Invalid ROA

Maria Matejka maria.matejka at nic.cz
Mon Apr 20 15:00:42 CEST 2020


	show route all filtered

shows only routes from master4 and master6 tables

to show routes from this protocol, use

	show route table t_0002_as2 all filtered

Maria

On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
> Yes, I just enabled it:
> protocol bgp {
>      ...
>      ipv4{
>             import keep filtered;
>             import limit 250 action restart;
>             import filter filter_rpki;
>             table t_0002_as2;
>     }
> }
> 
> RPKI is working because if I check the syslog I find the invalid printed 
> prefixes, but 'show route all filtered' doesn't show anything.
> 
> On Mon 20 Apr 2020 at 14:05, Maria Matejka
> <maria.matejka at nic.cz> wrote:
> 
>     And do you have
>     import keep filtered;
>     in your config?
>     Maria
> 
>     On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
>      > Hi,
>      > In my route server bird.conf I did this:
>      > define FILTERED_RPKI_INVALID = (1,1101,13);
>      >
>      > filter filter_rpki{
>      > if roa_check(..)=ROA_INVALID then
>      > {bgp_large_community.add(FILTERED_RPKI_INVALID);reject;}
>      > }
>      >
>      > But when I do 'show route all filtered' I get nothing, I also tried with
>      > 'show route bgp_large_community ~ [(1,1101,13)]' and I have the same result.
>      > Because I would like to have some statistics about
>      > VALID/INVALID/UNKNOWN prefixes and I saw that I could use the 'show route
>      > stats' command.
>      >
>      > Thanks,
>      >
>      > Fabiano
>      >
>      > On Sun 19 Apr 2020 at 21:30, Alarig Le Lay
>      > <alarig at swordarmor.fr> wrote:
>      >
>      >     On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
>      >      > Thanks!
>      >      > But can I also use birdc to check rejected prefixes?
>      >
>      >     If you add a community, it will be visible with `show route all
>      >     filtered`
>      >
>      >      > Anyway why do you suggest to use bgp_path.last_noaggregated?
>      >
>      >     Because you don’t want to check ROA against another ASN in the
>      >     aggregated path.
>      >
>      >     --
>      >     Alarig
>      >
> 
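
The pieces discussed in this thread, put together as one BIRD 2 configuration sketch. This is an added example, not configuration posted by anyone in the thread: the names `r4`, `rpki_validator` and `rs_client_as2`, the validator hostname, and all addresses and AS numbers are placeholders, and `bgp_path.last_nonaggregated` is the attribute as BIRD spells it.

```bird
# ROA table filled by the RPKI-to-Router session (validator address is a placeholder)
roa4 table r4;

protocol rpki rpki_validator {
    roa4 { table r4; };
    remote "rpki.example.net" port 3323;
}

# Large community used to tag routes rejected as RPKI invalid
define FILTERED_RPKI_INVALID = (1, 1101, 13);

filter filter_rpki {
    # Check the origin AS (last non-aggregated AS in the path) against the ROA table
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
        bgp_large_community.add(FILTERED_RPKI_INVALID);
        reject;
    }
    accept;
}

# Per-client table: filtered routes from this session are kept here,
# not in master4, so they must be queried with "table t_0002_as2"
ipv4 table t_0002_as2;

protocol bgp rs_client_as2 {
    local 192.0.2.1 as 64500;       # placeholder route-server address/ASN
    neighbor 192.0.2.2 as 64502;    # placeholder client address/ASN
    rs client;
    ipv4 {
        table t_0002_as2;
        import keep filtered;       # retain rejected routes for inspection
        import limit 250 action restart;
        import filter filter_rpki;
        export none;
    };
}

# birdc queries against the per-client table:
#   show route table t_0002_as2 all filtered
#   show route table t_0002_as2 filtered where bgp_large_community ~ [(1,1101,13)]
#   show route table t_0002_as2 filtered count
```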

