JunOS_2_routingessentials

JUNOS Routing Essentials

The match type orlonger means that routes within the specified prefix with a prefix length greater than or equal to the given prefix length match the filter statement. So, the exact route 192.168.0.0/16 on the slide matches the statement. In addition, all routes that are subsets of 192.168.0.0/16 and that have prefix lengths between /17 and /32 also match. For example, the following prefixes match the statement: 192.168.0.0/16, 192.168.65.0/24, 192.168.24.89/32, 192.168.128/18, and 192.168.0.0/17. The following prefixes do not match the statement: 10.0.0.0/16, 192.167.0.0/17, 192.168.0.0/15, and 200.123.45.0/24.

Routing Policy and Firewall Filters • Chapter 3–13

JUNOS Routing Essentials

longer Reproduction

The match type longer means that routes within the specified prefix with a prefix length greaterforthan the given prefix length match the filter statement. (The longer and orlonger match types differ only in that th specified prefix itself matches the orlonger match type, but not the longer match type.) From the example on the slide, all utes that are subsets of 192.168.0.0/16 and have prefix lengths between /17 and /32 match, while 192.168.0.0/16 does not.

Notupto

The upto match type is similar to the orlonger match type, except that it provides an upper limit to the acceptable prefix length. The match type upto means that routes within the specified prefix with a prefix length greater than or equal to the given prefix’s length, but less than or equal to the upto prefix length, match the filter statement. Thus, using the example on the slide, the exact route 192.168.0.0/16 matches the statement. All routes that are subsets of 192.168.0.0/16 and have prefix lengths between /17 and /24 (inclusive) also match. The following prefixes match the statement: 192.168.0.0/16, 192.168.65.0/24, 192.168.128.0/18, and 192.168.0.0/17. The following prefixes do not match the statement: 192.168.0.0/ 25, 192.168.24.89/32, 10.0.0.0/16, 192.167.0.0/17, and 200.123.45/24.

Chapter 3–14 • Routing Policy and Firewall Filters

JUNOS Routing Essentials

prefix-lengthReproduction-range

The prefix-length-range match type is similar to the upto match type, except that it p ovides both a lower and an upper limit to the acceptable prefix length. The match type p efix-length-range means that routes within the specified prefix with a p efix length greater than or equal to the first given prefix length, but less than

forequal to the second prefix length, match the filter statement. Thus, using the example n the slide, all routes that are subsets of 192.168.0.0/16 and that have prefix lengths between /20 and /24 (inclusive) match. The following prefixes match he statement: 192.168.0.0/20, 192.168.128.0/21, and 192.168.64.0/24. The

Notf llowing prefixes do not match the statement: 192.168.0.0/16, 192.168.24.89/32, 10.0.0.0/16, 192.167.0.0/17, 200.123.45/24, and 192.168.128.0/18.

Continued on next page.

Routing Policy and Firewall Filters • Chapter 3–15

JUNOS Routing Essentials

through

The through match type is very different than the other match types. The through match type matches all prefixes directly along the radix tree between two specified prefixes. The second prefix must be a subset of the first prefix. This match type matches the second (more specific) prefix and all prefixes of which it is a subset that are also equal to or more specific than the first prefix. In other words, this match type matches the second (more specific) prefix, the next most specific prefix of which it is a part, the next most specific prefix of which that one is a part, and so on, until reaching the first specified prefix. In the example on the slide, 192.168.16.0/20 matches. Because 192.168.16.0/20 is a subset of 192.168.0.0/19, 192.168.0.0/18, 192.168.0.0/17, and 192.168.0.0/16 and all those prefixes are also equal to or more specific than 192.168.0.0/16, they also match. No other prefixes match this example.

As another example, consider the statement from route-filter

Chapter 3–16 • Routing Policy and Firewall Filters

JUNOS Routing Essentials

Route Filter Match Typ s

The diagram the slide illustrates the different route filter match types.

forleast specific entry. Once the software finds a match, it then evaluates the route Notagainst the route filter match type. If a match exists, the route matches the route

filter. If the prefix does not match the route filter, the comparison fails even if the prefix might match a less specific entry in the route filter. We suggest you read the “How a Route List is Evaluated” section in the JUNOS Policy Framework Configuration Guide before using route lists.

Routing Policy and Firewall Filters • Chapter 3–17

JUNOS Routing Essentials

Common Actions Reproduction

Some common routing policy actions include the terminating actions of accept and reject. These a e named terminating actions because they cause the evaluation of the policy (and policy chain) to stop and the route to be accepted or rejected. The nonterminating equivalents of default-action accept and default-action

Other common actions modify protocol attributes such as BGP communities, route preference, and many others.

Chapter 3–18 • Routing Policy and Firewall Filters

Routing Policy and Firewall Filters • Chapter 3–19

JUNOS Routing Essentials

Applying Routing Policy

configuration hierarchy apply to lower levels of the configuration if no other policy configuration exists at that level. However, if you configure a policy at a lower level, the system applies only that policy.

Chapter 3–20 • Routing Policy and Firewall Filters

JUNOS Routing Essentials

Policy ChainingReproduction

You can cascade policies to form a chain of policy processing. You can create this

chain of policies to solve a complex set of route manipulation tasks in a modular mannerfor.

JUNOS S ftwa e evaluates policies from left to right based on the order in which they are applied to a routing protocol. JUNOS Software checks the match criteria of each

Notpolicy and performs the associated action when a match occurs. If the first policy does not match if the match is associated with a nonterminating action, JUNOS Software evaluates the route against the next policy in the chain. This pattern repeats itself for all policies in the chain. JUNOS Software ultimately applies the default policy for a given protocol when no terminating actions occur while evaluating the user-defined policy chain. We defined the default routing policies earlier in this chapter.

Policy processing stops once a route meets a terminating action—unless you are grouping policies with Boolean operators. Grouping policies for logical operations, such as AND or OR, is a subject that is beyond the scope of this class.

Continued on next page.

Routing Policy and Firewall Filters • Chapter 3–21

JUNOS Routing Essentials

Policy Chaining (contd.)

As previously mentioned, individual policies can comprise multiple terms. Terms are individual match and action pairs that you can name numerically or symbolically.

JUNOS Software lists terms sequentially from top to bottom and evaluates them in that manner. The software checks each term for its match criteria. When a match occurs, the software performs the associated action. If no match exists in the first term, the software checks the second term. If no match exists in the second term, JUNOS Software checks the third term. This pattern repeats itself for all terms. If no match exists in the last term, JUNOS Software checks the next applied policy and then, eventually, the default policy for the protocol.

When it finds a match within a term, JUNOS Software takes the corresponding action. If the action is a terminating action, the processing of the terms and the applied policies stops—otherwise processing continues.

JUNOS Software also supports flow-control actions that affect the fl w of policy

Chapter 3–22 • Routing Policy and Firewall Filters