apply-path and apply-flags omit on Junos

The other day I was playing with a few interesting knobs/features in Junos.

One of them is apply-path: a chain of configuration keywords that points to a set of prefixes.

The second one is “apply-flags omit”, which keeps parts of the configuration from being displayed when “show configuration” is used.

“Apply-flags omit” is hidden on some platforms, so you need to type it out in full because autocomplete does not work for it.

Here are some examples of how these are used.


First, apply-path. Suppose that you have a filter protecting your routing engine that allows BGP traffic from your current BGP peers.

However, you need to make sure that newly added BGP peers in the BGP groups are allowed to establish BGP sessions automatically, without modifying the prefix-list.

To do that, use this statement in the prefix-list configuration:

[edit]
root@r1# show policy-options                            
prefix-list bgp-peers {
    apply-path "protocols bgp group <*> neighbor <*>";
}

[edit]
root@r1#

The current BGP peers are these:

[edit]
root@r1# show protocols bgp                     
group INT-IPv4 {
    type internal;
    local-address 172.27.255.1;
    log-updown;
    authentication-key "$9$BVTRcrWLNYgJevgJGDmPBIE"; ## SECRET-DATA
    neighbor 172.27.255.2;
    neighbor 172.27.255.5;
    neighbor 172.27.255.6;
}

[edit]
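root@r1#

And this is the filter applied on Loopback0. Note that term 2 has no from statement, so as written it accepts everything that term 1 did not match and term OTHER is never reached:
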
[edit]
root@r1# show firewall 
family inet {
    filter protect-re {
        term 1 {
            from {
                prefix-list {
                    bgp-peers;
                }
            }
            then accept;
        }
        term 2 {
            then accept;
        }
        term OTHER {
            then {
                reject;
            }
        }
    }
}

[edit]
root@r1#

And now, if I want to see what the prefix-list expands to:

[edit]
root@r1# show policy-options | display inheritance      
prefix-list bgp-peers {
    ##
    ## apply-path was expanded to:
    ##     172.27.255.2/32; 
    ##     172.27.255.5/32; 
    ##     172.27.255.6/32; 
    ##
    apply-path "protocols bgp group <*> neighbor <*>";
}

[edit]
root@r1#

As you can see, the prefix-list was automatically populated with the BGP neighbors’ addresses.

For the second feature, let’s consider this filter:

[edit]
root@r1# show firewall 
family inet {
    filter protect-re {
        term 1 {
            from {
                prefix-list {
                    bgp-peers;
                }
            }
            then accept;
        }
        term 2 {
            then accept;
        }
        term OTHER {
            then {
                reject;
            }
        }
    }
}

[edit]
root@r1#

And let’s suppose that I don’t want to see it when I issue the “show configuration” command.

The reason might be that it’s an extensive configuration output. That’s not the case here, but you can hide any Junos configuration hierarchy this way.

Let’s hide this filter. Use this command:

[edit]
root@r1# set firewall family inet filter protect-re apply-flags omit 

[edit]
root@r1#

And now, you will see this:

[edit]
root@r1# show firewall                                                  
family inet {
    filter protect-re { /* OMITTED */ };
}

[edit]
root@r1#

However, you can still see the configuration by using “display omit” or “display set”:

[edit]
root@r1# show firewall | display omit   
family inet {
    filter protect-re {
        apply-flags omit;
        term 1 {
            from {
                prefix-list {
                    bgp-peers;
                }
            }
            then accept;
        }
        term 2 {
            then accept;
        }
        term OTHER {
            then {
                reject;
            }
        }
    }
}

[edit]
root@r1# show firewall | display set     
set firewall family inet filter protect-re apply-flags omit
set firewall family inet filter protect-re term 1 from prefix-list bgp-peers
set firewall family inet filter protect-re term 1 then accept
set firewall family inet filter protect-re term 2 then accept
set firewall family inet filter protect-re term OTHER then reject

[edit]
root@r1#
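
A check a reviewer can run over saved configuration output so that stanzas hidden with apply-flags omit are not missed during a review. This is an added example, not from the original post; the function names are this example's own, and the sample text is constructed from the outputs shown above.

```python
import re

OMIT_MARKER = "/* OMITTED */"

def omitted_in_curly(config_text):
    """Hierarchy paths that plain 'show configuration' output prints as OMITTED."""
    path, hidden = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if OMIT_MARKER in line:
            # e.g. 'filter protect-re { /* OMITTED */ };'
            name = line.split("{", 1)[0].strip()
            hidden.append(" ".join(path + [name]))
        elif line.endswith("{"):
            path.append(line[:-1].strip())   # entering a stanza
        elif line.startswith("}") and path:
            path.pop()                       # leaving a stanza
    return hidden

def omitted_in_set(set_text):
    """Hierarchy paths carrying 'apply-flags omit' in '| display set' output."""
    pattern = re.compile(r"^\s*set (.+) apply-flags omit\s*$")
    return [m.group(1) for m in map(pattern.match, set_text.splitlines()) if m]

# Constructed sample: the page's filter as a full 'show configuration' would print it.
SAMPLE_SHOW = """\
policy-options {
    prefix-list bgp-peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter protect-re { /* OMITTED */ };
    }
}
"""

# Constructed sample: two lines taken from the 'show firewall | display set' output above.
SAMPLE_SET = """\
set firewall family inet filter protect-re apply-flags omit
set firewall family inet filter protect-re term 1 from prefix-list bgp-peers
"""

if __name__ == "__main__":
    for stanza in omitted_in_curly(SAMPLE_SHOW):
        print("hidden stanza, review with '| display omit':", stanza)
    print("flagged in set output:", omitted_in_set(SAMPLE_SET))
```

Both functions report the same hierarchy path, so a backup taken in either format shows which stanzas need to be re-read with “display omit” before the review is considered complete.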

 

Nice, isn’t it?


Paris ARAU

Paris ARAU is a networking professional with a strong background in routing and switching technologies. He holds CCIE R&S and dual JNCIE (SP and ENT) certifications. His day-to-day work allows him to dive deeply into networking technologies. As part of his continuous training, he is focusing on Software Defined Networking and cloud computing.
