Set OSPF route tag for BGP routes (fixed) // New: OSPF routing loop bug?

Hi there,

I’m currently trying to achieve the following:
I have a small iBGP network and my routers should redistribute those BGP routes via OSPF into the LAN, which works as expected. Now, to be able to filter certain OSPF routes at other stages, I’d like to add an OSPF tag to every prefix, redistributed from BGP into OSPF.

Currently, my config looks like this:

set policy route-map RM-2 rule 1 action 'permit'
set policy route-map RM-2 rule 1 set tag '20570'
set policy route-map RM-3 rule 1 action 'deny'
set policy route-map RM-3 rule 1 match tag '20570'
set policy route-map RM-3 rule 2 action 'permit'
set policy route-map RM-3 rule 2 set local-preference '200'

set protocols bgp 3320 neighbor 172.16.1.11 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.11 soft-reconfiguration 'inbound'
set protocols bgp 3320 neighbor 172.16.1.20 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.20 soft-reconfiguration 'inbound'
set protocols bgp 3320 neighbor 172.16.1.21 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.21 soft-reconfiguration 'inbound'
set protocols bgp 3320 neighbor 172.16.1.30 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.30 soft-reconfiguration 'inbound'
set protocols bgp 3320 neighbor 172.16.1.31 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.31 soft-reconfiguration 'inbound'
set protocols bgp 3320 parameters router-id '172.16.1.10'
set protocols bgp 3320 redistribute connected route-map 'RM-3'
set protocols bgp 3320 redistribute ospf route-map 'RM-3'

set protocols ospf area 0.0.0.0 network '10.99.5.0/24'
set protocols ospf parameters router-id '10.99.5.11'
set protocols ospf redistribute bgp route-map 'RM-2'

Now apparently, my OSPF neighbor does receive prefixes originated from BGP, but there are no route tags applied to them.

I tried to find some more resources or examples on how to achieve this with VyOS, but it appears to be a rare case, which is why I got stuck right here.

Any feedback appreciated! :slight_smile:
Rgds,
Simon

Hi, @LiNDi!
Can you check this with VyOS 1.2? It uses other routing software, and we can only support this release now.

Hi @zsdc

I updated to 1.2 rc11 but now the BGP redistribute config tree is completely missing:

vyos@VyOS-1# set protocols bgp 3320 
Possible completions:
 > address-family
                BGP address-family parameters
 > maximum-paths
                BGP multipaths
+> neighbor     BGP neighbor
 > parameters   BGP parameters
+> peer-group   BGP peer-group
 > timers       BGP protocol timers

Is that intended?

Rgds,
Simon

OK, found the redistribution profiles here:

set protocols bgp 3320 address-family ipv4-unicast redistribute ospf route-map

Now, still need to check the OSPF tagging, but at a first peek I cannot see any difference, meaning the tag has not been set.

Have you confirmed the absence of tagging via packet capture?

Good. Now we can continue.
An internal test shows that the tag was set correctly (output from another router in the same OSPF area):

vyos@vyos:~$ show ip ospf route 
============ OSPF network routing table ============
N    10.99.5.0/24          [1] area: 0.0.0.0
                           directly attached to eth1

============ OSPF router routing table =============
R    10.99.5.11            [1] area: 0.0.0.0, ASBR
                           via 10.99.5.11, eth1

============ OSPF external routing table ===========
N E2 10.11.12.0/24         [1/20] tag: 20570
                           via 10.99.5.11, eth1

If this is not working in your environment, then please show the complete configuration of both routers (10.99.5.11 and the OSPF receiver) and we will try to see what can be wrong.
Also, please show the output of these commands:

show ip ospf database
show ip ospf neighbor
show ip ospf route
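
To check the receiver side for the tag across a whole table rather than by eye, the sketch below (an added example, not part of the thread or of VyOS) parses "show ip ospf route" output in the format shown above and lists external prefixes that lack the expected tag. The sample text is constructed: the 10.11.13.0/24 entry and its "tag: 0" are assumptions used to represent an untagged route.

```python
import re

# Constructed sample in the format of the output above. The second external
# route (10.11.13.0/24, tag: 0) is invented to represent an untagged prefix.
SAMPLE = """\
============ OSPF network routing table ============
N    10.99.5.0/24          [1] area: 0.0.0.0
                           directly attached to eth1

============ OSPF router routing table =============
R    10.99.5.11            [1] area: 0.0.0.0, ASBR
                           via 10.99.5.11, eth1

============ OSPF external routing table ===========
N E2 10.11.12.0/24         [1/20] tag: 20570
                           via 10.99.5.11, eth1
N E2 10.11.13.0/24         [1/20] tag: 0
                           via 10.99.5.11, eth1
"""

EXT_ROUTE = re.compile(r"^N\s+E[12]\s+(\S+)\s+\[[\d/]+\]\s+tag:\s*(\d+)")
NEXT_HOP = re.compile(r"^\s+via\s+(\S+),\s*(\S+)")

def external_routes(text):
    """Return [{prefix, tag, via}] for entries in the external routing table."""
    routes, in_external = [], False
    for line in text.splitlines():
        if line.startswith("="):
            # Section banner: only the external table carries route tags.
            in_external = "external routing table" in line
            continue
        if not in_external:
            continue
        m = EXT_ROUTE.match(line)
        if m:
            routes.append({"prefix": m.group(1), "tag": int(m.group(2)), "via": []})
        elif routes and (hop := NEXT_HOP.match(line)):
            routes[-1]["via"].append(hop.group(1))  # continuation line
    return routes

def missing_tag(text, expected_tag):
    """Prefixes in the external table that do not carry expected_tag."""
    return [r["prefix"] for r in external_routes(text) if r["tag"] != expected_tag]

if __name__ == "__main__":
    for prefix in missing_tag(SAMPLE, 20570):
        print("external route without tag 20570:", prefix)
```
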

Hi @zsdc, hi @Matt_VyOS87

Sorry for replying late, I locked myself into the lab and troubleshooted the hell out of it :wink:
Current situation:

  1. Tagging - works! Since the update to 1.2 and with the new BGP redistribution commands in place it seems to work in both directions. Thank you for pointing me into this direction.

  2. However, I do face another and from my point of view even worse issue, see explanation below.

Setup

#
#        +--+--+                                                                                                +--+--+
#           |                 +------+                                                +------+                     |
#           |          OSPF   |      | iBGP                   XXXXX            iBGP   |      |  OSPF               |
#           |         +-------+ Vy-5 +-----+       XXX XXXXXXX     XXX       +--------+ Vy-1 +---------+           |
#           |         |       +------+     |      XX     X           X       |        +------+         |           |
# Branch LAN|  area 0 |                    |      XX                 XX      |                         |   area 0  | HQ-LAN Networks
#           +---------+                    +------+XX    vWAN         +------+                         +-----------+    ~480 Routes
#           |         |                    |     XX      AS 3320    XXX      |                         |           |
#           |         |       +------+     |     XX             XX XX        |        +------+         |           |
#           |         | OSPF  |      | iBGP|      XXXXXXX       X            |  iBGP  |      |  OSPF   |           |
#           |         +-------+ Vy-6 +-----+            XXXXX XXX            +--------+ Vy-2 +---------+           |
#           |                 +------+                                                +------+                     |
#        +--+--+                                                                                                +--+--+
#

Basic idea
I’m distributing all HQ LAN routes over OSPF into BGP, setting a routing-loop-prevention tag and redistributing iBGP routes into OSPF in the branch again. All VyOS routers have the same config, except for IP addresses and names obviously. Here is an example:

[...]
set interfaces ethernet eth0 address '172.16.1.31/24'
set interfaces ethernet eth1 address '10.11.70.67/28'
set policy route-map RM-BGP-TO-OSPF rule 1 action 'permit'
set policy route-map RM-BGP-TO-OSPF rule 1 set tag '20570'
set policy route-map RM-OSPF-TO-BGP rule 1 action 'deny'
set policy route-map RM-OSPF-TO-BGP rule 1 match tag '20570'
set policy route-map RM-OSPF-TO-BGP rule 2 action 'permit'
set policy route-map RM-OSPF-TO-BGP rule 2 set local-preference '50'
set protocols bgp 3320 address-family ipv4-unicast redistribute connected route-map 'RM-OSPF-TO-BGP'
set protocols bgp 3320 address-family ipv4-unicast redistribute ospf route-map 'RM-OSPF-TO-BGP'
set protocols bgp 3320 neighbor 172.16.1.10 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 3320 neighbor 172.16.1.10 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.11 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 3320 neighbor 172.16.1.11 remote-as '3320'
set protocols bgp 3320 neighbor 172.16.1.20 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 3320 neighbor 172.16.1.20 remote-as '3320'
set protocols bgp 3320 parameters distance global external '20'
set protocols bgp 3320 parameters distance global internal '21'
set protocols bgp 3320 parameters distance global local '19'
set protocols bgp 3320 parameters router-id '172.16.1.31'
set protocols ospf area 0.0.0.0 network '10.11.70.64/28'
set protocols ospf parameters router-id '10.11.70.67'
set protocols ospf redistribute bgp route-map 'RM-BGP-TO-OSPF'
set protocols ospf redistribute connected route-map 'RM-BGP-TO-OSPF'
set system host-name 'Vy-2'
[...]

As you can see nothing fancy, just plain OSPF, BGP, setting and filtering on route tags.

Problem
If I disable the OSPF or the LAN interfaces on both VyOS routers at - for instance - the HQ's LAN side, the BGP routes disappear as expected. However, if I now check the routing tables on both VyOS routers at the branch side, I still see full OSPF routing tables. In that case Vy-1 is learning all HQ prefixes from Vy-2 and vice versa. So it appears that as soon as the BGP routes are getting flushed out of the routing tables, the OSPF routes persist and both VyOS routers are pointing towards each other, instead of deleting the prefixes from the routing table.

From my understanding, the OSPF routes should be flushed as soon as the BGP routes disappear. Even if I disable both VyOS routers' LAN interfaces (so there is no OSPF neighborship anymore), the OSPF routes re-appear as soon as I enable the interfaces again. The only way to stop traffic from looping between them is to completely reboot one or both routers.

To me this appears to be a bug.
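
The tag-and-filter scheme described in this post only blocks re-import if the OSPF-to-BGP route-map denies the tag before any broader permit rule is reached. The sketch below (an added example, not VyOS tooling or the poster's code) checks that from the set commands. The function names are hypothetical, the input is constructed from the Vy-2 lines above, and rules with match conditions other than tag are skipped rather than evaluated.

```python
import shlex

# Constructed input: route-map and redistribute lines from the Vy-2 config above.
CONFIG = """\
set policy route-map RM-BGP-TO-OSPF rule 1 action 'permit'
set policy route-map RM-BGP-TO-OSPF rule 1 set tag '20570'
set policy route-map RM-OSPF-TO-BGP rule 1 action 'deny'
set policy route-map RM-OSPF-TO-BGP rule 1 match tag '20570'
set policy route-map RM-OSPF-TO-BGP rule 2 action 'permit'
set policy route-map RM-OSPF-TO-BGP rule 2 set local-preference '50'
set protocols bgp 3320 address-family ipv4-unicast redistribute ospf route-map 'RM-OSPF-TO-BGP'
set protocols ospf redistribute bgp route-map 'RM-BGP-TO-OSPF'
"""

def parse(config):
    """Return (route_maps, maps used BGP->OSPF, maps used OSPF->BGP)."""
    maps, into_ospf, into_bgp = {}, [], []
    for line in config.splitlines():
        w = shlex.split(line)
        if w[:3] == ["set", "policy", "route-map"] and len(w) >= 8 and w[4] == "rule":
            rule = maps.setdefault(w[3], {}).setdefault(int(w[5]), {})
            rule[" ".join(w[6:-1])] = w[-1]          # e.g. "match tag" -> "20570"
        elif w[:6] == ["set", "protocols", "ospf", "redistribute", "bgp", "route-map"] and len(w) == 7:
            into_ospf.append(w[6])
        elif w[:3] == ["set", "protocols", "bgp"] and w[-4:-1] == ["redistribute", "ospf", "route-map"]:
            into_bgp.append(w[-1])
    return maps, into_ospf, into_bgp

def first_match_action(rules, tag):
    """Action of the lowest-numbered rule matching a route that carries tag."""
    for num in sorted(rules):
        matches = {k: v for k, v in rules[num].items() if k.startswith("match ")}
        # A rule with no match clause matches everything; other match types are skipped.
        if all(k == "match tag" and v == tag for k, v in matches.items()):
            return rules[num].get("action")
    return "deny"  # implicit deny at the end of a route-map

def unfiltered_tags(config):
    """(route-map, tag) pairs where a tag set on BGP->OSPF is not denied OSPF->BGP."""
    maps, into_ospf, into_bgp = parse(config)
    tags = {r["set tag"] for m in into_ospf for r in maps.get(m, {}).values()
            if r.get("action") == "permit" and "set tag" in r}
    return [(name, tag) for name in into_bgp for tag in sorted(tags)
            if first_match_action(maps.get(name, {}), tag) != "deny"]

if __name__ == "__main__":
    print(unfiltered_tags(CONFIG) or "every redistributed tag is denied on the way back")
```
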

Are you sure that there are no routes in the BGP table? Please show the output of the following commands in two states: when all connections are up (normal) and when the LAN interfaces at one side are down:

show ip ospf database
show ip ospf neighbor
show ip ospf route
show ip bgp
show ip bgp summary

Yes, no routes except for BGP internal networks or directly connected. As I only have console access via ESXi when the network is down, I can share screenshots only, but I think you can still see the essential problem. As the full output is too long for this, I took one prefix that is originated in the HQ as an example (10.132.40.0):

Working scenario (OSPF and BGP up at all sites)

Not working scenario (I’ve disabled OSPF in HQ to make BGP routes disappear)

As you can see, the OSPF routes persist after BGP went down and both routers are mutually pointing to each other.

Let me know if that helps or more information is needed.

Thank you, this must be enough. I will try to reproduce this behavior in the lab and will get back to you after this.

Well appreciated, thanks! :+1:

Hello, @LiNDi!
Sorry for the late answer. Your case is very interesting. I don’t know if this is a bug or a feature in FRRouting or if we are just missing something, but to make this scheme work you need to filter the OSPF routes which were redistributed from BGP to prevent them from being installed into the kernel routing table.
For example:

set protocols ospf route-map RM-OSPF-TO-BGP

Then everything works fine, but you will lose the backup route to the remote OSPF area or will need to add it via another protocol.