[j-nsp] i suck at bgp import policy - help?
ryanL
ryan.landry at gmail.com
Sat Jan 19 19:42:00 EST 2013
stacy smith and todd caine nailed it. needed an implicit reject in my
matching classification. thanks to everyone who replied on and off
list.
fix:
term match-10 {
    from {
        route-filter 0.0.0.0/0 exact;
    }
    then accept;
}
term REJECT {    <-----
    then reject;
}
On Sat, Jan 19, 2013 at 6:30 PM, ryanL <ryan.landry at gmail.com> wrote:
> hi. i am certainly doing something wrong.
>
> on a bgp neighbor i have the following policy:
>
> import ALL-TRANSIT-IN;
>
> i've reduced it to basics, which says:
>
> term DENY-BASICS {
>     from policy DEFAULT-ROUTE;
>     then reject;
> }
> term GENERAL-ACCEPT {
>     then {
>         local-preference 200;
>         community set COMM-TRANSIT;
>         accept;
>     }
> }
>
> where policy DEFAULT-ROUTE is:
>
> from {
>     route-filter 0.0.0.0/0 exact;
> }
> then accept;
>
> accept AND reject = reject, right? i performed a no-term basic test
> for a reject AND reject, which accepted all routes, so i'm pretty sure
> my head isn't too far up my...
>
> anyways, the above policies unfortunately result in all routes being
> received, but not accepted.
>
> Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
> <removed> <removed> 163888 184 0 0 1:15:38 0/431093/0/0 0/0/0/0
>
> if i remove the DENY-BASICS term, all routes go active and get stamped
> with my community and local-pref value.
>
> i've tried other DENY related terms, such as filtering out long
> as-paths, or just RFC1918, or even just spoofs of my own netblock.
> normal stuff. routes stay hidden due to:
>
> State: <Hidden Ext>
> Inactive reason: Unusable path
>
> so, what am i screwing up on here? this is on 12.2R2.4. i'm
> effectively trying to follow the cymru secure junos bgp template,
> among others.
>
> thanks.
>
> ryan
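
The behaviour in this thread, as an added example that is not part of the original posts: a simplified Python model of Junos term evaluation showing why `from policy DEFAULT-ROUTE` matched every route until the subroutine ended in a reject term. It assumes a route that matches no term falls through to the default BGP import policy (accept); the function names and sample prefixes are constructed for illustration, and modifiers such as local-preference and community are left out.

```python
import ipaddress

BGP_IMPORT_DEFAULT = "accept"  # assumption: default BGP import policy accepts

def route_filter_exact(prefix):
    net = ipaddress.ip_network(prefix)
    return lambda route, policies: ipaddress.ip_network(route) == net

def from_policy(name):
    # Subroutine match: true whenever the called policy evaluates to accept,
    # including an accept that comes only from the protocol default.
    return lambda route, policies: evaluate(policies[name], route, policies) == "accept"

def evaluate(policy, route, policies):
    """First term whose 'from' conditions all match supplies the action."""
    for conditions, action in policy:
        if all(cond(route, policies) for cond in conditions):
            return action
    return BGP_IMPORT_DEFAULT  # no term matched: fall through to the default

# DEFAULT-ROUTE as first posted: one term, nothing for non-matching routes.
DEFAULT_ROUTE_ORIGINAL = [([route_filter_exact("0.0.0.0/0")], "accept")]
# DEFAULT-ROUTE with the fix from the thread: a last term with no 'from' rejects.
DEFAULT_ROUTE_FIXED = DEFAULT_ROUTE_ORIGINAL + [([], "reject")]

ALL_TRANSIT_IN = [
    ([from_policy("DEFAULT-ROUTE")], "reject"),  # term DENY-BASICS
    ([], "accept"),                              # term GENERAL-ACCEPT
]

SAMPLE_ROUTES = ["0.0.0.0/0", "192.0.2.0/24", "198.51.100.0/24"]  # constructed

def import_results(default_route_policy, routes=SAMPLE_ROUTES):
    """Run every route through ALL-TRANSIT-IN with the given subroutine."""
    policies = {"DEFAULT-ROUTE": default_route_policy}
    return {r: evaluate(ALL_TRANSIT_IN, r, policies) for r in routes}

if __name__ == "__main__":
    print("original:", import_results(DEFAULT_ROUTE_ORIGINAL))
    print("fixed:   ", import_results(DEFAULT_ROUTE_FIXED))
```
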