 bytes
no-entropy-label-capability—(Optional) Disable the entropy label capability advertisement at egress or transit routes specified in the policy.
neighbor—(Optional) Specify a neighbor for route filtering.
priority (high | medium | low)—(Optional) Configure the priority for an IS-IS route to change the default order in which the routes are installed in the routing table, in the event of a network topology change.
policy subroutine-policy-name—Use another policy as a match condition within this policy. The name identifying the subroutine policy can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”). Policy names cannot take the form __.*-internal__, as this form is reserved. For information about how to configure subroutines, see Understanding Policy Subroutines in Routing Policy Match Conditions.
policy-name—Name that identifies the policy. The name can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose it in quotation marks (“ ”).
prefix-list prefix-list-name—Name of a list of IPv4 or IPv6 prefixes.
prefix-list-filter prefix-list-name—Name of a prefix list to evaluate using qualifiers; match-type is the type of match, and actions is the action to take if the prefixes match.
programmed—(Optional) Allow policy matches for routes injected by JET APIs.
protocol protocol-name—Name of the protocol used to control traffic engineering database import at the originating point.
For example, protocol srv6 matches SRv6 routes. Note that SRv6 routes are added to the routing infrastructure by BGP. To view all SRv6 routes, run show route protocol srv6.
Starting in Junos OS Release 19.1R1, you can specify options to match label IS-IS and label OSPF routes using the l-isis and l-ospf options, respectively. The isis option matches all IS-IS routes, excluding labelled IS-IS routes. The ospf option matches all OSPF routes, including OSPFv2, OSPFv3 and labelled OSPF routes.
resolution-map—(Optional) Set resolution map modes. A given resolution-map can be shared across multiple policy-statements.
route-filter destination-prefix match-type <actions>—(Optional) List of routes on which to perform an immediate match; destination-prefix is the IPv4 or IPv6 route prefix to match, match-type is the type of match (see Configuring Route Lists), and actions is the action to take if the destination-prefix matches.
When invert-match match-type is configured, it will return true if the route doesn't pass any prefixes defined in the route-filter-list. When you add the invert-match match-type, you only need to provide a list of prefixes it should not match instead of a list of prefixes it should.
source-address-filter source-prefix match-type <actions>—(Optional) Unicast source addresses in multiprotocol BGP (MBGP) and Multicast Source Discovery Protocol (MSDP) environments on which to perform an immediate match. source-prefix is the IPv4 or IPv6 route prefix to match, match-type is the type of match (see Configuring Route Lists), and actions is the action to take if the source-prefix matches.
tag value—(Optional) A numeric value that identifies a route. You can tag certain routes to prioritize them over other routes. In the event of a network topology change, Junos OS updates these routes in the routing table before updating other routes with lower priority. You can also tag some routes to identify and reject them based on your requirement.
term term-name—Name that identifies the term. The term name must be unique in the policy. It can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”). A policy statement can include multiple terms. We recommend that you name all terms. However, you do have the option to include an unnamed term which must be the final term in the policy. To configure an unnamed term, omit the term statement when defining match conditions and actions.
to—(Optional) Match a route based on its destination address or the protocols into which the route is being advertised.
then—(Optional) Actions to take on matching routes. The actions are described in Configuring Flow Control Actions and Configuring Actions That Manipulate Route Characteristics.
set-down-bit—(Optional) Configure this option to aggregate leaked locator routes using routing policies.
srv6 SID value - Enter the Segment Routing over IPv6 (SRv6) SID value. You use this configuration to define SID values for routes, which can also be SRv6 routes.
validation-database-instance—(Optional) Name to identify a validation-state with database name.
database-name <database-name>—(Optional) Route Validation Database name to be looked at.
state (valid|invalid|unknown)—(Optional) Name to identify a validation-state
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
Support for configuration in the dynamic database introduced in Junos OS Release 9.5.
Support for configuration in the dynamic database introduced in Junos OS Release 9.5 for EX Series switches.
inet-mdt option introduced in Junos OS Release 10.0R2.
route-target option introduced in Junos OS Release 12.2.
protocol and traffic-engineering options introduced in Junos OS Release 14.2.
no-entropy-label-capability option introduced in Junos OS Release 15.1.
priority and tag value options introduced in Junos OS Release 17.1.
as-path-unique-count option introduced in Junos OS Release 17.2R1.
prefix-segment option introduced in Junos OS Release 17.2R1 for MX Series routers, PTX Series routers, QFX5100 switches, and QFX10000 switches.
multipath-resolve and dynamic-tunnel-attributes options introduced in Junos OS Release 17.3R1.
aggregate-bandwidth and limit-bandwidth limit-bandwidth options introduced in Junos OS Release 17.4R1 for MX Series, PTX Series, and QFX Series.
l-isis and l-ospf keywords for the protocol option introduced in Junos OS Release 19.1R1.
resolution-map statement introduced in Junos OS Release 19.2R1-S1 on MX and PTX Series routers.
lsp and lsp-regex options introduced in Junos OS Release 19.4R1.
as-path-neighbors, as-path-origins, and as-path-transits statements introduced in Junos OS Release 21.3R1.
advertise-locator and set-down-bit options introduced in Junos OS Release 22.2R1.