Hey, currently configuring a VyOS based BGP Router.
Sort of confused how the rules are supposed to work. I’m used to the accept/reject from BIRD, but not sure how to do the equivalent of reject.
I.e. I have an as-path filter, and I want to reject anything that isn’t in there.
I guess I can do something like “on-match goto 1000” and then make rule 1000 action permit?
But for on-match to work, do I still need action permit?
Is there some more elegant way to do this?
Route-maps have an implicit deny, so if you have a single rule with action permit, matching on that as-path filter, then anything not matching it will be denied.
Thanks, I have several rules behind each other, first matches an as-path rule, then check RPKI, etc.
So if the as-path doesn’t match, I want it to reject as it COULD match RPKI and then go through.
For RPKI I have the same thing, if it is valid, then allow it to go to the next rule, otherwise reject.
Luckily for RPKI I can do match rpki invalid → action deny. But for as-path it’s harder.
Gotcha, so I assume you only want to allow NLRIs with a match on the as-path, and drop everything else. If it does match that as-path, you want to do further processing. For that, you’d just have something like this for your first 2 rules:
set policy route-map BGP_RM_IN rule 10 action 'permit'
set policy route-map BGP_RM_IN rule 10 match as-path 'someaspath'
set policy route-map BGP_RM_IN rule 10 on-match goto 1000
set policy route-map BGP_RM_IN rule 20 action 'deny'
Everything matching the as-path will hit on rule 10, and be sent to rule 1000 for further processing. If they don’t have that as-path in their as-path, then they hit rule 20, which denies the prefixes.
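An added example, not from the thread or from VyOS itself: a small Python evaluator that mimics how a route-map walks its rules (sequential evaluation, on-match goto, implicit deny at the end), so the "permit + goto 1000, then deny" layout above can be checked against constructed routes. The as-path regex and the sequence numbers 1000/1010 for the RPKI rules are assumptions.

```python
import re

# Constructed as-path-list regex standing in for 'someaspath' (assumption).
AS_PATH_RE = re.compile(r"^65001(_\d+)*$")

def match_as_path(route):
    return AS_PATH_RE.match(route["as_path"]) is not None

def match_rpki_invalid(route):
    return route["rpki"] == "invalid"

# Rules as (match predicate or None, action, on-match goto target or None).
# A None predicate means the rule has no match clause and matches everything.
# Sequence numbers 1000/1010 for the RPKI part are assumed, not from the thread.
BGP_RM_IN = {
    10:   (match_as_path,      "permit", 1000),  # matched: jump to rule 1000
    20:   (None,               "deny",   None),  # explicit deny for the rest
    1000: (match_rpki_invalid, "deny",   None),  # match rpki invalid -> deny
    1010: (None,               "permit", None),  # everything surviving so far
}

# The same route-map without rule 20, to show why that rule is needed:
# non-matching as-paths would fall through to the RPKI rules.
LEAKY_RM_IN = {seq: rule for seq, rule in BGP_RM_IN.items() if seq != 20}

def evaluate(route_map, route):
    """Return 'permit' or 'deny' for a route, walking rules by sequence number.
    Non-matching rules are skipped; a matching rule's action is final unless it
    carries on-match goto, which continues at the first rule with seq >= target;
    falling off the end of the route-map is the implicit deny."""
    seqs = sorted(route_map)
    i = 0
    while i < len(seqs):
        predicate, action, goto = route_map[seqs[i]]
        if predicate is not None and not predicate(route):
            i += 1
            continue
        if action == "deny" or goto is None:
            return action
        # on-match goto: resume at the first rule numbered >= goto (target assumed to exist)
        i = next(k for k, seq in enumerate(seqs) if seq >= goto)
    return "deny"  # implicit deny at the end of the route-map
```

Running the same non-matching route through BGP_RM_IN and LEAKY_RM_IN shows the difference rule 20 makes: with it the route is denied, without it the route reaches rule 1010 and is permitted.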