Routing

  • 1.  FBF Based on BGP community

    Posted 03-05-2013 07:04

    I understand that this can be done but not quite sure on the specifics.

     

    I have the following scenario:

     

    I have a BGP feed that sends me routes that get tagged with community X:X.

    On another interface I want to do the following filtering:

      if traffic has a src/dst = a BGP route with community X:X then discard

      else pass.

     

    I understand that this can be done with FBF, this is in the master instance with no VRFs.

     

    I have seen the thread a bit further down and thus have the following:

     

    set routing-options forwarding-table export TESTING-MARKER
    
    
    set policy-options community TESTING-COMM members 1234:1234
    
    
    set policy-options policy-statement TESTING-MARKER term one from community TESTING-COMM
    set policy-options policy-statement TESTING-MARKER term one then source-class TESTING
    
    
    set firewall family inet filter Inbound-Filter term unwanted-TESTING from source-class TESTING
    set firewall family inet filter Inbound-Filter term unwanted-TESTING then discard
    
    
    set forwarding-options family inet filter input Inbound-Filter
    
    

    Questions regarding this:

    Do I need an accept clause on the forwarding table filter ( will it default deny )?

    By applying this to the forwarding table I no longer have to worry about on which interface the packets come from?

     

    many thanks




  • 2.  RE: FBF Based on BGP community
    Best Answer

    Posted 03-05-2013 09:11

    Q> Do I need an accept clause on the forwarding table filter ( will it default deny )?

    A> Correct

     

    Q> By applying this to the forwarding table I no longer have to worry about on which interface the packets come from?

    A> Correct
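
An added example, not part of any post in this thread: a small Python check over the `set` commands from the first post that flags a filter with no accepting term (so everything falls through to the implicit discard) and any `source-class`/`destination-class` match whose class is never assigned by a policy exported to the forwarding table. The function name `lint`, the finding labels and the `else-accept` term name are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed input: the "set" commands from the first post, unchanged.
POSTED = """\
set routing-options forwarding-table export TESTING-MARKER
set policy-options community TESTING-COMM members 1234:1234
set policy-options policy-statement TESTING-MARKER term one from community TESTING-COMM
set policy-options policy-statement TESTING-MARKER term one then source-class TESTING
set firewall family inet filter Inbound-Filter term unwanted-TESTING from source-class TESTING
set firewall family inet filter Inbound-Filter term unwanted-TESTING then discard
set forwarding-options family inet filter input Inbound-Filter
"""
# Same config plus an explicit accept term ("else-accept" is a hypothetical name).
FIXED = POSTED + "set firewall family inet filter Inbound-Filter term else-accept then accept\n"

TERM = re.compile(r"set firewall family inet filter (\S+) term (\S+) (from|then) (.+)")
CLASS = re.compile(r"set policy-options policy-statement (\S+) term \S+ "
                   r"then (?:source|destination)-class (\S+)")
EXPORT = re.compile(r"set routing-options forwarding-table export (\S+)")
DROP = ("discard", "reject")

def lint(config):
    """Return sorted (finding, filter, detail) tuples; finding labels are made up here."""
    filters = defaultdict(dict)  # filter -> term -> {"from": [...], "then": [...]}
    assigned = defaultdict(set)  # policy -> class names it assigns
    exported = set()             # policies exported to the forwarding table
    for line in map(str.strip, config.splitlines()):
        if m := TERM.fullmatch(line):
            flt, term, kind, rest = m.groups()
            filters[flt].setdefault(term, {"from": [], "then": []})[kind].append(rest)
        elif m := CLASS.fullmatch(line):
            assigned[m[1]].add(m[2])
        elif m := EXPORT.fullmatch(line):
            exported.add(m[1])
    live = set().union(*(assigned[p] for p in exported))
    findings = []
    for flt, terms in filters.items():
        # A term drops if one of its actions is discard/reject. Any other term is
        # treated as accepting (Junos default); "next term" is not modelled.
        if all(any(a.split()[0] in DROP for a in t["then"]) for t in terms.values()):
            findings.append(("drops-all", flt, "no accepting term before the implicit discard"))
        for t in terms.values():
            for cond in t["from"]:
                kind, _, name = cond.partition(" ")
                if kind in ("source-class", "destination-class") and name not in live:
                    findings.append(("class-unset", flt, name))
    return sorted(findings)
```

Running `lint(POSTED)` reports the filter as dropping everything, while `lint(FIXED)` returns no findings.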



  • 3.  RE: FBF Based on BGP community

    Posted 03-08-2013 15:43

    FBF is used for a more specific purpose of forwarding traffic to a destination if a condition is met.

    I think a simpler way is to create a routing policy with match conditions from protocol bgp and community <community> then reject

    term else-accept

    then accept.

    Apply this as an import policy on the interface that the BGP routes are coming in on and prevent them from even being installed in the RIB-local in the first place, like this:

    [edit policy-options]
    admin@router-1# show
    policy-statement bgp-com-reject {
        term rej-com {
            from {
                protocol bgp;
                community rej-comm;
            }
            then reject;
        }
        term else-accept {
            then accept;
        }
    }
    community rej-comm members 1234:1234;

     


    [edit protocols bgp group External]
    admin@router-1# show
    type external;
    local-address 172.20.16.2;
    peer-as 46;
    neighbor 172.20.16.1 {
        import bgp-com-reject;
    }

     

    I don't have a way of testing, but it maybe should work.



  • 4.  RE: FBF Based on BGP community

    Posted 03-12-2013 01:36

    Thanks for the feedback, but that wasn't what I was looking for:

     

    The idea is to make a firewall filter to work on transit traffic based on attributes of BGP routing updates.

     

    Apparently on IOS you can achieve this with uRPF, but I have had mixed experiences with uRPF....

     

    So this works nicely.