[j-nsp] route-filter ... longer: not working?
Stacy W. Smith
stacy at acm.org
Thu May 19 11:17:28 EDT 2005
I'm not sure we have enough information to determine the problem. Does
the trace show that 2002::/16 is being rejected by this policy or a
later policy in the chain? What are the rest of the policies in the
policy chain? Is 2002::/16 a BGP learned route?

2002::/16 should not be matched by the provided policy. Here's why:

You can think of a route being evaluated against the route-filter in
two stages. Stage one determines the route-filter line with the longest
prefix that overlaps the route being evaluated. Then stage two
determines if the route being evaluated matches the qualifier. If stage
one passes, but stage two does not, the route does not go back to stage
one for the next longest matching route-filter line. Instead the entire
series of route-filters is considered a failure and the term is
finished with the route.

For 2002::/16 stage one matches the "route-filter 2002::/16 longer"
line, but stage two doesn't match the "longer" qualifier. The from
clause does not match and the next policy should be evaluated.

When tested I get the behavior I just described. 2002::/16 does not
match the ipv6-ebgp-filter policy and is accepted by the default "accept
all" policy of "test policy".

lab@host> show route table inet6.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2002::/16          *[Static/5] 00:10:28
                      Reject

lab@host> show configuration policy-options
policy-statement ipv6-ebgp-filter {
    from {
        family inet6;
        route-filter ::/8 orlonger;
        route-filter 2001:db8::/32 orlonger;
        route-filter 2001:5001:103::/48 orlonger;
        route-filter 2002::/16 longer;
        route-filter fe00::/9 orlonger;
        route-filter ff00::/8 orlonger;
        route-filter 0::/0 upto /48 next policy;
    }
    then {
        trace;
        reject;
    }
}

lab@host> test policy ipv6-ebgp-filter 2002::/16

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2002::/16          *[Static/5] 00:10:35
                      Reject

Policy ipv6-ebgp-filter: 1 prefix accepted, 0 prefix rejected

lab@host>

--Stacy
On 19 May 2005, at 08:03, Daniel Roesen wrote:
> Hi,
>
> ok, I give up. Why is the route 2002::/16 being rejected by this
> policy:
>
> policy-statement ipv6-ebgp-filter {
>     from {
>         family inet6;
>         route-filter ::/8 orlonger;
>         route-filter 2001:db8::/32 orlonger;
>         route-filter 2001:5001:103::/48 orlonger;
>         route-filter 2002::/16 longer;
>         route-filter fe00::/9 orlonger;
>         route-filter ff00::/8 orlonger;
>         route-filter 0::/0 upto /48 next policy;
>     }
>     then {
>         trace;
>         reject;
>     }
> }
>
> In my book, it should pass and only more-specifics in 2002::/16 should
> be rejected. I heard that prefix-length-range /17-/128 exhibits the
> same problem.
>
>
> Best regards,
> Daniel
>
> --
> CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
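
Added example (not part of the original thread, and not Juniper code): a small Python model of the two-stage route-filter evaluation described in the reply, run against the filter lines of the quoted policy. The names FILTERS, TERM_ACTION, qualifier_ok and evaluate, and the sample routes other than 2002::/16, are assumptions made for illustration.

```python
import ipaddress

# Route-filter lines of ipv6-ebgp-filter as quoted in the thread:
# (prefix, match type, argument, per-line action or None)
FILTERS = [
    ("::/8", "orlonger", None, None),
    ("2001:db8::/32", "orlonger", None, None),
    ("2001:5001:103::/48", "orlonger", None, None),
    ("2002::/16", "longer", None, None),
    ("fe00::/9", "orlonger", None, None),
    ("ff00::/8", "orlonger", None, None),
    ("0::/0", "upto", 48, "next policy"),
]
TERM_ACTION = "reject"  # the term's "then" clause


def qualifier_ok(kind, arg, filter_len, route_len):
    """Stage two: does the route's prefix length satisfy the match type?"""
    if kind == "exact":
        return route_len == filter_len
    if kind == "longer":
        return route_len > filter_len
    if kind == "orlonger":
        return route_len >= filter_len
    if kind == "upto":
        return filter_len <= route_len <= arg
    raise ValueError(f"unsupported match type: {kind}")


def evaluate(route):
    """Return (route-filter line chosen in stage one, outcome)."""
    net = ipaddress.ip_network(route)
    # Stage one: longest route-filter prefix that covers the route.
    covering = [f for f in FILTERS if ipaddress.ip_network(f[0]).supernet_of(net)]
    if not covering:
        return None, "no match"
    prefix, kind, arg, action = max(
        covering, key=lambda f: ipaddress.ip_network(f[0]).prefixlen)
    # Stage two: qualifier check on that one line only, with no fallback
    # to a shorter covering line if it fails.
    flen = ipaddress.ip_network(prefix).prefixlen
    if not qualifier_ok(kind, arg, flen, net.prefixlen):
        return prefix, "no match"
    return prefix, action or TERM_ACTION


if __name__ == "__main__":
    # Constructed sample routes, apart from 2002::/16 from the thread.
    for r in ("2002::/16", "2002:100::/24", "2a00::/32", "2a00:1:2:3::/64"):
        print(r, evaluate(r))
```

In this model 2002::/16 selects the "2002::/16 longer" line and then fails the qualifier, so the from clause does not match; it never reaches the "0::/0 upto /48" line that would otherwise have covered it.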