Policy-chain test

  • Lab topology

The lo0.0 interface of vMX-3 is connected to the following network segments:
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
10.1.1.0/24
10.2.1.0/24
172.16.0.0/24

  • Configuration requirements
    Summarize the networks above on R3 into these aggregate routes:
    192.168.0.0/16
    10.0.0.0/8
    172.16.0.0/16

Requirements:
R3 advertises only the aggregate route 192.168.0.0/16 to R1
R3 advertises the aggregate routes 192.168.0.0/16 and 10.0.0.0/16 to R2 (deny other routes)

  • Configuration example

vMX-1 configuration
root@vMX-1# run show configuration
version 14.1R1.10;
system {
    root-authentication {
        encrypted-password "$1$a0zjPx7P$4Va9RcsxrIuHWJz.fhmrS0"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 202.103.13.1/24;
            }
        }
    }
}
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.13.3 {
                peer-as 300;
            }
        }
    }
}

vMX-2 configuration
[edit]
root@vMX-2# run show configuration
version 14.1R1.10;
system {
    host-name vMX-2;
    root-authentication {
        encrypted-password "$1$QsSbO49u$DmMrWquAJ739RmUFn3CLo1"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 202.103.23.2/24;
            }
        }
    }
}
routing-options {
    autonomous-system 200;
}
protocols {
    bgp {
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.23.3 {
                peer-as 300;
            }
        }
    }
}

vMX-3 configuration
root@vMX-3# run show configuration
version 14.1R1.10;
system {
    host-name vMX-3;
    root-authentication {
        encrypted-password "$1$QYBXvplE$9SwS1OUd9MaGzBo0f3I760"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 202.103.23.3/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 202.103.13.3/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.1.3/24;
                address 192.168.2.3/24;
                address 192.168.3.3/24;
                address 10.1.1.3/24;
                address 10.2.1.3/24;
                address 172.16.0.3/24;
            }
        }
    }
}
routing-options {
    aggregate {
        route 192.168.0.0/16;
        route 10.0.0.0/8;
        route 172.16.0.0/16;
    }
    autonomous-system 300;
}
protocols {
    bgp {
        group ebgp-peer {
            type external;
            log-updown;
            neighbor 202.103.23.2 {
                export [ to-R1 to-R2 default-policy ];
                peer-as 200;
            }
            neighbor 202.103.13.1 {
                export [ to-R1 default-policy ];
                peer-as 100;
            }
        }
    }
}
policy-options {
    policy-statement default-policy {
        then reject;
    }
    policy-statement to-R1 {
        from {
            protocol aggregate;
            route-filter 192.168.0.0/16 exact;
        }
        then accept;
    }
    policy-statement to-R2 {
        from {
            protocol aggregate;
            route-filter 10.0.0.0/8 exact;
        }
        then accept;
    }
}

View the vMX-1 routing table
[edit]
root@vMX-1# run show route

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.0.0/16     *[BGP/170] 00:33:02, localpref 100
                      AS path: 300 I, validation-state: unverified
                      to 202.103.13.3 via ge-0/0/2.0
202.103.13.0/24    *[Direct/0] 00:56:38
                      via ge-0/0/2.0
202.103.13.1/32    *[Local/0] 00:56:38
                      Local via ge-0/0/2.0

View the vMX-2 routing table
[edit]
root@vMX-2# run show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[BGP/170] 00:32:38, localpref 100
                      AS path: 300 I, validation-state: unverified
                      to 202.103.23.3 via ge-0/0/0.0
192.168.0.0/16     *[BGP/170] 00:32:38, localpref 100
                      AS path: 300 I, validation-state: unverified
                      to 202.103.23.3 via ge-0/0/0.0
202.103.23.0/24    *[Direct/0] 00:52:45
                      via ge-0/0/0.0
202.103.23.2/32    *[Local/0] 00:52:45
                      Local via ge-0/0/0.0

View the vMX-3 routing table
[edit]
root@vMX-3# run show route

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Aggregate/130] 00:33:39
                      Reject
10.1.1.0/24        *[Direct/0] 00:39:47
                      via lo0.0
10.1.1.3/32        *[Local/0] 00:39:47
                      Local via lo0.0
10.2.1.0/24        *[Direct/0] 00:39:47
                      via lo0.0
10.2.1.3/32        *[Local/0] 00:39:47
                      Local via lo0.0
172.16.0.0/16      *[Aggregate/130] 00:33:39
                      Reject
172.16.0.0/24      *[Direct/0] 00:39:47
                      via lo0.0
172.16.0.3/32      *[Local/0] 00:39:47
                      Local via lo0.0
192.168.0.0/16     *[Aggregate/130] 00:33:39
                      Reject
192.168.1.0/24     *[Direct/0] 00:40:36
                      via lo0.0
192.168.1.3/32     *[Local/0] 00:40:36
                      Local via lo0.0
192.168.2.0/24     *[Direct/0] 00:40:18
                      via lo0.0
192.168.2.3/32     *[Local/0] 00:40:18
                      Local via lo0.0
192.168.3.0/24     *[Direct/0] 00:39:47
                      via lo0.0
192.168.3.3/32     *[Local/0] 00:39:47
                      Local via lo0.0
202.103.13.0/24    *[Direct/0] 00:51:32
                      via ge-0/0/2.0
202.103.13.3/32    *[Local/0] 00:51:32
                      Local via ge-0/0/2.0
202.103.23.0/24    *[Direct/0] 00:51:32
                      via ge-0/0/0.0
202.103.23.3/32    *[Local/0] 00:51:32
                      Local via ge-0/0/0.0

root@vMX-3# run show route protocol aggregate

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Aggregate/130] 00:34:03
                      Reject
172.16.0.0/16      *[Aggregate/130] 00:34:03
                      Reject
192.168.0.0/16     *[Aggregate/130] 00:34:03
                      Reject

vMX-3 advertises the 192.168.0.0/16 route to vMX-1, with itself as the next hop
[edit]
root@vMX-3# run show route advertising-protocol bgp 202.103.13.1

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 192.168.0.0/16          Self                                    I

vMX-3 advertises the 192.168.0.0/16 and 10.0.0.0/8 routes to vMX-2, with itself as the next hop
root@vMX-3# run show route advertising-protocol bgp 202.103.23.2

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.0.0.0/8              Self                                    I
* 192.168.0.0/16          Self                                    I

So far all of the requirements have been met.
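
The chain evaluation behind these results, as an added example (a simplified Python model written for this page, not Junos code and not part of the original post): each route is checked against the export policies in order, the first accept or reject ends evaluation, and the explicit final default-policy is what keeps the /24s and 172.16.0.0/16 from being advertised. The route table is a constructed subset of vMX-3's inet.0, and the function names are hypothetical.

```python
import ipaddress

# Constructed subset of vMX-3's inet.0 from the page: (prefix, protocol).
ROUTES = [
    ("192.168.0.0/16", "aggregate"), ("10.0.0.0/8", "aggregate"),
    ("172.16.0.0/16", "aggregate"), ("192.168.1.0/24", "direct"),
    ("10.1.1.0/24", "direct"), ("172.16.0.0/24", "direct"),
]

# Policy = list of terms: (protocol or None, route-filter or None, action).
# A route-filter is (prefix, match_type); None means "match anything".
POLICIES = {
    "to-R1": [("aggregate", ("192.168.0.0/16", "exact"), "accept")],
    "to-R2": [("aggregate", ("10.0.0.0/8", "exact"), "accept")],
    "default-policy": [(None, None, "reject")],
}

def filter_matches(route, prefix, match_type):
    """Model of the route-filter match types exact and orlonger only."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if match_type == "exact":
        return r == p
    if match_type == "orlonger":
        return r.subnet_of(p)
    raise ValueError(f"match type not modelled: {match_type}")

def evaluate_chain(route, protocol, chain):
    """Return (action, policy_name) from the first matching term in the chain."""
    for name in chain:
        for want_proto, rfilter, action in POLICIES[name]:
            if want_proto is not None and protocol != want_proto:
                continue
            if rfilter is not None and not filter_matches(route, *rfilter):
                continue
            return action, name  # accept/reject ends evaluation of the chain
    # No policy decided: BGP's default export passes only active BGP routes.
    return ("accept" if protocol == "bgp" else "reject"), "bgp-default"

def advertised(chain):
    """Prefixes from ROUTES that the export chain would send to a neighbor."""
    return sorted(r for r, proto in ROUTES
                  if evaluate_chain(r, proto, chain)[0] == "accept")

if __name__ == "__main__":
    print("to vMX-1:", advertised(["to-R1", "default-policy"]))
    print("to vMX-2:", advertised(["to-R1", "to-R2", "default-policy"]))
```

Moving default-policy to the front of either chain in this model rejects every route before to-R1 or to-R2 is consulted, which is why it sits last in the export lists.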

Origin blog.51cto.com/holger/2450666