I have a list of things I mean to blog about, and the Junos Apply-Path feature has been on there for way too long without being actions. As I said when I kicked off the “30 Blogs in 30 Days” Challenge, this would be an opportunity for me to blow some dust off my list of overdue posts, and this is certainly one that I am delighted to rediscover.

Junos Apply-Path

The idea is simple. Imagine that you have a list of known SNMP servers that poll your Juniper device. They’re granted readonly access in the configuration, but in addition to specifying those servers you’d also like to add them to a filter for control plane policing.

How do you manage that list of addresses both in the SNMP configuration and in the filter? It’s annoying to have to manage the same addresses in two places, right?

Enter apply-path, Junos OS’ secret weapon to make this stuff really simple. Apply-path allows you to define patterns that match configuration stanzas and extract information from them and pipe them right into a prefix-list. Perhaps an example would be best, so here’s a sample SNMP configuration with a whole bunch of IPs in two groups:

set snmp client-list noc_servers 10.1.1.0/24
set snmp client-list noc_servers 10.1.3.128/26
set snmp client-list noc_servers 10.19.123.128/25
set snmp client-list performance_servers 192.168.1.0/25
set snmp client-list performance_servers 192.168.9.8/31

In order to create a prefix-list containing those exact same hosts, we use an apply-path command like this:

set policy-options prefix-list snmp-sources apply-path "snmp client-list <*> <*>"

The <*> elements, perhaps obviously, mean to match on any value. Thus this command works no matter how many snmp client-list entries you create, and how many hosts and subnets are in each.

Now I can go to my security policy and reference that apply-path prefix-list in my SNMP clause:

set firewall family inet filter cpp term snmp from source-prefix-list snmp-sources
set firewall family inet filter cpp term snmp from protocol tcp
set firewall family inet filter cpp term snmp from protocol udp
set firewall family inet filter cpp term snmp from port snmp

Make sense? It works the same way with other elements in the configuration, too – if you can define the pattern, it can match the IP addresses and pop them into a prefix-list. Want all of your BGP neighbors in a prefix-list? Easy:

set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>"

Naturally this is dynamic, so if you add or remove an SNMP server, the prefix-list is updated immediately. This is genius, seriously.

This is by no means a new feature; it’s in the “oldie but goodie” category. If you haven’t discovered apply-path before, you are missing a big time saver. Give it a go!

 

30 Blogs in 30 Days

This post is part of my participation in Etherealmind’s 30 Blogs in 30 Days challenge.