kargchris
just joined
Topic Author
Posts: 5
Joined: Mon Apr 23, 2018 3:26 pm

V7.5 VPNv4 Route Reflector Problem

Fri Sep 16, 2022 5:04 pm

Hello wonderful community...
I have been testing out v7.5. I tried to implement an L3VPN setup. Either I am doing something wrong or MikroTik has not yet developed the code correctly.
I noticed that when I enable the ibgp-rr role on the RR router, tx-messages and rx-messages go crazy; it's like BGP is looping somehow.
Could someone take a look at my exports and tell me if it is a MikroTik bug, or if I am mistaken?
Thank you in advance...

The setup is:
BGP-1--ether1------ether1--BGP-RR--ether2--------ether2--BGP-2

Route Reflector:
[admin@BGP_RR] > export 
# sep/16/2022 13:50:35 by RouterOS 7.5
# software id = 
#
/interface bridge
add name=Loopback protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_to_BGP1
set [ find default-name=ether2 ] name=ether2_to_BGP2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/routing bgp template
set default address-families=vpnv4 as=65600 disabled=no routing-table=main
/ip address
add address=3.3.3.3 interface=Loopback network=3.3.3.3
add address=172.1.3.2/30 interface=ether1_to_BGP1 network=172.1.3.0
add address=172.2.3.2/30 interface=ether2_to_BGP2 network=172.2.3.0
/ip dhcp-client
add interface=ether1_to_BGP1
/mpls ldp
add disabled=no lsr-id=3.3.3.3 transport-addresses=3.3.3.3
/mpls ldp interface
add disabled=no interface=ether1_to_BGP1 transport-addresses=""
add disabled=no interface=ether2_to_BGP2 transport-addresses=""
/routing bgp connection
add disabled=no local.address=3.3.3.3 .role=ibgp-rr name=bgp1 remote.address=\
    1.1.1.1/32 .as=65600 routing-table=main templates=default
add disabled=no local.address=3.3.3.3 .role=ibgp-rr name=bgp2 remote.address=\
    2.2.2.2/32 .as=65600 routing-table=main templates=default
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=Loopback networks=3.3.3.3/32 \
    passive
add area=ospf-area-1 disabled=no interfaces=ether1_to_BGP1,ether2_to_BGP2 \
    networks=172.1.3.0/30,172.2.3.0/30 type=ptp
/system identity
set name=BGP_RR



BGP_1:
[admin@BGP1] > export 
# sep/16/2022 13:50:16 by RouterOS 7.5
# software id = 
#
/interface bridge
add name=Loopback protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_to_RR
set [ find default-name=ether3 ] name=ether3_CUST_A
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=ether3_CUST_A name=cust_a
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/routing bgp template
set default address-families=vpnv4 as=65600 disabled=no routing-table=main
/ip address
add address=1.1.1.1 interface=Loopback network=1.1.1.1
add address=172.1.3.1/30 interface=ether1_to_RR network=172.1.3.0
add address=192.168.1.1/24 interface=ether3_CUST_A network=192.168.1.0
/ip dhcp-client
add interface=ether1_to_RR
/mpls ldp
add disabled=no lsr-id=1.1.1.1 transport-addresses=1.1.1.1
/mpls ldp interface
add disabled=no interface=ether1_to_RR transport-addresses=""
/routing bgp connection
add disabled=no local.address=1.1.1.1 .role=ibgp-rr-client name=bgp1 \
    remote.address=3.3.3.3/32 .as=65600 routing-table=main templates=default
/routing bgp vpn
add disabled=no export-route-targets=1.1.1.1:1 import-route-targets=1.1.1.1:1 \
    label-allocation-policy=per-vrf redistribute=connected route-distinguisher=\
    1.1.1.1:1 vrf=cust_a
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=Loopback networks=1.1.1.1/32 \
    passive
add area=ospf-area-1 disabled=no interfaces=ether1_to_RR networks=172.1.3.0/30 \
    type=ptp
/system identity
set name=BGP1



BGP_2
[admin@BGP_2] > export 
# sep/16/2022 13:49:33 by RouterOS 7.5
# software id = 
#
/interface bridge
add name=Loopback protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2_to_RR
set [ find default-name=ether3 ] name=ether3_CustA
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=ether3_CustA name=cust_a
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/routing bgp template
set default address-families=vpnv4 as=65600 disabled=no routing-table=main
/ip address
add address=2.2.2.2 interface=Loopback network=2.2.2.2
add address=172.2.3.1/30 interface=ether2_to_RR network=172.2.3.0
add address=192.168.2.1/24 interface=ether3_CustA network=192.168.2.0
/ip dhcp-client
add interface=ether1
/mpls ldp
add disabled=no lsr-id=2.2.2.2 transport-addresses=2.2.2.2
/mpls ldp interface
add disabled=no interface=ether2_to_RR transport-addresses=""
/routing bgp connection
add address-families=vpnv4 as=65600 disabled=no local.address=2.2.2.2 .role=\
    ibgp-rr-client name=bgp1 remote.address=3.3.3.3/32 .as=65600 routing-table=\
    main
/routing bgp vpn
add disabled=no export-route-targets=1.1.1.1:1 import-route-targets=1.1.1.1:1 \
    label-allocation-policy=per-vrf redistribute=connected route-distinguisher=\
    1.1.1.1:1 vrf=cust_a
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=Loopback networks=2.2.2.2/32 \
    passive
add area=ospf-area-1 disabled=no interfaces=ether2_to_RR networks=172.2.3.0/30 \
    type=ptp
/system identity
set name=BGP_2
 
loloski
Member Candidate
Posts: 168
Joined: Mon Mar 15, 2021 9:10 pm

Re: V7.5 VPNv4 Route Reflector Problem

Mon Sep 26, 2022 12:51 am

You are not alone. This example works properly in v6: https://wiki.mikrotik.com/wiki/Manual:L ... PN_example. In v7, the prefix advertised by the CE via IGP (OSPF) is flapping on the PE side with a route flag of daY. I tested this on the most recent v7.6beta8.
 
nichky
Forum Guru
Posts: 1126
Joined: Tue Jun 23, 2015 2:35 pm

Re: V7.5 VPNv4 Route Reflector Problem

Mon Sep 26, 2022 4:43 am

Route Reflector does work on v7; to make it work you need to play with routing/filter/

From the MT wiki:
Also note that next-hop is not changed on route reflection, except when it's set in the filter.

And about VPNv4: it is totally broken on v7.
 
loloski
Member Candidate
Posts: 168
Joined: Mon Mar 15, 2021 9:10 pm

Re: V7.5 VPNv4 Route Reflector Problem

Mon Sep 26, 2022 5:20 am

@nichky

If VPNv4 is broken in v7, that explains why it doesn't work, because the same topology and config are working on v6.
[admin@PE2] > export 
# sep/26/2022 02:14:35 by RouterOS 7.6beta8
# software id = 
#
/interface bridge
add name=lo0
/interface list
add name=vrf1
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip vrf
add interfaces=vrf1 name=vrf1
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks router-id=10.127.0.3
/routing ospf instance
add disabled=no name=default-v2 redistribute=bgp routing-table=vrf1 vrf=vrf1
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=vrf1
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.127.0.3 interface=lo0 network=10.127.0.3
add address=192.168.11.2/24 interface=ether3 network=192.168.11.0
add address=192.168.21.1/24 interface=ether1 network=192.168.21.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=8.8.8.8
/ip route
add disabled=no dst-address=10.127.0.1/32 gateway=192.168.11.1
add disabled=no dst-address=10.127.0.2/32 gateway=192.168.11.1
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.11.1
/mpls ldp
add disabled=no lsr-id=10.127.0.3 transport-addresses=10.127.0.3
/mpls ldp interface
add disabled=no interface=ether3 transport-addresses=10.127.0.3
/routing bgp connection
add address-families=vpnv4 as=65530 cisco-vpls-nlri-len-fmt=auto-bits connect=yes disabled=no listen=yes local.address=10.127.0.3 .role=ibgp-rr-client multihop=yes name=peer1 output.network=bgp-networks remote.address=10.127.0.2/32 .as=65530 .port=\
    179 router-id=10.127.0.3 routing-table=main templates=default
/routing bgp vpn
add disabled=no export-route-targets=192.168.10.2:111 import-route-targets=192.168.10.2:111 redistribute=connected,ospf route-distinguisher=192.168.10.2:111 vrf=vrf1
/routing ospf interface-template
add area=backbone-v2 disabled=no interfaces=ether1 networks=192.168.21.0/24 priority=1
/system identity
set name=PE2
/system logging
add topics=bgp
/system package update
set channel=testing
/tool romon
set enabled=yes
[admin@PE2] > /routing/bgp/session/
[admin@PE2] /routing/bgp/session> print
Flags: E - established 
 0 E name="peer1-1" 
     remote.address=10.127.0.2 .as=65530 .id=10.127.0.2 .capabilities=mp,rr,gr,as4 .afi=vpnv4 .messages=505427 .bytes=34444261 .eor="" 
     local.role=ibgp-rr-client .address=10.127.0.3 .as=65530 .id=10.127.0.3 .capabilities=mp,rr,gr,as4 .afi=vpnv4 .messages=60593 .bytes=4495673 .eor="" 
     output.procid=21 .network=bgp-networks 
     input.procid=21 ibgp 
     multihop=yes hold-time=3m keepalive-time=1m uptime=28m36s80ms last-started=sep/26/2022 01:46:20 
[admin@PE2] /routing/bgp/session> /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, o, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY                   DISTANCE
0  As 0.0.0.0/0        192.168.11.1                     1
1  As 10.127.0.1/32    192.168.11.1                     1
2  As 10.127.0.2/32    192.168.11.1                     1
  DAc 10.127.0.3/32    lo0                              0
  DAc 192.168.11.0/24  ether3                           0
  DAc 192.168.21.0/24  ether1@vrf1                      0
  DAo 192.168.22.0/24  192.168.21.2%ether1@vrf1       110
[admin@PE2] /routing/bgp/session> /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, o, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY                   DISTANCE
0  As 0.0.0.0/0        192.168.11.1                     1
1  As 10.127.0.1/32    192.168.11.1                     1
2  As 10.127.0.2/32    192.168.11.1                     1
  DAc 10.127.0.3/32    lo0                              0
  DAc 192.168.11.0/24  ether3                           0
  DAy 192.168.20.0/24  10.127.0.2                       0
  DAc 192.168.21.0/24  ether1@vrf1                      0
  DAo 192.168.22.0/24  192.168.21.2%ether1@vrf1       110
[admin@PE2] /routing/bgp/session> 

DAy 192.168.20.0/24 10.127.0.2: this is the prefix being advertised on the CE via OSPF, and it's flapping every now and then on my PE2 side.
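
One way to pin down which prefix is flapping from repeated `/ip route print` captures like the two in the post above. This is an added example, not part of the original thread: the function names are hypothetical, the route rows are copied from the post, and the parser assumes the column layout shown there.

```python
import re
# Route rows copied from the first "/ip route print" in the post above.
SNAP_1 = """\
0  As 0.0.0.0/0        192.168.11.1                     1
1  As 10.127.0.1/32    192.168.11.1                     1
2  As 10.127.0.2/32    192.168.11.1                     1
  DAc 10.127.0.3/32    lo0                              0
  DAc 192.168.11.0/24  ether3                           0
  DAc 192.168.21.0/24  ether1@vrf1                      0
  DAo 192.168.22.0/24  192.168.21.2%ether1@vrf1       110
"""
# The second print in the post differs only by this DAy row.
SNAP_2 = SNAP_1 + "  DAy 192.168.20.0/24  10.127.0.2                       0\n"

ROUTE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<flags>[A-Za-z]+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<gw>\S+)\s+(?P<dist>\d+)\s*$"
)

def parse_routes(text):
    """Return {dst: (flags, gateway, distance)} for each route row."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m["dst"]] = (m["flags"], m["gw"], int(m["dist"]))
    return routes

def diff_snapshots(before, after):
    """List (event, dst, flags, gateway) for rows that differ."""
    events = []
    for dst in sorted(set(before) | set(after)):
        old, new = before.get(dst), after.get(dst)
        if old is None:
            events.append(("added", dst, new[0], new[1]))
        elif new is None:
            events.append(("removed", dst, old[0], old[1]))
        elif old != new:
            events.append(("changed", dst, new[0], new[1]))
    return events

def flap_counts(snapshots):
    """Count add/remove transitions per prefix over consecutive snapshots."""
    counts = {}
    for prev, cur in zip(snapshots, snapshots[1:]):
        for event, dst, _, _ in diff_snapshots(prev, cur):
            if event != "changed":
                counts[dst] = counts.get(dst, 0) + 1
    return counts
```

Feeding `flap_counts` a list of parsed snapshots taken at a fixed interval gives a per-prefix transition count that can be compared across RouterOS versions on the same topology.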
 
kargchris
just joined
Topic Author
Posts: 5
Joined: Mon Apr 23, 2018 3:26 pm

Re: V7.5 VPNv4 Route Reflector Problem

Thu Oct 06, 2022 5:19 pm

nichky wrote:
> Route Reflector does work on v7; to make it work you need to play with routing/filter/
>
> From the MT wiki:
> Also note that next-hop is not changed on route reflection, except when it's set in the filter.
>
> And about VPNv4: it is totally broken on v7.

Could you please elaborate what should be added in routing/filter/ in order to make it work?
I don't need to change next-hop in this kind of vpnv4 setup.
 
nichky
Forum Guru
Posts: 1126
Joined: Tue Jun 23, 2015 2:35 pm

Re: V7.5 VPNv4 Route Reflector Problem

Fri Oct 07, 2022 3:25 am

This is one example:

/routing filter rule
add chain=IN-iBGP-R3 disabled=no rule="if (dst==192.168.50.0/24) {set gw 10.0.5.6; accept}"

with nexthop-choice=force-self
 
nichky
Forum Guru
Posts: 1126
Joined: Tue Jun 23, 2015 2:35 pm

Re: V7.5 VPNv4 Route Reflector Problem

Fri Oct 07, 2022 6:13 am

On v7 that works pretty much the same as statically adding a route in (ip/route).

I'm not too sure what your goal is, but you can make this work only on the main table, not in the VRF. (I hope that this will be fixed soon.)
 
xmasin
just joined
Posts: 5
Joined: Wed Apr 25, 2018 4:02 pm

Re: V7.5 VPNv4 Route Reflector Problem

Thu Nov 10, 2022 1:06 pm

I have the same problem with a similar topology. Under ROS 6.49.7 all VPNs are working; after upgrading to 7.6 or 7.7.beta the network is unstable and routes are flapping.
 
abdurrazaqa
just joined
Posts: 15
Joined: Wed Jan 11, 2017 10:40 am

Re: V7.5 VPNv4 Route Reflector Problem

Sat Nov 26, 2022 12:31 pm

I think VPNv4 is still broken; I am facing the following issue:

R1<----->{MP_BGP(VPNV4)}<----->R2

Routes are learned between different VPN instances via the MP-BGP (which is established over main).

When I try to reach from vrf1 of R2 to vrf1 of R1, this works as expected,
but when I try to reach a switch which is directly connected to R1 on vrf1, it is not reachable, though the same IP on the R1 is reachable.
 
abdurrazaqa
just joined
Posts: 15
Joined: Wed Jan 11, 2017 10:40 am

Re: V7.5 VPNv4 Route Reflector Problem

Sat Nov 26, 2022 12:56 pm

This issue is resolved by disabling IPv4 fast path.
But without fastpath, throughput will be severely affected.
