[Xorp-users] Problem with filtering BGP

Peter Maersk-Moller peter@maersk-moller.net
Tue, 04 Apr 2006 23:34:16 +0200


Hi Mike

I think I found the problem and a solution to the problem. Got
a little hint from a damn clever guy in Stockholm.

The main task of the router config was to establish BGP peerings with
external peers. However since I didn't want to announce networks learned
from each external peer to each other external peer, I needed a "reject"
in the export policy for ebgp peerings of all routes learned through (e)bgp.
However, as documented in 10.8 of the manual

   "An export filter [for BGP] is placed on the RIB branch too"

I read that as an export filter for (e)bgp peerings is also used
for installing routes into the RIB learned through (e)bgp peerings.
Since my bgp export policy needed to reject all routes learned
through (other) bgp peerings, no routes would be installed into the
RIB. An interesting thing though was that while xorp was starting up
and learned routes from bgp peers, these routes were actually
visible (through the unix route command) for a short while 1-5 seconds
and then removed by xorp again.

Now the solution as stated in 10.8 in the manual is to add a policy
to install the learned routes into the RIB. 10.8 suggests a policy like

	from installintorib {
		to {
			neighbor: 0.0.0.0
		}
		then {
			accept
		}
	}

However - that doesn't work. No routes get installed. I don't understand why.
After a series of trial and error I found that this solution works.

	from installintorib {
		to {
			neighbor: 127.0.0.1
		}
		then {
			accept
		}
	}

So, is the documentation wrong ? Or do I have a peculiar setup ?
Or do we have a hiccup in the source ? BTW, I'm using version xorp 1.2
on Linux 2.6.12.3 SMP.

Mike, if you want, I can still send you the suggested info. Just drop
me a line saying so.

Kind regards

Peter Maersk-Moller
PS, my policy is now

policy {
     network4-list tobeincluded {
         elements: "x.y.z.w/n, a.b.c.d/p"
     }
     policy-statement bgpconnected {
         term acceptown {
             from {
                 protocol: "connected"
                 network4-list: "tobeincluded"
             }
             then {
                 accept
             }
         }
         term torib {
             to {
                 neighbor: 127.0.0.1
             }
             then {
                 accept
             }
         }
         term rejectall {
             then {
                 reject
             }
         }
     }
}

I would recommend that an example similar to my policy is included
in the documentation since bgp peering with peers (without announcing
networks from other peers) is a common task for xorp.


Mike Horn wrote:
> Hi Peter,
> Can you send the output from "show bgp routes", "ifconfig", and "route -n".  In general policies should not stop prefixes that are in the BGP table from being installed in the routing table (the policies should restrict what goes into & out of the BGP table).  Prefixes from the BGP table not getting installed in the routing table is usually caused by an unreachable next-hop.
> If you send the requested information we should be able to determine what is not working.
> 
> -mike
> 
> ----- Original Message -----
> From: Peter Maersk-Moller <peter@maersk-moller.net>
> To: xorp-users@xorp.org
> Sent: Monday, April 3, 2006 7:33:40 PM GMT-0700
> Subject: [Xorp-users] Problem with filtering BGP
> 
> Hi
> 
> I'm trying to export a few networks to all my external BGP peers
> and import all their advertised routes. However all received
> routes on ebgp are not included into the internal (final) routing table.
> So obviously I'm doing something wrong, but what ?
> 
> Here is my policy.
> 
> The list "tobeincluded" are the networks to be announced to ebgp peers.
> I do receive a lot of announcements from peers, but none of them ends
> up in the final table and subsequently can't be seen by the unix
> command # route -n
> 
> What am I doing wrong ?
> 
> The term drop is used to make sure I don't advertise to ebgp peers
> any routes learned from other ebgp peers, but obviously my policy fails.
> 
> What should I do instead ?
> 
> Kind regards
> 
> --PMM
> 
> policy {
>      network4-list tobeincluded {
>          elements: "83.137.32.0/24,83.137.33.0/24"
>      }
>      policy-statement bgpconnected {
>          term acceptown {
>              from {
>                  protocol: "connected"
>                  network4-list: "tobeincluded"
>              }
>              then {
>                  accept
>              }
>          }
>          term drop {
>              from {
>                  protocol: "bgp"
>              }
>              then {
>                  reject
>              }
>          }
>      }
> }
> protocols {
>      bgp {
>          bgp-id: 192.38.7.16
>          local-as: 31397
> 
>          /* export: "static" */
>          export: "bgpconnected"
> .....
> 
> 


-- 
+----------------------------------------------------------+
| Cable TV over the Internet  --   http://www.streamtv.dk/ |
+----------------------------------------------------------+
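
Added example (not part of the original mail and not XORP code): a small Python model of first-match term evaluation, run over the two policies from this thread, showing why the reject term also empties the RIB branch and how the extra term restores RIB installation without exporting one peer's routes to another. It assumes, as the post reports for xorp 1.2, that the RIB branch matches neighbor 127.0.0.1; the peer addresses and the learned prefix are constructed.

```python
# Simplified model of first-match policy terms; not XORP code.
# Assumption taken from the post: the BGP export filter also runs on the
# branch feeding the RIB, and that branch matches neighbor 127.0.0.1.
RIB_BRANCH = "127.0.0.1"
ANNOUNCE = {"83.137.32.0/24", "83.137.33.0/24"}   # "tobeincluded" from the thread
PEERS = ["192.0.2.1", "192.0.2.2"]                # constructed eBGP peers
ROUTES = [                                        # constructed sample routes
    {"prefix": "83.137.32.0/24", "protocol": "connected"},
    {"prefix": "203.0.113.0/24", "protocol": "bgp"},
]

def term(action, protocol=None, networks=None, neighbor=None):
    return {"action": action, "protocol": protocol,
            "networks": networks, "neighbor": neighbor}

ORIGINAL = [term("accept", protocol="connected", networks=ANNOUNCE),  # acceptown
            term("reject", protocol="bgp")]                           # drop
FIXED = [term("accept", protocol="connected", networks=ANNOUNCE),     # acceptown
         term("accept", neighbor=RIB_BRANCH),                         # torib
         term("reject")]                                              # rejectall

def evaluate(policy, route, branch):
    """Action of the first term whose conditions all match, else 'no-match'."""
    for t in policy:
        if t["protocol"] and t["protocol"] != route["protocol"]:
            continue
        if t["networks"] is not None and route["prefix"] not in t["networks"]:
            continue
        if t["neighbor"] and t["neighbor"] != branch:
            continue
        return t["action"]
    return "no-match"

def audit(policy, routes=ROUTES, peers=PEERS):
    """Map (prefix, branch) -> action for each peer branch and the RIB branch."""
    return {(r["prefix"], b): evaluate(policy, r, b)
            for r in routes for b in peers + [RIB_BRANCH]}

def leaked_to_peers(result, peers=PEERS):
    """Prefixes outside ANNOUNCE that a peer branch would accept for export."""
    return sorted({p for (p, b), a in result.items()
                   if b in peers and a == "accept" and p not in ANNOUNCE})

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        res = audit(policy)
        print(name, "RIB:", res[("203.0.113.0/24", RIB_BRANCH)],
              "leaks:", leaked_to_peers(res))
```

Running the same audit against a candidate policy before loading it shows both failure modes at once: a learned route rejected on the RIB branch, or a learned route accepted on a peer branch.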