Invalid ROA
Fabiano D'Agostino
fabiano.dagostino96 at gmail.com
Mon Apr 20 15:47:31 CEST 2020
Thanks, I did it but it is still not working. Nevermind I will use 'show
route filtered'.
Il giorno lun 20 apr 2020 alle ore 15:27 Maria Matejka <maria.matejka at nic.cz>
ha scritto:
> The tilde operator is not symmetric, although it visually seems to be.
> It can be (at least in this case) vaguely interpreted as »left operand
> is contained by the right operand«.
>
> In other words, exchange the operands of the tilde.
>
> Maria
>
> On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:
> > Thanks, it worked. So the community isn't needed? I tried 'show route
> > table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it
> prints:
> > Table t_0002_as2:
> >
> > Il giorno lun 20 apr 2020 alle ore 15:00 Maria Matejka
> > <maria.matejka at nic.cz <mailto:maria.matejka at nic.cz>> ha scritto:
> >
> > show route all filtered
> >
> > shows only routes from master4 and master6 tables
> >
> > to show routes from this protocol, use
> >
> > show route table t_0002_as2 all filtered
> >
> > Maria
> >
> > On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
> > > Yes, I just enabled it:
> > > protocol bgp {
> > > ...
> > > ipv4{
> > > import keep fitlered;
> > > import limit 250 action restart;
> > > import filter filter_rpki;
> > > table t_0002_as2;
> > > }
> > > }
> > >
> > > RPKI is working because if I check the syslog I find the invalid
> > printed
> > > prefixes, but 'show route all filtered' doesn't show anything.
> > >
> > > Il giorno lun 20 apr 2020 alle ore 14:05 Maria Matejka
> > > <maria.matejka at nic.cz <mailto:maria.matejka at nic.cz>
> > <mailto:maria.matejka at nic.cz <mailto:maria.matejka at nic.cz>>> ha
> scritto:
> > >
> > > And do you have
> > > import keep filtered;
> > > in your config?
> > > Maria
> > >
> > > On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
> > > > Hi,
> > > > In my route server bird.conf I did this:
> > > > define FILTERED_RPKI_INVALID = (1,1101,13);
> > > >
> > > > filter filter_rpki{
> > > > if roa_check(..)=ROA_INVALID then
> > > > {bgp_large_community.add(FILTERED_RPKI_INVALID);reject;}
> > > > }
> > > >
> > > > But when I do 'show route all filtered' I get nothing, I
> also
> > > tried with
> > > > 'show route bgp_large_community ~ [(1,1101,13)]' and I
> > have the
> > > same result.
> > > > Because I would like to have some statistics about
> > > > VALID/INVALID/UNKOWN prefixes and I saw that I could use
> the
> > > 'show route
> > > > stats' command.
> > > >
> > > > Thanks,
> > > >
> > > > Fabiano
> > > >
> > > > Il giorno dom 19 apr 2020 alle ore 21:30 Alarig Le Lay
> > > > <alarig at swordarmor.fr <mailto:alarig at swordarmor.fr>
> > <mailto:alarig at swordarmor.fr <mailto:alarig at swordarmor.fr>>
> > > <mailto:alarig at swordarmor.fr <mailto:alarig at swordarmor.fr>
> > <mailto:alarig at swordarmor.fr <mailto:alarig at swordarmor.fr>>>> ha
> > scritto:
> > > >
> > > > On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino
> wrote:
> > > > > Thanks!
> > > > > But can I also use birdc to check rejected prefixes?
> > > >
> > > > If you add a community, it will be visible with `show
> > route all
> > > > filtered`
> > > >
> > > > > Anyway why do you suggest to use
> > bgp_path.last_noaggregated?
> > > >
> > > > Because you don’t want to check ROA against another
> > ASN in the
> > > > aggregated path.
> > > >
> > > > --
> > > > Alarig
> > > >
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20200420/f9ae2d55/attachment.htm>
More information about the Bird-users
mailing list