[j-nsp] commands converted from Cisco IOS
C. Hagel
nanog at lordkron.net
Mon Mar 7 13:21:05 EST 2005
Actually what is happening is, as Craig had said, BGP is being kicked to
the "next policy" as stated in your config. This is not "next-term"
which would be a "then reject" according to the config you supplied. If
you kick something to a "next-policy" and there is no other policy
defined (as you have stated is your case) it will go to the default
policy at the end of the string, which simply would say "then accept".
This is a policy that is implemented in Junos by default.
On Mon, 7 Mar 2005 11:49:01 -0500
"TechSupport" <techsupport at isaacmorris.com> wrote:
T> Dear Craig,
T>
T> You said 'from-bgp' is saying if the route is from protocol BGP, then
T> it is evaluated through the next policy in the chain. But there is no
T> policy after 'from-bgp' except for the deny by default. Does that mean
T> all BGP packets will be denied under my current config?
T>
T>
T> version 7.1R1.3;
T> system {
T>     host-name traffic;
T>     domain-name isaacmorris.com;
T>     time-zone America/New_York;
T>     root-authentication {
T>         encrypted-password "$1$tRMtSdRC$MSTI0s4n7jwz22wCVMm3f/";
T>     }
T>     name-server {
T>         198.6.1.122;
T>         198.6.1.142;
T>     }
T>     services {
T>         ssh;
T>         web-management {
T>             http;
T>         }
T>     }
T>     syslog {
T>         file messages {
T>             any any;
T>         }
T>     }
T> }
T> interfaces {
T>     fe-0/0/0 {
T>         unit 0 {
T>             family inet {
T>                 address 192.168.1.244/24;
T>             }
T>         }
T>     }
T>     t1-0/0/2 {
T>         encapsulation frame-relay;
T>         lmi {
T>             lmi-type ansi;
T>         }
T>         t1-options {
T>             line-encoding b8zs;
T>             framing esf;
T>         }
T>         unit 0 {
T>             description "MCI T1 [bandwidth.com]";
T>             point-to-point;
T>             dlci 500;
T>             family inet {
T>                 address 208.192.182.138/30;
T>             }
T>         }
T>     }
T>     lo0 {
T>         unit 0 {
T>             family inet {
T>                 address 127.0.0.1/32;
T>             }
T>         }
T>     }
T> }
T> routing-options {
T>     router-id 65.198.234.1;
T>     autonomous-system 31916;
T> }
T> protocols {
T>     bgp {
T>         log-updown;
T>         group jweb-bgp {
T>             type external;
T>             local-address 208.192.182.138;
T>             neighbor 208.192.182.137 {
T>                 description "MCI T1 [bandwidth.com]";
T>                 export bgp-redistributes;
T>                 remove-private;
T>                 peer-as 701;
T>             }
T>         }
T>     }
T> }
T> policy-options {
T>     policy-statement bgp-redistributes {
T>         term sourced-bgp-network {
T>             from {
T>                 route-filter 65.198.234.0/24 exact;
T>             }
T>             then accept;
T>         }
T>         term from-bgp {
T>             from protocol bgp;
T>             then next policy;
T>         }
T>         term ios-implicit-deny {
T>             then reject;
T>         }
T>     }
T> }
T>
T>
T>
T> Thanks,
T> Albert
T>
T>
T> -----Original Message-----
T> From: Craig Pierantozzi [mailto:tozz at arpa.bind.com]
T> Sent: Sunday, March 06, 2005 11:24 PM
T> To: TechSupport
T> Cc: juniper-nsp at puck.nether.net
T> Subject: Re: [j-nsp] commands converted from Cisco IOS
T>
T> JunOS has the concept of a policy chain which is multiple
T> policies that can be evaluated. Example:
T>
T> export [ policy1 policy2 ]
T>
T> In general, a route is evaluated against the terms in a
T> policy and if it matches, an action is taken. No other
T> term or policy is evaluated after the match. Below, the term
T> 'from-bgp' is saying if the route is from protocol BGP, then
T> it is evaluated through the next policy in the chain.
T>
T> The last term is a catch all for routes that are not matched
T> in any term above and they are denied.
T>
T> Check out the topics listed at:
T>
T> http://www.juniper.net/techpubs/software/junos/junos70/swconfig70-policy/html/policy-overview-framework13.html
T>
T> regards
T> -craig
T>
T>
T> * Thus spake TechSupport (techsupport at isaacmorris.com):
T>
T> > Dear All,
T> >
T> >
T> >
T> > Thank you in advance for your help.
T> >
T> > I am new to Junos.
T> >
T> > I took my startup-config from my 2650 and translated it to Junos. I
T> > understand the whole thing except for the last 2 statements under
T> > Policy-Options:
T> >
T> >
T> >
T> > term from-bgp {
T> >     from protocol bgp;
T> >     then next policy;
T> > }
T> > term ios-implicit-deny {
T> >     then reject;
T> > }
T> >
T> >
T> >
T> > Could someone explain the function of these lines?
T> >
T> >
T> >
T> > Thanks,
T> >
T> > Albert
T> >
T> > _______________________________________________
T> > juniper-nsp mailing list juniper-nsp at puck.nether.net
T> > http://puck.nether.net/mailman/listinfo/juniper-nsp
T>
T> _______________________________________________
T> juniper-nsp mailing list juniper-nsp at puck.nether.net
T> http://puck.nether.net/mailman/listinfo/juniper-nsp
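
Added example, not part of the thread or of Junos itself: a small Python model of the policy-chain evaluation discussed above, run against the posted `bgp-redistributes` policy with `from-bgp` set first to `next policy` and then to `next term`. It assumes the BGP default export policy accepts BGP-learned routes and rejects everything else; the function names and sample routes are constructed for illustration.

```python
from ipaddress import ip_network

ACCEPT, REJECT = "accept", "reject"
NEXT_TERM, NEXT_POLICY = "next term", "next policy"

def default_bgp_export(route):
    # Assumption: default BGP export accepts BGP-learned routes, rejects the rest.
    return ACCEPT if route["protocol"] == "bgp" else REJECT

def evaluate(chain, route, default=default_bgp_export):
    """Run one route through a chain of policies; return (action, where decided)."""
    for name, terms in chain:
        for term, match, action in terms:
            if not match(route):
                continue
            if action in (ACCEPT, REJECT):
                return action, f"{name}/{term}"   # terminating action ends evaluation
            if action == NEXT_POLICY:
                break                             # skip the remaining terms of this policy
            # NEXT_TERM: keep going with the following term
    return default(route), "default policy"       # chain exhausted

def bgp_redistributes(from_bgp_action):
    """The policy from the posted config, with the from-bgp action as a parameter."""
    own = ip_network("65.198.234.0/24")
    return ("bgp-redistributes", [
        ("sourced-bgp-network", lambda r: ip_network(r["prefix"]) == own, ACCEPT),
        ("from-bgp", lambda r: r["protocol"] == "bgp", from_bgp_action),
        ("ios-implicit-deny", lambda r: True, REJECT),
    ])

# Constructed sample routes (not taken from the thread).
ROUTES = [
    {"prefix": "65.198.234.0/24", "protocol": "static"},
    {"prefix": "192.0.2.0/24", "protocol": "bgp"},
    {"prefix": "192.168.1.0/24", "protocol": "direct"},
]

def run(from_bgp_action):
    chain = [bgp_redistributes(from_bgp_action)]
    return {r["prefix"]: evaluate(chain, r) for r in ROUTES}

if __name__ == "__main__":
    for action in (NEXT_POLICY, NEXT_TERM):
        print(f"from-bgp = then {action}")
        for prefix, (result, where) in run(action).items():
            print(f"  {prefix:18} {result:7} ({where})")
```

With `next policy`, the BGP-learned prefix bypasses `ios-implicit-deny` and is exported by the default policy; with `next term` it reaches the reject term, so reviewing what the chain's last policy does is part of checking what the router advertises to its peer.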