MWComms
just joined
Topic Author
Posts: 14
Joined: Thu Nov 30, 2017 1:35 am
Location: Australia

BGP VPN Import / Export Filters

Thu Jun 09, 2022 11:52 am

Hello,

When trying to add export filters to a VRF/VPN Instance in Routing > BGP > VPN, all routes belonging to 'Copy' disappear from the routing table, leaving only Connected / Static, etc.
Is there a specific way in ROSv7 to achieve route filtering from within a VRF without making the Copied routes (from LDP) disappear?

Inversely, when trying to add import filters to a VRF/VPN Instance in Routing > BGP > VPN, no routes appear to have been filtered.

This is irrespective of whether local VRF route-leaking is used, or whether filtering from an external RT.

I have worked around this issue by creating a route filter specific to my route-reflector to filter out prefixes belonging to ext-bgp-communities (containing the route target), which does prevent the VPNv4 route from being distributed via BGP but I am looking for a more fine-grained approach on a per-VRF basis.

Refer Images
:: Without Export Filter
:: With Export Filter

This 'issue' has been present since ROSv7 was released. I have been waiting for this functionality before doing serious testing with it on an MPLS network w/ L3VPN.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: BGP VPN Import / Export Filters

Thu Jun 09, 2022 12:09 pm

As far as I know, vpn4 is not ready on v7
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BGP VPN Import / Export Filters

Thu Jun 09, 2022 12:18 pm

So to clarify, you add export chain and locally on this router routes from VRF table disappear?
 
MWComms
just joined
Topic Author
Posts: 14
Joined: Thu Nov 30, 2017 1:35 am
Location: Australia

Re: BGP VPN Import / Export Filters

Thu Jun 09, 2022 4:38 pm

> So to clarify, you add export chain and locally on this router routes from VRF table disappear?

Yes, that is correct. This happens regardless of the contents of the route filter, [which could have an {accept;} or {reject;}] but in spite of this, the export filter should not have any effect on the route table of the same router.

As soon as I add an export filter, all copy routes (as denoted by the 'y' flag) are removed from the VRF. The VPNv4 routes however are not removed from the main route table and can be located via /routing/route print.

As mentioned also, the per VPN/VRF import filter has no effect and will not filter routes exchanged from LDP peers or locally (via import/export route targets).

VPNv4 works well and is fairly reliable otherwise.
 
MWComms
just joined
Topic Author
Posts: 14
Joined: Thu Nov 30, 2017 1:35 am
Location: Australia

Re: BGP VPN Import / Export Filters

Thu Jun 09, 2022 4:53 pm

To follow up, and this might be nothing, I have noticed under Routing > BGP > Connection, when selecting input / output filters, the dropdown list actually displays the entries created in Routing > Filters > Rule.

If I attempt to pick from the dropdown list for input/output filter under Routing > BGP > VPN > <vrf>, the list is empty.
 
MWComms
just joined
Topic Author
Posts: 14
Joined: Thu Nov 30, 2017 1:35 am
Location: Australia

Re: BGP VPN Import / Export Filters

Thu Jun 09, 2022 4:58 pm

It does, however, return a list from items set in Routing > Filter > Select Rule, although I am not sure of the use case of 'select rule'.
 
MWComms
just joined
Topic Author
Posts: 14
Joined: Thu Nov 30, 2017 1:35 am
Location: Australia

Re: BGP VPN Import / Export Filters

Sat Jun 11, 2022 4:03 pm

I've since discovered that the VRF Export Filter facility expects to use rules created in Routing > Filter > Rule Set.

I've tested this functionality and it 'appears' to work, although I can't speak for the reliability of it as I only have 1 of 7 VRFs working using this method. I don't know why the other VRFs aren't working the same as in my test VRF.

If I try to create a rule set in Winbox, most of the time the rule I create or modify will wind up becoming 'invalid'. I have defaulted to using CLI to create / modify.

What I've also noted during this testing is that the import filter (as defined in BGP > VPN) does absolutely nothing. In fact, if I want to filter routes coming into the VRF, I can achieve this by placing the specific filter on the rule linked to the 'export' rule set.

I get that the filters have had a complete re-write as well as the kernel making a significant jump and there are likely to be bugs but I'd absolutely love an acknowledgement from MikroTik so I know that it's being investigated or it's planned in the roadmap to be fixed or 'hey can you try this and report back'… or something!
