Routing
Showing results for 
Search instead for 
Do you mean 
Reply
Contributor
Posts: 115
Registered: ‎05-21-2016
0 Kudos

Command "set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject" in MX960

Hi Anyone can explain the below command? The command is always at end of group of commands. The word "EXPLICIT_DENY" could be any word. Without this command, what would happen? Thank you

 

 

set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject

 

 

Highlighted
Distinguished Expert
Posts: 4,698
Registered: ‎03-30-2009
0 Kudos

Re: Command "set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject" in MX960

There is a hierarchy to the policy setup.

 

IMPORT_POLICY is the name of the entire policy which is made up of one or more terms

 

EXPLICIT_DENY is the name of the last term in the policy you are looking at.

 

Both the policy name and the term names are free form text that can be whatever the user wants.  And do not perform any action by themselves.  Only the active methods and match conditions of the policy have affect.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Distinguished Expert
Posts: 2,183
Registered: ‎08-21-2009
0 Kudos

Re: Command "set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject" in MX960

Hello there,


eesunj wrote:

Without this command, what would happen? Thank you

 

 

set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject

 

 


It depends on where this policy is applied.

Without this policy/term, the default protocol policy is the last one and it determines the end result.

https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-routing-policies-actions-def...

For instance, if this policy/term is NOT applied to BGP export, then ALL active BGP routes are exported.

HTH

Thx
Alex

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Contributor
Posts: 115
Registered: ‎05-21-2016
0 Kudos

Re: Command "set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject" in MX960

Hi aarseniev, You are answering my question. but I have not understood it completely. Can you give a little bit more explanation? thank you

Trusted Expert
Posts: 544
Registered: ‎08-15-2012
0 Kudos

Re: Command "set policy-options policy-statement IMPORT_POLICY term EXPLICIT_DENY then reject" in MX960

Hi, 

 

This is an explicit default statement having no matching conditions but an action, hence traffic not matched by above terms would be processed this term.  In your case 'reject', hence EXPLICIT_DENY.

 

An anology is 'if - elseif - else' conditions. The explicit_deny is similar to 'else' condition.

 

If the explicit default term is not configured, each specific protocols have implicit/default policies with specific action as defined in:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16502

 

Cheers,

Ashvin