❦ 17 February 2016 21:07 GMT, Alexander Arseniev <arsen...@btinternet.com>:

> True, one cannot match on "next-hop" in "condition", only on exact
> prefix+table name.
> But this can be done using "route isolation" approach.
> So, the overall approach is:
> 1/ create a separate table and leak a 0/0 route there matching on 0/0
> exact + next-hop ("isolate the interested route"). Use
> "instance-import" + policy.
> 2/ create condition
>
> policy-options {
>     condition default-to-upstream {
>         if-route-exists {
>             0.0.0.0/0;
>             table isolate-0/0.inet.0;
>         }
>     }
>
> 3/ use condition to match & reject the specifics:
>
> policy-options {
>     policy-statement reject-same-nh-as-0/0 {
>         term 1 {
>             from {
>                 protocol bgp;
>                 route-filter 0/0 longer;
>                 condition default-to-upstream;
>                 next-hop 198.18.1.1;
>             }
>             then reject;
>         }
>         term 2 {
>             from {
>                 protocol bgp;
>                 route-filter 0/0 longer;
>                 next-hop 198.18.1.1;
>             }
>             then accept;
>         }

Just out of curiosity, I tried your approach and it almost works. However,
for some reason, the condition can match when there is no route in the
associated table. I didn't do exactly as you proposed, so maybe I am
doing something wrong. I am not really interested in getting to the
bottom of this matter. I am just posting my current configuration in case
somebody is interested:

https://github.com/vincentbernat/network-lab/blob/d984d6c5f847b96a131b240d91346b46bfaecac9/lab-vmx-fullview/vMX1.conf#L106-L115

If I enable term 4, it catches all routes whose next-hop is 192.0.2.129
despite the condition being false.

In the RIB, I have many routes whose next-hop is 192.0.2.129:

root@vMX1# run show route next-hop 192.0.2.129

inet.0: 1110 destinations, 1869 routes (1110 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0           [BGP/140] 00:38:12, MED 10, localpref 100
                      AS path: 65002 ?, validation-state: unverified
                    > to 192.0.2.129 via ge-0/0/1.0
                    [OSPF/150] 00:37:31, metric 10, tag 0
                    > to 192.0.2.129 via ge-0/0/1.0
1.0.240.0/20       *[BGP/140] 00:38:12, MED 10, localpref 100
                      AS path: 65002 3257 3356 4651 9737 23969 I, validation-state: unverified
                    > to 192.0.2.129 via ge-0/0/1.0
1.1.1.0/24         *[BGP/140] 00:38:12, MED 10, localpref 100
                      AS path: 65002 8758 15576 6772 13030 226 I, validation-state: unverified
                    > to 192.0.2.129 via ge-0/0/1.0
[...]

But none of them make it to the FIB:

root@vMX1# run show route forwarding-table matching 1.1.1.0/24
Routing table: default.inet
Internet:

Routing table: __master.anon__.inet
Internet:

The peer.inet.0 table is empty:

root@vMX1# run show route summary
Autonomous system number: 64512
Router ID: 192.0.2.128

inet.0: 1110 destinations, 1869 routes (1110 active, 0 holddown, 0 hidden)
              Direct:      3 routes,      3 active
               Local:      3 routes,      3 active
                OSPF:      2 routes,      1 active
                 BGP:   1861 routes,   1103 active

upstream.inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
                 BGP:      1 routes,      1 active

Adding a static route to peer.inet.0 doesn't help (I added a discard
route). Switching the default to the peer doesn't change anything (term
3 also matches anything). Tested on vMX 14.1R1. Maybe a bug in
if-route-exists?
-- 
Use the fundamental control flow constructs.
            - The Elements of Programming Style (Kernighan & Plauger)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp