Re: Invalid ROA

20 Apr 2020


      Thanks, it worked. So the community isn't needed? I tried 'show route table
t_0002_as2 where bgp_large_community  ~ [(1,1101,13)]' and it prints:
Table t_0002_as2:

Il giorno lun 20 apr 2020 alle ore 15:00 Maria Matejka <maria.matejka@nic.cz>
ha scritto:
...
show route all filtered
shows only routes from master4 and master6 tables
to show routes from this protocol, use
show route table t_0002_as2 all filtered
Maria
On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
...
Yes, I just enabled it:
protocol bgp {
     ...
     ipv4{
            import keep fitlered;
            import limit 250 action restart;
            import filter filter_rpki;
            table t_0002_as2;
    }
}
RPKI is working because if I check the syslog I find the invalid printed
prefixes, but 'show route all filtered' doesn't show anything.
Il giorno lun 20 apr 2020 alle ore 14:05 Maria Matejka
<maria.matejka@nic.cz <mailto:maria.matejka@nic.cz>> ha scritto:
And do you have
    import keep filtered;
    in your config?
    Maria
On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
     > Hi,
     > In my route server bird.conf I did this:
     > define FILTERED_RPKI_INVALID = (1,1101,13);
     >
     > filter filter_rpki{
     > if roa_check(..)=ROA_INVALID then
     > {bgp_large_community.add(FILTERED_RPKI_INVALID);reject;}
     > }
     >
     > But when I do 'show route all filtered' I get nothing, I also
    tried with
     > 'show route bgp_large_community ~ [(1,1101,13)]' and I have the
    same result.
     > Because I would like to have some statistics about
     > VALID/INVALID/UNKOWN prefixes and I saw that I could use the
    'show route
     > stats' command.
     >
     > Thanks,
     >
     > Fabiano
     >
     > Il giorno dom 19 apr 2020 alle ore 21:30 Alarig Le Lay
     > <alarig@swordarmor.fr <mailto:alarig@swordarmor.fr>
    <mailto:alarig@swordarmor.fr <mailto:alarig@swordarmor.fr>>> ha
scritto:
     >
     >     On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
     >      > Thanks!
     >      > But can I also use birdc to check rejected prefixes?
     >
     >     If you add a community, it will be visible with `show route
all
     >     filtered`
     >
     >      > Anyway why do you suggest to use
bgp_path.last_noaggregated?
     >
     >     Because you don’t want to check ROA against another ASN in the
     >     aggregated path.
     >
     >     --
     >     Alarig
     >