[j-nsp] Strange behavior of BGP policy
Hello,

On MX80-48T with JunOS 10.2R1.8 I have a BGP session with downstream configured as follows:

    minot...@br1-gdr.ki# show routing-instances World protocols bgp group Downstreams neighbor 178.214.196.6
    description MHost: World;
    import [ Local-Pref-400 from-MHost Deny-Rest ];
    export to-MHost;
    peer-as 21098;

Filtering of outgoing prefixes is performed via to-MHost policy:

    minot...@br1-gdr.ki# show policy-options policy-statement to-MHost
    term Default {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then reject;
    }
    term Itself {
        from {
            protocol static;
            route-filter 178.214.192.0/19 exact;
        }
        then accept;
    }
    then accept;

As you can see, only route 178.214.192.0/19 from static routes should be redistributed into BGP, but I see other routes (direct, static, OSPF) also being redistributed:

    minot...@br1-gdr.ki# run show route 178.214.192.0/19 advertising-protocol bgp 178.214.196.6

    World.inet.0: 337026 destinations, 668447 routes (60 active, 10 holddown, 3675 hidden)
      Prefix                  Nexthop              MED     Lclpref    AS path
    * 178.214.192.0/19        Self                                    I
    * 178.214.192.0/27        Self                 2                  I
    * 178.214.192.64/32       Self                                    I
    * 178.214.192.65/32       Self                 2                  I
    * 178.214.192.68/32       Self                 2                  I
    * 178.214.192.69/32       Self                                    I
    * 178.214.192.96/28       Self                                    I
    * 178.214.192.128/29      Self                                    I
    * 178.214.192.136/30      Self                                    I
    * 178.214.192.140/30      Self                 2                  I
    * 178.214.192.144/30      Self                                    I
    * 178.214.193.0/30        Self                 2                  I
    * 178.214.193.4/30        Self                 2                  I
    * 178.214.194.0/30        Self                 2                  I
    * 178.214.194.4/30        Self                 2                  I
    * 178.214.195.0/24        Self                 2                  I
    * 178.214.196.4/30        Self                                    I

Why does the policy accept other direct/static/OSPF routes?

Thanks.

--
MINO-RIPE
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Strange behavior of BGP policy
My punt would be to get rid of the last accept statement. Without it your processing should fall through to the default BGP export policy. At the moment I guess you are accepting everything.

Best Regards
William Jackson
Technical Department
Sapphire Networks
Re: [j-nsp] Strange behavior of BGP policy
Hi Alexander,

When using this policy you are doing the following:

- Reject sending default route
- Sending prefix 178.214.192.0/19
- Accepting all other advertisements by BGP its default behaviour.

I think this would be fine:

    show policy-options policy-statement to-MHost
    term Itself {
        from {
            protocol static;
            route-filter 178.214.192.0/19 exact;
        }
        then next policy;
    }
    term reject {
        then reject;
    }

Regards,
Tim

    policy-options policy-statement to-MHost
    term Itself {
        from {
            protocol static;
            route-filter 178.214.192.0/19 exact;
        }
        then accept;
        then next policy;
    }
    term reject {
        then reject;
    }
Re: [j-nsp] Strange behavior of BGP policy
Hi Alexander,

* Alexander Shikoff

> Filtering of outgoing prefixes is performed via to-MHost policy:
>
> minot...@br1-gdr.ki# show policy-options policy-statement to-MHost
> term Default {
>     from {
>         route-filter 0.0.0.0/0 exact;
>     }
>     then reject;
> }
> term Itself {
>     from {
>         protocol static;
>         route-filter 178.214.192.0/19 exact;
>     }
>     then accept;
> }
> then accept;

- this makes the policy-statement accept all prefixes. (except for 0.0.0.0/0)

> As you can see, only route 178.214.192.0/19 from static routes should be
> redistributed into BGP, but I see other routes (direct, static, OSPF)
> also being redistributed:
> [...]
> Why does the policy accept other direct/static/OSPF routes?

Remove the out-of-term «then accept» and I think it'll behave the way you want, provided that the «Deny-Rest» statement does what its name suggests.

Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
Re: [j-nsp] Strange behavior of BGP policy
On Tue, Nov 09, 2010 at 12:18:37PM +0200, Alexander Shikoff wrote:

> Filtering of outgoing prefixes is performed via to-MHost policy:
>
> minot...@br1-gdr.ki# show policy-options policy-statement to-MHost
> term Default {
>     from {
>         route-filter 0.0.0.0/0 exact;
>     }
>     then reject;
> }
> term Itself {
>     from {
>         protocol static;
>         route-filter 178.214.192.0/19 exact;
>     }
>     then accept;
> }
> then accept;
>
> As you can see, only route 178.214.192.0/19 from static routes should be
> redistributed into BGP, but I see other routes (direct, static, OSPF)
> also being redistributed:

Because other direct/static/ospf routes match final 'then accept' statement. You may either just change 'then accept' to 'then reject', or, if you need to provide full-view to your customer, rewrite final term as

    term transit {
        from protocol bgp;
        then accept;
    }
    then reject;

--
In theory, there is no difference between theory and practice.
But, in practice, there is.
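Added example, not part of any message in this thread: a small Python model of first-match policy evaluation that compares the original to-MHost export policy with the variants proposed in the replies. The route list is constructed, all routes are assumed active, only accept/reject actions are modelled, and the fallback models the default BGP export policy (advertise BGP-learned routes only).

```python
import ipaddress

# Constructed sample routes (prefix, protocol), modelled on the thread's output.
ROUTES = [
    ("0.0.0.0/0", "bgp"),
    ("178.214.192.0/19", "static"),
    ("178.214.192.0/27", "ospf"),
    ("178.214.196.4/30", "direct"),
    ("192.0.2.0/24", "bgp"),  # stands in for a transit route learned via BGP
]

def term(action, protocol=None, exact=None):
    """One policy term; a missing match condition matches every route."""
    return {"action": action, "protocol": protocol,
            "exact": ipaddress.ip_network(exact) if exact else None}

def matches(t, prefix, protocol):
    if t["protocol"] and t["protocol"] != protocol:
        return False
    if t["exact"] and t["exact"] != ipaddress.ip_network(prefix):
        return False
    return True

def evaluate(policy, prefix, protocol):
    """First matching term decides; otherwise the default BGP export policy."""
    for t in policy:
        if matches(t, prefix, protocol):
            return t["action"]
    return "accept" if protocol == "bgp" else "reject"

def advertised(policy):
    return [p for p, proto in ROUTES if evaluate(policy, p, proto) == "accept"]

# Terms "Default" and "Itself", shared by every variant.
HEAD = [term("reject", exact="0.0.0.0/0"),
        term("accept", protocol="static", exact="178.214.192.0/19")]
ORIGINAL = HEAD + [term("accept")]       # trailing unnamed "then accept"
FINAL_REJECT = HEAD + [term("reject")]   # trailing action changed to reject
TRANSIT = HEAD + [term("accept", protocol="bgp"), term("reject")]
NO_FINAL = HEAD                          # trailing action removed entirely

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL), ("final reject", FINAL_REJECT),
                      ("transit term", TRANSIT), ("no final action", NO_FINAL)]:
        print(f"{name:16} -> {advertised(pol)}")
```

In this model, removing the trailing action and adding an explicit `transit` term advertise the same set, because the fallback already passes BGP-learned routes and nothing else.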
Re: [j-nsp] Strange behavior of BGP policy
I guess you want a reject instead of the last accept,

rgds,
Christian
Re: [j-nsp] Strange behavior of BGP policy
you have then accept on the of policy to-MHost so all other routes will be accepted ( the reject will announce only 178.214.192.0/19 from static )

Tomas
Re: [j-nsp] Strange behavior of BGP policy
Thanks a lot to all who replied!

--
MINO-RIPE