[Xorp-users] Problem with filtering BGP

Peter Maersk-Moller peter@maersk-moller.net
Wed, 05 Apr 2006 00:15:13 +0200


Hi Mike

Turned out I was too fast. The eBGP-learned routes are installed
(into the kernel), but removed shortly after. Here is the requested
data. Suggestions are very welcome. I can't figure out what is wrong.

My policy is

policy {
     network4-list tobeincluded {
         elements: "83.137.32.0/24,83.137.33.0/24"
     }
     policy-statement bgpconnected {
         term acceptown {
             from {
                 protocol: "connected"
                 network4-list: "tobeincluded"
             }
             then {
                 accept
             }
         }
         term torib {
                 to {
                         neighbor: 0.0.0.0..127.0.0.1
                 }
                 then {
                         accept
                 }
         }
         term rejectall {
                 then {
                         reject
                 }
         }
     }
}

--------------------------------------------------------------------
root@dix:/usr/local/depot/2.6.6-i686/xorp-1.2/etc# xorpsh
Welcome to XORP on dix
root@dix> show bgp routes
Status Codes: * valid route, > best route
Origin Codes: i IGP, e EGP, ? incomplete

    Prefix                Nexthop                    Peer            AS Path
    ------                -------                    ----            -------
*> 81.161.128.0/18       192.38.7.12                82.211.224.37   31661 i
*> 82.211.224.0/19       192.38.7.12                82.211.224.37   31661 i
*> 87.72.0.0/16          192.38.7.12                82.211.224.37   31661 i
*> 195.135.216.0/22      192.38.7.12                82.211.224.37   31661 i
*> 81.88.0.0/20          192.38.7.75                172.16.16.31   15782 i
*> 81.186.240.0/20       192.38.7.75                172.16.16.31   15782 i
*> 85.235.0.0/20         192.38.7.75                172.16.16.31   15782 34965 34965 i
*> 85.235.16.0/20        192.38.7.75                172.16.16.31   15782 i
*> 193.108.42.0/23       192.38.7.75                172.16.16.31   15782 20574 i
*> 193.235.206.0/24      192.38.7.75                172.16.16.31   15782 i
*> 194.126.249.0/24      192.38.7.75                172.16.16.31   15782 34936 i
*> 213.185.0.0/19        192.38.7.75                172.16.16.31   15782 i
*> 217.72.48.0/20        192.38.7.75                172.16.16.31   15782 i
*> 62.61.134.0/24        192.38.7.64                62.61.128.99   15516 i
*> 62.61.135.0/24        192.38.7.64                62.61.128.99   15516 i
*> 62.61.128.0/19        192.38.7.64                62.61.128.99   15516 i
*> 82.147.224.0/19       192.38.7.64                62.61.128.99   15516 i
*> 85.24.0.0/17          192.38.7.64                62.61.128.99   15516 i
*> 83.137.32.0/24        83.137.32.1                0.0.0.0         i
*> 83.137.33.0/24        83.137.33.146              0.0.0.0         i
*> 80.89.16.0/20         192.38.7.58                10.10.3.3      31027 i
*> 83.97.96.0/21         192.38.7.58                10.10.3.3      31027 31130 i
*> 83.136.88.0/21        192.38.7.58                10.10.3.3      31027 i
*> 83.151.128.0/18       192.38.7.58                10.10.3.3      31027 i
*> 85.27.128.0/20        192.38.7.58                10.10.3.3      31027 34705 i
*> 85.218.128.0/18       192.38.7.58                10.10.3.3      31027 i
*> 87.116.0.0/18         192.38.7.58                10.10.3.3      31027 35637 35589 i
*> 88.83.64.0/19         192.38.7.58                10.10.3.3      31027 35637 ?
*> 193.0.56.0/22         192.38.7.58                10.10.3.3      31027 25111 i
*> 193.0.60.0/24         192.38.7.58                10.10.3.3      31027 25111 i
*> 193.17.206.0/24       192.38.7.58                10.10.3.3      31027 ?
*> 193.27.2.0/24         192.38.7.58                10.10.3.3      31027 31130 i
*> 193.43.216.0/23       192.38.7.58                10.10.3.3      31027 35637 ?
*> 193.47.71.0/24        192.38.7.58                10.10.3.3      31027 ?
*> 193.47.191.0/24       192.38.7.58                10.10.3.3      31027 ?
*> 193.163.84.0/22       192.38.7.58                10.10.3.3      31027 i
*> 193.163.88.0/21       192.38.7.58                10.10.3.3      31027 i
*> 195.10.207.0/24       192.38.7.58                10.10.3.3      31027 ?
*> 195.14.14.0/24        192.38.7.58                10.10.3.3      31027 39026 i
*> 195.140.132.0/22      192.38.7.58                10.10.3.3      31027 34932 i
*> 217.195.176.0/20      192.38.7.58                10.10.3.3      31027 34932 i
root@dix>

root@dix:/usr/local/depot/2.6.6-i686/xorp-1.2/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:81:56:B2:A8
           inet addr:83.137.33.146  Bcast:83.137.33.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:682479403 errors:4 dropped:0 overruns:0 frame:2
           TX packets:3870319 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:4173392875 (3980.0 Mb)  TX bytes:827260665 (788.9 Mb)
           Base address:0xa000 Memory:f4020000-f4040000

eth0:1    Link encap:Ethernet  HWaddr 00:E0:81:56:B2:A8
           inet addr:10.0.0.3  Bcast:10.0.0.7  Mask:255.255.255.248
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           Base address:0xa000 Memory:f4020000-f4040000

eth1      Link encap:Ethernet  HWaddr 00:03:47:07:E0:AD
           inet addr:192.38.7.16  Bcast:192.38.7.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:13214027 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1147594 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1664918278 (1587.7 Mb)  TX bytes:845140487 (805.9 Mb)
           Memory:f5000000-f5020000

eth2      Link encap:Ethernet  HWaddr 00:E0:81:56:B2:A9
           inet addr:83.137.32.1  Bcast:83.137.32.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:123458390 errors:2 dropped:0 overruns:0 frame:1
           TX packets:206576783 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1575500647 (1502.5 Mb)  TX bytes:2693271218 (2568.5 Mb)
           Base address:0xb400 Memory:f2020000-f2040000

lo        Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           UP LOOPBACK RUNNING  MTU:16436  Metric:1
           RX packets:91393729 errors:0 dropped:0 overruns:0 frame:0
           TX packets:91393729 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:3020260663 (2880.3 Mb)  TX bytes:3020260663 (2880.3 Mb)

pimreg    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           UP RUNNING NOARP  MTU:1472  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

root@dix:/usr/local/depot/2.6.6-i686/xorp-1.2/etc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.226.1.23    83.137.32.2     255.255.255.255 UGH   0      0        0 eth2
130.226.1.22    83.137.32.2     255.255.255.255 UGH   0      0        0 eth2
239.255.0.22    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
239.255.0.13    0.0.0.0         255.255.255.255 UH    0      0        0 eth2
130.226.1.22    83.137.33.4     255.255.255.254 UG    1      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.248 U     0      0        0 eth0
130.226.208.128 83.137.33.2     255.255.255.128 UG    1      0        0 eth0
83.137.33.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
83.137.32.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.38.7.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         83.137.33.2     0.0.0.0         UG    50     0        0 eth0

root@dix> show route table ipv4 unicast final
0.0.0.0/0       [static(1)/50]
                 > to 83.137.33.2 via eth0/eth0
83.137.32.0/24  [connected(0)/0]
                 > via eth2/eth2
83.137.33.0/24  [connected(0)/0]
                 > via eth0/eth0
192.38.7.0/24   [connected(0)/0]
                 > via eth1/eth1
130.226.208.128/25      [static(1)/1]
                 > to 83.137.33.2 via eth0/eth0
130.226.1.22/31 [static(1)/1]
                 > to 83.137.33.4 via eth0/eth0
127.0.0.1/32    [connected(0)/0]
                 > via discard0/discard0
root@dix>

root@dix> show route table ipv4 unicast ebgp
root@dix>

NOTE THIS IS EMPTY <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


Peter Maersk-Moller wrote:
> Hi Mike
> 
> I think I found the problem and a solution to the problem. Got
> a little hint from a damn clever guy in Stockholm.
> 
> The main task of the router config was to establish BGP peerings with
> external peers. However, since I didn't want to announce networks learned
> from each external peer to each other external peer, I needed a "reject"
> in the export policy for ebgp peerings of all routes learned through 
> (e)bgp.
> However, as documented in 10.8 of the manual
> 
>   "An export filter [for BGP] is placed on the RIB branch too"
> 
> I read that as an export filter for (e)bgp peerings is also used
> for installing routes into the RIB learned through (e)bgp peerings.
> Since my bgp export policy needed to reject all routes learned
> through (other) bgp peerings, no routes would be installed into the
> RIB. An interesting thing though was that while xorp was starting up
> and learned routes from bgp peers, these routes were actually
> visible (through the unix route command) for a short while, 1-5 seconds,
> and then removed by xorp again.
> 
> Now the solution as stated in 10.8 in the manual is to add a policy
> to install the learned routes into the RIB. 10.8 suggests a policy like
> 
>     term installintorib {
>         to {
>             neighbor: 0.0.0.0
>         }
>         then {
>             accept
>         }
>     }
> 
> However - that doesn't work. No routes get installed. I don't
> understand why.
> After a series of trial and error I found that this solution works.
> 
>     term installintorib {
>         to {
>             neighbor: 127.0.0.1
>         }
>         then {
>             accept
>         }
>     }
> 
> So, is the documentation wrong ? Or do I have a peculiar setup ?
> Or do we have a hiccup in the source ? BTW, I'm using version xorp 1.2
> on Linux 2.6.12.3 SMP.
> 
> Mike, if you want, I can still send you the suggested info. Just drop
> me a line saying so.
> 
> Kind regards
> 
> Peter Maersk-Moller
> PS, my policy is now
> 
> policy {
>     network4-list tobeincluded {
>         elements: "x.y.z.w/n, a.b.c.d/p"
>     }
>     policy-statement bgpconnected {
>         term acceptown {
>             from {
>                 protocol: "connected"
>                 network4-list: "tobeincluded"
>             }
>             then {
>                 accept
>             }
>         }
>         term torib {
>                 to {
>                         neighbor: 127.0.0.1
>                 }
>                 then {
>                         accept
>                 }
>         }
>         term rejectall {
>                 then {
>                         reject
>                 }
>         }
>     }
> }
> 
> I would recommend that an example similar to my policy is included
> in the documentation since bgp peering with peers (without announcing
> networks from other peers) is a common task for xorp.


-- 
+----------------------------------------------------------+
| Kabel-TV over Internettet   --   http://www.streamtv.dk/ |
+----------------------------------------------------------+
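The check Peter does by hand above (compare what `show bgp routes` holds
against what `route -n` actually has in the kernel) is easy to script, and
it is the first thing to run when BGP-learned routes seem to flap in and
out of the FIB. The Python below is an added example, not part of this mail
and not XORP code; the function names are my own, and the two input
strings are excerpts of the listings above, re-typed here as constructed
sample input so the script runs offline. It matches on the exact prefix on
purpose: a covering default route does not mean the BGP route was
installed, which is exactly the situation in the mail (every eBGP prefix
missing, the two locally originated ones present).

```python
import ipaddress
import re

# Excerpt of the `show bgp routes` listing in the mail above (constructed
# subset: a few eBGP rows from each peer plus the two locally originated ones).
SHOW_BGP_ROUTES = """\
Status Codes: * valid route, > best route
Origin Codes: i IGP, e EGP, ? incomplete

    Prefix                Nexthop                    Peer            AS Path
    ------                -------                    ----            -------
*> 81.161.128.0/18       192.38.7.12                82.211.224.37   31661 i
*> 81.88.0.0/20          192.38.7.75                172.16.16.31   15782 i
*> 85.235.0.0/20         192.38.7.75                172.16.16.31   15782 34965 34965 i
*> 62.61.128.0/19        192.38.7.64                62.61.128.99   15516 i
*> 83.137.32.0/24        83.137.32.1                0.0.0.0         i
*> 83.137.33.0/24        83.137.33.146              0.0.0.0         i
*> 88.83.64.0/19         192.38.7.58                10.10.3.3      31027 35637 ?
"""

# Excerpt of the `route -n` listing from the same mail (constructed subset).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
130.226.1.23    83.137.32.2     255.255.255.255 UGH   0      0        0 eth2
239.255.0.22    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
130.226.1.22    83.137.33.4     255.255.255.254 UG    1      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.248 U     0      0        0 eth0
130.226.208.128 83.137.33.2     255.255.255.128 UG    1      0        0 eth0
83.137.33.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
83.137.32.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.38.7.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         83.137.33.2     0.0.0.0         UG    50     0        0 eth0
"""

# A best route in xorpsh output starts with "*>", then prefix, nexthop, peer
# and the AS path (which may consist of the origin code alone).
BGP_BEST_ROW = re.compile(r"^\*>\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_bgp_best(text):
    """Return {prefix: peer} for every best ('*>') route in `show bgp routes`."""
    best = {}
    for line in text.splitlines():
        m = BGP_BEST_ROW.match(line)
        if m:
            prefix, _nexthop, peer, _as_path = m.groups()
            # strict=False so an odd prefix in real output is reported, not fatal.
            best[ipaddress.ip_network(prefix, strict=False)] = peer
    return best


def parse_kernel_routes(text):
    """Return the set of prefixes present in `route -n` output."""
    routes = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the two header lines; data rows start with a dotted quad.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, genmask = fields[0], fields[2]
        # route -n prints a dotted netmask; ip_network accepts "addr/netmask".
        routes.add(ipaddress.ip_network(f"{dest}/{genmask}", strict=False))
    return routes


def classify(bgp_best, kernel_routes):
    """Split BGP best routes into those with an exact-prefix kernel route and
    those without. Exact match is deliberate: a covering default route does
    not mean the BGP route was installed."""
    installed = {p: peer for p, peer in bgp_best.items() if p in kernel_routes}
    missing = {p: peer for p, peer in bgp_best.items() if p not in kernel_routes}
    return installed, missing


def missing_by_peer(missing):
    """Group missing prefixes by the peer they were learned from, so a
    wholesale loss (every eBGP peer, none of the local routes) stands out."""
    by_peer = {}
    for prefix, peer in missing.items():
        by_peer.setdefault(peer, []).append(str(prefix))
    return by_peer


if __name__ == "__main__":
    installed, missing = classify(parse_bgp_best(SHOW_BGP_ROUTES),
                                  parse_kernel_routes(ROUTE_N))
    print("installed in kernel:", sorted(map(str, installed)))
    for peer, prefixes in missing_by_peer(missing).items():
        print(f"missing, learned from {peer}: {prefixes}")
```

Against the excerpt the script reports only 83.137.32.0/24 and
83.137.33.0/24 as installed and every prefix learned from an external peer
as missing, grouped per peer, which is the same picture as the empty `show
route table ipv4 unicast ebgp` above. To use it on a live box, replace the
two strings with the saved output of the same two commands; if you run it a
few seconds apart during startup it will also catch the short window in
which the routes appear and then vanish.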