RE: Question for Juniper Config Expert

From: Scott Morris (swm@emanon.com)
Date: Fri May 20 2005 - 15:42:28 GMT-3


Well... You would need a separate filter for each of your peers (unless you
have multiple peers going to the same AS number). But you can have multiple
filters. However, I don't see what would be wrong with "(65001)+" which
would treat the entire entry 65001 and allow one or more of them.

You can create multiple as-path-group entries and then match different ones
within your policy:

policy-options {
    as-path-group MyFriends {
        as-path AS65001 "(65001)+";
        as-path AS65002 "(65002)+";
        as-path AS65003 "(65003)+";
    }
}

Then in your import filter, just match on the group (any entry) instead of
the specifics.

HTH,

Scott
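As an added example that is not part of this thread and not Juniper code, the following Python script evaluates Junos-style AS-path regular expressions the way the thread discusses them: every atom is a whole AS number, so "." matches exactly one AS, "65001+" matches AS 65001 repeated one or more times (the prepended case) and "()" is the empty path used in the export policy further down. It also contrasts this with the Cisco reading of ^[0-9]+$, which is a character regex over the path string. The translation to a Python regex, the bracket-set handling and the two-term policy model (a local-routes term at local-preference 92 and a catch-all at 90; the thread's "as-path 61" definition is not on the page and is left out) are this example's own assumptions.

```python
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Tokens of a Junos-style AS-path regex: an AS number, "." (any one AS),
# a bracket set/range of AS numbers such as "[1-5]", and the operators
# ( ) + * ? |.  Whitespace between atoms is ignored.
_TOKEN = re.compile(r"\s*(\d+|\.|\[[^\]]*\]|[()+*?|])\s*")


def _expand_set(body: str) -> List[str]:
    """Expand the inside of a "[ ]" set ("1-5", "65001 65002") into members."""
    members: List[str] = []
    for part in body.split():
        lo, sep, hi = part.partition("-")
        if sep:
            members.extend(str(n) for n in range(int(lo), int(hi) + 1))
        else:
            members.append(str(int(part)))
    return members


def junos_as_path_to_python(regex: str) -> str:
    """Translate a Junos-style AS-path regex into an anchored Python regex.

    Every atom consumes one AS number plus a trailing space, so the Python
    pattern can only match on AS-number boundaries, never inside a number:
    a Junos "." is a whole AS number, unlike a Cisco "." which is one char.
    """
    out: List[str] = []
    pos = 0
    while pos < len(regex):
        m = _TOKEN.match(regex, pos)
        if m is None:
            raise ValueError(f"unsupported AS-path regex near {regex[pos:]!r}")
        tok = m.group(1)
        pos = m.end()
        if tok.isdigit():
            out.append(f"(?:{int(tok)} )")          # a specific AS number
        elif tok == ".":
            out.append(r"(?:\d+ )")                 # any single AS number
        elif tok.startswith("["):
            alts = "|".join(f"{n} " for n in _expand_set(tok[1:-1]))
            out.append(f"(?:{alts})")               # one AS out of the set
        else:
            out.append(tok)                         # ( ) + * ? | carry over
    return "^" + "".join(out) + "$"


def as_path_matches(regex: str, path: Sequence[int]) -> bool:
    """True if the AS path (leftmost AS = the peer) matches the regex."""
    text = "".join(f"{asn} " for asn in path)       # "65001 65001 " or ""
    return re.match(junos_as_path_to_python(regex), text) is not None


def cisco_single_as(path_text: str) -> bool:
    """Cisco reading of ^[0-9]+$: a character regex over the path string."""
    return re.fullmatch(r"[0-9]+", path_text) is not None


# Simplified model of the import policy in the thread (an assumption of
# this example): ordered terms, the first term whose as-path matches wins,
# and a term with no condition is the catch-all. Only local-preference is
# kept; the thread's "as-path 61" term is not defined on the page.
Term = Tuple[str, Optional[str], int]


def peer_import_policy(local_routes_regex: str) -> List[Term]:
    return [
        ("AS65001-local-routes", local_routes_regex, 92),
        ("default", None, 90),
    ]


def import_local_pref(terms: Iterable[Term], path: Sequence[int]) -> Tuple[str, int]:
    """Return (term name, local-preference) that the path ends up with."""
    for name, regex, lp in terms:
        if regex is None or as_path_matches(regex, path):
            return name, lp
    raise ValueError("policy has no catch-all term")


if __name__ == "__main__":
    # Constructed sample paths as received from peer AS 65001.
    paths = [[65001], [65001, 65001], [65001, 65002]]
    for regex in (".", "65001+", "(65001)+", "[0-9]+", ".*"):
        print(regex, [as_path_matches(regex, p) for p in paths])
    for regex in (".", "65001+"):
        print(regex, [import_local_pref(peer_import_policy(regex), p) for p in paths])
    print("()", as_path_matches("()", []), as_path_matches("()", [65001]))
    print("cisco ^[0-9]+$", cisco_single_as("65001"), cisco_single_as("65001 65001"))
```

Running it shows the point of the thread: with "as-path 60 ." only the unprepended path 65001 lands in the local-preference 92 term, the prepended path 65001 65001 falls through to the default term at 90, whereas "65001+" catches both but has to be written per peer; and the literal Cisco expression [0-9]+, read as a Junos AS-number set, matches nothing from AS 65001 at all.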

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
nenad pudar
Sent: Friday, May 20, 2005 2:12 PM
To: swm@emanon.com
Cc: Steve Ohnmacht; ccielab@groupstudy.com
Subject: Re: Question for Juniper Config Expert

A generic filter list that will match only the routes from the neighboring AS +
eventually prepends of the same

So if the neighbor is AS65001 then routes from 65001 (65001 65001 ....) will
have an LP of 92

Specifying something like 65001+ is not an option since it must be generic and
be able to be applied to all peers regardless of AS number

According to Juniper there is no way to accomplish the above.
The workaround specified below is an as-path list which allows a single AS
in the as-path.

That means it will work for 65001 but not for 65001 65001, which to me is
acceptable

On 5/20/05, Scott Morris <swm@emanon.com> wrote:
> What?
>
> Let's step back a bit... What specifically are you trying to accomplish?
>
> You can get MUCH bigger and more entertaining than filtering a single AS.
> If you have anything longer, or including a space, you'll need to put
> it in quotes though!
>
> Scott
>
> -----Original Message-----
> From: nenad pudar [mailto:nenad.pudar@gmail.com]
> Sent: Friday, May 20, 2005 1:51 PM
> To: Steve Ohnmacht
> Cc: swm@emanon.com; ccielab@groupstudy.com
> Subject: Re: Question for Juniper Config Expert
>
> Thanks everybody
>
> Apparently the max we can get is
> as-path 60 .;
> This allows only a single AS and does not cover the prepending.
> According to Juniper people this is the max that we can do.
>
> Actual policy looks like this
>
> policy-statement PEER-IMPORT-AS-65001 {
>     term filter-default {
>         from {
>             route-filter 0.0.0.0/0 through 0.0.0.0/32;
>         }
>         then reject;
>     }
>     term filter-longer-than-24 {
>         from {
>             route-filter 0.0.0.0/0 prefix-length-range /25-/32;
>         }
>         then reject;
>     }
>     term leak-protect {
>         from as-path 61;
>         then {
>             metric 0;
>             local-preference 80;
>             community add xxxx:86;
>             community add ct8-comm;
>             next policy;
>         }
>     }
>     term AS65001-local-routes {
>         from as-path 60;
>         then {
>             metric 0;
>             local-preference 92;
>             community add xxxx:86;
>             community add ct8-comm;
>             next policy;
>         }
>     }
>     term default {
>         then {
>             metric 0;
>             local-preference 90;
>             community add xxxx:86;
>             community add ct8-comm;
>         }
>     }
> }
>
>
> nenad
>
> On 5/19/05, Steve Ohnmacht <gs.ohnmacht@gmail.com> wrote:
> > Definitely agree with you that Junos policies are interesting to say
> > the least. Also IMO they can be pretty powerful as well... In the
> > hacked example I gave, I was just basing it off the ip as-path
> > config provided. I see you took it a step further and actually
> > applied it to bgp... :-)
> >
> > Talk to you guys later....
> >
> > On 5/18/05, Scott Morris <swm@emanon.com> wrote:
> > > I think the definitions you are creating there are like as-path-group
> > > names. You can simply name something in the policy:
> > >
> > > policy-options {
> > >     as-path null-as "()";
> > >     policy-statement my-routes {
> > >         term just-me {
> > >             from {
> > >                 protocol bgp;
> > >                 as-path null-as;
> > >             }
> > >             then accept;
> > >         }
> > >         term no-more {
> > >             then reject;
> > >         }
> > >     }
> > > }
> > > protocols {
> > >     bgp {
> > >         neighbor x.x.x.x {
> > >             export my-routes;
> > >         }
> > >     }
> > > }
> > >
> > > (Obviously you can make up your own term matches however you need
> > > to)
> > >
> > > Otherwise, the deny-all isn't really necessary since you logically
> > > reject them in the next stanza anyway. Policy routing on the Junos is
> > > quite entertaining to think through how things are or are not matched!
> > >
> > >
> > > http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/policy-extend-match-config3.html#1094490
> > >
> > > It may simply be semantic differences in newer versions of Junos.
> > > Like you said, you had older configs around!
> > >
> > > Cheers,
> > >
> > > Scott
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > Behalf Of Steve Ohnmacht
> > > Sent: Wednesday, May 18, 2005 7:17 PM
> > > To: nenad pudar
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: Question for Juniper Config Expert
> > >
> > > It's been a while since I've touched a Juniper, but I'll take a
> > > crack at this one... For Junipers you would create a policy under
> > > the policy-options section of the config; with your config below,
> > > a Juniper example would be something like this:
> > >
> > > Take this for what it's worth, no guarantees.... :) Also, with
> > > Junipers any route manipulation is done via "JUNOS policies". I
> > > had to look at some old configs I have saved for reference... HTH...
> > >
> > > policy-options {
> > >     /* you may be able to represent your regex with just an atom "." */
> > >     as-path xxx-permit "^[0-9]+$";
> > >     as-path xxx-deny ".*";
> > >     policy-statement xxxx {
> > >         term permit {
> > >             from as-path xxx-permit;
> > >             then accept;
> > >         }
> > >         term deny {
> > >             from as-path xxx-deny;
> > >             then reject;
> > >         }
> > >         term deny-everything-else {
> > >             then reject;
> > >         }
> > >     }
> > > }
> > >
> > >
> > > On 5/18/05, nenad pudar <nenad.pudar@gmail.com> wrote:
> > > > Hi
> > > > I need to create a generic filter list using a regexp that will
> > > > allow only routes from the neighboring AS (+ eventually prepends
> > > > from that AS)
> > > >
> > > > I am not looking for an as-path from one specific AS but rather a
> > > > generic filter list that can be applied to all existing and new
> > > > bgp neighbors
> > > >
> > > > One of the ways to configure this on a Cisco router is:
> > > > ip as-path access-list xxx permit ^[0-9]+$
> > > > ip as-path access-list xxx deny .*
> > > >
> > > >
> > > > thanks
> > > >
> > > > nenad
> > > >
> > > > ______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:59 GMT-3