Juniper Nested-Policy – Got me!
Apr 22
Hi All,
We were trying to suppress specific external routes into the routing tables (yes, tables; Juniper, you see ;) ). To achieve this, we wrote multiple policies for importing routes into OSPF. This created a sort of glitch. What that glitch was, and what the final understanding of nested policies is, we shall see.
Let us look at the default policy on the R2 device and see what happens here.
I have this OSPF configuration on R2:
[edit]
lab@mxb2# show protocols ospf | display set
set protocols ospf import o1
set protocols ospf import o2
set protocols ospf import o3
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
[edit]
lab@mxb2#
[edit]
lab@mxb2# show policy-options | display set
set policy-options policy-statement o1 term 1 from protocol ospf
set policy-options policy-statement o1 term 1 from route-filter 1.1.11.0/24 exact
set policy-options policy-statement o1 term 1 from route-filter 1.1.12.0/24 exact
set policy-options policy-statement o1 term 1 then accept
set policy-options policy-statement o1 term 2 then reject
set policy-options policy-statement o2 term 1 from route-filter 2.2.3.0/24 exact
set policy-options policy-statement o2 term 2 from route-filter 2.2.4.0/24 exact
set policy-options policy-statement o2 term 2 then accept
set policy-options policy-statement o3 term 1 from route-filter 2.2.1.0/24 exact
set policy-options policy-statement o3 term 1 from route-filter 2.2.2.0/24 exact
set policy-options policy-statement o3 term 1 then accept
set policy-options policy-statement o3 term 2 then reject
As we can see, there are three policies imported. Let us see how the routing process interprets this.
On purpose, I have included two routes in o1, 1.1.11.0/24 and 1.1.12.0/24, which are not present to match.
Even though I have two other import policies under protocol OSPF, the explicit reject breaks the loop, and hence evaluation won't go on to the other policies in OSPF.
[edit]
lab@mxb2# run show route protocol ospf
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
224.0.0.5/32 *[OSPF/10] 00:14:08, metric 1
MultiRecv
[edit]
lab@mxb2# run show ospf neighbor
Address Interface State ID Pri Dead
13.13.12.1 ge-0/0/0.0 Full 13.13.12.1 128 32
[edit]
lab@mxb2# run show ospf database
OSPF database, Area 0.0.0.0
Type ID Adv Rtr Seq Age Opt Cksum Len
Router 13.13.12.1 13.13.12.1 0x80000008 143 0x22 0xf19a 36
Router *13.13.12.2 13.13.12.2 0x80000007 142 0x22 0xeba0 36
Network *13.13.12.2 13.13.12.2 0x80000005 142 0x22 0x9501 32
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 1.1.1.0 13.13.12.1 0x80000002 264 0x22 0xa2e4 36
Extern 1.1.2.0 13.13.12.1 0x80000001 870 0x22 0x99ed 36
Extern 1.1.3.0 13.13.12.1 0x80000001 870 0x22 0x8ef7 36
Extern 1.1.4.0 13.13.12.1 0x80000001 870 0x22 0x8302 36
Extern 2.2.0.0 13.13.12.1 0x80000001 870 0x22 0x96f0 36
Extern 2.2.1.0 13.13.12.1 0x80000001 870 0x22 0x8bfa 36
Extern 2.2.2.0 13.13.12.1 0x80000001 870 0x22 0x8005 36
Extern 2.2.3.0 13.13.12.1 0x80000001 870 0x22 0x750f 36
Now, let's tweak the policy and add another term that sends evaluation to the next policy.
The terminating action of the first policy statement has changed: instead of reject, I have asked it to go to the next policy.
set policy-options policy-statement o1 term 1 from protocol ospf
set policy-options policy-statement o1 term 1 from route-filter 1.1.11.0/24 exact
set policy-options policy-statement o1 term 1 from route-filter 1.1.12.0/24 exact
set policy-options policy-statement o1 term 1 then accept
set policy-options policy-statement o1 term 2 then next policy
set policy-options policy-statement o2 term 1 from route-filter 2.2.3.0/24 exact
set policy-options policy-statement o2 term 1 then accept
set policy-options policy-statement o2 term 2 from route-filter 2.2.4.0/24 exact
set policy-options policy-statement o2 term 2 then accept
set policy-options policy-statement o2 term 3 then reject
set policy-options policy-statement o3 term 1 from route-filter 2.2.1.0/24 exact
set policy-options policy-statement o3 term 1 from route-filter 2.2.2.0/24 exact
set policy-options policy-statement o3 term 1 then accept
set policy-options policy-statement o3 term 2 then reject
Sure enough, the results are as we expect:
[edit]
lab@mxb2# run show route
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2.2.3.0/24 *[OSPF/150] 00:03:55, metric 0, tag 0
> to 13.13.12.1 via ge-0/0/0.0
2.2.4.0/24 *[OSPF/150] 00:03:09, metric 0, tag 0
> to 13.13.12.1 via ge-0/0/0.0
13.13.12.0/24 *[Direct/0] 04:05:29
> via ge-0/0/0.0
13.13.12.2/32 *[Local/0] 04:05:30
Local via ge-0/0/0.0
224.0.0.5/32 *[OSPF/10] 00:23:39, metric 1
MultiRecv
Now the big question is: what if I keep the policies as they are, but no longer import policy o2 into OSPF?
If that is the case, o1 will not be a match, but it will refer to o2 via the next policy term.
[edit]
lab@mxb2# commit
commit complete
[edit]
lab@mxb2# run show route
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
2.2.1.0/24 *[OSPF/150] 00:00:02, metric 0, tag 0
> to 13.13.12.1 via ge-0/0/0.0
2.2.2.0/24 *[OSPF/150] 00:00:02, metric 0, tag 0
> to 13.13.12.1 via ge-0/0/0.0
13.13.12.0/24 *[Direct/0] 04:07:05
> via ge-0/0/0.0
13.13.12.2/32 *[Local/0] 04:07:06
Local via ge-0/0/0.0
224.0.0.5/32 *[OSPF/10] 00:25:15, metric 1
MultiRecv
As we can see, the policy that next policy points to in the policy chain is overridden by the import policies that we give under the protocol.
In this case, even though policy-options has o1, o2 and o3, and o1 has next policy as its final action, if o2 is not imported into OSPF (or, for that matter, is not kept in the proper import order), evaluation skips to the next policy imported in OSPF, not to the next policy in the policy-options chain.
Regards
Rakesh Madupu
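
The three runs above can be reproduced with a small model of the evaluation order. This is an added example, not Junos code and not part of the original post: evaluate(), policies() and installed() are hypothetical names, /24 masks are assumed for the external LSAs, 2.2.4.0/24 is taken from the later route table, and o2 is modelled as in the second listing (in the first run it is never reached anyway).

```python
ACCEPT, REJECT, NEXT_POLICY = "accept", "reject", "next policy"

# External prefixes seen in the OSPF database / route table on the page (constructed list).
EXTERNALS = ["1.1.1.0/24", "1.1.2.0/24", "1.1.3.0/24", "1.1.4.0/24", "2.2.0.0/24",
             "2.2.1.0/24", "2.2.2.0/24", "2.2.3.0/24", "2.2.4.0/24"]

def policies(o1_last_action):
    """policy-options from the post. A term is (route-filter set, action);
    None as the filter means 'no from clause', i.e. match everything.
    Every route-filter on the page is 'exact', so set membership is enough.
    'from protocol ospf' is omitted: every candidate route here is OSPF."""
    return {
        "o1": [({"1.1.11.0/24", "1.1.12.0/24"}, ACCEPT), (None, o1_last_action)],
        "o2": [({"2.2.3.0/24"}, ACCEPT), ({"2.2.4.0/24"}, ACCEPT), (None, REJECT)],
        "o3": [({"2.2.1.0/24", "2.2.2.0/24"}, ACCEPT), (None, REJECT)],
    }

def evaluate(prefix, chain, defs, default=ACCEPT):
    """Return (action, deciding policy) for one route.
    'chain' is the ordered list applied under 'protocols ospf import';
    policies defined in policy-options but absent from it are never visited."""
    for name in chain:
        for match, action in defs[name]:
            if match is not None and prefix not in match:
                continue                 # term does not match, try the next term
            if action in (ACCEPT, REJECT):
                return action, name      # terminating action ends the whole chain
            if action == NEXT_POLICY:
                break                    # leave this policy, continue with the next one in 'chain'
        # running off the end of a policy also falls through to the next applied policy
    return default, "default"            # OSPF default import policy accepts

def installed(chain, defs):
    """Externals that would be installed for a given import chain."""
    return sorted(p for p in EXTERNALS if evaluate(p, chain, defs)[0] == ACCEPT)

if __name__ == "__main__":
    print("o1 ends in reject, import o1 o2 o3:",
          installed(["o1", "o2", "o3"], policies(REJECT)))
    print("o1 ends in next policy, import o1 o2 o3:",
          installed(["o1", "o2", "o3"], policies(NEXT_POLICY)))
    print("o1 ends in next policy, import o1 o3:",
          installed(["o1", "o3"], policies(NEXT_POLICY)))
```

In the last run 2.2.3.0/24 is rejected by o3, because "next policy" in o1 hands the route to the next policy in the applied chain and o2 is no longer in it.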