Making Sure a Routing Policy Is Functioning Properly

Problem

You want to ensure that a configured policy is working as intended by logging its actions.

Solution

There are two steps to setting up tracing to see how a configured routing policy is being applied to routes. First, include a trace action in the policy's then clause:

[edit policy-options policy-statement outbound-policy term 1]
aviva@Router3# set then trace

Then, set up a tracing file for capturing the output:

[edit routing-options]
aviva@Router3# set traceoptions file policy-trace-log size 10m files 10
aviva@Router3# set traceoptions flag policy

 

Discussion

When checking whether a routing policy is working, the first and easiest step is to check the entries in the routing table. Use the show route command on the local router to verify the effects of an import routing policy, and use the same command on the neighboring router to check the effect of an export policy (see Recipe 8.1). This command shows the real-time effect of the configured routing policies. If, in examining the routing tables, you find routes you don't expect or find that routes are missing, use the JUNOS tracing function to keep a log of which routes a policy has analyzed and taken action on. This is a common way to debug problems that appear to be caused by a routing policy not being applied or not being applied properly.

This recipe shows how to set up policy tracing. The set then trace command adds a tracing action to the policy. This command is part of a larger policy that is being used to verify that the router is matching prefixes on its outbound EBGP links. This policy is already in place on the router, and the trace action is added to help with debugging:

[edit policy-options policy-statement outbound-policy term peer-routes]
aviva@Router3# show
from {
    route-filter 192.168.0.0/16 exact;
    route-filter 192.168.72.0/21 exact;
    route-filter 192.168.194.0/21 orlonger;
    route-filter 192.168.157.0/24 exact;
    route-filter 192.168.228.0/24 exact;
}
then {
    as-path-prepend "65520 65520";
    trace;
    accept;
}

The set traceoptions command configures a logging file to receive the policy-tracing information. Because routing policy is handled by RPD, you set up a general routing-protocol trace file in the [edit routing-options] hierarchy, not in the [edit policy-options] hierarchy. This recipe creates a 10 MB file named policy-trace-log. The flag policy is necessary to trace the routing-policy operations. You can also use the all flag, which traces all RPD-related operations, but this can quickly fill the logfile with many messages not related to policy.

The logfile shows the routes that the policy is evaluating:

aviva@Router3> show log policy-trace-log
Sep 2 20:13:10 trace_on: Tracing to "/var/log/policy-trace-log" started
Sep 2 20:13:10 export: Dest 172.16.32.0 proto BGP
Sep 2 20:13:10 policy_match_qual_or: Qualifier proto Sense: 0
Sep 2 20:13:10 policy_match_qual_or: Qualifier proto Sense: 0
Sep 2 20:13:10 export: Dest 192.168.0.0 proto BGP
Sep 2 20:13:10 policy_match_qual_or: Qualifier community Sense: 0
Sep 2 20:13:10 policy_match_qual_or: Qualifier community Sense: 0
Sep 2 20:13:10 policy_match_qual_or: Qualifier community Sense: 0
Sep 2 20:13:10 policy_export_trace: Prefix 192.168.0.0/16 term peer-routes --> accept

This output shows an evaluation of two export policies that have been applied to BGP. No routes match the first export policy, but 192.168.0.0/16 matches. The policy_export_trace line shows the policy term that the route matches and the action that was taken (here, accept) as a result of the match.
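To review a longer trace file off the router, the following added example (not part of the original recipe) parses the log format shown above, lists the term and action recorded for each traced prefix, and checks each prefix against the peer-routes route filters so that an unintended advertisement stands out. The function names are hypothetical, the log format is assumed to match the excerpt, and the example masks host bits when it parses a filter prefix.

```python
import ipaddress
import re

# Sample input: lines taken from the log excerpt shown above.
SAMPLE_LOG = """\
Sep 2 20:13:10 trace_on: Tracing to "/var/log/policy-trace-log" started
Sep 2 20:13:10 export: Dest 172.16.32.0 proto BGP
Sep 2 20:13:10 policy_match_qual_or: Qualifier proto Sense: 0
Sep 2 20:13:10 export: Dest 192.168.0.0 proto BGP
Sep 2 20:13:10 policy_match_qual_or: Qualifier community Sense: 0
Sep 2 20:13:10 policy_export_trace: Prefix 192.168.0.0/16 term peer-routes --> accept
"""

DEST_RE = re.compile(r"export: Dest (\S+) proto (\S+)")
TRACE_RE = re.compile(r"policy_export_trace: Prefix (\S+) term (\S+) --> (\S+)")

# Route filters of the peer-routes term shown above, as (prefix, match type).
ROUTE_FILTERS = [
    ("192.168.0.0/16", "exact"),
    ("192.168.72.0/21", "exact"),
    ("192.168.194.0/21", "orlonger"),
    ("192.168.157.0/24", "exact"),
    ("192.168.228.0/24", "exact"),
]

def filter_allows(prefix, filters=ROUTE_FILTERS):
    """True if prefix satisfies an 'exact' or 'orlonger' filter in the list."""
    net = ipaddress.ip_network(prefix, strict=False)
    for flt, kind in filters:
        fnet = ipaddress.ip_network(flt, strict=False)  # assumption: mask host bits
        if (kind == "exact" and net == fnet) or (kind == "orlonger" and net.subnet_of(fnet)):
            return True
    return False

def summarize(log_text):
    """Return (traced results, destinations evaluated with no traced result)."""
    evaluated, traced = [], []
    for line in log_text.splitlines():
        if m := DEST_RE.search(line):
            evaluated.append(m.group(1))
        elif m := TRACE_RE.search(line):
            prefix, term, action = m.groups()
            traced.append({"prefix": prefix, "term": term, "action": action,
                           "expected": filter_allows(prefix)})
    hit = {t["prefix"].split("/")[0] for t in traced}
    untraced = [d for d in evaluated if d not in hit]
    return traced, untraced
```

A traced entry with action accept and "expected" set to False is a prefix the term accepted that is not covered by the intended filter list, which is the case to investigate first.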

See Also

Recipe 8.1
