[j-nsp] Translating Cisco to Juniper/policy-statements

nachocheeze at gmail.com nachocheeze at gmail.com
Mon Jul 23 20:02:17 EDT 2007


Just a friendly reminder, if you're going to use the "IOS to JunOS"
tool, go with the caveats Juniper gives on the page, and make sure you
understand everything.

Also, like most translators, it won't be as precise or compact as if
you'd written it yourself by hand.  Make sure you understand why
everything is there (and test it) before implementing into a
production network.

-------------------------------------------------

The IOS to JUNOS Translator (I2J) converts FULL IOS Configuration
files for both 75xx and 12xxx platforms into Juniper Networks JUNOS
format.

Not all IOS commands are translated and some may be translated
incorrectly. Hand reviewing the output is ABSOLUTELY NECESSARY.

Although most IOS commands can be input singularly, this is NOT
recommended or supported.

-----------------------------------------------------------------------------


On 7/22/07, Gunjan GANDHI (BR/EPA) <gunjan.gandhi at ericsson.com> wrote:
> I2J
> https://i2j.juniper.net/release/index.jsp
>
> Cheers
> //Gunjan
>
> policy-options {
>     as-path path-20-accept "111+|222+|222+2221+|333+";
>     community UPSTREAM-OUT-1 members 1234:567;
>     policy-statement ap-20 {
>         term accept-term {
>             from as-path path-20-accept;
>             then accept;
>         }
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
>     policy-statement pl-AS111-BLOCK {
>         term term-1 {
>             from route-filter 1.2.3.4/19 exact;
>             then accept;
>         }
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
>     policy-statement pl-AS222-BLOCK {
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
>     policy-statement pl-AS2221-BLOCK {
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
>     policy-statement pl-AS333-BLOCK {
>         term term-1 {
>             from route-filter 12.14.15.16/21 exact;
>             then accept;
>         }
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
>     policy-statement pl-AS3331-BLOCK {
>         term term-1 {
>             from route-filter 18.19.20.21/19 exact;
>             then accept;
>         }
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
>     policy-statement rm-UPSTREAM-OUT {
>         term term-1 {
>             from policy [ pl-AS111-BLOCK pl-AS222-BLOCK pl-AS2221-BLOCK ap-20 ];
>             then accept;
>         }
>         term term-2 {
>             from policy [ pl-AS333-BLOCK pl-AS3331-BLOCK ap-20 ];
>             then {
>                 community set UPSTREAM-OUT-1;
>                 accept;
>             }
>         }
>         term ios-implicit-deny {
>             then reject;
>         }
>     }
> }
>
>
> Lines that could not be converted are in red.
> Lines with warnings or comments are in blue.
> Lines with previously shown errors or warnings are in magenta.
> FPC / PIC / Port numbers MUST ALWAYS be changed to match your Juniper
> Networks hardware.
>
> 1:route-map UPSTREAM-OUT permit 10
> 2:  match ip address prefix-list AS111-BLOCK AS222-BLOCK AS2221-BLOCK
> There is no prefix-list named: AS2221-BLOCK. Creating a reject policy
> with that name
> 3:  match as-path 20
> 4:!
> 5:route-map UPSTREAM-OUT permit 15
> 6:  match ip address prefix-list AS333-BLOCK AS3331-BLOCK
> 7:  match as-path 20
> 8:  set community 1234:567
> 9:!
> 10:ip as-path access-list 20 permit ^(_111)+$
> 11:ip as-path access-list 20 permit ^(_222)+$
> 12:ip as-path access-list 20 permit ^(_222)+(_2221)+$
> 13:ip as-path access-list 20 permit ^(_333)+$
> 14:ip as-path access-list 20 permit ^(_333)+(_3331)+$ !
> Cannot convert regular expressions that have a $ at the beginning or
> middle
> 15:ip prefix-list AS111-BLOCK seq 5 permit 1.2.3.4/19
> 16:ip prefix-list AS222-BLOCK seq 5 permit 5.6.7.8/24 ip prefix-list
> AS2221-BLOCK seq 5 permit 9.10.11.12/19
> Line not yet supported by I2J
> 17:ip prefix-list AS333-BLOCK seq 5 permit 12.14.15.16/21
> 18:ip prefix-list AS3331-BLOCK seq 5 permit 18.19.20.21/19
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Nick Kraal
> Sent: Sunday, 22 July 2007 11:16 PM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] Translating Cisco to Juniper/policy-statements
>
> Hi there,
>
> What is the best-current-way to configure the following Cisco-speak to
> JUNOS.
>
> Thanks in advance,
>
> -nick/
>
> route-map UPSTREAM-OUT permit 10
>   match ip address prefix-list AS111-BLOCK AS222-BLOCK AS2221-BLOCK
>   match as-path 20
> !
> route-map UPSTREAM-OUT permit 15
>   match ip address prefix-list AS333-BLOCK AS3331-BLOCK
>   match as-path 20
>   set community 1234:567
> !
> ip as-path access-list 20 permit ^(_111)+$
> ip as-path access-list 20 permit ^(_222)+$
> ip as-path access-list 20 permit ^(_222)+(_2221)+$
> ip as-path access-list 20 permit ^(_333)+$
> ip as-path access-list 20 permit ^(_333)+(_3331)+$
> !
> ip prefix-list AS111-BLOCK seq 5 permit 1.2.3.4/19
> ip prefix-list AS222-BLOCK seq 5 permit 5.6.7.8/24
> ip prefix-list AS2221-BLOCK seq 5 permit 9.10.11.12/19
> ip prefix-list AS333-BLOCK seq 5 permit 12.14.15.16/21
> ip prefix-list AS3331-BLOCK seq 5 permit 18.19.20.21/19
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
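
A small cross-check for the hand review recommended at the top of this message, as an added example that is not part of the original post or of I2J: it lists IOS prefix-list entries and as-path entries that have no counterpart in the translated output. The function names `as_seq` and `review` are hypothetical, the `JUNOS` sample is a condensed copy of the output quoted above, and the `pl-` policy naming is taken from that output.

```python
import re

# Sample input: the IOS objects from the thread and a condensed copy of the I2J output.
IOS = """\
ip as-path access-list 20 permit ^(_111)+$
ip as-path access-list 20 permit ^(_222)+$
ip as-path access-list 20 permit ^(_222)+(_2221)+$
ip as-path access-list 20 permit ^(_333)+$
ip as-path access-list 20 permit ^(_333)+(_3331)+$
ip prefix-list AS111-BLOCK seq 5 permit 1.2.3.4/19
ip prefix-list AS222-BLOCK seq 5 permit 5.6.7.8/24
ip prefix-list AS2221-BLOCK seq 5 permit 9.10.11.12/19
ip prefix-list AS333-BLOCK seq 5 permit 12.14.15.16/21
ip prefix-list AS3331-BLOCK seq 5 permit 18.19.20.21/19
"""
JUNOS = """\
as-path path-20-accept "111+|222+|222+2221+|333+";
policy-statement pl-AS111-BLOCK { from route-filter 1.2.3.4/19 exact; }
policy-statement pl-AS222-BLOCK { then reject; }
policy-statement pl-AS2221-BLOCK { then reject; }
policy-statement pl-AS333-BLOCK { from route-filter 12.14.15.16/21 exact; }
policy-statement pl-AS3331-BLOCK { from route-filter 18.19.20.21/19 exact; }
"""

def as_seq(regex):
    """Reduce an AS-path regex to its AS-number sequence (heuristic, ignores operators)."""
    return tuple(re.findall(r"\d+", regex))

def review(ios_cfg, junos_cfg):
    """List IOS prefixes and as-path entries with no counterpart in the Junos output."""
    findings = []
    policies = {}  # Junos policy name -> route-filter prefixes it matches
    for chunk in re.split(r"policy-statement\s+", junos_cfg)[1:]:
        policies[chunk.split()[0]] = set(re.findall(r"route-filter (\S+)", chunk))
    for name, pfx in re.findall(r"ip prefix-list (\S+) seq \d+ permit (\S+)", ios_cfg):
        # "pl-" + name is the naming the translated output in this thread uses.
        if pfx not in policies.get("pl-" + name, set()):
            findings.append(f"prefix-list {name}: {pfx} missing from pl-{name}")
    junos_paths = {as_seq(alt)
                   for rx in re.findall(r'as-path \S+ "([^"]*)"', junos_cfg)
                   for alt in rx.split("|")}
    for rx in re.findall(r"ip as-path access-list \d+ permit (\S+)", ios_cfg):
        if as_seq(rx) not in junos_paths:
            findings.append(f"as-path {rx} missing from translated regex")
    return findings

if __name__ == "__main__":
    print("\n".join(review(IOS, JUNOS)))
```

On the sample it reports the two prefix-lists that were translated into reject-only policies and the fifth as-path entry, which lines up with the converter messages quoted above.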

