BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 3:25 pm

Hello MK and forum members,

I've upgraded to RouterOS 7.1.1 for the support of Large BGP communities. The following has been configured, but it is not received by the upstream provider:
/routing bgp connection
add address-families=ip,ipv6 as=[My-AS] connect=yes disabled=no listen=yes \
    local.role=ebgp name=peer2 output.filter-chain=BGP-OUT-HEP3 .network=\
    bgp-networks remote.address=[IPv6 peer address]/128 .as=[ISP-AS] \
    routing-table=main templates=default
/routing filter rule
add chain=BGP-OUT-HEP3 disabled=no rule=\
    "if ( dst == [IPv6 Subnet]/48 ) { accept; }"
add chain=BGP-OUT-HEP3 disabled=no rule=\
    "append bgp-large-communities [ISP-AS]:6939:3; accept;"
The upstream provider says it does not receive the community...
I've already recreated and restarted the filter. Also restarted the BGP connection. But it did nothing unfortunately.

Is there someone who has more information about ROSv7 Large BGP communities?
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 3:39 pm

You are trying to set communities for [IPv6 Subnet]/48 or for everything else?
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 3:46 pm

> You are trying to set communities for [IPv6 Subnet]/48 or for everything else?
Hello mrz,
For now, I want it only on IPv6 ([IPv6 Subnet]/48 indeed), so the impact is not as large as on IPv4. If it all works, I want it for my IPv4 /24 subnet also.
I've added rule 1 because the filter will not announce my IPv6 subnet if I leave it out.

I currently have 1 /48 IPv6 subnet and 1 /24 IPv4 subnet. So if it will work, I want it for "everything".
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 3:50 pm

Your rules will not set community for /48 prefix. If you remove the first rule, then communities will append to all prefixes.
And if those are your prefixes then probably you should use "set" instead of "append".
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 4:00 pm

> Your rules will not set community for /48 prefix. If you remove the first rule, then communities will append to all prefixes.
> And if those are your prefixes then probably you should use "set" instead of "append".
Hello mrz,
So if I understand correctly, if I remove the first rule, it will be active for all IPv6 subnets within the firewall address list. And change append to set to get it working?
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 4:20 pm

yes
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 4:23 pm

> yes
As far as I see it is not working yet with the following:
/routing bgp connection
add address-families=ip,ipv6 as=[My-AS] connect=yes disabled=no listen=yes \
    local.role=ebgp name=peer2 output.filter-chain=BGP-OUT-HEP3 .network=\
    bgp-networks remote.address=[IPv6-Peer-address]/128 .as=[ISP-AS] \
    routing-table=main templates=default
/routing filter rule
add chain=BGP-OUT-HEP3 disabled=no rule=\
    "set bgp-large-communities [ISP-AS]:6939:3; accept;"
The datacenter will check in a bit if they receive it. But I still see nothing on the looking glass of Hurricane Electric.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 4:33 pm

You should understand that { accept ; } terminates rule processing at that point for the condition that you have matched.
So when you want something else to happen (like the append community) it has to happen before that rule.
Of course that should be the case in the last example that you mentioned. But you could add the dst == match in that rule as well.
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 5:21 pm

> You should understand that { accept ; } terminates rule processing at that point for the condition that you have matched.
> So when you want something else to happen (like the append community) it has to happen before that rule.
> Of course that should be the case in the last example that you mentioned. But you could add the dst == match in that rule as well.
Hello pe1chl,

Thank you. I didn't know that. The rule is not yet working if I look into the LG's of HE and others. Is there still something that needs to be changed from the last export post?
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 5:32 pm

You can check with packet sniffer if the nlri was actually sent to the upstream peer.
Also if you are advertising via output.networks make sure you have corresponding route in the routing table for synchronisation.
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 6:17 pm

> You can check with packet sniffer if the nlri was actually sent to the upstream peer.
> Also if you are advertising via output.networks make sure you have corresponding route in the routing table for synchronisation.
Hello mrz,

Excuse my lack of knowledge, but what settings need to be used to check for NLRI packets? And where to look?
The internet is not helpful with showing how to do this.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 7:03 pm

You can do a packet sniffer capture for the BGP traffic using Tools->Packet Sniffer where you select the proper interface, IP address of your router, and protocol TCP port 179 (this all to limit the capture size), and capture to a file.
Then Start it, wait a while (look in Packets to see if you captured something), Stop it again and download the file.
You can then analyze this file in Wireshark to see what has gone back and forth.
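
As an added example (not part of the original post, and not MikroTik code): once a BGP UPDATE has been pulled out of such a capture, the check for which community attributes it carries can be scripted. The sketch assumes the raw bytes of one UPDATE message (reassembled TCP payload); the sample message is constructed for illustration using the large community value from this thread.

```python
import struct

# Path attribute type codes and the size of one community in each attribute.
COMMUNITY_ATTRS = {8: "communities", 16: "ext-communities", 32: "large-communities"}
ITEM_SIZE = {8: 4, 16: 8, 32: 12}


def path_attributes(message):
    """Yield (type code, value bytes) for each path attribute in a BGP UPDATE."""
    if len(message) < 23 or message[:16] != b"\xff" * 16 or message[18] != 2:
        raise ValueError("not a BGP UPDATE message")
    pos = 19                                   # skip marker, length, type
    (withdrawn_len,) = struct.unpack_from("!H", message, pos)
    pos += 2 + withdrawn_len                   # skip withdrawn routes
    (attrs_len,) = struct.unpack_from("!H", message, pos)
    pos += 2
    end = pos + attrs_len
    while pos < end:
        flags, code = message[pos], message[pos + 1]
        if flags & 0x10:                       # extended-length bit set
            (length,) = struct.unpack_from("!H", message, pos + 2)
            pos += 4
        else:
            length = message[pos + 2]
            pos += 3
        yield code, message[pos:pos + length]
        pos += length


def communities_sent(message):
    """Map attribute name -> list of hex community values found in the UPDATE."""
    found = {}
    for code, value in path_attributes(message):
        if code in COMMUNITY_ATTRS:
            size = ITEM_SIZE[code]
            found[COMMUNITY_ATTRS[code]] = [
                value[i:i + size].hex() for i in range(0, len(value), size)]
    return found


def large_to_text(hex_value):
    """Render a 12-byte large community as global:local1:local2."""
    return ":".join(str(n) for n in struct.unpack("!III", bytes.fromhex(hex_value)))


# Constructed UPDATE: ORIGIN=IGP plus one LARGE_COMMUNITY 123456:6939:3.
_ATTRS = (bytes([0x40, 1, 1, 0])
          + bytes([0xC0, 32, 12]) + struct.pack("!III", 123456, 6939, 3))
SAMPLE_UPDATE = (b"\xff" * 16 + struct.pack("!HB", 19 + 4 + len(_ATTRS), 2)
                 + struct.pack("!H", 0) + struct.pack("!H", len(_ATTRS)) + _ATTRS)

if __name__ == "__main__":
    print(communities_sent(SAMPLE_UPDATE))
```

An UPDATE that carries only attribute type 32 contains a large community and nothing the peer could match as a standard or extended community.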
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Thu Jan 27, 2022 7:40 pm

> You can do a packet sniffer capture for the BGP traffic using Tools->Packet Sniffer where you select the proper interface, IP address of your router, and protocol TCP port 179 (this all to limit the capture size), and capture to a file.
> Then Start it, wait a while (look in Packets to see if you captured something), Stop it again and download the file.
> You can then analyze this file in Wireshark to see what has gone back and forth.

Thank you! I've found the packet containing the Large Community. So it is sending, datacenter is still pending on my request to look for any received community.
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Sat Jan 29, 2022 12:22 am

Hello,

My datacenter got back and said I need to set out an extended community with route target.
I've followed this: https://help.mikrotik.com/docs/display/ ... g+Examples and this: https://help.mikrotik.com/docs/pages/vi ... yOperators. But it won't get itself announced properly to the ISP router.

It seems that the commands for bgp-communities-ext-set are not translated into Winbox's window. If I hit enter, it adds the rule, but there's nothing within the rule.

If I type:
add chain=BGP-OUT-HEP3 rule="set bgp-ext-communities rt:value1:value2; accept;
it doesn't work.
And gives a "word" error on following the example:
add chain=BGP-OUT-HEP3 rule=" bgp-ext-communities-set BGP-OUT-HEP3; accept; "
(append doesn't work either)

The whole example seems to be off on what is valid in ROS 7.1.1.
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Mon Jan 31, 2022 3:53 pm

> You can check with packet sniffer if the nlri was actually sent to the upstream peer.
> Also if you are advertising via output.networks make sure you have corresponding route in the routing table for synchronisation.
Hello mrz,

Do you have any further ideas on what is needed?
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Mon Jan 31, 2022 4:08 pm

Examples are now fixed to the new syntax.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Mon Jan 31, 2022 4:11 pm


> If I type:
> add chain=BGP-OUT-HEP3 rule="set bgp-ext-communities rt:value1:value2; accept;
> it doesn't work.
> And gives a "word" error on following the example:
> add chain=BGP-OUT-HEP3 rule=" bgp-ext-communities-set BGP-OUT-HEP3; accept; "
> (append doesn't work either)
Works for me:
[admin@rack1_b32_CCR1036] /routing/filter/rule> add chain=test rule="set bgp-ext-communities rt:111:1.2.3.4"
[admin@rack1_b32_CCR1036] /routing/filter/rule> print 
Flags: X - disabled, I - inactive 
 0   chain=test rule="set bgp-ext-communities rt:111:1.2.3.4" 
Probably you are trying to enter invalid values?
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Mon Jan 31, 2022 4:28 pm

> Works for me:
> [admin@rack1_b32_CCR1036] /routing/filter/rule> add chain=test rule="set bgp-ext-communities rt:111:1.2.3.4"
> [admin@rack1_b32_CCR1036] /routing/filter/rule> print
> Flags: X - disabled, I - inactive
>  0   chain=test rule="set bgp-ext-communities rt:111:1.2.3.4"
> Probably you are trying to enter invalid values?

Hello mrz,

I had it typed like this
set bgp-ext-communities [ISP-AS]:6939:3; accept;
just like the example page says: https://help.mikrotik.com/docs/display/ ... g+Examples. But that does not seem to work or be received by the ISP router.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Mon Jan 31, 2022 4:54 pm

That is not a valid ext-community.

Format you are trying to enter is for large-communities.


Ext community can be:
Route Target (prefixed with RT)
Or site of origin (prefixed with soo)
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Tue Feb 01, 2022 12:29 pm

> That is not a valid ext-community.
>
> Format you are trying to enter is for large-communities.
>
> Ext community can be:
> Route Target (prefixed with RT)
> Or site of origin (prefixed with soo)
Hello mrz,

Thank you. Was already expecting that. My DC says the following:
When you create a large community, MK adds the word "large" to the beginning of the community and uses 12 bytes.

inet6.0: 50 destinations, 51 routes (50 active, 0 holddown, 0 hidden)
* [My-IPv6 subnet] (1 entry, 1 announced)
Accepted
Nexthop: [IPv6-Transit IP]
AS path: 123457 I
Communities: large:123456:6939:3

But Juniper expects the community without the "larger" extension.
Our community is less than 12 bytes, 123456:6939:3
That's why it doesn't work.

Try asking MK for information if they have an implementation of this type of community, If they officially confirm that no, then I will come up with something to make it work for you.
Is there something that will make communities with 32-bit AS work without the large community? Or make it work with juniper? I now have the following:
set bgp-communities 123456:6939:3; accept;
But the DC says this is also not received.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: RouterOS 7.1.1 Large BGP Communities

Tue Feb 01, 2022 12:58 pm

ROS is not sending "large" word, I believe Juniper just indicates that this attribute was from a "large" community

You mentioned that the data center said they expect extended community with route-target.

If you know expected value you can try "set bgp-ext-communities rt:value1:value2"
Or you can send directly RAW value in 64-bit hex "set bgp-ext-communities 0x............."

Regarding your last example: set bgp-communities 123456:6939:3 it is not going to work, because it is not a valid community value. Community attribute is a 32bit value that typically is written in the following format "16bit_value:16bit_value"

communities
ext-communities
large-communities

are three separate attributes.
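
The three attributes named above differ in width and wire layout, which is why a value written for one is rejected in another. The following added example (not from the original post, and not RouterOS's own parser) encodes a community string per RFC 1997, RFC 4360/5668 and RFC 8092. The function names are illustrative, and that RouterOS's raw 0x... form uses the same byte order as the RFC wire format is an assumption.

```python
import struct

# Path attribute type codes: COMMUNITIES (RFC 1997), EXTENDED COMMUNITIES
# (RFC 4360) and LARGE_COMMUNITY (RFC 8092) are carried separately.
ATTR_TYPE = {"communities": 8, "ext-communities": 16, "large-communities": 32}
EXT_SUBTYPE = {"rt": 0x02, "soo": 0x03}  # route target / site of origin


def _uint(text, bits):
    value = int(text)
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{text} does not fit in {bits} bits")
    return value


def encode_community(text):
    """Return (attribute name, wire bytes) for one community string."""
    parts = text.lower().split(":")
    if parts[0] in EXT_SUBTYPE and len(parts) == 3:
        subtype, admin = EXT_SUBTYPE[parts[0]], _uint(parts[1], 32)
        if admin < 1 << 16:   # two-octet AS specific: AS(2) + local(4)
            body = struct.pack("!BBHI", 0x00, subtype, admin, _uint(parts[2], 32))
        else:                 # four-octet AS specific (RFC 5668): AS(4) + local(2)
            body = struct.pack("!BBIH", 0x02, subtype, admin, _uint(parts[2], 16))
        return "ext-communities", body
    if len(parts) == 3:       # large: three 32-bit fields, 12 bytes
        return "large-communities", struct.pack("!III", *(_uint(p, 32) for p in parts))
    if len(parts) == 2:       # standard: two 16-bit fields, 4 bytes
        return "communities", struct.pack("!HH", *(_uint(p, 16) for p in parts))
    raise ValueError(f"unrecognised community format: {text!r}")


def raw_hex(text):
    """64-bit hex form of an extended community (assumed RFC byte order)."""
    name, body = encode_community(text)
    if name != "ext-communities":
        raise ValueError(f"{text!r} is a {name} value, not an extended community")
    return "0x" + body.hex()


if __name__ == "__main__":
    # Constructed inputs; the first two use values quoted in the thread.
    for sample in ("123456:6939:3", "rt:6939:3", "65000:100"):
        name, body = encode_community(sample)
        print(f"{sample:15} -> {name:17} type {ATTR_TYPE[name]:2} {body.hex()}")
```

A two-field value with a 32-bit AS number, such as 123456:100, raises ValueError because a standard community only has 16 bits for each field.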
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities

Tue Feb 01, 2022 5:22 pm

> ROS is not sending "large" word, I believe Juniper just indicates that this attribute was from a "large" community
>
> You mentioned that the data center said they expect extended community with route-target.
>
> If you know expected value you can try "set bgp-ext-communities rt:value1:value2"
> Or you can send directly RAW value in 64-bit hex "set bgp-ext-communities 0x............."
>
> Regarding your last example: set bgp-communities 123456:6939:3 it is not going to work, because it is not a valid community value. Community attribute is a 32bit value that typically is written in the following format "16bit_value:16bit_value"
>
> communities
> ext-communities
> large-communities
>
> are three separate attributes.
Hello mrz,

The DC is busy with a custom solution for communities. He says:
I see that MK is not flexible in the community.
So I will wait for that and see if it works. I will post the solution here for others. Then I will close this post.
 
BryanBarb
just joined
Topic Author
Posts: 14
Joined: Mon Feb 24, 2020 12:24 am

Re: RouterOS 7.1.1 Large BGP Communities  [SOLVED]

Tue Feb 01, 2022 5:49 pm

> > ROS is not sending "large" word, I believe Juniper just indicates that this attribute was from a "large" community
> >
> > You mentioned that the data center said they expect extended community with route-target.
> >
> > If you know expected value you can try "set bgp-ext-communities rt:value1:value2"
> > Or you can send directly RAW value in 64-bit hex "set bgp-ext-communities 0x............."
> >
> > Regarding your last example: set bgp-communities 123456:6939:3 it is not going to work, because it is not a valid community value. Community attribute is a 32bit value that typically is written in the following format "16bit_value:16bit_value"
> >
> > communities
> > ext-communities
> > large-communities
> >
> > are three separate attributes.
> Hello mrz,
>
> The DC is busy with a custom solution for communities. He says:
> I see that MK is not flexible in the community.
> So I will wait for that and see if it works. I will post the solution here for others. Then I will close this post.
The DC has edited their filters to support the following:
set bgp-ext-communities rt:6939:3; accept;
They say it's working now. Thank you mrz and others for your time :)
