RouterOS 7.1.1 Large BGP Communities

Hello MK and forum members,

I’ve upgraded to RouterOS 7.1.1 for the support of Large BGP communities. The following has been configured, but it is not received by the upstream provider:

/routing bgp connection
add address-families=ip,ipv6 as=[My-AS] connect=yes disabled=no listen=yes \
    local.role=ebgp name=peer2 output.filter-chain=BGP-OUT-HEP3 .network=\
    bgp-networks remote.address=[IPv6 peer address]/128 .as=[ISP-AS] \
    routing-table=main templates=default
/routing filter rule
add chain=BGP-OUT-HEP3 disabled=no rule=\
    "if ( dst == [IPv6 Subnet]/48 ) { accept; }"
add chain=BGP-OUT-HEP3 disabled=no rule=\
    "append bgp-large-communities [ISP-AS]:6939:3; accept;"

The upstream provider says it does not receive the community…
I’ve already recreated and restarted the filter. Also restarted the BGP connection. But it did nothing unfortunately.

Is there someone who has more information about ROSv7 Large BGP communities?

You are trying to set communities for [IPv6 Subnet]/48 or for everything else?

Hello mrz,
For now, I want it only on IPv6 ([IPv6 Subnet]/48 indeed), so the impact is not as large as on IPv4. If it all works, I want it for my IPv4 /24 subnet also.
I’ve added rule 1 because the filter will not announce my IPv6 subnet if I left it out.

Currently I have 1 /48 IPv6 subnet and 1 /24 IPv4 subnet. So if it will work, I want it for “everything”.

Your rules will not set the community for the /48 prefix. If you remove the first rule, then communities will be appended to all prefixes.
And if those are your prefixes then probably you should use “set” instead of “append”.

Hello mrz,
So if I understand correctly. If I remove the first rule, it will be active for all IPv6 subnets within the firewall address list. And change append to set to get it working?

yes

As far as I see it is not working yet with the following:

/routing bgp connection
add address-families=ip,ipv6 as=[My-AS] connect=yes disabled=no listen=yes \
    local.role=ebgp name=peer2 output.filter-chain=BGP-OUT-HEP3 .network=\
    bgp-networks remote.address=[IPv6-Peer-address]/128 .as=[ISP-AS] \
    routing-table=main templates=default
/routing filter rule
add chain=BGP-OUT-HEP3 disabled=no rule=\
    "set bgp-large-communities [ISP-AS]:6939:3; accept;"

The datacenter will check in a bit if they receive it. But I still see nothing on the looking glass of Hurricane Electric.

You should understand that { accept ; } terminates rule processing at that point for the condition that you have matched.
So when you want something else to happen (like the append community) it has to happen before that rule.
Of course that should be the case in the last example that you mentioned. But you could add the dst == match in that rule as well.

Hello pe1chl,

Thank you. I didn’t know that. The rule is not yet working if I look into the LG’s of HE and others. Is there still something that needs to be changed from the last export post?

You can check with packet sniffer if the nlri was actually sent to the upstream peer.
Also if you are advertising via output.networks make sure you have corresponding route in the routing table for synchronisation.

Hello mrz,

Excuse my lack of knowledge, but what settings need to be used to check for NLRI packets? And where to look?
The internet is not helpful with showing how to do this.

You can do a packet sniffer capture for the BGP traffic using Tools->Packet Sniffer where you select the proper interface, IP address of your router, and protocol TCP port 179 (this all to limit the capture size), and capture to a file.
Then Start it, wait a while (look in Packets to see if you captured something), Stop it again and download the file.
You can then analyze this file in Wireshark to see what has gone back and forth.
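To cross-check what Wireshark shows for such a capture, the community attributes of a single BGP UPDATE can also be decoded by hand. This is an added example, not code from the thread or from MikroTik; the sample message is constructed and uses the placeholder AS 123456, and the input is assumed to be the raw bytes of one UPDATE message copied out of the capture.

```python
import struct

COMMUNITIES, EXT_COMMUNITIES, LARGE_COMMUNITY = 8, 16, 32  # RFC 1997, 4360, 8092

def path_attributes(update: bytes):
    """Yield (type_code, value) for every path attribute in one BGP UPDATE."""
    marker, length, msg_type = struct.unpack_from("!16sHB", update, 0)
    if marker != b"\xff" * 16 or msg_type != 2 or length != len(update):
        raise ValueError("expected exactly one complete BGP UPDATE message")
    (withdrawn_len,) = struct.unpack_from("!H", update, 19)
    pos = 21 + withdrawn_len
    (attrs_len,) = struct.unpack_from("!H", update, pos)
    pos += 2
    end = pos + attrs_len
    if end > len(update):
        raise ValueError("path attributes run past the end of the message")
    while pos < end:
        flags, code = struct.unpack_from("!BB", update, pos)
        if flags & 0x10:  # Extended Length flag: two-byte length field
            (alen,) = struct.unpack_from("!H", update, pos + 2)
            pos += 4
        else:
            alen = update[pos + 2]
            pos += 3
        if pos + alen > end:
            raise ValueError("truncated path attribute")
        yield code, update[pos:pos + alen]
        pos += alen

def communities(update: bytes) -> dict:
    """Decode the three community attributes; each large community is 12 bytes."""
    out = {"standard": [], "extended": [], "large": []}
    for code, value in path_attributes(update):
        if code == COMMUNITIES:
            out["standard"] += ["%d:%d" % struct.unpack_from("!HH", value, i)
                                for i in range(0, len(value), 4)]
        elif code == EXT_COMMUNITIES:
            out["extended"] += [value[i:i + 8].hex() for i in range(0, len(value), 8)]
        elif code == LARGE_COMMUNITY:
            out["large"] += ["%d:%d:%d" % struct.unpack_from("!III", value, i)
                             for i in range(0, len(value), 12)]
    return out

def sample_update() -> bytes:
    """Constructed UPDATE: ORIGIN plus one large community (placeholder AS 123456)."""
    attrs = bytes([0x40, 1, 1, 0])                      # ORIGIN = IGP
    attrs += bytes([0xC0, LARGE_COMMUNITY, 12]) + struct.pack("!III", 123456, 6939, 3)
    body = struct.pack("!HH", 0, len(attrs)) + attrs    # no withdrawn routes, no NLRI
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body
```

An attribute with type code 32 in the output confirms the router sent a large community; an empty "large" list means the filter never attached it.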

Thank you! I’ve found the packet containing the Large Community. So it is sending, datacenter is still pending on my request to look for any received community.

Hello,

My datacenter got back and said I need to set out an extended community with route target.
I’ve followed this: https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples and this: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=74678285#id-/routing/filter-BGPCommunityOperators. But it won’t get itself announced properly to the ISP router.

It seems that the commands for bgp-communities-ext-set are not translated into Winbox’s window. If I hit enter, it adds the rule, but there’s nothing within the rule.

If I type:

add chain=BGP-OUT-HEP3 rule="set bgp-ext-communities rt:value1:value2; accept;

it doesn’t work.
And gives a “word” error on following the example:

add chain=BGP-OUT-HEP3 rule=" bgp-ext-communities-set BGP-OUT-HEP3; accept; "

(append doesn’t work either)

The whole example seems to be off on what is valid in ROS 7.1.1.

Hello mrz,

Do you have any further ideas on what is needed?

Examples are now fixed to the new syntax.

Works for me:

[admin@rack1_b32_CCR1036] /routing/filter/rule> add chain=test rule="set bgp-ext-communities rt:111:1.2.3.4"
[admin@rack1_b32_CCR1036] /routing/filter/rule> print 
Flags: X - disabled, I - inactive 
 0   chain=test rule="set bgp-ext-communities rt:111:1.2.3.4"

Probably you are trying to enter invalid values?

Hello mrz,

I had it typed like this

set bgp-ext-communities [ISP-AS]:6939:3; accept;

just like the example page says: https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples. But that does not seem to work or be received by the ISP router.

That is not a valid ext-community.

Format you are trying to enter is for large-communities.


Ext community can be:
Route Target (prefixed with RT)
Or site of origin (prefixed with soo)
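The difference between the three text forms, as an added example that is not from the thread or from RouterOS: it classifies a community string by the field sizes in RFC 1997 (two 16-bit values) and RFC 8092 (three 32-bit values), and treats the rt:/soo: prefixes described above as extended. The function names are hypothetical, 123456 is a placeholder AS, and the internal encoding of extended communities is not modelled.

```python
import struct

U16, U32 = 0xFFFF, 0xFFFFFFFF

def classify(text: str):
    """Return (attribute, wire_bytes) for a community written as text.

    wire_bytes is None for extended communities (8 bytes on the wire, with
    several sub-encodings that this sketch does not model).
    Raises ValueError when the text fits none of the three attributes.
    """
    fields = text.strip().split(":")
    if fields[0].lower() in ("rt", "soo"):
        if len(fields) != 3:
            raise ValueError(f"{text!r}: expected prefix:value1:value2")
        return "extended", None
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError(f"{text!r}: unknown prefix or non-numeric field") from None
    if len(nums) == 2 and all(0 <= n <= U16 for n in nums):
        return "standard", struct.pack("!HH", *nums)      # 4 bytes
    if len(nums) == 3 and all(0 <= n <= U32 for n in nums):
        return "large", struct.pack("!III", *nums)        # 12 bytes
    raise ValueError(f"{text!r}: fits neither 16:16 nor 32:32:32")

def valid_for(text: str, attribute: str) -> bool:
    """True when the text can be carried in the named community attribute."""
    try:
        return classify(text)[0] == attribute
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs taken from the forms discussed in the thread
    for sample in ("123456:6939:3", "rt:111:1.2.3.4", "6939:3", "123456:3"):
        try:
            kind, wire = classify(sample)
            size = "8" if wire is None else str(len(wire))
            print(f"{sample:16} {kind:9} {size} bytes")
        except ValueError as err:
            print(f"{sample:16} invalid   ({err})")
```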

Hello mrz,

Thank you. Was already expecting that. My DC says the following:

When you create a large community, MK adds the word “large” to the beginning of the community and uses 12 bytes.

inet6.0: 50 destinations, 51 routes (50 active, 0 holddown, 0 hidden)

* [My-IPv6 subnet] (1 entry, 1 announced)
    Accepted
    Nexthop: [IPv6-Transit IP]
    AS path: 123457 I
    Communities: large:123456:6939:3

But Juniper expects the community without the “larger” extension.
Our community is less than 12 bytes, 123456:6939:3
That’s why it doesn’t work.

Try asking MK for information if they have an implementation of this type of community, If they officially confirm that no, then I will come up with something to make it work for you.

Is there something that will make communities with 32-bit AS work without the large community? Or make it work with juniper? I now have the following:

set bgp-communities 123456:6939:3; accept;

But the DC says this is also not received.