Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  BGP nested policy failing

    Posted 12-17-2022 02:47
    Any thoughts on why ::/0 is accepted in this example?

    group xx {
        ...
        import [ test1 test2 ];
        ...
    }
    
    policy-statement test1 {
        term deny {
            from policy [ default ];
            then reject;
        }
    }
    
    policy-statement default {
        term deny {
            from {
                family inet6;
                route-filter ::/0 exact;
            }
            then accept;
        }
        then reject;
    }
    
    policy-statement test2 {
        term allow {
            from {
                family inet6;
            }
            then accept;
        }
        then reject;
    }


    ------------------------------
    Dan Graham
    ------------------------------


  • 2.  RE: BGP nested policy failing

    Posted 12-17-2022 05:46
    Edited by spuluka 12-17-2022 05:56
    Change this accept to reject and remove that final reject in this policy
            from {
                family inet6;
                route-filter ::/0 exact;
            }
            then accept;


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: BGP nested policy failing

    Posted 12-17-2022 11:35
    I set to accept based on the below statement, is this not the case?


    "The action specified in a subroutine is used to provide a match condition to the calling policy. If the subroutine specifies an action of accept, the calling policy considers the route to be a match. If the subroutine specifies an action of reject, the calling policy considers the route not to match."

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/policy-configuring-subroutines-in-routing-policy-match-conditions.html

    ------------------------------
    Dan Graham
    ------------------------------



  • 4.  RE: BGP nested policy failing

    Posted 12-18-2022 01:12
    Edited by daa 12-18-2022 02:40
    Changing the action to reject in the sub policy does not change the behavior.

    ------------------------------
    Dan Graham
    ------------------------------



  • 5.  RE: BGP nested policy failing

    Posted 01-03-2023 05:52
    I've almost never seen "bare" ("term-less"? "non-term based"?) policies used*, rather than term-based ones, and you've mixed both in one policy.

    At a (complete) guess, this is tripping up the "sub-routine" use of the policy, and policy default is always returning false.
    Try
    policy-statement default {
        term deny {
            from {
                family inet6;
                route-filter ::/0 exact;
            }
            then accept;
        }
        term last {
            then reject;
        }
    }
    and personally I would also avoid that mixed use of term/non-term completely;
    policy-statement test2 {
        term allow {
            from {
                family inet6;
            }
            then accept;
        }
        term last {
            then reject;
        }
    }


    If it's not that, then the only differences between what you've got and a working policy (correctly rejecting a default) are:
    I don't use "family inet6" or "exact"

    > show configuration policy-options policy-statement SUB_DEFAULT_OR_SHORT_V6
    term MATCH {
        from {
            route-filter ::/0 prefix-length-range /0-/11;
        }
        then accept;
    }
    term LAST_TERM {
        then reject;
    }



    *Other than as "utility" policies, like...

    set policy-options policy-statement ECMP then load-balance per-packet
    set policy-options policy-statement REJECT then reject



  • 6.  RE: BGP nested policy failing

    Posted 01-03-2023 15:58
    I had tested this prior without the use of term-less policies with the same result.

    I will try stripping out the other items to see if that has any effect.

    The policy contains filtering for IPv4 as well.


    Thanks for the input.

    ------------------------------
    Dan Graham
    ------------------------------



  • 7.  RE: BGP nested policy failing

    Posted 01-09-2023 02:50

    Hi!

    So, I tried this using an EBGP connection.

    Here are the configs:

    skhan@vMX5> show configuration policy-options | display set 
    set policy-options policy-statement BGP-DEFAULT-ROUTE-EXPORT from family inet6
    set policy-options policy-statement BGP-DEFAULT-ROUTE-EXPORT from route-filter ::/0 exact
    set policy-options policy-statement BGP-DEFAULT-ROUTE-EXPORT then accept
                          
    skhan@vMX5> show configuration interfaces ge-0/0/0 | display set 
    set interfaces ge-0/0/0 unit 0 family inet address 10.100.56.1/30
    set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::1/64
    
    skhan@vMX5> show configuration protocols bgp | display set 
    set protocols bgp group AS-64513 family inet6 unicast
    set protocols bgp group AS-64513 peer-as 64513
    set protocols bgp group AS-64513 neighbor 10.100.56.2 family inet unicast
    set protocols bgp group AS-64513 neighbor 2001:db8::2 family inet6 unicast
    set protocols bgp group AS-64513 neighbor 2001:db8::2 export BGP-DEFAULT-ROUTE-EXPORT

    skhan@vMX6> show configuration protocols bgp | display set 
    set protocols bgp group AS-64513 peer-as 64512
    set protocols bgp group AS-64513 neighbor 10.100.56.1 family inet unicast
    set protocols bgp group AS-64513 neighbor 2001:db8::1 import test1
    set protocols bgp group AS-64513 neighbor 2001:db8::1 import test2
    set protocols bgp group AS-64513 neighbor 2001:db8::1 family inet6 unicast
    
    skhan@vMX6> show configuration policy-options | display set 
    set policy-options policy-statement default term deny from family inet6
    set policy-options policy-statement default term deny from route-filter ::/0 exact
    set policy-options policy-statement default term deny then accept
    set policy-options policy-statement default then reject
    set policy-options policy-statement test1 term deny from policy default
    set policy-options policy-statement test1 term deny then reject
    set policy-options policy-statement test2 term allow from family inet6
    set policy-options policy-statement test2 term allow then accept
    set policy-options policy-statement test2 then reject
    
    skhan@vMX6> show configuration interfaces ge-0/0/0 | display set 
    set interfaces ge-0/0/0 unit 0 family inet address 10.100.56.2/30
    set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::2/64

    Just to double check, here are your policies in hierarchical format.

    skhan@vMX6> show configuration policy-options 
    policy-statement default {
        term deny {
            from {
                family inet6;
                route-filter ::/0 exact;
            }
            then accept;
        }
        then reject;
    }
    policy-statement test1 {
        term deny {
            from policy default;
            then reject;
        }
    }
    policy-statement test2 {
        term allow {
            from family inet6;
            then accept;
        }
        then reject;
    }

    RESULTS

    skhan@vMX5> show route advertising-protocol bgp 2001:db8::2  
    
    inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
      Prefix  Nexthop       MED     Lclpref    AS path
    * ::/0                    Self                                    I
    
    
    skhan@vMX6> show route receive-protocol bgp 2001:db8::1 hidden detail 
    
    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    
    inet6.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
      ::/0 (1 entry, 0 announced)
         Nexthop: 2001:db8::1
         AS path: 64512 I 
         Hidden reason: Rejected by import policy

    Your policies are working, at least in JUNOS 21.1R3.11.



    ------------------------------
    SHAHBAZ KHAN
    ------------------------------
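
A simplified model of the evaluation discussed in this thread, added as an example and not part of any post or of Junos itself: it encodes the three posted policies and walks the `[ test1 test2 ]` import chain using the subroutine rule quoted in post 3. The term encoding, the function names and the sample prefixes other than ::/0 are constructed for illustration.

```python
import ipaddress

# The thread's policies as (match, action) terms. A term-less "then reject"
# is modelled as a final term with an empty match (matches every route).
POLICIES = {
    "default": [({"family": "inet6", "exact": "::/0"}, "accept"), ({}, "reject")],
    "test1": [({"policy": "default"}, "reject")],
    "test2": [({"family": "inet6"}, "accept"), ({}, "reject")],
}
BGP_IMPORT_DEFAULT = "accept"  # Junos default BGP import action when no term terminates


def term_matches(cond, net):
    family = "inet6" if net.version == 6 else "inet"
    if "family" in cond and cond["family"] != family:
        return False
    if "exact" in cond and net != ipaddress.ip_network(cond["exact"]):
        return False
    if "policy" in cond:
        # Subroutine: accept means "match", reject means "no match".
        # A subroutine that never terminates falls back to the default action.
        verdict = run_policy(cond["policy"], net) or BGP_IMPORT_DEFAULT
        return verdict == "accept"
    return True


def run_policy(name, net):
    """Return the first terminating action, or None if no term matched."""
    for cond, action in POLICIES[name]:
        if term_matches(cond, net):
            return action
    return None


def evaluate_import(chain, prefix):
    net = ipaddress.ip_network(prefix)
    for name in chain:
        verdict = run_policy(name, net)
        if verdict:
            return verdict
    return BGP_IMPORT_DEFAULT


if __name__ == "__main__":
    for prefix in ("::/0", "2001:db8:100::/48", "192.0.2.0/24"):  # constructed samples
        print(prefix, "->", evaluate_import(["test1", "test2"], prefix))
```

Under this model ::/0 is rejected by `test1`, which agrees with the "Rejected by import policy" result shown in post 7, while other IPv6 prefixes fall through to `test2` and are accepted.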