Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  easy route-filter question

    Posted 03-03-2013 23:52

    Hello, I'm reading the book "Junos Enterprise Routing" and saw an interesting statement about route-filters.

     

    "Consider this route-filter example, and what will happen
    when route 200.0.67.0/24 is evaluated against it:

     

    [edit policy-options policy-statement test_me]
    user@host# show
    from {
        route-filter 200.0.0.0/16 longer reject;
        route-filter 200.0.67.0/24 longer;
        route-filter 200.0.0.0/8 orlonger accept;
    }
    then {
        metric 10;
        accept;
    }

     

    The question is, will route 200.0.67.0/24 match this term, and if so, is it accepted, is it
    rejected, or does it have its metric set to 10 before being accepted? Think carefully, and
    consider how longest matching is performed, along with how the match type comes
    into play.
    If you answered “The route does not match, and is neither accepted, nor rejected, and
    no metric modification is made,” give yourself a well-deserved pat on the back."

     

    The book says that the route (200.0.67.0/24) will not be 'caught' by this route filter. But it's clear that the route filter term's first entry will catch the route and reject it "(route-filter 200.0.0.0/16 longer reject)".

     

    Am I missing something here?

     

    Thanks..

     

     



  • 2.  RE: easy route-filter question

    Posted 03-04-2013 00:20

    The "reject" word can have several meanings:

     

    - In the "then reject" clause, the previously matched route (at the "from" block) is rejected by the policy

    - In the "from ... reject" clause, it means that the route is NOT matched by the term, and it's evaluated by the next term in the policy chain.



  • 3.  RE: easy route-filter question
    Best Answer

    Posted 03-04-2013 01:30

    My two cents:

    http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/how-a-route-list-is-evaluated.html
    http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/config-guide-policy/policy-configuring-route-lists-for-use-in-routing-policy-match-conditions.html

    All policies have default actions in case one of the following situations arises during policy evaluation:
    • A policy does not specify a match condition.
    • A match occurs, but a policy does not specify an action.
    • A match does not occur with a term in a policy and subsequent terms in the same policy exist.
    • A match does not occur by the end of a policy.

    The policy framework software performs a longest-match lookup, which means that the software searches for the prefix in the list with the longest length.
    The longest-match lookup considers the prefix and prefix length only and NOT the MATCH TYPE. Once an incoming route matches a prefix (longest first), the following occur:
    The route filter stops evaluating other prefixes, even if the match type fails.
    The software examines the match type and action associated with that prefix.
    If a match occurs, the action specified with the prefix is taken. If an action is not specified with the prefix, the action in the then statement is taken.

    In this case
    200.0.67.0/24

    route-filter 200.0.0.0/16 longer reject; does not match - continue evaluation

    route-filter 200.0.67.0/24 longer; The prefix and prefix length is considered the longest match, but the match type says do not include this exact prefix/length, hence the match type is a fail; therefore go to the next term or next policy if no terminating action is reached.

    route-filter 200.0.0.0/8 orlonger accept - Not evaluated

    Since this route/prefix is a match 200.0.67.0/24 continue evaluating which means it will be accepted and installed in the routing table since the default action is to accept.
    200.0.67.0/24-/32 would be a match and the metric 10 would be added.
    If the prefix is neither accepted nor rejected then what??? It must be accepted or rejected. The evaluation will continue until a terminating action of accept or reject is reached at the end of the policy.



  • 4.  RE: easy route-filter question

    Posted 03-04-2013 04:25

    Wow, this is more complex than I thought ;)

     

    amonge, this is your sentence:

    "In the "from ... reject" clause, it means that the route is NOT matched by the term, and it's evaluated by the next term in the policy chain." < I think it's mistaken; other docs say that:

    "If a FULL (prefix/mask + match type) match occurs, the action specified with the prefix is taken. If an action is not specified with the prefix, the action in the then statement is taken"

     

    I think we can simplify all this and say:

     

    If a "full match" with the longest prefix occurs, then do the action specified with the prefix.

    If a match occurs only with the prefix, but without the match statement (as in our case), the software evaluates the next term
    or routing policy... so we didn't have any other term, so it was sent to default BGP processing, whose policy is to discard non-BGP routes...

     

     



  • 5.  RE: easy route-filter question

    Posted 03-04-2013 04:57
    You are right, my explanation is incorrect. I incorrectly thought it was like the "except" keyword of firewall filter terms. I apologize for the confusion.


  • 6.  RE: easy route-filter question

    Posted 03-04-2013 09:46

     

    This statement  "200.0.67.0/24-/32 would be a match and the metric 10 would be added. " should read:

    "200.0.67.0/25-/32 would be a match and the metric 10 would be added" because the match type was longer.

    And yes, understanding Juniper route evaluation etc. etc. is not that easy. We try to simplify it as much as possible, but it gets deep.
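
The evaluation order discussed in this thread, as an added example that is not part of any post and is not Junos code: a small Python model of the `test_me` term that does the longest-match lookup on prefix and length first, then checks the match type of that one entry only. The `evaluate` function and its return format are assumptions made for illustration; "no match" means only that this term does not match, and what happens next depends on later terms or the default policy.

```python
import ipaddress

# The term from the question: (prefix, match type, per-entry action or None).
TEST_ME = [
    ("200.0.0.0/16", "longer", "reject"),
    ("200.0.67.0/24", "longer", None),
    ("200.0.0.0/8", "orlonger", "accept"),
]
THEN = "metric 10; accept"  # the term's then block

MATCH_TYPES = {
    "exact": lambda route_len, filter_len: route_len == filter_len,
    "longer": lambda route_len, filter_len: route_len > filter_len,
    "orlonger": lambda route_len, filter_len: route_len >= filter_len,
}

def evaluate(route, filters=TEST_ME, then=THEN):
    """Return (selected route-filter prefix or None, outcome for this term)."""
    route = ipaddress.ip_network(route)
    # Step 1: longest-match lookup on prefix and prefix length only;
    # the match type is ignored at this stage.
    covering = []
    for prefix, match_type, action in filters:
        net = ipaddress.ip_network(prefix)
        if route.subnet_of(net):
            covering.append((net, match_type, action))
    if not covering:
        return (None, "no match")
    net, match_type, action = max(covering, key=lambda e: e[0].prefixlen)
    # Step 2: check the match type of the selected entry. If it fails, the
    # term does not match; shorter entries are never consulted.
    if not MATCH_TYPES[match_type](route.prefixlen, net.prefixlen):
        return (str(net), "no match")
    # Step 3: the action on the entry wins; otherwise the then block applies.
    return (str(net), action if action else then)

if __name__ == "__main__":
    # Constructed sample routes covering each branch of the term.
    for r in ("200.0.67.0/24", "200.0.67.128/25", "200.0.5.0/24",
              "200.1.0.0/16", "200.0.0.0/16", "10.0.0.0/8"):
        print(f"{r:18} -> {evaluate(r)}")
```
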