On Mon, 22 Jan 2018, Chris Caputo wrote:
> To see the communities supported by the SIX route servers, refer to:
>
>   https://www.seattleix.net/route-servers#communities
>
> Below is how we do it with bird 1.6.3. Not sure about 2.0+.
>
> I hope this helps and feedback from the community is welcome.
>
> Chris
>
> ---
>
> define myas = SET TO IXP ASN;
> define peerPrepend1 = 65001;
> define peerPrepend2 = 65002;
> define peerPrepend3 = 65003;
>
> # BGP output filter (based on communities)
> # Returning false means don't propagate route to peeras.
> # Returning true means do propagate route to peeras.
> function bgp_out_comm(int peeras)
> {
>   if ! (source = RTS_BGP ) then return false;
>
>   if (myas,0,peeras) ~ bgp_large_community then return false;
>   if (myas,1,peeras) ~ bgp_large_community then return true;
>   if (myas,0,0) ~ bgp_large_community then return false;
>
>   if peeras > 65535 then
>   {
>     if (ro,0,peeras) ~ bgp_ext_community then return false;
>     if (ro,myas,peeras) ~ bgp_ext_community then return true;
>     if ((ro,0,myas) ~ bgp_ext_community) then return false;
>   } else {
>     if ((0,peeras) ~ bgp_community) || ((ro,0,peeras) ~ bgp_ext_community)
>       then return false;
>     if ((myas,peeras) ~ bgp_community) || ((ro,myas,peeras) ~ bgp_ext_community)
>       then return true;
>     if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community)
>       then return false;
>   }
>   return true;
> }

I now believe the above and examples at:

  https://gitlab.labs.nic.cz/labs/bird/wikis/Route_server_with_community_based_filtering_and_single_RIB
  https://www.nanog.org/meetings/nanog57/presentations/Wednesday/wed.general.Filip.BIRD.16.pdf

and likely elsewhere, are buggy in that 32-bit ASN peers of the route
server will be exempt from a standard community deny of (0:IXP_ASN). They
shouldn't be.

I believe the deny check for both standard and extended communities needs
to be outside of the check for a 32-bit ASN peer during the export
evaluation.

Thus the above should be changed as follows:

---

define myas = SET TO IXP ASN;

# BGP output filter (based on communities)
# Returning false means don't propagate route to peeras.
# Returning true means do propagate route to peeras.
function bgp_out_comm(int peeras)
{
  if ! (source = RTS_BGP ) then return false;

  if (myas,0,peeras) ~ bgp_large_community then return false;
  if (myas,1,peeras) ~ bgp_large_community then return true;
  if (myas,0,0) ~ bgp_large_community then return false;

  if peeras > 65535 then
  {
    if (ro,0,peeras) ~ bgp_ext_community then return false;
    if (ro,myas,peeras) ~ bgp_ext_community then return true;
  } else {
    if ((0,peeras) ~ bgp_community) || ((ro,0,peeras) ~ bgp_ext_community)
      then return false;
    if ((myas,peeras) ~ bgp_community) || ((ro,myas,peeras) ~ bgp_ext_community)
      then return true;
  }

  if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community)
    then return false;

  return true;
}

---

Diff as follows:

---
{ if (ro,0,peeras) ~ bgp_ext_community then return false; if (ro,myas,peeras) ~ bgp_ext_community then return true; - if ((ro,0,myas) ~ bgp_ext_community) then return false; } else { if ((0,peeras) ~ bgp_community) || ((ro,0,peeras) ~ bgp_ext_community) then return false; if ((myas,peeras) ~ bgp_community) || ((ro,myas,peeras) ~ bgp_ext_community) then return true; - if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community) then return false; } + + if ((0,myas) ~ bgp_community) || 
((ro,0,myas) ~ bgp_ext_community) then return false; + return true; }
---

Feedback welcome and if agreed, I think the wiki should be updated.

Thanks,
Chris
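
Review bot: the deny-all check added after the closing `}` of the `peeras > 65535` if/else needs a comment saying that it applies to every peer regardless of ASN width and must stay below the per-peer allow checks. Without one, a later edit can fold it back into the two branches, which is the ordering this patch removes, or hoist it above the `(myas,peeras)` / `(ro,myas,peeras)` tests, after which a route tagged with both the deny-all and a per-peer allow would no longer reach that peer. Suggested wording: `# Deny-all (0:myas) applies to 16-bit and 32-bit peers alike; keep after the per-peer allow checks.`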
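
The behavioural difference between the two orderings, modelled in Python as an added example (not part of the original message, and not BIRD code): it enumerates every combination of the communities the filter tests and returns the ones on which the first-posted and the revised bgp_out_comm() disagree. The ASNs 64500, 64501 and 65550 are constructed values, and the `source = RTS_BGP` test is assumed to have passed.

```python
from itertools import combinations

MYAS = 64500  # constructed IXP ASN (documentation range), stands in for myas

def export(peeras, std, ext, large, fixed):
    """Model of bgp_out_comm() for a BGP-sourced route; ext (a, b) means (ro, a, b).
    fixed=False keeps the deny-all test inside each branch, as first posted."""
    if (MYAS, 0, peeras) in large:
        return False
    if (MYAS, 1, peeras) in large:
        return True
    if (MYAS, 0, 0) in large:
        return False
    deny_all = (0, MYAS) in std or (0, MYAS) in ext
    if peeras > 65535:
        if (0, peeras) in ext:
            return False
        if (MYAS, peeras) in ext:
            return True
        if not fixed and (0, MYAS) in ext:  # standard community never tested
            return False
    else:
        if (0, peeras) in std or (0, peeras) in ext:
            return False
        if (MYAS, peeras) in std or (MYAS, peeras) in ext:
            return True
        if not fixed and deny_all:
            return False
    return not (fixed and deny_all)  # revised ordering: one test for every peer

def differences(peeras):
    """Return the community combinations on which the two orderings disagree."""
    tags = [("std", (0, MYAS)), ("ext", (0, MYAS)), ("ext", (0, peeras)),
            ("ext", (MYAS, peeras)), ("large", (MYAS, 0, peeras)),
            ("large", (MYAS, 1, peeras)), ("large", (MYAS, 0, 0))]
    if peeras <= 65535:  # a standard community only has room for a 16-bit ASN
        tags += [("std", (0, peeras)), ("std", (MYAS, peeras))]
    found = []
    for n in range(len(tags) + 1):
        for combo in combinations(tags, n):
            sets = {kind: {value for k, value in combo if k == kind}
                    for kind in ("std", "ext", "large")}
            if export(peeras, fixed=False, **sets) != export(peeras, fixed=True, **sets):
                found.append(set(combo))
    return found

if __name__ == "__main__":
    print({peer: differences(peer) for peer in (64501, 65550)})  # constructed peer ASNs
```

For the 16-bit peer the two orderings agree on every combination; for the 32-bit peer they disagree only on a route carrying the standard community (0, 64500) and nothing else the filter tests.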