[j-nsp] conditions [and negation] in bgp import policies
Michael Hare
michael.hare at wisc.edu
Thu Aug 18 10:45:08 EDT 2016
Anyone have experience using conditions in bgp import policies?
Normally in our core we point v4/v6 default to discard like I suspect most here do. I have a default route from a transit provider of last resort that I want to activate "when I need to". With all of the caveats of the approach in general, I'm looking at using 'policy-options condition' to install said default if I believe I've become isolated. In my lab I'm testing with v4 [would use this for v4 as well] and am using 8.8.4.0/24 as a proof of concept.
'if-route-exists' does not have a built-in negation so I tried to roll my own as follows. 0.0.0.0/0 is still being rejected [by import policy] despite no 8.8.8.0/24 in the RIB. This occurs even from a BGP clear when I can confirm 8.8.8.0/24 was not in the local RIB during the entire BGP startup process.
I thought about doing a generated route, but I like the safety net idea of requiring the advertisement over BGP from this specific peer to be present.
Thought I'd try asking here before going to JTAC. I respect this may evolve into a "bad idea in general" discussion.
-Michael
==========/=================
########## my config
cooldude@r-mx2010-lab-re1# show policy-options policy-statement conditional-bgp
term google-reachable {
    from {
        route-filter 0.0.0.0/0 exact;
        condition route-to-google-dns;
    }
    then reject;
}
term google-unreachable {
    from {
        route-filter 0.0.0.0/0 exact;
    }
    then {
        preference 1;
        accept;
    }
}
cooldude@r-mx2010-lab-re1# show policy-options condition route-to-google-dns
if-route-exists {
    8.8.8.0/24;
    table inet.0;
}
############## 8.8.8.0/24 not present
cooldude@r-mx2010-lab-re1# run show route 8.8.8.0/24
{master}[edit]
cooldude@r-mx2010-lab-re1#
################## hidden default
cooldude@r-mx2010-lab-re1# run show route 0.0.0.0/0 exact hidden extensive table inet.0
inet.0: 595731 destinations, 1191437 routes (595721 active, 9 holddown, 3 hidden)
0.0.0.0/0 (3 entries, 1 announced)
State: <FlashAll>
TSI:
KRT in-kernel 0.0.0.0/0 -> {}
OSPF area : 0.0.0.0, LSA ID : 0.0.0.0, LSA type : Extern
Page 0 idx 0, (group iBGP-reflector type Internal) Type 5 val 0x2023c080 (addpath tsi)
Addpath Path ID: 1
Source route: Static
Advertised metrics:
Nexthop: Self
Localpref: 100
AS path: [65010] I
Communities:
(AddPath PathId)
Advertise: 00000007
Path 0.0.0.0 Vector len 4. Val: 0
BGP /-101
Next hop type: Router, Next hop index: 775
Address: 0xaa35900
Next-hop reference count: 1415662
Source: X.Y.33.86
Next hop: X.Y.33.86 via ae1.3106, selected
Session Id: 0x14b
State: <Hidden Ext>
Inactive reason: Unusable path
Local AS: 65010 Peer AS: 3128
Age: 5:00
Validation State: unverified
Task: BGP_3128.X.Y.33.86+52615
AS path: 3128 I
AS path: Recorded
Localpref: 100
Router ID: X.Y.32.2
Hidden reason: rejected by import policy
BGP /-101
Next hop type: Router, Next hop index: 774
Address: 0x26409e0c
Next-hop reference count: 1571275
Source: X.Y.33.76
Next hop: X.Y.33.76 via ae0.3105, selected
Session Id: 0x14c
State: <Hidden Ext>
Inactive reason: Unusable path
Local AS: 65010 Peer AS: 3128
Age: 5:00
Validation State: unverified
Task: BGP_3128.X.Y.33.76+62875
AS path: 3128 I
AS path: Recorded
Localpref: 100
Router ID: X.Y.32.1
Hidden reason: rejected by import policy