Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] Slax script to avoid adding a policy statement to BGP without a "then" statement

0

0
Article ID: KB33337 KB Last Updated: 16 Nov 2018Version: 1.0 Summary:

Customers may sometimes forget to configure a then statement under a policy statement and export that policy under the Border Gateway Protocol (BGP). This may result in unexpected routing actions due to the default routing policies that are used. See Default Routing Policies for more information.

This article explains that a SLAX script can be added to check the policy statements that are exported under BGP, and configured to result in a commit failure if a then statement is not present in such a policy.

 

Symptoms:

Using default routing policies may lead to unexpected BGP routing actions and/or incorrectly advertised routes.

 

Cause:

This is because a then statement was not added under the exported policy statement.

 

Solution:

Configure a SLAX script to check the policy statements that are exported under BGP. If a then statement is not present, the script will ensure that commit fails.

To add the commit script, perform the following steps:

  1. Log in to shell as the root user.
user@Router-re0> start shell user root   
Password:
root@Router-re0:/var/home/labroot #

  1. Create a file under ​/var/db/scripts/commit.

root@Router-re0:/var/home/labroot # cd /var/db/scripts/commit
root@Router-re0:/var/db/scripts/commit # vi check-bgp-policy.slax

  1. Paste the following lines and save the file (wq).

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";
param $po = commit-script-input/configuration/policy-options;

match configuration {
    apply-templates protocols/bgp;
}

match export {
    param $test = .;

    for-each ($po/policy-statement[name == $test]/term) {
        if (from && not(then/accept)) {
        <xnm:error> {
                call jcs:edit-path($dot = $test);
                call jcs:statement($dot = $test);
                <message> "Check the policy you just created and applied to BGP does not have a then statement, please check it";
                }
        }
    }
}

  1. Exit from shell and apply the commit script to the configuration:

set system scripts commit file check-bgp-policy.slax
 

Example

lab@Router-re0# show policy-options policy-statement testfrom
term 1 {
    from {
        route-filter 0.0.0.0/0 exact;
    }
}

[edit]
lab@Router-re0# show protocols bgp
export testfrom;

[edit]
lab@Router-re0# commit check
re0:
[edit protocols bgp export]
  'export testfrom;'

Check the policy you just created and applied to BGP does not have a then statement, please check it
error: 1 error reported by commit scripts
error: commit script failure

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search