[j-nsp] i suck at bgp import policy - help?

Tim Vollebregt tim at interworx.nl
Sat Jan 19 19:04:16 EST 2013


It should work like this, this works like a charm for me:

show policy-options policy-statement mate-in-v4       
term reject-default {
    from policy default-route;
    then reject;
}
then {
    metric add 10;
    next-hop peer-address;
}

show policy-options policy-statement default-route 
from {
    route-filter 0.0.0.0/0 exact;
}
then accept;

Default route is not accepted until I deactivate the reject-default term.
Software version is 10.4R5.5

Don't you have multiple import policies for that specific peer which are interfering?

Tim

On Jan 19, 2013, at 6:30 PM, ryanL wrote:

> hi. i am certainly doing something wrong.
> 
> on a bgp neighbor i have the following policy:
> 
> import ALL-TRANSIT-IN;
> 
> i've reduced it to basics, which says:
> 
> term DENY-BASICS {
>    from policy DEFAULT-ROUTE;
>    then reject;
> }
> term GENERAL-ACCEPT {
>    then {
>        local-preference 200;
>        community set COMM-TRANSIT;
>        accept;
>    }
> }
> 
> where policy DEFAULT-ROUTE is:
> 
> from {
>    route-filter 0.0.0.0/0 exact;
> }
> then accept;
> 
> accept AND reject = reject, right? i performed a no-term basic test
> for a reject AND reject, which accepted all routes, so i'm pretty sure
> my head isn't too far up my...
> 
> anyways, the above policies unfortunately result in all routes being
> received, but not accepted.
> 
> Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
> <removed>          <removed>     163888        184       0       0     1:15:38 0/431093/0/0         0/0/0/0
> 
> if i remove the DENY-BASICS term, all routes go active and get stamped
> with my community and local-pref value.
> 
> i've tried other DENY related terms, such as filtering out long
> as-paths, or just RFC1918, or even just spoofs of my own netblock.
> normal stuff. routes stay hidden due to:
> 
>   State: <Hidden Ext>
>   Inactive reason: Unusable path
> 
> so, what am i screwing up on here? this is on 12.2R2.4. i'm
> effectively trying to follow the cymru secure junos bgp template,
> among others.
> 
> thanks.
> 
> ryan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
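
The evaluation of a policy used as a match condition (`from policy DEFAULT-ROUTE`), as an added example that is not from either poster: a simplified Python model, assuming the documented Junos rule that a policy in which no term terminates falls through to the protocol default action (accept for BGP import). Policy and term names come from the quoted message; the evaluator, the `WITH_FINAL_REJECT` variant and the sample prefixes are constructed for illustration.

```python
# Simplified model of Junos routing-policy evaluation (added example).
# Assumption: when no term of a policy terminates, the protocol default
# action applies; for BGP import that default is accept. The same rule
# holds inside a policy referenced as a match condition.
BGP_DEFAULT = "accept"

def matches(cond, prefix, policies):
    """All listed conditions must hold; an empty 'from' matches every route."""
    if "route_filter_exact" in cond and prefix != cond["route_filter_exact"]:
        return False
    if "policy" in cond:
        # A subroutine is true when it evaluates to accept, false on reject.
        return evaluate(cond["policy"], prefix, policies) == "accept"
    return True

def evaluate(policy, prefix, policies):
    """Return 'accept' or 'reject' for prefix under the named policy."""
    for term in policies[policy]:
        if matches(term.get("from", {}), prefix, policies) and "then" in term:
            return term["then"]
    return BGP_DEFAULT  # fell off the end: default policy action

AS_POSTED = {
    "DEFAULT-ROUTE": [
        {"from": {"route_filter_exact": "0.0.0.0/0"}, "then": "accept"},
    ],
    "ALL-TRANSIT-IN": [
        {"from": {"policy": "DEFAULT-ROUTE"}, "then": "reject"},  # DENY-BASICS
        {"then": "accept"},                                       # GENERAL-ACCEPT
    ],
}

# Same policies, with an explicit final reject term in the subroutine.
WITH_FINAL_REJECT = dict(AS_POSTED)
WITH_FINAL_REJECT["DEFAULT-ROUTE"] = AS_POSTED["DEFAULT-ROUTE"] + [{"then": "reject"}]

# Constructed sample prefixes: the default route plus two documentation ranges.
SAMPLE = ("0.0.0.0/0", "192.0.2.0/24", "198.51.100.0/24")

def import_results(policies, prefixes=SAMPLE):
    """Map each prefix to the result of the ALL-TRANSIT-IN import policy."""
    return {p: evaluate("ALL-TRANSIT-IN", p, policies) for p in prefixes}

if __name__ == "__main__":
    print("as posted:        ", import_results(AS_POSTED))
    print("with final reject:", import_results(WITH_FINAL_REJECT))
```

In configuration terms, `WITH_FINAL_REJECT` corresponds to adding a last term to `DEFAULT-ROUTE` whose only action is `then reject`, so the subroutine returns false for every prefix other than 0.0.0.0/0.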



