BGP session over 31 bit subnet

I stumbled upon this thread
http://forum.mikrotik.com/t/point-to-point-31-addresses/29492/1
and as it’s a bit old, I’ve decided to start another one.

So the scenario is pretty simple:
I have a Cisco router on one end of the connection, on the other end, there’s the MikroTik router.
The requirement is to use a VLAN and /31 subnet. I also have to run a BGP session over that connection.

I’ve built a sample topology in GNS3 and here’s the configuration:

  1. Cisco router
    interface Loopback0
    ip address 8.8.8.8 255.255.255.0
    !
    interface Loopback1
    ip address 8.8.4.4 255.255.255.0
    !
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/0.2958
    description BGP session to client
    encapsulation dot1Q 2958
    ip address 212.6.82.0 255.255.255.254
    !
    !
    router bgp 123
    no synchronization
    bgp router-id 212.6.82.0
    bgp log-neighbor-changes
    network 8.8.4.0 mask 255.255.255.0
    network 8.8.8.0 mask 255.255.255.0
    neighbor 212.6.82.1 remote-as 60483
    no auto-summary

  2. MikroTik router
    /interface vlan
    add interface=ether1 name=vlan-2958 vlan-id=2958

    /ip address
    add address=212.6.82.1/31 interface=vlan-2958 network=212.6.82.0
    add address=149.13.0.1/25 interface=Loopback0 network=149.13.0.0

    /routing bgp instance
    set default as=60483 router-id=212.6.82.1
    /routing bgp network
    add network=149.13.0.0/25 synchronize=no
    /routing bgp peer
    add name=PE remote-address=212.6.82.0 remote-as=123

The result:

  1. Both devices are reachable.
  2. The BGP session establishes:
    PE#show ip bgp summary
    BGP router identifier 212.6.82.0, local AS number 123
    BGP table version is 8, main routing table version 8
    3 network entries using 351 bytes of memory
    3 path entries using 156 bytes of memory
    3/2 BGP path/bestpath attribute entries using 372 bytes of memory
    1 BGP AS-PATH entries using 24 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 903 total bytes of memory
    BGP activity 5/2 prefixes, 5/2 paths, scan interval 60 secs

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    212.6.82.1      4 60483      56      51        8    0    0 00:44:24        1

[admin@KA-CE002] > routing bgp peer print
Flags: X - disabled, E - established

 #   INSTANCE   REMOTE-ADDRESS   REMOTE-AS
 0 E default    212.6.82.0       123

But there’s the funny part. Whatever I advertise from the Cisco IOS is listed in the routing table of my MikroTik router. But I cannot reach it, as it’s inactive:
[admin@KA-CE002] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0  Db  8.8.4.0/24                         212.6.82.0               20
 1  Db  8.8.8.0/24                         212.6.82.0               20
 2 ADC  149.13.0.0/25      149.13.0.1      Loopback0                 0
 3 ADC  212.6.82.0/31      212.6.82.1      vlan-2958                 0
[admin@KA-CE002] > ping 8.8.8.8
HOST SIZE TTL TIME STATUS
no route to host
no route to host
no route to host
sent=3 received=0 packet-loss=100%

It does seem to work flawlessly on the Cisco end though:
PE#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

8.0.0.0/24 is subnetted, 2 subnets
C 8.8.4.0 is directly connected, Loopback1
C 8.8.8.0 is directly connected, Loopback0
149.13.0.0/25 is subnetted, 1 subnets
B 149.13.0.0 [20/0] via 212.6.82.1, 00:25:50
212.6.82.0/31 is subnetted, 1 subnets
C 212.6.82.0 is directly connected, FastEthernet0/0.2958

PE#ping 149.13.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 149.13.0.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/16 ms

So the question is why the RouterOS does not want to make these BGP routes active and use them?

I’ve just decided to check whether the same situation is valid for all routing protocols, and yes, it is!
I’ve started OSPF between the routers - the same situation.

Then I’ve configured a parallel connection between the routers. The parallel connection was configured with a standard /24 mask. And… voilà! It lists all advertised routes from the Cisco router as “A” - Active. Here’s the output:
[admin@KA-CE002] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADb  8.8.4.0/24                         192.168.1.1              20
 1  Db  8.8.4.0/24                         212.6.82.0               20
 2 ADb  8.8.8.0/24                         192.168.1.1              20
 3  Db  8.8.8.0/24                         212.6.82.0               20
 4  Do  10.1.1.0/24                        212.6.82.0              110
 5 ADC  149.13.0.0/25      149.13.0.1      Loopback0                 0
 6 ADC  192.168.1.0/24     192.168.1.2     ether2                    0
 7 ADC  212.6.82.0/31      212.6.82.1      vlan-2958                 0

But why does it happen like that? Why is RouterOS treating the routes advertised over the /31 subnet as not active? Do I need any additional BGP or routing configuration?

Haven’t you tried a /30 subnet? It also has network and multicast addresses in addition, and it could help. Maybe.

RouterOS doesn't support RFC3021? :open_mouth:

You shouldn't need /30 for running OSPF or BGP… as both routing protocols work just fine with the RFC3021 addressing scheme.
As public IPv4 space is exhausted, every little trick helps a bit in situations where you cannot use IPv6.

Yes I did. It works, the question is… why does RouterOS not work with a /31 subnet?
We’ll establish a BGP session with a backup provider and they’ve asked whether our equipment supports that kind of setup. Apparently the support is flaky in my opinion. As it in general works, but for some reason the RouterOS does not use the routes in its routing table…

It’s a question we’ve got from an ISP, whether such setup is supported by our equipment. That’s why I made the tests and I wonder why in general /31 works, routing updates are exchanged, but RouterOS does not list the routes learned over the /31 route as Active, hence it does not use them.

Well, that's odd indeed, as there is no reason whatsoever to use /30 for P-t-P links and just waste 2 IPs on every link.

It's actually pretty common nowadays to use /31 addresses for peering links, P-t-P links, etc... Lots of ISPs do it as well and prefer it, offering /30 only when the customer's equipment doesn't support smaller prefixes.

Unless it was slipped into a release without me noticing, RouterOS does not support Cisco/RFC style /31 addressing.

Thank you for clarifying… :slight_smile:

For BGP, you can use a /31 on the Cisco side; and a /32 on the MT side, with the network= parameter set to the Cisco’s side of the /31.

So, with the Cisco config you have, you would want to change the MT side to:

/ip address
add address=212.6.82.1/32 interface=vlan-2958 network=212.6.82.0

That won’t work for OSPF though, as it will complain about netmask mis-match, and fail to come up. In that case, you need to step down to a /30.

–Eric

I’ve also tested this. It does not work. Again the issue is the same - the IP communication between the routers is established, the BGP session is established. But then, on the MikroTik side, the problem is that all networks advertised over BGP are not used. I see them in the routing table - but the RouterOS does not mark them as “Active”.
I see them as “Db” and not as “ADb” like it’s the case with a routing session over a “normal” network like /30 for example.
To me the limitation in RouterOS is not the general IP communication over /31 network, but the way the software handles routes advertised over such networks. I can’t explain why those routes are not seen as “Active” by the RouterOS…

I’ve had similar issues with OSPF as well, between Mikrotik and Vyatta. The only common method supported by both is the old school /30 (wasting precious IPv4 addresses) - /31 works with Vyatta but not Mikrotik, /32 works with Mikrotik but not Vyatta.

Hmm, works for me (with /32). Maybe post a copy of your BGP and filter config, along with “/ip route print detail”.

–Eric

Eric,
I posted the configuration at the beginning of the thread. The only difference now is the way the /31 interface is configured. It is:
/ip address
add address=212.6.82.1/32 interface=vlan-2958 network=212.6.82.0

ip firewall filter is empty:
[admin@KA-CE002] > ip firewal filter print
Flags: X - disabled, I - invalid, D - dynamic


/routing bgp instance
set default as=60483 router-id=212.6.82.1
/routing bgp aggregate
add instance=default prefix=149.13.0.0/24
/routing bgp network
add network=149.13.0.0/25 synchronize=no
/routing bgp peer
add name=PE remote-address=212.6.82.0 remote-as=123
add name=PE_backup remote-address=192.168.1.1 remote-as=123

Here's an example of ip route output:
[admin@KA-CE002] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 0 ADb  dst-address=8.8.4.0/24 gateway=192.168.1.1
        gateway-status=192.168.1.1 reachable via ether2 distance=20 scope=40
        target-scope=10 bgp-as-path="123" bgp-med=0 bgp-origin=igp
        received-from=PE_backup

 1  Db  dst-address=8.8.4.0/24 gateway=212.6.82.0
        gateway-status=212.6.82.0 reachable via vlan-2958 distance=20
        scope=40 target-scope=10 bgp-as-path="123" bgp-med=0 bgp-origin=igp
        received-from=PE

As you can see, the route advertised by the peer with the /31 network is listed as Db. The same prefix, advertised over a standard /24 network, is listed as “ADb”. It all looks the same to me - only the RouterOS does not like the prefixes advertised over the /31 network.


Cheers,
Boyan

What does the connected route for 212.6.82.0/32 look like?

I just tried it, setting up a session between two MTs, one with a /32 mask, and the other with a /31.

As I expected, the routes are active on the unit with the /32 mask, and not on the one with the /31.

/32 unit:

/ip address
add address=169.254.1.0/32 interface=ether11-to-test-1 network=169.254.1.1
/routing bgp peer
add in-filter=ip-bgp-in name=test-1 out-filter=ip-bgp-out remote-address=169.254.1.1 remote-as=23138 ttl=default

/ip rou pr d where received-from=test-1 
24 ADb  dst-address=10.118.255.1/32 pref-src=172.26.254.3 gateway=169.254.1.1 gateway-status=169.254.1.1 reachable via  ether11-to-ES-PPPoE-B distance=200 scope=40 
        target-scope=30 bgp-local-pref=100 bgp-origin=incomplete bgp-communities=65001:26254,65103:2828,65110:19092 received-from=test-1

/31 unit:

/ip address
add address=169.254.1.1/31 interface=ether11-to-test-2 network=169.254.1.0
/routing bgp peer
add in-filter=ip-bgp-in name=test-2 out-filter=ip-bgp-out remote-address=169.254.1.0 remote-as=23138 ttl=default

/ip rou pr d where received-from=test-2
 5  Db  dst-address=10.126.0.6/32 pref-src=172.26.254.6 gateway=169.254.1.0 gateway-status=169.254.1.0 unreachable distance=200 scope=40 target-scope=30 bgp-local-pref=100 bgp-origin=incomplete bgp-communities=65001:26254,65110:2828,65110:19092 received-from=test-2

Now, this is iBGP rather than eBGP, so something could be going on there, but I don’t see what. It’s also MT-MT, not MT-Cisco, but again, that shouldn’t make a difference.

–Eric
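A check for the symptom discussed in this thread, as an added example (not code from any poster or from MikroTik): it parses `/ip route print detail` text and reports each non-active BGP route together with the reason visible in the output, either an unreachable gateway or another active route to the same prefix. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in "/ip route print detail" format, modeled on this thread.
SAMPLE = '''\
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
 0 ADb  dst-address=8.8.4.0/24 gateway=192.168.1.1
        gateway-status=192.168.1.1 reachable via ether2 distance=20 scope=40
        target-scope=10 bgp-as-path="123" received-from=PE_backup
 1  Db  dst-address=8.8.4.0/24 gateway=212.6.82.0
        gateway-status=212.6.82.0 reachable via vlan-2958 distance=20
        scope=40 target-scope=10 bgp-as-path="123" received-from=PE
 2  Db  dst-address=8.8.8.0/24 gateway=212.6.82.0
        gateway-status=212.6.82.0 unreachable distance=20 scope=40
        target-scope=10 bgp-as-path="123" received-from=PE
'''

RECORD = re.compile(r'^\s*\d+\s+([A-Za-z]+)\s+(\S+=.*)$')   # "<n> <flags> k=v ..."
FIELD = re.compile(r'([a-z-]+)=(.*?)(?=\s+[a-z-]+=|$)')     # values may hold spaces

def parse_routes(text):
    """Return one dict per route: its flags plus every key=value field."""
    routes = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            routes.append({'flags': m.group(1), 'raw': m.group(2)})
        elif routes and line.strip():           # continuation of the last record
            routes[-1]['raw'] += ' ' + line.strip()
    for r in routes:
        r.update(FIELD.findall(r.pop('raw')))
    return routes

def classify_inactive_bgp(routes):
    """Return (peer, prefix, reason) for every BGP route that is not active."""
    active = {r['dst-address'] for r in routes if 'A' in r['flags']}
    findings = []
    for r in routes:
        if 'b' not in r['flags'] or 'A' in r['flags']:
            continue
        reason = 'inactive-no-alternative'
        if 'unreachable' in r.get('gateway-status', ''):
            reason = 'gateway-unreachable'      # next hop did not resolve
        elif r['dst-address'] in active:
            reason = 'other-route-active'       # another route to this prefix is in use
        findings.append((r.get('received-from', '?'), r['dst-address'], reason))
    return findings

if __name__ == '__main__':
    print(classify_inactive_bgp(parse_routes(SAMPLE)))
```

Paste the router's real output in place of `SAMPLE`; a `gateway-unreachable` finding matches the /31 unit's output above, while `other-route-active` means a second route to the same prefix is the one in use.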

Indeed, I agree. But the strangest thing is that in my case the route is not listed as Active. It’s either an issue with the RouterOS, or maybe I’m missing something… Like I wrote, as soon as I move to a conventional network like /30 - it all works.
But even if it works in an IBGP scenario, it’s of no use for me as I have to have it running in an eBGP session with the ISP.


Boyan