Hi!
So, I tried this using an EBGP connection.
Here are the configs:
skhan@vMX5> show configuration policy-options | display set
set policy-options policy-statement BGP-DEFAULT-ROUTE-EXPORT from family inet6
set policy-options policy-statement BGP-DEFAULT-ROUTE-EXPORT from route-filter ::/0 exact
set policy-options policy-statement BGP-DEFAULT-ROUTE-EXPORT then accept
skhan@vMX5> show configuration interfaces ge-0/0/0 | display set
set interfaces ge-0/0/0 unit 0 family inet address 10.100.56.1/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::1/64
skhan@vMX5> show configuration protocols bgp | display set
set protocols bgp group AS-64513 family inet6 unicast
set protocols bgp group AS-64513 peer-as 64513
set protocols bgp group AS-64513 neighbor 10.100.56.2 family inet unicast
set protocols bgp group AS-64513 neighbor 2001:db8::2 family inet6 unicast
set protocols bgp group AS-64513 neighbor 2001:db8::2 export BGP-DEFAULT-ROUTE-EXPORT
skhan@vMX6> show configuration protocols bgp | display set
set protocols bgp group AS-64513 peer-as 64512
set protocols bgp group AS-64513 neighbor 10.100.56.1 family inet unicast
set protocols bgp group AS-64513 neighbor 2001:db8::1 import test1
set protocols bgp group AS-64513 neighbor 2001:db8::1 import test2
set protocols bgp group AS-64513 neighbor 2001:db8::1 family inet6 unicast
skhan@vMX6> show configuration policy-options | display set
set policy-options policy-statement default term deny from family inet6
set policy-options policy-statement default term deny from route-filter ::/0 exact
set policy-options policy-statement default term deny then accept
set policy-options policy-statement default then reject
set policy-options policy-statement test1 term deny from policy default
set policy-options policy-statement test1 term deny then reject
set policy-options policy-statement test2 term allow from family inet6
set policy-options policy-statement test2 term allow then accept
set policy-options policy-statement test2 then reject
skhan@vMX6> show configuration interfaces ge-0/0/0 | display set
set interfaces ge-0/0/0 unit 0 family inet address 10.100.56.2/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::2/64
Just to double check, here are your policies in hierarchical format.
skhan@vMX6> show configuration policy-options
policy-statement default {
    term deny {
        from {
            family inet6;
            route-filter ::/0 exact;
        }
        then accept;
    }
    then reject;
}
policy-statement test1 {
    term deny {
        from policy default;
        then reject;
    }
}
policy-statement test2 {
    term allow {
        from family inet6;
        then accept;
    }
    then reject;
}
RESULTS
skhan@vMX5> show route advertising-protocol bgp 2001:db8::2
inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* ::/0 Self I
skhan@vMX6> show route receive-protocol bgp 2001:db8::1 hidden detail
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
inet6.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
::/0 (1 entry, 0 announced)
Nexthop: 2001:db8::1
AS path: 64512 I
Hidden reason: Rejected by import policy
Your policies are working, at least in JUNOS 21.1R3.11.
------------------------------
SHAHBAZ KHAN
------------------------------
Original Message:
Sent: 12-17-2022 02:46
From: Dan Graham
Subject: BGP nested policy failing
Any thoughts on why ::/0 is accepted in this example?
group xx {
    ...
    import [ test1 test2 ];
    ...
}
policy-statement test1 {
    term deny {
        from policy [ default ];
        then reject;
    }
}
policy-statement default {
    term deny {
        from {
            family inet6;
            route-filter ::/0 exact;
        }
        then accept;
    }
    then reject;
}
policy-statement test2 {
    term allow {
        from {
            family inet6;
        }
        then accept;
    }
    then reject;
}
------------------------------
Dan Graham
------------------------------
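
The import chain [ test1 test2 ] from this thread, walked through in a small Python model to show which policy decides the fate of ::/0. This is an added example, not code from either poster or from Junos; it models only family, route-filter exact and "from policy" matching. It assumes the BGP import default is accept, and the function names and test prefixes are constructed for illustration.

```python
import ipaddress

# Policies from the thread, as (match-conditions, action) terms. An empty
# condition dict is the unnamed final "then reject" term, which matches all.
POLICIES = {
    "default": [({"family": "inet6", "exact": "::/0"}, "accept"), ({}, "reject")],
    "test1": [({"policy": "default"}, "reject")],
    "test2": [({"family": "inet6"}, "accept"), ({}, "reject")],
}
# Assumption of this model: the protocol default for BGP import is accept.
BGP_IMPORT_DEFAULT = "accept"


def term_matches(cond, net):
    """All conditions in a term's 'from' must hold (logical AND)."""
    family = "inet6" if net.version == 6 else "inet"
    if "family" in cond and cond["family"] != family:
        return False
    if "exact" in cond and ipaddress.ip_network(cond["exact"]) != net:
        return False
    if "policy" in cond:
        # Subroutine: true only if the called policy accepts the route. A
        # subroutine with no terminating match falls back to the default.
        verdict = run_policy(cond["policy"], net) or BGP_IMPORT_DEFAULT
        return verdict == "accept"
    return True


def run_policy(name, net):
    """Return the first terminating action in one policy, or None."""
    for cond, action in POLICIES[name]:
        if term_matches(cond, net):
            return action
    return None


def evaluate_chain(chain, prefix):
    """Walk the import chain; return (action, policy that decided)."""
    net = ipaddress.ip_network(prefix)
    for name in chain:
        action = run_policy(name, net)
        if action:
            return action, name
    return BGP_IMPORT_DEFAULT, "bgp-default"


if __name__ == "__main__":
    for p in ("::/0", "2001:db8:100::/48", "10.0.0.0/8"):  # constructed prefixes
        print(p, evaluate_chain(["test1", "test2"], p))
```

The explicit final "then reject" in the subroutine policy matters in this model: without it, a route that matches no term in "default" would take the protocol default (accept), and test1 would then reject it as well.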