Matching the community-list statement in route-map with BGP to OSPF redistribution

I’m trying to redistribute specific routes to OSPF matching a community-list. This doesn’t work as expected: when I try to match a community list in a route-map, it effectively evaluates as true regardless of the content.

For example, when I try to exclude a set of prefixes with the community 65001:1111, other prefixes get excluded too (for example, 8.8.7.5/32 with comm 65001:2222)

set policy community-list O2B-IMPORTED rule 10 action 'permit'
set policy community-list O2B-IMPORTED rule 10 regex '65001:1111'

set policy route-map RMAP_B2O rule 10 action 'deny'
set policy route-map RMAP_B2O rule 10 match community community-list 'O2B-IMPORTED'
set policy route-map RMAP_B2O rule 20 action 'permit'
set policy route-map RMAP_B2O rule 20 set tag '2222'
set protocols ospf redistribute bgp route-map 'RMAP_B2O'

show ip bgp community-list and route-map evaluations outputs are as expected:

show ip bgp community-list O2B-IMPORTED
BGP table version is 28, local router ID is 10.222.255.120, vrf id 0
Default local pref 100, local AS 65001
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop’s vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network          Next Hop            Metric LocPrf Weight Path
* i10.2.128.0/22 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?
* i10.222.252.96/28 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?
* i172.16.19.0/24 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?
* i172.16.33.0/24 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?
* i172.16.55.0/24 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?
* i172.16.56.0/21 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?

show ip bgp route-map RMAP_B2O
BGP table version is 28, local router ID is 10.222.255.120, vrf id 0
Default local pref 100, local AS 65001
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop’s vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network          Next Hop            Metric LocPrf Weight Path

*>i1.1.1.10/32 10.222.255.110 0 100 0 i
*> 2.2.2.10/32 0.0.0.0 0 32768 i
*>i9.8.7.5/32 10.222.255.110 0 100 0 i
*> 9.8.7.6/32 0.0.0.0 0 32768 i

Displayed 4 routes and 16 total paths

BGP community tags are OK:

show ip bgp ipv4 unic 9.8.7.5
BGP routing table entry for 9.8.7.5/32, version 28
Paths: (1 available, best #1, table default)
Not advertised to any peer
Local
10.222.255.110 (metric 1) from 10.222.255.110 (10.222.255.110)
Origin IGP, metric 0, localpref 100, valid, internal, best (First path received)
Community: 65001:2222
Last update: Wed Apr 19 09:25:19 2023

Despite that it won’t result in proper redistribution to OSPF:
show ip ospf datab

   OSPF Router with ID (10.222.255.120)

            Router Link States (Area 0.0.0.100)

Link ID ADV Router Age Seq# CkSum Link count
10.222.253.1 10.222.253.1 1605 0x8000003d 0xacfc 2
10.222.255.110 10.222.255.110 818 0x800000ad 0x0fd2 6
10.222.255.120 10.222.255.120 802 0x80000023 0xb6bf 6

            AS External Link States

Link ID ADV Router Age Seq# CkSum Route
10.2.128.0 10.222.253.1 1165 0x8000002d 0x4382 E2 10.2.128.0/22 [0x457]
10.222.252.96 10.222.253.1 1145 0x8000002d 0x8097 E2 10.222.252.96/28 [0x457]
172.16.19.0 10.222.253.1 1165 0x8000002d 0x1b64 E2 172.16.19.0/24 [0x457]
172.16.33.0 10.222.253.1 1215 0x8000002d 0x80f0 E2 172.16.33.0/24 [0x457]
172.16.55.0 10.222.253.1 1275 0x8000002d 0x8dcd E2 172.16.55.0/24 [0x457]
172.16.56.0 10.222.253.1 1175 0x8000002d 0x5f02 E2 172.16.56.0/21 [0x457]

If I remove a route-map entry 10 matching the community-list - routes are redistributed normally:

run show ip ospf datab

   OSPF Router with ID (10.222.255.120)

            Router Link States (Area 0.0.0.100)

Link ID ADV Router Age Seq# CkSum Link count
10.222.253.1 10.222.253.1 140 0x8000003e 0xaafd 2
10.222.255.110 10.222.255.110 1044 0x800000ad 0x0fd2 6
10.222.255.120 10.222.255.120 1029 0x80000023 0xb6bf 6

            AS External Link States

Link ID ADV Router Age Seq# CkSum Route
1.1.1.10 10.222.255.120 56 0x80000001 0xcfc9 E2 1.1.1.10/32 [0x8ae]
9.8.7.5 10.222.255.120 56 0x80000001 0x0386 E2 9.8.7.5/32 [0x8ae]
10.2.128.0 10.222.253.1 1391 0x8000002d 0x4382 E2 10.2.128.0/22 [0x457]
10.222.252.96 10.222.253.1 1371 0x8000002d 0x8097 E2 10.222.252.96/28 [0x457]
172.16.19.0 10.222.253.1 1391 0x8000002d 0x1b64 E2 172.16.19.0/24 [0x457]
172.16.33.0 10.222.253.1 1441 0x8000002d 0x80f0 E2 172.16.33.0/24 [0x457]
172.16.55.0 10.222.253.1 1501 0x8000002d 0x8dcd E2 172.16.55.0/24 [0x457]
172.16.56.0 10.222.253.1 1401 0x8000002d 0x5f02 E2 172.16.56.0/21 [0x457]

What version are you using? When redistributing BGP into OSPF, what configuration is applied on those peers? Can you share it?

I’ve tried two versions with the same result:

show system image
The system currently has the following image(s) installed:

1: 1.4-rolling-202304130846 (default boot) (running image)
2: 1.4-rolling-202211290318

The bgp/ospf config:

set policy community-list O2B-IMPORTED rule 10 action 'permit'
set policy community-list O2B-IMPORTED rule 10 regex '65001:1111'

set policy route-map RMAP_B2O rule 10 action 'deny'
set policy route-map RMAP_B2O rule 10 match community community-list 'O2B-IMPORTED'
set policy route-map RMAP_B2O rule 20 action 'permit'
set policy route-map RMAP_B2O rule 20 set tag '2222'

set policy route-map RMAP_O2B rule 10 action 'deny'
set policy route-map RMAP_O2B rule 10 match tag '2222'
set policy route-map RMAP_O2B rule 20 action 'permit'
set policy route-map RMAP_O2B rule 20 match tag '1111'
set policy route-map RMAP_O2B rule 20 set community add '65001:1111'
set protocols bfd profile BGP interval receive '1000'
set protocols bfd profile BGP interval transmit '1000'
set protocols bgp address-family ipv4-unicast network 2.2.2.10/32
set protocols bgp address-family ipv4-unicast network 9.8.7.6/32
set protocols bgp address-family ipv4-unicast redistribute ospf route-map 'RMAP_O2B'

set protocols ospf area 100 network '10.222.253.0/24'
set protocols ospf interface tun3 cost '2000'
set protocols ospf interface tun3 dead-interval '4'
set protocols ospf interface tun3 hello-interval '1'
set protocols ospf interface tun3 network 'point-to-point'
set protocols ospf parameters router-id '10.222.255.120'
set protocols ospf redistribute bgp route-map 'RMAP_B2O'

Hi guys,
any news? Should I create a bug report maybe?
Sorry for the bump.

Hi!

Can you share other policies and configurations?

On the logs provided, the route 9.8.7.5 is a redistributed route (IGP), no tags and with community 65001:2222.

But based on the configurations provided, I don’t see any policy how it gets community 65001:2222.

@j.landicho Here is a full config of the node which performs the mutual redistribution:

show conf comm | match bgp
set protocols bgp address-family ipv4-unicast network 2.2.2.10/32
set protocols bgp address-family ipv4-unicast network 9.8.7.6/32
set protocols bgp address-family ipv4-unicast redistribute ospf route-map 'RMAP_O2B'
set protocols bgp neighbor 10.160.17.141 peer-group 'DMVPN'
set protocols bgp neighbor 10.160.17.141 remote-as '65002'
set protocols bgp neighbor 10.160.17.141 solo
set protocols bgp neighbor 10.160.17.151 peer-group 'DMVPN'
set protocols bgp neighbor 10.160.17.151 remote-as '65103'
set protocols bgp neighbor 10.160.17.151 solo
set protocols bgp neighbor 10.160.17.161 peer-group 'DMVPN'
set protocols bgp neighbor 10.160.17.161 remote-as '65104'
set protocols bgp neighbor 10.160.17.161 shutdown
set protocols bgp neighbor 10.160.17.161 solo
set protocols bgp neighbor 10.222.255.110 peer-group 'P2P'
set protocols bgp neighbor 10.222.255.110 solo
set protocols bgp parameters network-import-check
set protocols bgp peer-group DMVPN address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group DMVPN bfd profile 'BGP'
set protocols bgp peer-group DMVPN update-source 'tun1'
set protocols bgp peer-group P2P address-family ipv4-unicast route-map export 'RMAP_BGP_P2P_OUT'
set protocols bgp peer-group P2P address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp peer-group P2P bfd
set protocols bgp peer-group P2P remote-as 'internal'
set protocols bgp peer-group P2P update-source 'lo'
set protocols bgp system-as '65001'
set protocols bgp timers holdtime '30'
set protocols bgp timers keepalive '10'
set protocols ospf redistribute bgp route-map 'RMAP_B2O'
evolodin@yandex-wan-r2:~$
evolodin@yandex-wan-r2:~$
evolodin@yandex-wan-r2:~$ show conf comm | match ospf
set protocols bgp address-family ipv4-unicast redistribute ospf route-map 'RMAP_O2B'
set protocols ospf area 100 network '10.222.255.0/24'
set protocols ospf area 100 network '10.160.16.0/24'
set protocols ospf area 100 network '10.160.17.0/24'
set protocols ospf area 100 network '10.222.253.0/24'
set protocols ospf area 100 network '10.222.252.252/30'
set protocols ospf interface eth0 passive
set protocols ospf interface eth1 passive
set protocols ospf interface tun1 passive
set protocols ospf interface tun2 network 'point-to-point'
set protocols ospf interface tun3 cost '2000'
set protocols ospf interface tun3 dead-interval '4'
set protocols ospf interface tun3 hello-interval '1'
set protocols ospf interface tun3 network 'point-to-point'
set protocols ospf parameters router-id '10.222.255.120'
set protocols ospf redistribute bgp route-map 'RMAP_B2O'

BGP table of the node:

evolodin@yandex-wan-r2:~$ show ip bgp ipv4 unicast
BGP table version is 1562, local router ID is 10.222.255.120, vrf id 0
Default local pref 100, local AS 65001
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop’s vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network          Next Hop            Metric LocPrf Weight Path

*>i1.1.1.10/32 10.222.255.110 0 100 0 i
*> 2.2.2.10/32 0.0.0.0 0 32768 i

* 3.3.3.3/32 10.160.17.141 0 65103 65002 i
* i 10.222.255.110 0 100 0 65002 i
*> 10.160.17.141 0 65002 i
* 4.4.4.4/32 10.160.17.141 0 65103 65002 i
* i 10.222.255.110 100 0 65002 i
*> 10.160.17.141 0 0 65002 i
*> 5.5.5.5/32 10.160.17.151 0 65103 i
* i 10.222.255.110 0 100 0 65103 i
*               10.160.17.151                          0 65002 65103 i
*> 6.6.6.6/32 10.160.17.151 0 0 65103 i
* i 10.222.255.110 100 0 65103 i
*               10.160.17.151                          0 65002 65103 i
*>i9.8.7.5/32 10.222.255.110 0 100 0 i
*> 9.8.7.6/32 0.0.0.0 0 32768 i
*> 10.100.0.0/24 10.160.17.151 21 0 65103 ?
* i 10.222.255.110 21 100 0 65103 ?
*               10.160.17.151                          0 65002 65103 ?
* i10.100.4.0/24 10.222.255.110 20 100 0 ?
*> 10.222.252.253 20 32768 ?
*> 10.111.0.0/21 10.160.17.151 2 0 65103 ?
* i 10.222.255.110 2 100 0 65103 ?
*               10.160.17.151                          0 65002 65103 ?
*> 10.111.10.0/24 10.160.17.151 2 0 65103 ?
* i 10.222.255.110 2 100 0 65103 ?
*               10.160.17.151                          0 65002 65103 ?
*> 10.111.96.255/32 10.160.17.151 2 0 65103 ?
* i 10.222.255.110 2 100 0 65103 ?
*               10.160.17.151                          0 65002 65103 ?
*> 10.112.0.0/18 10.160.17.151 2 0 65103 ?
* i 10.222.255.110 2 100 0 65103 ?
*               10.160.17.151                          0 65002 65103 ?
*> 10.112.64.0/24 10.160.17.151 2 0 65103 ?
* i 10.222.255.110 2 100 0 65103 ?
*               10.160.17.151                          0 65002 65103 ?
*>i10.222.255.31/32 10.222.255.110 0 100 0 65103 i
*               10.160.17.141                          0 65002 65103 i
*> 10.222.255.32/32 10.160.17.151 0 0 65103 i
*               10.160.17.151                          0 65002 65103 i
* 172.16.200.0/24 10.160.17.141 0 65103 65002 ?
* i 10.222.255.110 11 100 0 65002 ?
*> 10.160.17.141 11 0 65002 ?
* 172.16.201.0/24 10.160.17.141 0 65103 65002 ?
* i 10.222.255.110 11 100 0 65002 ?
*> 10.160.17.141 11 0 65002 ?

Displayed 19 routes and 46 total paths

Here you can see some routes:
172.16.200.0/24 - no community, came from some other DMVPN peers, should be redistributed to OSPF;
9.8.7.5/32 - test prefix from “r1” iBGP neighbor with community 65001:2222 (just to see how the community filter works), should be redistributed;
10.100.4.0/24 - imported route from the OSPF process tagged with community 65001:1111 - is the only route that should be filtered back. Other routes should pass.

evolodin@yandex-wan-r2:~$ show ip bgp ipv4 unicast 172.16.200.0
BGP routing table entry for 172.16.200.0/24, version 1341
Paths: (3 available, best #3, table default)
Advertised to non peer-group peers:
10.160.17.151 10.222.255.110
65103 65002
10.160.17.151 from 10.160.17.151 (10.222.255.32)
Origin incomplete, valid, external
Last update: Mon Apr 24 13:52:17 2023
65002
10.222.255.110 (metric 1) from 10.222.255.110 (10.222.255.110)
Origin incomplete, metric 11, localpref 100, valid, internal
Last update: Mon Apr 24 08:13:50 2023
65002
10.160.17.141 from 10.160.17.141 (10.222.255.22)
Origin incomplete, metric 11, valid, external, best (Peer Type)
Last update: Mon Apr 24 08:13:40 2023
evolodin@yandex-wan-r2:~$
evolodin@yandex-wan-r2:~$ show ip bgp ipv4 unicast 10.100.4.0
BGP routing table entry for 10.100.4.0/24, version 1343
Paths: (2 available, best #2, table default)
Advertised to non peer-group peers:
10.160.17.141 10.160.17.151 10.222.255.110
Local
10.222.255.110 (metric 1) from 10.222.255.110 (10.222.255.110)
Origin incomplete, metric 20, localpref 100, aigp-metric 20, valid, internal
Community: 65001:1111
Last update: Mon Apr 24 08:13:50 2023
Local
10.222.252.253 from 0.0.0.0 (10.222.255.120)
Origin incomplete, metric 20, aigp-metric 20, weight 32768, tag 1111, valid, sourced, best (Weight)
Community: 65001:1111
Last update: Mon Apr 24 08:13:50 2023

Here is the route-map and a community-list which denies any routes with community 65001:1111 from BGP->OSPF redistribution and permits any other routes to be redistributed:

set policy community-list O2B-IMPORTED rule 10 action 'permit'
set policy community-list O2B-IMPORTED rule 10 regex '65001:1111'
^^ that should match only the routes with 65001:1111 community tag

set policy route-map RMAP_B2O rule 10 action 'deny'
set policy route-map RMAP_B2O rule 10 match community community-list 'O2B-IMPORTED'
^^ match it here and deny
set policy route-map RMAP_B2O rule 20 action 'permit'
set policy route-map RMAP_B2O rule 20 set tag '2222'
^^ any other routes should be permitted for redistribution and added a tag 2222

Here is the OSPF LSDB which I am getting with these settings:

evolodin@yandex-wan-r2:~$ show ip ospf database

   OSPF Router with ID (10.222.255.120)

            Router Link States (Area 0.0.0.100)

Link ID ADV Router Age Seq# CkSum Link count
10.222.253.1 10.222.253.1 1006 0x80000149 0x910b 2
10.222.255.110 10.222.255.110 703 0x80000101 0x5f30 6
10.222.255.120 10.222.255.120 983 0x80000135 0xd48e 6

            AS External Link States

You could see that there are no imported routes whatsoever.

Link ID ADV Router Age Seq# CkSum Route
10.100.4.0 10.222.253.1 1676 0x80000103 0x60a5 E2 10.100.4.0/24 [0x457]

evolodin@yandex-wan-r2:~$
evolodin@yandex-wan-r2:~$
evolodin@yandex-wan-r2:~$
evolodin@yandex-wan-r2:~$ show ip ospf route
============ OSPF network routing table ============
N 10.160.16.128/25 [2] area: 0.0.0.100
via 10.222.252.253, tun2
N 10.160.17.128/25 [1] area: 0.0.0.100
directly attached to tun1
N 10.222.252.252/30 [1] area: 0.0.0.100
directly attached to tun2
N 10.222.253.0/30 [1001] area: 0.0.0.100
via 10.222.252.253, tun2
N 10.222.253.4/30 [2000] area: 0.0.0.100
directly attached to tun3
N 10.222.255.110/32 [1] area: 0.0.0.100
via 10.222.252.253, tun2
N 10.222.255.120/32 [0] area: 0.0.0.100
directly attached to lo

============ OSPF router routing table =============
R 10.222.253.1 [1001] area: 0.0.0.100, ASBR
via 10.222.252.253, tun2

============ OSPF external routing table ===========
N E2 10.100.4.0/24 [1001/20] tag: 1111
via 10.222.252.253, tun2

If I remove rule 10 deny from RMAP_B2O, I start getting the routes in OSPF.

evolodin@yandex-wan-r2# run show ip ospf data

   OSPF Router with ID (10.222.255.120)

            Router Link States (Area 0.0.0.100)

Link ID ADV Router Age Seq# CkSum Link count
10.222.253.1 10.222.253.1 1697 0x80000149 0x910b 2
10.222.255.110 10.222.255.110 1394 0x80000101 0x5f30 6
10.222.255.120 10.222.255.120 1674 0x80000135 0xd48e 6

            AS External Link States

Link ID ADV Router Age Seq# CkSum Route
1.1.1.10 10.222.255.120 204 0x80000001 0xcfc9 E2 1.1.1.10/32 [0x8ae]
3.3.3.3 10.222.255.120 204 0x80000001 0x5ff1 E2 3.3.3.3/32 [0x8ae]
4.4.4.4 10.222.255.120 204 0x80000001 0x311c E2 4.4.4.4/32 [0x8ae]
5.5.5.5 10.222.255.120 204 0x80000001 0x8faf E2 5.5.5.5/32 [0x8ae]
6.6.6.6 10.222.255.120 204 0x80000001 0x61d9 E2 6.6.6.6/32 [0x8ae]
9.8.7.5 10.222.255.120 204 0x80000001 0x0386 E2 9.8.7.5/32 [0x8ae]
10.100.0.0 10.222.255.120 204 0x80000001 0x3fa5 E2 10.100.0.0/24 [0x8ae]
10.100.4.0 10.222.253.1 676 0x80000104 0x5ea6 E2 10.100.4.0/24 [0x457]
10.111.0.0 10.222.255.120 204 0x80000001 0x9749 E2 10.111.0.0/21 [0x8ae]
10.111.10.0 10.222.255.120 204 0x80000001 0x4c83 E2 10.111.10.0/24 [0x8ae]
10.111.96.255 10.222.255.120 204 0x80000001 0x96e2 E2 10.111.96.255/32 [0x8ae]
10.112.0.0 10.222.255.120 204 0x80000001 0x72a5 E2 10.112.0.0/18 [0x8ae]
10.112.64.0 10.222.255.120 204 0x80000001 0xebac E2 10.112.64.0/24 [0x8ae]
10.222.255.31 10.222.255.120 204 0x80000001 0x2c72 E2 10.222.255.31/32 [0x8ae]
10.222.255.32 10.222.255.120 204 0x80000001 0x400a E2 10.222.255.32/32 [0x8ae]
172.16.200.0 10.222.255.120 204 0x80000001 0xc314 E2 172.16.200.0/24 [0x8ae]
172.16.201.0 10.222.255.120 204 0x80000001 0xb81e E2 172.16.201.0/24 [0x8ae]

**Worth mentioning: if I change rule 10 to permit, I also start getting all the routes. That means that rule 10 always evaluates to “true” for some reason.**
Please let me know if you need more info on that.

Hi,

The reason for this behavior is that you cannot use community O2B-IMPORTED when redistributing BGP routes to OSPF. OSPF does not natively support the use of community attributes to control the import of BGP routes.

We can use the "vtysh -c 'show route-map'" command to verify the behavior you mentioned (sample output below).

In the OSPF protocol output, you can see that sequence 10 is in deny mode, and since there is no match clause, any route that enters the route-map will be denied and will exit the route-map without any changes made to it.

Thus, this also explains the behavior you mentioned “rule 10 always evaluates to “true” for some reason.”

OSPF:
route-map: RMAP_B2O Invoked: 4 Optimization: enabled Processed Change: false
 deny, sequence 10 Invoked 1
  Match clauses:
  Set clauses:
  Call clause:
  Action:
    Exit routemap
 permit, sequence 20 Invoked 1
  Match clauses:
  Set clauses:
    tag 2222
  Call clause:
  Action:
    Exit routemap
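
The behaviour described in the answer above, as an added example that is not part of the original thread and is not FRR or VyOS code: it parses the `show route-map` output quoted in the answer, flags deny entries that carry no match clause, and runs three of the thread's prefixes through a simplified first-match evaluation. `BGP_VIEW`, `COMMUNITY_LISTS`, `ROUTES` and the function names are constructed for this sketch.

```python
import re

# Copied from the OSPF section of the `show route-map` output in the answer above.
OSPF_VIEW = """\
route-map: RMAP_B2O Invoked: 4 Optimization: enabled Processed Change: false
 deny, sequence 10 Invoked 1
  Match clauses:
  Set clauses:
  Call clause:
  Action:
    Exit routemap
 permit, sequence 20 Invoked 1
  Match clauses:
  Set clauses:
    tag 2222
  Call clause:
  Action:
    Exit routemap
"""
# Constructed for comparison: sequence 10 with its community clause installed.
BGP_VIEW = OSPF_VIEW.replace("Match clauses:\n",
                             "Match clauses:\n    community O2B-IMPORTED\n", 1)
# Regex from the thread's config; prefixes and communities from its BGP output.
COMMUNITY_LISTS = {"O2B-IMPORTED": "65001:1111"}
ROUTES = {"9.8.7.5/32": ["65001:2222"], "10.100.4.0/24": ["65001:1111"],
          "172.16.200.0/24": []}

def parse_route_map(text):
    """Return one dict per entry: action, seq and its list of match clauses."""
    rules, in_match = [], False
    for line in text.splitlines():
        item = line.strip()
        head = re.match(r"(permit|deny), sequence (\d+)", item)
        if head:
            rules.append({"action": head[1], "seq": int(head[2]), "match": []})
        elif item.endswith(":"):
            in_match = item == "Match clauses:"   # any other header ends the section
        elif in_match and rules and item:
            rules[-1]["match"].append(item)
    return rules

def first_match(rules, communities):
    """First-match evaluation; an entry with no match clause matches every route."""
    for rule in sorted(rules, key=lambda r: r["seq"]):
        # Model handles only 'community <list-name>' clauses; all must match.
        if all(any(re.search(COMMUNITY_LISTS[c.split()[1]], x) for x in communities)
               for c in rule["match"]):
            return rule["action"]
    return "deny"  # implicit deny when no entry matches

def redistributed(view):
    """Prefixes from ROUTES that the route-map, as listed in `view`, permits."""
    rules = parse_route_map(view)
    return sorted(p for p, c in ROUTES.items() if first_match(rules, c) == "permit")

def unconditional_denies(view):
    """Sequence numbers of deny entries that have no match clause at all."""
    return [r["seq"] for r in parse_route_map(view)
            if r["action"] == "deny" and not r["match"]]
```

With the clause absent, sequence 10 denies all three prefixes, which corresponds to the empty set of redistributed routes shown earlier in the thread.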
	

Do you know if it is specific behavior of frr/ospfd/bgpd or just a common thing that every vendor uses? Because AFAIK, I did that filtering based on communities with dual point OSPF<>BGP mutual redistribution on Huawei and Cisco and this worked quite well.

Also, if you have any suggestions on how to filter the routes/avoid routing loops when using dual point mutual redistribution - feel free to share! :)

Thank you for your efforts!