[j-nsp] Juniper Policy-Fu needed

Rafael Rodriguez packetjockey at gmail.com
Wed Oct 5 12:15:15 EDT 2011


Hello list,

My Juniper Policy-Fu is not (yet) strong enough.

The Juniper Policy Framework Guide has been great but I have a couple
questions I hope the list can help with.

1) Within policy sub-routines, do "default-action accept" and
"default-action reject" have the same effect (returning TRUE or FALSE to the
calling policy) as just the regular "accept" and "reject" actions?  I
haven't been able to find documentation that speaks to this.  It almost
seems like policies that are called directly/chained need to be written
differently from policies you plan on using as a sub-routine.

2) Is it possible to write a single policy that can be used directly/chained
and in a sub-routine?  Can the "default-action" and regular "accept" and
"reject" be used together?  Can you mix a "default-action accept" with a
regular "reject"?  If so, I'd love to see an example.

3) Are all non-terminating actions listed in sub-routines performed
regardless of the returned TRUE or FALSE?  I've read mixed things about
this.

4) As far as routing policies go (thinking BGP here), I'm a big fan of
setting the default action of a protocol (via policy) to reject.  Currently
doing this with a "default-action reject" being processed first.  I then
have common policies chained together on import and export.  Instead of
chaining policies on the import and export statements, is it possible to
perform the 'chaining' in a single 'master' policy that calls a bunch of
common sub-routines that are reused?  How would the idea of changing the
default protocol action to reject fit into this type of 'master' policy?

Thanks in advance.

Cheers,
RR

