Routing


Policy Option in Logical LAN

  • 1.  Policy Option in Logical LAN

    Posted 02-15-2019 20:22

    Hi Team, 

    I am migrating a Cisco router to a Juniper MX-480 and here is the part I am stuck at. I have a Route-Map in Cisco which has 4 policy statements - 

    route-map RM-1 permit 10
    match ip address prefix-list PL-1 PL-2 PL-3 PL-4
    set local-preference 140
    !
    route-map RM-1 permit 20
    match ip address prefix-list PL-5
    match as-path 100
    set local-preference 140
    !
    route-map RM-1 permit 25
    match ip address prefix-list PL_6 PL_7
    match as-path 55
    set local-preference 140
    !
    route-map RM-1 permit 30
    !

    Essentially, we have 4 statements
    1. Matches 4 PL in Logical OR
    2. Matches 1 PL and 1 AS Path in Logical AND and applies Local Pref
    3. Matches 2 PL in OR and then matches the result of them to an AS Path in a Logical AND and applies local pref
    4. Matches everything else

     

    I am not sure how to convert it into Juniper Code. By Juniper's own documentation, any time we use PL in a Policy statement, then all the statements in that term become Logical OR. 

    To do Logical AND, we would need to use next policy action and create new policy. So essentially my code would look something like this - 

    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-1
    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-2
    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-3
    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-4
    set policy-options policy-statement RM-1 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-1 term term-PL1 then accept

    set policy-options policy-statement RM-2 term term-PL2 from policy PL-5
    set policy-options policy-statement RM-2 term term-PL2 then next-policy

    set policy-options policy-statement RM-3 term term-PL1 from policy ap-100
    set policy-options policy-statement RM-3 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-3 term term-PL1 then accept

    set policy-options policy-statement RM-4 term term-1 from PL-6
    set policy-options policy-statement RM-4 term term-1 then next policy

    set policy-options policy-statement RM-5 term term-PL1 from policy ap-55
    set policy-options policy-statement RM-5 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-5 term term-PL1 then accept

    set policy-options policy-statement RM-6 term term-1 from PL-7
    set policy-options policy-statement RM-6 term term-1 then next policy

    set policy-options policy-statement RM-7 term term-PL1 from policy ap-50
    set policy-options policy-statement RM-7 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-7 term term-PL1 then accept

     

    But I will now have to apply 7 Export statements under BGP neighbour where I want to apply this. And that too in proper AND and OR manner. 

     

    Another way I can think of is to have one master Policy option with multiple terms branching out using next policy option set. For example - 

    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-1
    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-2
    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-3
    set policy-options policy-statement RM-1 term term-PL1 from prefix-list PL-4
    set policy-options policy-statement RM-1 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-1 term term-PL1 then accept

    set policy-options policy-statement RM-1 term term-PL2 from policy PL-5
    set policy-options policy-statement RM-1 term term-PL2 then next-policy

    set policy-options policy-statement RM-3 term term-PL1 from policy ap-100
    set policy-options policy-statement RM-3 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-3 term term-PL1 then accept

    set policy-options policy-statement RM-1 term term-PL3 from PL-6
    set policy-options policy-statement RM-1 term term-PL3 then next policy

    set policy-options policy-statement RM-5 term term-PL1 from policy ap-55
    set policy-options policy-statement RM-5 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-5 term term-PL1 then accept

    set policy-options policy-statement RM-1 term term-PL4 from PL-7
    set policy-options policy-statement RM-1 term term-PL4 then next policy

    set policy-options policy-statement RM-7 term term-PL1 from policy ap-50
    set policy-options policy-statement RM-7 term term-PL1 then local-preference 140
    set policy-options policy-statement RM-7 term term-PL1 then accept

     

    and I just apply RM1 to the Export statement under BGP neighbour. But I am not sure if, once branching out using the next policy statement, it would go back to the next term in the previous policy statement. 

     

    Any help in this would be highly appreciated. 

     

    I also have a TAC case open and intend to spin up a lab to test as well, but want to see if any one of you has any suggestions. 

     

     



  • 2.  RE: Policy Option in Logical LAN
    Best Answer

    Posted 02-15-2019 23:16

    Hello,

     


    @sriram12 wrote:

     

    I am not sure how to convert it into Juniper Code. By Juniper's own documentation, any time we use PL in a Policy statement, then all the statements in that term become Logical OR. 

     

     


     

    This is incorrect, please point me to a link which says so and we get it fixed.

    In JUNOS policy-statement CLI, the matches of same nature are logically ORed and matches of different nature are logically ANDed.

    If you have this policy:

    set policy-options policy-statement P1 term t1 from prefix-list PXL1
    set policy-options policy-statement P1 term t1 from prefix-list PXL2
    set policy-options policy-statement P1 term t1 from route-filter 10/8 exact
    set policy-options policy-statement P1 term t1 then accept
    set policy-options policy-statement P1 term t2 then reject

    - then it matches any route which is defined in prefix-list PXL1, or PXL2, or the 10/8 exact route. It does so because the match is sought only in the route prefix+netmask, irrespective of where it is received from.

     

    If you examine another policy:

    set policy-options policy-statement P1 term t1 from prefix-list PXL1
    set policy-options policy-statement P1 term t1 from prefix-list PXL2
    set policy-options policy-statement P1 term t1 from route-filter 10/8 exact
    set policy-options policy-statement P1 term t1 from neighbor 198.51.100.1
    set policy-options policy-statement P1 term t1 then accept
    set policy-options policy-statement P1 term t2 then reject

    - then it will logically OR PXL1, PXL2, 10/8 ; and then logically AND "neighbor 198.51.100.1".

     In other words, whatever prefix/netmask is contained in PXL1, or PXL2, or 10/8 will also need to come from neighbor 198.51.100.1 to be accepted.

    Hope this makes sense.

    HTH

    Thx
    Alex


    #AcceptasSolution
    #kudos


  • 3.  RE: Policy Option in Logical LAN

    Posted 02-19-2019 07:48

    Alex,

    Here is the article that I was referencing - 

    https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/policy-configuring-match-conditions-in-routing-policy-terms.html

     

    Below is the excerpt - 

    All conditions in the from and to statements must match for the action to be taken. The match conditions defined in Table 2 are effectively a logical AND operation. Matching in prefix lists and route lists is handled differently. They are effectively a logical OR operation. If you configure a policy that includes some combination of route filters, prefix lists, and source address filters, they are evaluated according to a logical OR operation or a longest-route match lookup.

     

    I took this to mean that if, in the terms, there are any PL or Route-Filters, it would be evaluated as Logical OR. 

     



  • 4.  RE: Policy Option in Logical LAN

     
    Posted 02-19-2019 16:33

    Hi Mukul,

     

    Hope the interpretation of that link is clear now based on Alex's point - all three match conditions mentioned i.e. source-address-filter, prefix-list and route-filter are essentially of the same type and hence logically "ORed".  Different match condition types are logically "ANDed".

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 5.  RE: Policy Option in Logical LAN

    Posted 02-19-2019 19:06

    It most certainly is. 

    Thank you both of you. Appropriate tags will be added. 



  • 6.  RE: Policy Option in Logical LAN

    Posted 02-21-2019 18:03

     

    I tried applying the policy to my router today and it didn't work. 

    It's not setting the Local Pref to 140 for the routes that are matching both the statements and is leaving the local-pref at 100.



  • 7.  RE: Policy Option in Logical LAN

     
    Posted 02-21-2019 22:55

    Hi Mukul,

     

    If this is applied as an export policy, we'd check for the LP in RIB-OUT, i.e.:

    show route advertising-protocol bgp <neighbor-ip>

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

     



  • 8.  RE: Policy Option in Logical LAN

     
    Posted 02-22-2019 16:22

    What is the route in question and what are the exact contents of the prefix lists?

     

    Note that if you use simple prefix lists like this the match of the route is pretty much exact.  If you need scopes like up to or longer you will use prefix list filters.

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-list-filter-edit-policy-options.html

     



  • 9.  RE: Policy Option in Logical LAN

     
    Posted 02-15-2019 23:40

    @Sriram,

     

    Agree with Alex.   

    To this effect, the below policy must be the equivalent based on your description.  For example, term 10 matches the route as (PL-1 or PL-2 or PL-3 or PL-4) and applies LP of 140.  If the route does NOT match, then it moves to term 20, and there the route should match PL-5 AND AS-PATH 55 to apply LP of 140, and so on:

     

    set policy-options policy-statement RM-1 term 10 from prefix-list PL-1
    set policy-options policy-statement RM-1 term 10 from prefix-list PL-2
    set policy-options policy-statement RM-1 term 10 from prefix-list PL-3
    set policy-options policy-statement RM-1 term 10 from prefix-list PL-4
    set policy-options policy-statement RM-1 term 10 then local-preference 140
    set policy-options policy-statement RM-1 term 10 then accept

     

    set policy-options policy-statement RM-1 term 20 from prefix-list PL-5
    set policy-options policy-statement RM-1 term 20 from as-path 100
    set policy-options policy-statement RM-1 term 20 then local-preference 140
    set policy-options policy-statement RM-1 term 20 then accept

     

    set policy-options policy-statement RM-1 term 25 from prefix-list PL-6
    set policy-options policy-statement RM-1 term 25 from prefix-list PL-7
    set policy-options policy-statement RM-1 term 25 from as-path 55
    set policy-options policy-statement RM-1 term 25 then local-preference 140
    set policy-options policy-statement RM-1 term 25 then accept

     

    set policy-options policy-statement RM-1 term 30 then accept

     

    References:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-routing-policies-evaluation-method.html

    https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/policy-configuring-match-conditions-in-routing-policy-terms.html

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).
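
A simplified model of the evaluation described in this thread, as an added example that is not part of any post and not Juniper code: same-type conditions in a term are ORed, different types are ANDed, a plain prefix-list matches exactly, and the first matching term wins. The prefix-list contents, the AS numbers and the as-path patterns (written as Python regexes, not Junos syntax) are constructed assumptions, since the thread never shows them.

```python
import ipaddress
import re

# Constructed sample data: the thread never shows prefix-list or as-path contents.
PREFIX_LISTS = {
    "PL-1": ["192.0.2.0/24"], "PL-2": [], "PL-3": [], "PL-4": [],
    "PL-5": ["198.51.100.0/24"],
    "PL-6": ["203.0.113.0/25"], "PL-7": ["203.0.113.128/25"],
}
AS_PATHS = {"100": r".* 65010", "55": r"65055( .*)?"}  # Python regex, not Junos syntax

# RM-1 as posted in the reply: (term, from-conditions grouped by type, local-pref).
RM_1 = [
    ("10", {"prefix-list": ["PL-1", "PL-2", "PL-3", "PL-4"]}, 140),
    ("20", {"prefix-list": ["PL-5"], "as-path": ["100"]}, 140),
    ("25", {"prefix-list": ["PL-6", "PL-7"], "as-path": ["55"]}, 140),
    ("30", {}, None),  # no from clause: matches every route, local-pref untouched
]

def type_matches(kind, names, prefix, as_path):
    """Conditions of the same type are ORed: any listed name may match."""
    if kind == "prefix-list":
        net = ipaddress.ip_network(prefix)
        # A plain prefix-list matches the exact prefix and length only.
        return any(net == ipaddress.ip_network(p)
                   for n in names for p in PREFIX_LISTS[n])
    if kind == "as-path":
        return any(re.fullmatch(AS_PATHS[n], as_path) for n in names)
    raise ValueError(f"unsupported match type: {kind}")

def evaluate(policy, prefix, as_path, local_pref=100):
    """Return (term, local-pref) for the first term whose types all match (AND)."""
    for term, conditions, new_lp in policy:
        if all(type_matches(k, v, prefix, as_path) for k, v in conditions.items()):
            return term, (new_lp if new_lp is not None else local_pref)
    return None, local_pref  # no term matched; the default policy would apply

if __name__ == "__main__":
    for pfx, path in [("198.51.100.0/24", "65001 65010"),   # PL-5 AND as-path 100
                      ("198.51.100.0/24", "65001 65002"),   # PL-5 only: falls to term 30
                      ("203.0.113.0/24", "65055")]:         # /24 is not the listed /25
        print(pfx, path, "->", evaluate(RM_1, pfx, path))
```

A route that lands in term 30 with local-pref 100 when term 20 or 25 was expected points at either an inexact prefix length or an as-path that does not match, which is what the RIB-OUT check and the prefix-list question in the replies above are probing.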