Community discussions

MikroTik App
 
MarcB
just joined
Topic Author
Posts: 10
Joined: Thu Nov 28, 2013 11:59 am

BGP see if Max Prefix has been tripped

Thu Nov 28, 2013 2:28 pm

Hi Guys,
Not sure if anyone has found a way to find out if the Maximum Prefix Limit has been tripped by a eBGP peer?

We have spoken to MikroTik regarding the Maximum Prefix Limit and they have said the following:-
In current version we will not change behavior.. maybe in new routing if there will be max-prefix option at all.

According to RFC when max prefix limit is reached, connection should be closed, which is what RouterOS is doing. In log messages you will see message that max prefix limit is reached and connection closed.
This implies that they are thinking of removing the Maximum Prefix Limit from RouterOS completely as they think it would be better to filter the prefixes received from external peers.
I don't think this will help and I feel that the Maximum Prefix Limit is a VERY important part of any router.
Even if we filtered incoming prefixes it would help, but some peers who we connect with announce 8000+ prefixes to us which would mean a lot of filtering.

If someone has some examples of how they filter incoming routes from external eBGP peers on Public Internet Exchanges (like LINX or DE-CIX) could they share there filters so others can benefit from this.
We are keen to learn more about the filtering capabilities in RouterOS and how to apply the best filters to prefixes received from eBGP peers.

Filters would be great if you only received a few routes from external peers, but some of our peers announce their routes and their customers routes which can add up to a lo of prefixes received.
We don't want to miss any prefixes, but we want to make sure we (and other MikroTik users) don't suffer from a route leak being received from our eBGP peers.

I hope someone will be able to help and shed some light on this.

Kind regards,
Marc
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: BGP see if Max Prefix has been tripped

Thu Nov 28, 2013 7:34 pm

Filtering by AS path. Routes coming from your clients will always contain their AS number in the path.
So you need to set up set of filter rules which allows advertisements containing specific set of AS numbers. As path can be filtered with regular expressions.
 
MarcB
just joined
Topic Author
Posts: 10
Joined: Thu Nov 28, 2013 11:59 am

Re: BGP see if Max Prefix has been tripped

Thu Nov 28, 2013 8:00 pm

Hi Guys,
So if we peer with AS11 and they are announcing 100 routes to us, then we can do a filter rule to allow any prefixes originating from AS11.

If they suddenly started announcing routes from AS12 then they would be blocked by the filters, which is fine.

But if they leaked routes (by mistake) which has happened many times before then they would originate from their AS Number so the filter would allow them through.
This is a big problem and is exactly why the Maximum Prefix Limit needs to stay in MikroTik RouterOS.

We understand that if one of their upstream peers leaked routes then the filters would work as we would only allow routes through from AS11.


On another note if AS11 peered with AD555, AS666 and AS777 then we would see routes originating from:-
AS11, AS555
AS11, AS666
AS11,AS777
We know we can put filters in place to accept these prefixes as well, but if any of the above AS Numbers leak routes then the filters would allow them through whereas the Maximum Prefix Limit would close the connection if routes were leaked by mistake which were on a large scale (i.e. someone did not aggregate properly for a large netblock like a /8, /12 or /16.

We desperately need a way to see if the Maximum Prefix Limit has been tripped by a peer in the same way as we can from Cisco and Juniper.
Currently MikroTik simply closes the session and logs the message to syslog or to the memory, it would be much easier if we can issue a command like /routing bgp peer print brief which also shows the status of the session and prefix count received from the eBGP peer.

I'm also not sure if the MikroTik can put an output message to Syslog to say that the Maximum Prefix Limit has reached 90% of the value set as this would help when managing peers who are getting close to the Maximum Prefix Limit which has been set.

Kind regards,
Marc

Who is online

Users browsing this forum: No registered users and 18 guests