BGP reflects routes while client-to-client-reflection=no

Hi;
We have a BGP Instance with 2 peers :

> routing bgp instance print
0 *  name="default" as=xxxx router-id=0.0.0.0 redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-ospf=no redistribute-other-bgp=no out-filter="" client-to-client-reflection=no ignore-as-path-len=no routing-table=""

Both peers announce the full BGP table to our router. The problem is that when we enable the second peer, our router starts to announce our whole routing table, which is learned from the first peer, to the second peer! This happens while "route-reflect=no" is set on both peers.
Why does it happen? It should only happen if route reflection is on, right?

What is advertised to the Peer is controlled by the Filter in/on the peer configuration.

What do you have defined on the BGP Peer Filter ?

The default behavior is to advertise all active routes…

Default behavior is to advertise all active routes? It doesn't make sense. I have all redistributions disabled:

redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-ospf=no redistribute-other-bgp=no

Reflections are also disabled:

client-to-client-reflection=no

If it is going to advertise all routes, then what are these settings for?
Is there documentation explaining this? Or is this a bug?

http://wiki.mikrotik.com/wiki/Manual:Routing/BGP

You are looking at the /routing bgp instance … this is for the instance of BGP running on the MT.

The settings for each peer are under /routing bgp peer

You will see from the manual (link above) that there is another property for Filter in both sections… the default allows everything.

Yes, I know about filters, but you say it is normal for a MikroTik router to simply announce my whole routing table if I have not filtered it? So why are there route-reflection settings? Why are there redistribution settings? Why are there Networks settings? Because MikroTik is going to announce everything no matter what! And we can filter out what we don't need! This logic doesn't make sense to me.
I want my router to ONLY announce the networks which I configure in BGP settings, without any out-filtering.

Take a deep breath, and slow down a bit :)

The default behavior of the ‘Filters’ is to allow all.
The other settings each have a function; it is not what you think they do…
e.g. route-reflection is a setting for iBGP, not eBGP.
The redistribute-other-bgp setting is for redistributing between different INSTANCES of BGP, not between external peers.

So, lots of settings to play with … the question is how do you want to use these filters?
In your current config, since you have not defined any filters, you are allowing everything to flow…

e.g.
This is how I choose to do it :-

# BGP instance
/routing bgp instance set default name="default" as=12345 router-id=68.142.xx.xx \
    redistribute-connected=no redistribute-static=no redistribute-rip=no \
    redistribute-ospf=no redistribute-other-bgp=no out-filter=snpy-redistribute \
    client-to-client-reflection=no ignore-as-path-len=no routing-table=""

# Peer with its own in-filter and out-filter chains
/routing bgp peer add \
    name="SXX-MXX" instance=default remote-address=68.142.XX.XXX \
    remote-as=12346 tcp-md5-key="" nexthop-choice=default multihop=no \
    route-reflect=yes hold-time=3m ttl=default in-filter="peer-in" out-filter="peer-out" \
    address-families=ip default-originate=never remove-private-as=no \
    as-override=no passive=no use-bfd=no

/routing filter
# peer-in: accept what matches the nested chain, discard everything else
add chain=peer-in match-chain=not-to-specific invert-match=no action=accept set-bgp-prepend-path=""
add chain=peer-in invert-match=no action=discard set-bgp-prepend-path=""

# peer-out: accept the nested-chain matches and the listed AS path, discard everything else
add chain=peer-out match-chain=not-to-specific invert-match=no action=accept set-bgp-prepend-path=""
add chain=peer-out bgp-as-path=^54567_* bgp-communities="" invert-match=no action=accept set-bgp-prepend-path="" append-bgp-communities=""
add chain=peer-out invert-match=no action=discard set-bgp-prepend-path=""

# nested chain: any prefix with a length of 0-24
add chain=not-to-specific prefix=0.0.0.0/0 prefix-length=0-24 invert-match=no action=accept set-bgp-prepend-path="" append-bgp-communities=""

In the above example the filter is built with nested chains. I am only showing one chain, called not-so-specific… which effectively allows everything.. however you can adjust the prefix value to allow specific prefixes as needed.

Thank you for your time trying to explain this to me.
I already know about filters and I have resolved my issue with filters. I am just trying to understand how things work.

The redistribute-other-bgp setting is for redistributing between different INSTANCES of BGP, not between external peers.

Well, I don't understand this. Can you give me an example?
from mikrotik documentation :

redistribute-other-bgp : If enabled, this BGP instance will redistribute the information about routes learned by other BGP instances

Each external peer has its own BGP instance. I don't understand it when you say it is between different INSTANCES of BGP and not external peers. So you say instances can exchange routes with each other while there is no peer involved?
I would appreciate it if you could give me an example of when this setting can be used effectively to disable BGP route distribution.

OK, I get it now. redistribute-other-bgp=no has no effect because both peers are in the same BGP instance. If they were in different BGP instances, then this setting could stop them from sharing routes. Am I right?

I have never used that feature / configuration, but yes, that is what my understanding is as well…

it is my understanding that on the MT you can have multiple instances of BGP running on the single router, with each instance being a different ASN… in such case, the redistribute-other-bgp will exchange routes between the two instances.

Thank you for your help. I understand now. Here is what I found out:
If you create two BGP instances with the same AS number and assign each peer to a different instance, it will isolate routes and there is no need for an out-filter, but the problem is that BGP best route selection will not be done across the two received BGP tables. So it is not the proper way to do it.
It should be done with one instance and filtering, but the proper filtering can be done with only one rule:

/routing filter
add action=discard chain=BGPout locally-originated-bgp=no

This rule will completely isolate BGP peers when applied to the out-filter of the peers.

Fair … looks like you are playing / exploring the system and how bgp works…

Your results with the two BGP instances are as expected. I cannot think of any circumstances in which one would need to do that config (two instances of the same ASN), however I can see the circumstances where it is needed to have a single router run multiple instances of BGP, each with its own ASN… and yes, the routing tables are expected to not mingle in such a scenario

:)

And yes, there are multiple ways to manage/ filter the prefixes being advertised…
We use the filter on the peer as a consistent way of managing what we choose to advertise and block the rest.
(e.g. a down stream customer, where you only want to receive specific routes from them, and send them the full routing table)
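
The behaviour worked out in this thread, as an added example that is not part of any forum post and is not MikroTik code: a small Python model of standard BGP propagation showing why reflection settings do not stop an eBGP-learned table from being re-announced to another eBGP peer, and what the single `locally-originated-bgp=no` discard rule changes. Peer names and prefixes are constructed (documentation ranges), `discard_non_local` is a hypothetical flag standing in for that out-filter rule, and "never sent back to its source" is a simplification.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Peer:
    name: str
    ebgp: bool                       # remote-as differs from the local AS
    rr_client: bool = False          # route-reflect=yes on the peer (iBGP only)
    discard_non_local: bool = False  # out-filter: discard locally-originated-bgp=no

@dataclass(frozen=True)
class Route:
    prefix: str
    source: Optional[Peer] = None    # None = originated by this router

def propagates(route: Route, dst: Peer, client_to_client: bool) -> bool:
    """Standard BGP propagation rules, applied before any out-filter."""
    src = route.source
    if src is None:
        return True                  # locally originated: offered to every peer
    if src == dst:
        return False                 # simplification: not sent back to its source
    if src.ebgp or dst.ebgp:
        return True                  # reflection settings play no part here
    if src.rr_client and dst.rr_client:
        return client_to_client      # the only case the instance setting governs
    return src.rr_client or dst.rr_client  # iBGP to iBGP needs a reflector client

def advertised(table: List[Route], dst: Peer, client_to_client: bool = False) -> List[str]:
    """Prefixes sent to dst after propagation rules and the peer's out-filter."""
    out = []
    for r in table:
        if not propagates(r, dst, client_to_client):
            continue
        if dst.discard_non_local and r.source is not None:
            continue                 # filter drops everything not locally originated
        out.append(r.prefix)
    return out

# Constructed sample: two upstream eBGP peers and one local prefix.
UP_A = Peer("upstream-a", ebgp=True)
UP_B = Peer("upstream-b", ebgp=True)
TABLE = [Route("198.51.100.0/24"), Route("192.0.2.0/24", UP_A), Route("203.0.113.0/24", UP_B)]

if __name__ == "__main__":
    print("no filter   ->", advertised(TABLE, UP_B))
    print("with filter ->", advertised(TABLE, Peer("upstream-b", True, discard_non_local=True)))
```

On a live router, compare the model's output with what the peer is actually being sent before and after the out-filter is applied.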