[j-nsp] Need help with stripping of BGP communities

[Alexander Shikoff]

On Tue, Oct 06, 2009 at 02:59:02PM -0400, Stefan Fouant wrote:
> On Tue, Oct 6, 2009 at 1:52 PM, Alexander Shikoff <minotaur at crete.org.ua>wrote:
> 
> > Hello All,
> >
> > I have M10i router and need to strip BGP communities that don't match regex
> > pattern.
> >
> > I've configured BGP community:
> > [edit policy-options]
> > minotaur at br1-gdr.ki# show community Prohibited
> > invert-match;
> > members "^((9002)|(21011)|(13228)):([0-5])$";
> >
> > Then I've created policy-statement and applied it to neighbour's import:
> > [edit]
> > minotaur at br1-gdr.ki# show policy-options policy-statement from-Downstream
> > then {
> >    community delete Prohibited;
> >    next policy;
> > }
> >
> > [edit]
> > minotaur at br1-gdr.ki# show protocols bgp group Downlinks-Default-Only
> > neighbor 91.200.195.18
> > description "Downlink: UOS";
> > import [ from-Downstream from-UOS ];
> > peer-as 42546;
> >
> > But communities that don't match "^((9002)|(21011)|(13228)):([0-5])$" are
> > still associated with prefixes that I receive from downstream:
> >
> > * 91.202.39.0/24 (2 entries, 1 announced)
> >     Accepted
> >     Nexthop: 91.200.195.18
> >     AS path: 42546 42546 42546 42546 44532 44532 I
> >     AS path: Recorded
> >     Communities: 65535:1111 65535:9002
> >
> 
> Your community string match "^((9002)|(21011)|(13228)):([0-5])$" won't work
> here because you are looking for 9002 in the first portion of the community
> string (before the colon :), however, the community string you've received
> from your peer has 9002 in the second portion of the community string (after
> the colon :).  

But my community has invert-match in configuration, so it should match
all communities except
9002:[0-5]
21011:[0-5]
13228:[0-5]

Thus policy should strip all communities including 65535:1111 and 65535:9002.
Is that right?

-- 
MINO-RIPE