matching bgp-ext-communities in a filter

I’m currently running RouterOS 7.18.2 on CHR devices in eve-ng to lab up a potential setup. I have two VRFs currently configured, and I am leaking routes between them.

[admin@rtr-1] > routing/bgp/vpn/print
Flags: X - disabled, I - inactive 
 0   name="bgp-mpls-vpn-1" 
     import.route-targets=64546:65010,64546:65020 
     export.route-targets=64546:65010 .redistribute=connected,static 
     route-distinguisher="64546:65010" vrf=blue label-allocation-policy=per-vrf 

 1   name="bgp-mpls-vpn-2" 
     import.route-targets=64546:65010,64546:65020 
     export.route-targets=64546:65020 .redistribute=connected,static,ospf 
     route-distinguisher="64546:65020" vrf=red label-allocation-policy=per-vrf

This all works fine. I would now like to filter out routes that I’m leaking between the VRFs because the red VRF has ospf configured and is originating a default route to its OSPF neighbors and I don’t want to leak that into the blue VRF. I am trying to match on a 0.0.0.0/0 prefix with an ext-bgp-communities tag of 64546:65020 to make my match as exact as possible. I believe this should be done by creating a filter chain and adding it with import.filter-chain to the blue VRF.

When I try to create this filter chain, I cannot get it to work. My syntax works with a regular bgp-communities match:

[admin@rtr-1] > routing/filter/rule/add chain=drop_red_default rule="if (bgp-communities includes 64546:65020) { reject }"
[admin@rtr-1] >

When I try to write the same filter with ext-bgp-communities I get an error though:

[admin@rtr-1] > routing/filter/rule/add chain=drop_the_default rule="if (bgp-ext-communities includes 64546:65020) { reject }"
failure: "Word {bgp-ext-communities} Word {includes} Word {64546:65020} " - invalid argument
[admin@ortr-1] >

I know I can do this on IOS-XR so I assume this should be an attribute I can match on RouterOS too. Anyone know why this is failing?

64546:65020 is not a valid ext community; it is a route target value, so you need to match route target:

if (bgp-ext-communities includes rt:64546:65020 )

I had also tried that and it failed.

[admin@rtr-1] > routing/filter/rule/add  chain=drop_red_default rule="if (bgp-ext-communities include rt:64546:65020) { reject }"
failure: "Word {bgp-ext-communities} Word {include} Word {rt:64546:65020} " - invalid argument
[admin@rtr-1] >

I also tried creating an extended community list and referencing that, but that also does not work:

[admin@rtr-1] > routing/filter/community-ext-list/add list=ext_comm_red communities=rt:64546:65020
[admin@rtr-1] > 
[admin@rtr-1] > routing/filter/rule/add  chain=drop_red_default rule="if (bgp-ext-communities include ext_comm_red) { reject }"
failure: "Word {bgp-ext-communities} Word {include} Word {ext_comm_red} " - invalid argument
[admin@rtr-1] >

I finally tabbed through the command and realized there are equal-list, any-list, includes-list, and subset-list keywords. Those seem to take

[admin@rtr-1] > routing/filter/rule/add  chain=drop_red_default rule="if (dst in 0.0.0.0/0 && bgp-ext-communities equal-list ext_comm_red) {reject}"
[admin@rtr-1] >

At least I know the syntax now. It doesn’t seem to have the effect I’m looking for yet though. I’ll keep playing with it.

include != includes

I ended up having to change the ‘dst in 0.0.0.0/0’ to ‘dst == 0.0.0.0/0’ and adding an ‘else {accept}’ to the end of the filter and that now works.
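
Added illustration, not part of the thread and not RouterOS code: a small Python model of the import filter that shows why the first `dst in 0.0.0.0/0` rule dropped every leaked route while the final `dst == 0.0.0.0/0 ... else {accept}` rule drops only red's default. It assumes that `in` matches any prefix inside the given network, that `equal-list` compares the whole extended-community set, and that a route no rule accepts is rejected at the end of the chain; the two /24 prefixes are constructed samples.

```python
import ipaddress

RT_RED = "rt:64546:65020"
RT_BLUE = "rt:64546:65010"

# Constructed sample VPN routes as seen by the blue VRF's import filter.
ROUTES = [
    ("0.0.0.0/0", {RT_RED}),      # red's OSPF-originated default route
    ("10.20.0.0/24", {RT_RED}),   # ordinary red prefix (constructed)
    ("10.10.0.0/24", {RT_BLUE}),  # ordinary blue prefix (constructed)
]

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def dst_in(prefix, net=DEFAULT):
    """Assumed 'dst in NET' semantics: prefix is NET itself or a subnet of it."""
    return ipaddress.ip_network(prefix).subnet_of(net)


def dst_eq(prefix, net=DEFAULT):
    """Assumed 'dst == NET' semantics: same network address and same length."""
    return ipaddress.ip_network(prefix) == net


def evaluate(prefix, ext_comms, dst_match, else_accept):
    """Model of: if (dst <op> 0.0.0.0/0 && bgp-ext-communities equal-list
    ext_comm_red) {reject} [else {accept}]"""
    if dst_match(prefix) and ext_comms == {RT_RED}:
        return "reject"
    if else_accept:
        return "accept"
    return "reject"  # assumption: chain ends with an implicit reject


def run(dst_match, else_accept):
    """Return the verdict for every sample route under one rule variant."""
    return {p: evaluate(p, c, dst_match, else_accept) for p, c in ROUTES}


if __name__ == "__main__":
    print("first attempt (in, no else):", run(dst_in, else_accept=False))
    print("final rule (==, else accept):", run(dst_eq, else_accept=True))
```
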