Routing Info Source          Default Preference
Direct                       0
Local                        0
Static                       5
OSPF Internal                10
IS-IS Level 1 Internal       15
IS-IS Level 2 Internal       18
RIP                          100
OSPF AS External             150
IS-IS Level 1 External       160
IS-IS Level 2 External       165
BGP                          170
Lower numbers are preferred.
Equal-cost load balancing is done by randomly choosing among the equal paths.
The master routing instance is the primary instance.
An interface can only belong to one routing instance.
discard is silent
Import accepts routing updates, export sends out routing updates.
edit policy-options
Every protocol has a default policy
inet.0 Table
Protocol  Import Policy                                     Export Policy
BGP       accept bgp                                        accept active bgp
OSPF      accept ospf                                       reject -- floods by default *
IS-IS     accept is-is                                      reject -- floods by default *
RIP       accept rip from explicitly configured neighbors   reject everything
* Link-State Updates are sent and allowed by default; this only prevents routes from other protocols from being exported
An export policy is used to export static routes into OSPF.
Two steps: Define policy and apply policy.
Define policy under the edit policy-options hierarchy.
Apply routing policies as import or export policies at different levels (protocol dependent). For OSPF, only protocol-level import and export policies are allowed.
Policy example:
[edit policy-options]
user@router# show
policy-statement policy-1 {
    term reject-rfc1918-prefixes {
        from {
            route-filter 172.16.0.0/12 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 10.0.0.0/8 orlonger;
        }
        then reject;
    }
}
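How policy-1 above treats individual routes, as an added Python model (not code from the original notes or from Junos). The function names, the sample routes and the default_action parameter, which stands in for the protocol's default policy, are assumptions of this sketch.

```python
import ipaddress

# Terms of policy-1 from the notes: (term name, [(prefix, match type)], action)
POLICY_1 = [
    ("reject-rfc1918-prefixes",
     [("172.16.0.0/12", "orlonger"),
      ("192.168.0.0/16", "orlonger"),
      ("10.0.0.0/8", "orlonger")],
     "reject"),
]

def route_filter_matches(route, prefix, match_type):
    """Simplified route-filter check for the 'exact' and 'orlonger' match types."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    if route.version != prefix.version:
        return False
    if match_type == "exact":
        return route == prefix
    if match_type == "orlonger":
        # Same leading bits and a mask length equal to or longer than the filter's.
        return route.subnet_of(prefix)
    raise ValueError(f"unsupported match type: {match_type}")

def evaluate(policy, route, default_action):
    """Return (action, term name) for the first term that matches the route.

    Simplification: Junos selects the longest matching route-filter in a term
    and applies only its match type; for the non-overlapping filters in
    policy-1, checking each filter in turn gives the same result.
    default_action models the protocol default policy used when no term matches.
    """
    for name, filters, action in policy:
        if any(route_filter_matches(route, p, m) for p, m in filters):
            return action, name
    return default_action, None

# Constructed sample routes, not taken from any real routing table.
SAMPLES = ["10.1.2.0/24", "172.16.0.0/12", "172.32.0.0/16",
           "192.168.0.0/15", "198.51.100.0/24"]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r, evaluate(POLICY_1, r, default_action="accept"))
```

Note that 192.168.0.0/15 is not rejected: orlonger only matches the filter prefix itself and more-specific routes, so a shorter aggregate that covers private space falls through to the default policy.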
show route protocol static
show route protocol ospf
show route forwarding-table
show route instance
set instance-type virtual-router
edit routing-options
To configure a static route
Each routing instance has interfaces, a zone, and a routing policy.
Policy contains conditions.
Each condition has match criteria, a THEN clause, and either ACCEPT or REJECT.
A policy has a "Next Policy" pointer that leads to the next policy.
A policy's internal structure is the same as a firewall filter.
Both policies and firewall filters can have non-terminating actions, such as logging or changing class of service. Those actions can act as an IDS or an IPS.
Packet comes in.
First thing it hits is the POLICER.
Next it hits the FIREWALL FILTER.
Then it hits a DECISION POINT: Is there an EXISTING SESSION?
If not, it's the first packet in a session, and it goes through the FIRST PATH: SCREEN OS, SOURCE NAT, RT LOOKUP, POLICY, EGRESS PORT POLICY, DESTINATION NAT, APPLICATION LAYER GATEWAY, SESSION LOG CACHE.
If the first packet is dropped, all future packets in this session are denied.
All further packets in that session use the SESSION LOG CACHE to go down the FAST PATH.