[Xorp-hackers] Issue in implementing PER PEER BGP POLICY. kindly help asap.

Santhosh Sundararaman santhosh at ku.edu
Fri Nov 24 02:01:59 PST 2006


Hi,
I proceeded to do the following tests which have left me more confused.

I removed the PolicyTableFilterOut from the pipeline of every peer, 
except RIB (by changing the plumbing's add_peering method). Now when I 
used the filter config mentioned earlier (with neighbor set to 
172.16.10.3) to set up the PolicyTableFilterOut of RIB, no filtering 
occurred. But when I inserted the PolicyFilterTableOut for every peer 
back (even now only the policytable of RIB is set with the config, 
policytables of other peers have no configuration: allowing all routes) 
the routes going to 172.16.10.3 are being blocked although this config 
is only in RIB's pipeline.

So from this it looks to me that the config works only when the RIB's 
policytable has been configured with it, and at the same time when 
the policytables of other peers are present in the plumbing (just their 
presence in the plumbing seems to be necessary, whether they have been 
configured with some filter configuration or they are empty does not 
seem to make a difference as long as they are in the plumbing). Is there 
some interaction between the PolicyTableFilterOuts of all pipelines with 
the RIB pipeline's PolicyTableFilterOut?

These results have left me totally confused. Is this a problem or is it 
just the way xorp is supposed to work and I have misunderstood the 
export policy implementation? I presumed that the PolicyTableFilterOut 
of individual pipelines work independently of the RIB pipeline's 
PolicyTableFilterOut or for that matter independently of the entire RIB 
pipeline or the local RIB, isn't that so?

Someone kindly bail me out of this situation.

Thanks,
Santhosh

Santhosh Sundararaman wrote:

>Hi,
>I have been trying to implement Per Peer Policy for BGP in xorp by 
>modifying the template file and doing changes in the background (Policy, 
>BGP) as Atanu had suggested in the bugzilla thread. I was able to get 
>the mechanism to work for IMPORT policies in BGP. But I'm having problems 
>with export policies (for now I'm trying to apply simple export policies 
>without any redistribution). After poking around a bit I figured out 
>where the problem was, but am not able to understand why the BGP export 
>policy tables are behaving the way they are.
>
>Here is what I did. In the bgp.hh file I found that the filters were 
>maintained in the object _policy_filters (of type VersionFilters). And 
>this object is being used as the filter for all the PolicyTableFilterOut 
>(export) tables in the plumbing. After trying several things, I created 
>another object _peer_filters (of type VersionFilters) and now I used 
>this object as the filter for the PolicyTableFilterOut tables of all the 
>pipelines in the plumbing EXCEPT for the RIB's pipeline. The RIB's 
>pipeline still uses _policy_filters in its PolicyTableFilterOut.
>
>Now irrespective of the filter configuration (in config.boot) the 
>filters seem to be working only when they are applied in the 
>PolicyTableFilterOut of the RIB's pipeline and policies configured on 
>the PolicyTableFilterOut of all other pipelines do not have any effect 
>at all.
>
>Here is an example I tried.
>
>    network4-list "PrefixesFrom105" {
>        elements: "192.168.41.0/24,192.168.42.0/24,192.168.43.0/24"
>    }
>    policy-statement "BlockRoutesFrom105" {
>        term "RoutesFrom105Blocked" {
>            to {
>                    neighbor: 172.16.10.3
>                    network4-list: "PrefixesFrom105"
>            }
>            then {
>                    trace: 1
>                    reject
>            }
>        }
>    }
>
>Here are my test cases and results:
>
>Case 1:
>When this configuration is used to configure _peer_filters (I changed 
>the BGPMain::configure_filter method to configure _peer_filters instead 
>of _policy_filters and I left _policy_filters unconfigured thereby using 
>an empty filter on RIB's export filter table), the filter had no effect 
>despite the fact that 172.16.10.3 is the router id of one of the 
>established peers.
>
>Case 2:
>Now I swapped configurations. I applied the above configuration for 
>_policy_filters (effectively applying them to the RIB's export pipeline 
>alone) and left _peer_filters empty (the export filter tables in all 
>other pipelines except RIB will have no configuration and should let all 
>routes through). This is where I noticed unexpected results. I expected 
>this filter to have no effect on routes going to 172.16.10.3, as even 
>though the filter config blocks routes to 172.16.10.3 it is applied only 
>in the export pipeline of RIB and not on others, the other export 
>pipelines had empty filters.
>But now the routes in the list were blocked from going to 
>172.16.10.3 but other peer and local RIB received the routes, despite 
>the fact that the filter config was applied only to the RIB's export 
>pipeline.
>
>Case 3:
>Finally I removed the neighbor parameter from the config, letting it 
>take default value. Now, when the config was applied to RIB's pipeline 
>alone and not to others, the routes were blocked from all the peers and 
>from the local RIB. When I swapped the config (with no neighbor set) by 
>applying it to all the export pipelines except RIB's and leaving RIB's 
>export policy config empty, the config had no effect and the routes were 
>getting passed to all the peers and the RIB.
>
>From this it appears to me that RIB pipeline's PolicyTableFilterOut 
>seems to be doing the bulk of export filtering (even for other 
>pipelines) and the PolicyTableFilterOut in all other pipelines have no 
>effect on export filtering at all. Have I overlooked something, or have 
>I completely misunderstood Policy implementation in BGP? Kindly help me 
>understand why I'm experiencing this behavior, is it supposed to work 
>this way: is the RIB's PolicyTableFilterOut supposed to filter routes 
>for all the peers' pipelines? Kindly help me out!
>
>Expecting a response asap.
>
>Thanks,
>Santhosh
>