
no enforce-first-as in RouterOS?

Posted: Mon Dec 10, 2018 3:50 pm
by ners
We need to accept BGP routes with the peer's AS removed from AS_PATH on the peer's side. Will RouterOS accept such routes (without peer's AS) or do we need to configure something to enable acceptance of such routes? I haven't been able to find any relevant settings.

In Cisco it's called no enforce-first-as.

Re: no enforce-first-as in RouterOS?

Posted: Mon Dec 10, 2018 4:33 pm
by CZFan
I am new to BGP, so take with a pinch of salt.

This is usually used where an ISP (upstream provider) needs to remove a client's "private AS", and one of the requirements, as I understand it, is that the client then needs to have the same routing policy as the ISP.

It is a setting called "Remove-Private-AS" in /routing bgp peer

Re: no enforce-first-as in RouterOS?

Posted: Mon Dec 10, 2018 5:04 pm
by ners
We don't need to strip our AS from AS_PATH. We want to accept routes from a BGP peer who has their AS stripped from AS_PATH.
So if our peer's AS is 43322, and the AS_PATH for a route from that peer is "43322 20324 53221 9098" (our peer's AS first), we want Mikrotik to accept that route if it looked like "20324 53221 9098" (AS 43322 stripped by the peer). By default Cisco won't accept such a route and we'd need to configure "no enforce-as-first" to allow such routes to be accepted.

Re: no enforce-first-as in RouterOS?

Posted: Mon Dec 10, 2018 6:13 pm
by CZFan
What I explained is not to remove your AS, but the downstream private AS. i.e.

Client (AS65500) ---- ISP (AS200) ---- Global Net

At the ISP, they will strip the "Private AS" by using "Remove-Remote-AS" and only advertise aggregate. Anyway, it seems this is only related to "Private AS" and possibly not related to your situation.

I am not sure it is a good thing you want to do, again, I am no BGP expert, but by removing the AS the way you explained, it might cause routing loops

Re: no enforce-first-as in RouterOS?

Posted: Mon Dec 10, 2018 6:43 pm
by nest
In your first post you stated "In Cisco it's called no enforce-first-as."
Searching on this forum gave me this viewtopic.php?t=43498#p221428
However, from your further description in a later post it's not very clear that "no enforce-first-as" is actually what you are wanting to do.
But anyway, is that forum post any help?

Re: no enforce-first-as in RouterOS?

Posted: Mon Dec 10, 2018 8:33 pm
by ners
Ok, I'll try to explain it in real life terms.

I want to connect to an IX which is a shared L2 domain with a Route Server (running bird: https://bird.network.cz/) and a dozen other peers, each one with their own AS.
The direct BGP session will be established with the Route Server (RS) and not with the other peers.
The Route Server will advertise prefixes for the other peers (each peer will have a BGP session with the Route Server). However, in order to facilitate direct traffic exchange between peers (not via the route server), the Route Server will strip its own AS from the AS_PATH attribute and set the next-hop parameter to that of the relevant peer. This will look like this:

1) R1 (AS1000) establishes a BGP session with the RS (AS 500) and advertises 192.0.2.0/24 to the RS.
2) R2 (AS2000) establishes a BGP session with the RS (AS 500) and receives 192.0.2.0/24 from the RS. Normally it would receive it with AS_PATH as "AS500, AS1000" and the RS' next-hop. So when sending traffic to 192.0.2.0/24, R2 will send it to the RS.
HOWEVER this is where things get tricky. The RS does a little magic to the prefix: it removes its own AS from the AS_PATH and sets the next-hop to that of R1, so R2 receives the prefix as AS_PATH: AS1000 and R1 as the next-hop. So when R2 sends traffic to 192.0.2.0/24, it will send it towards R1 and not RS.

===================
Now some vendors (i.e. Cisco) by default won't accept a prefix from RS where the first AS in AS_PATH is not AS500 (RS'). By setting "no enforce-first-as" we tell Cisco to accept such routes.
Juniper by default accepts such routes.

How do I make Mikrotik accept such routes?

Re: no enforce-first-as in RouterOS?

Posted: Tue Dec 11, 2018 2:07 am
by joegoldman
It's default. There's no specific option for it. I do run Client to Client reflection ticked on my instances, not sure if that makes a difference, but I use Mikrotik to peer with IX route servers and they deliver routes without their own AS in the path, which my router happily accepts.

Re: no enforce-first-as in RouterOS?

Posted: Fri Jan 25, 2019 11:30 am
by mikro2009
Hi,

we had the same problem (running a CCR1036-12G-4S to peer at BCIX). It seems that
newer RouterOS (at least 6.43.2) versions accept these prefixes now without additional
configuration:

/ip route print detail where received-from=BCIX_IPv4_RS1
...
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 ADb dst-address=1.0.4.0/22 gateway=A.B.C.X gateway-status=A.B.C.Y reachable via ether12 bgp-as-path="6939,4826,38803,56203"
...

The bgp peering session is established to a route server with as-number 16374.

Regards,
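
An added example, not part of any post in this thread: since RouterOS applies no first-AS check, this Python sketch audits `/ip route print detail` output and flags routes whose first AS differs from the peer's AS unless the peer is a known route server. The sample lines, the peer name `transit1`, the gateway addresses and the presence of `received-from` on each line are assumptions constructed for the example; AS 16374 and AS 43322 are the values quoted in the posts above.

```python
import re

# Constructed sample shaped like the `/ip route print detail` line quoted above.
SAMPLE = '''\
 0 ADb  dst-address=1.0.4.0/22 gateway=192.0.2.10 received-from=BCIX_IPv4_RS1 bgp-as-path="6939,4826,38803,56203"
 1 ADb  dst-address=198.51.100.0/24 gateway=192.0.2.20 received-from=transit1 bgp-as-path="43322,20324,53221,9098"
 2 ADb  dst-address=203.0.113.0/24 gateway=192.0.2.20 received-from=transit1 bgp-as-path="20324,53221,9098"
'''

# peer name -> (remote AS, is a transparent route server); filled in by the operator.
PEERS = {
    "BCIX_IPv4_RS1": (16374, True),
    "transit1": (43322, False),  # hypothetical ordinary eBGP peer
}

FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_routes(text):
    """Yield the key=value fields of every line that carries a BGP AS path."""
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "bgp-as-path" in fields and "received-from" in fields:
            yield fields


def check_first_as(text, peers):
    """Return (prefix, peer, first AS, verdict) for each BGP route."""
    results = []
    for route in parse_routes(text):
        name = route["received-from"]
        remote_as, is_rs = peers.get(name, (None, False))
        hops = [h for h in route["bgp-as-path"].split(",") if h]
        first = int(hops[0]) if hops and hops[0].isdigit() else None
        if first is not None and first == remote_as:
            verdict = "ok"            # what enforce-first-as would require
        elif is_rs:
            verdict = "route-server"  # expected: the RS strips its own AS
        else:
            verdict = "violation"     # ordinary peer, first AS is not the peer's
        results.append((route["dst-address"], name, first, verdict))
    return results


if __name__ == "__main__":
    for row in check_first_as(SAMPLE, PEERS):
        print(*row)
```
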

Re: no enforce-first-as in RouterOS?

Posted: Fri Jan 25, 2019 2:56 pm
by ners
Thank you! Got it.