[j-nsp] i suck at bgp import policy - help?

ryanL ryan.landry at gmail.com
Sat Jan 19 19:42:00 EST 2013


stacy smith and todd caine nailed it. needed an implicit reject in my
matching classification. thanks to everyone who replied on and off
list.

fix:

term match-10 {
    from {
        route-filter 0.0.0.0/0 exact;
    }
    then accept;
}
term REJECT {  <-----
    then reject;
}

On Sat, Jan 19, 2013 at 6:30 PM, ryanL <ryan.landry at gmail.com> wrote:
> hi. i am certainly doing something wrong.
>
> on a bgp neighbor i have the following policy:
>
> import ALL-TRANSIT-IN;
>
> i've reduced it to basics, which says:
>
> term DENY-BASICS {
>     from policy DEFAULT-ROUTE;
>     then reject;
> }
> term GENERAL-ACCEPT {
>     then {
>         local-preference 200;
>         community set COMM-TRANSIT;
>         accept;
>     }
> }
>
> where policy DEFAULT-ROUTE is:
>
> from {
>     route-filter 0.0.0.0/0 exact;
> }
> then accept;
>
> accept AND reject = reject, right? i performed a no-term basic test
> for a reject AND reject, which accepted all routes, so i'm pretty sure
> my head isn't too far up my...
>
> anyways, the above policies unfortunately result in all routes being
> received, but not accepted.
>
> Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last
> Up/Dwn State|#Active/Received/Accepted/Damped...
> <removed>          <removed>     163888        184       0       0
> 1:15:38 0/431093/0/0         0/0/0/0
>
> if i remove the DENY-BASICS term, all routes go active and get stamped
> with my community and local-pref value.
>
> i've tried other DENY related terms, such as filtering out long
> as-paths, or just RFC1918, or even just spoofs of my own netblock.
> normal stuff. routes stay hidden due to:
>
>    State: <Hidden Ext>
>    Inactive reason: Unusable path
>
> so, what am i screwing up on here? this is on 12.2R2.4. i'm
> effectively trying to follow the cymru secure junos bgp template,
> among others.
>
> thanks.
>
> ryan


More information about the juniper-nsp mailing list