Actually you really can use logical structures ; it's different from subroutines, and is called Policy Expressions.
By example here we use such beast (you'll use the logical operators NOT/OR/AND: ! || &&):
Here we match only bgp communities, but could match other stuff and set other attributes.
Original Message:
Sent: 03-28-2024 14:31
From: ANDREY LEO
Subject: Branching in JunOS policies
Gotcha, that makes sub routines even more useful!
Would definitely require some careful hierarchical and logic policy structuring architecture to get the most use out of it though.
Thanks for the info!
------------------------------
ANDREY LEO
Original Message:
Sent: 03-28-2024 14:20
From: Olivier Benghozi
Subject: Branching in JunOS policies
About the «then» clause in the subroutine:
- for non-terminating actions (setting localpref, community, tag, preference...): they are only effective if the final result of the term of the main/calling policy really accepts the route
- the terminating action in the subroutine (accept, reject) doesn't stop the evaluation in the main policy, it's just that this «from policy blah» line comes back to the main term/policy with:
- a «FALSE, doesn't match» for a reject
- a «TRUE, does match» for an accept. In this case it's necessary and actually isn't terminating at all.
So if the subroutine sets attribute A, does come back with a TRUE («accept»), and the main policy finally accepts the route («accept», or by default for BGP) and its «then» clause sets attribute B, you will have both attributes A and B for the accepted routes.
------------------------------
Olivier Benghozi
Original Message:
Sent: 03-28-2024 14:04
From: ANDREY LEO
Subject: Branching in JunOS policies
Ah I didn't know that, so you're saying the "then" clause from the subroutine
} then { local-preference 30950; accept; } }
will actually set the local-preference value, WHILST a route is being evaluated by the master policy (vpn-MyVRF-export)?
So say the route was 10.14.11.0/24 learnt via RIP with a preference of 254,
It will end up with a local-preference of 30950 and have communities "vpn-MyVRF-target" and "All-RouteSource-local" added to it?
Or, does it only use the sub routine to match the route, ignoring the values in the accept clause, meaning it will only add the communities leaving the LP untouched?
------------------------------
ANDREY LEO
Original Message:
Sent: 03-28-2024 08:50
From: Olivier Benghozi
Subject: Branching in JunOS policies
Hi Andrey,
when you write that «You can reference another policy within a policy (Juniper call it a subroutine), but that only allows you to match against things.»:
Actually you can well use a subroutine to SET stuff within the subpolicy (localpref, community, and so on). We use this to set always the same localprefs for VRF export routes by example, depending of their source protocol:
policy-statement vpn-MyVRF-export { term default-direct-static-rip-bgp { from { protocol [ static aggregate direct bgp rip ripng ]; policy [ Sub-static-to-bgp Sub-direct-to-bgp Sub-rip-to-bgp Sub-bgp-accept ]; } then { community add vpn-MyVRF-target; community add All-RouteSource-local; accept; }........}
... with subroutines like this (in which the «accept» doesn't really accept the route, since it's within a subroutine, but just sets the result of the boolean value at «true»):
policy-statement Sub-rip-to-bgp { term backup { from { protocol [ rip ripng ]; preference 254; } then { local-preference 30950; accept; } } term protocol { from protocol [ rip ripng ]; then { local-preference 31000; accept; } }}
------------------------------
Olivier Benghozi
Original Message:
Sent: 03-27-2024 06:32
From: ANDREY LEO
Subject: Branching in JunOS policies
Hey Scott,
I don't think you can quite do it in that way, the processing order is either "next term" or "next policy".
You can reference another policy within a policy (Juniper call it a subroutine), but that only allows you to match against things.
However, what is the exact logic behind the code you pasted?
Do you set communities a, b, and c if there's some common attribute matched, or, do you set each one based on some specific attributes matched?
You can always create a term at the bottom of a policy set that says to add community 10
#The following will only match 1 of route filters and set one community before moving to the next policy to add community 10.
#Use this if all attributes are different.
=====================================================================================================
set policy-options policy-statement community-manipulation term a from route-filter 10.0.0.0/16 exact
set policy-options policy-statement community-manipulation term a then community set 1
set policy-options policy-statement community-manipulation term a then next policy
set policy-options policy-statement community-manipulation term b from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement community-manipulation term b then community set 2
set policy-options policy-statement community-manipulation term b then next policy
set policy-options policy-statement community-manipulation term c from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement community-manipulation term c then community set 3
set policy-options policy-statement community-manipulation term c then next policy
set policy-options policy-statement community-manipulation then reject
set policy-options policy-statement add-community-10 then community add 10
set policy-options policy-statement add-community-10 then accept
set protocols bgp group RR import community-manipulation
set protocols bgp group RR import add-community-10
=====================================================================================================
#And if your matched attributes can be related, you would have to use next term instead until you get to the bottom of the policy.
#A prefix has the potential to match one or more of the route filters specified, meaning it can have one or more communities set, before eventually moving to the next policy to have community 10 added:
=====================================================================================================
set policy-options policy-statement community-manipulation term a from route-filter 10.0.0.0/16 orlonger
set policy-options policy-statement community-manipulation term a then community set 1
set policy-options policy-statement community-manipulation term a then next term
set policy-options policy-statement community-manipulation term b from route-filter 10.2.40.0/24 orlonger
set policy-options policy-statement community-manipulation term b then community set 2
set policy-options policy-statement community-manipulation term b then next term
set policy-options policy-statement community-manipulation term c from route-filter 10.10.120.77/32 exact
set policy-options policy-statement community-manipulation term c then community set 3
set policy-options policy-statement community-manipulation term c then next policy
set policy-options policy-statement community-manipulation then reject
set policy-options policy-statement add-community-10 then community add 10
set policy-options policy-statement add-community-10 then accept
set protocols bgp group RR import community-manipulation
set protocols bgp group RR import add-community-10
=====================================================================================================
#Of course you can mix and match both concepts to make more complex policies and terms, but that will be up to your requirements and setup.
But yes, sadly, I don't believe there is a way to arbitrarily skip between policies and terms.
Here are some links from the official material which may be able to help:
------------------------------
ANDREY LEO
Original Message:
Sent: 03-26-2024 04:02
From: SCOTT AITKEN
Subject: Branching in JunOS policies
Hi all,
Cisco route maps have a branching command (continue <n>
) where n
is another stanza in the route map. One use case for this is performing a common operation after a switch:
psuedocode:
case v:
a: set community 1, goto common
b: set community 2, goto common
c: set community 3, goto common
goto end
common:
add community 10
end:
Does JunOS have a way of doing this other than copying the common actions into each switch?
Thanks.
------------------------------
SCOTT AITKEN
------------------------------