
EVPN route type does not match route map

Open DaniilHarun opened this issue 1 year ago • 10 comments


Describe the bug

  • [x] Did you check if this is a duplicate issue?
  • [ ] Did you test it on the latest FRRouting/frr master branch?

When using the expression match evpn route-type, no route matches. There are no problems in versions below 8.5.3.

To Reproduce

  1. Create vxlan and bridge interface (vxlan 100).
  2. Apply this config:
router bgp 65000
 bgp log-neighbor-changes
 no bgp ebgp-requires-policy
 no bgp default ipv4-unicast
 no bgp network import-check
 neighbor RS-EVPN peer-group
 neighbor RS-EVPN remote-as YYY
 neighbor RS-EVPN bfd
 neighbor RS-EVPN ebgp-multihop 32
 neighbor RS-EVPN update-source dum0
 neighbor RS-EVPN capability extended-nexthop
 neighbor 10.32.1.1 peer-group RS-EVPN
 !
 address-family l2vpn evpn
  neighbor RS-EVPN activate
  neighbor RS-EVPN route-map RS-OUT out
  advertise-all-vni
  vni 100
   rd 65000:100
   advertise-svi-ip
  exit-vni
 exit-address-family
exit
!
route-map RS-OUT deny 10
 match evpn route-type macip
exit
!
route-map RS-OUT permit 20
exit

Checking the route:

show bgp l2vpn evpn neighbors 10.32.1.3 advertised-routes
Route Distinguisher: 65000:100
 *> [2]:[0]:[48]:[26:28:b0:96:c0:c9]:[128]:[fe80::2428:b0ff:fe96:c0c9]
                                       32768 i

Expected behavior

Screenshots

Versions

  • OS Version: Debian 12
  • Kernel: 6.1.0-12-amd64
  • FRR Version: 8.5.3, 9.0.1

DaniilHarun avatar Sep 14 '23 18:09 DaniilHarun

I tested with https://github.com/FRRouting/frr/pull/14599, and I can't reproduce it with 9.0.1, and/or the master version...

ton31337 avatar Oct 14 '23 20:10 ton31337

Could you also show the libyang packet version installed on your system?

ton31337 avatar Oct 24 '23 17:10 ton31337

Could you also show the libyang packet version installed on your system?

2.1.80-1~deb12u1

DaniilHarun avatar Oct 24 '23 17:10 DaniilHarun

Then not related to libyang, this version is not affected.

ton31337 avatar Oct 29 '23 10:10 ton31337

Hi, I think I trigger the same bug. It's working for me on 8.4.4, but it's broken again since 8.5.0 and still broken on 9.1.

I think it's related again to route-map optimization.

on 8.4.4, it's working with the below config:
on 8.5.0 up to stable/8.5.2 + 7603eca36d7bf7d73f14f46aa5006063214f03e1 (lib: skip route-map optimization if !AF_INET(6)), I can work around it with "no route-map ... optimization"

after 7603eca36d7bf7d73f14f46aa5006063214f03e1, it's not working with or without disabling optimization

(so maybe we have 2 bugs here)

here an example with a l3vni 10000 in vrf vrf_evpn, announce a default 0.0.0.0 type-5 route

auto vrf_evpn
iface vrf_evpn
        vrf-table auto

auto vrfbr_evpn
iface vrfbr_evpn
        bridge-ports vrfvx_evpn
        bridge_stp off
        bridge_fd 0
        mtu 1450
        vrf vrf_evpn

auto vrfvx_evpn
iface vrfvx_evpn
        vxlan-id 10000
        vxlan-local-tunnelip 10.3.94.11
        bridge-learning off
        bridge-arp-nd-suppress on
        mtu 1450

frr version 8.5.1
frr defaults datacenter
hostname formationkvm2
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpn
 vni 10000
exit-vrf
!
router bgp 65000
 bgp router-id 10.3.94.11
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.3.94.10 peer-group VTEP
 !
 address-family ipv4 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_evpn
 bgp router-id 10.3.94.11
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
 exit-address-family
exit
!
route-map MAP_VTEP_OUT deny 10
 match evpn route-type prefix
exit
!
route-map MAP_VTEP_OUT permit 20
exit
!
line vty

a default type-5 is announced, but it should be filtered. (on frr 8.4.4, it's correctly filtered)

sh bgp l2vpn evpn neighbors 10.3.94.10 advertised-routes
BGP table version is 0, local router ID is 10.3.94.11
Default local pref 100, local AS 65000
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10.3.94.11:2
 *> [5]:[0]:[0]:[0.0.0.0]
                                  100  32768 i

aderumier avatar Dec 01 '23 16:12 aderumier
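
One way to check from `advertised-routes` output whether a deny clause on an EVPN route type is taking effect, as an added example that is not part of the thread or of FRR. The function names and the keyword-to-type table are assumptions of the example; the sample text is copied from the two outputs shown in the reports above.

```python
import re

# Keyword -> EVPN route type number (type 2: RFC 7432, type 5: RFC 9136).
# Only the two keywords used in this thread are mapped (example assumption).
ROUTE_TYPE = {"macip": 2, "prefix": 5}

RD_RE = re.compile(r"^Route Distinguisher:\s*(\S+)")
# Optional status codes, then the NLRI "[type]:[field]:[field]..."
NLRI_RE = re.compile(r"^\s*[*>=sdhirSR ]*(\[(\d+)\](?::\[[^\]]*\])+)")

# Outputs copied from the two reports in this thread.
L2VNI_OUTPUT = """\
Route Distinguisher: 65000:100
 *> [2]:[0]:[48]:[26:28:b0:96:c0:c9]:[128]:[fe80::2428:b0ff:fe96:c0c9]
                                       32768 i
"""
L3VNI_OUTPUT = """\
BGP table version is 0, local router ID is 10.3.94.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10.3.94.11:2
 *> [5]:[0]:[0]:[0.0.0.0]
                                  100  32768 i
"""


def parse_advertised(text):
    """Return (rd, route_type, nlri) for every EVPN route in the output."""
    routes, rd = [], None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            rd = m.group(1)  # applies to the NLRI lines that follow
            continue
        m = NLRI_RE.match(line)
        if m:
            routes.append((rd, int(m.group(2)), m.group(1)))
    return routes


def leaked(text, denied_keywords):
    """Routes still advertised although the route-map denies their type."""
    denied = {ROUTE_TYPE[k] for k in denied_keywords}
    return [r for r in parse_advertised(text) if r[1] in denied]


if __name__ == "__main__":
    for rd, rtype, nlri in leaked(L3VNI_OUTPUT, ["prefix"]):
        print(f"LEAK rd={rd} type={rtype} {nlri}")
```

An empty result from `leaked()` for the denied keywords means the outbound filter is holding; any entry is a route that passed the deny clause.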

I finished bisecting it. For my setup, it doesn't work since this commit:

https://github.com/FRRouting/frr/commit/272c6d5db128ff7450fe9fcd16c046160594deb3

aderumier avatar Dec 02 '23 10:12 aderumier

I think I have a clue,

Using my same config but filtering with a prefix-list,

ip prefix-list only-default permit 0.0.0.0/0
!
route-map MAP_VTEP_OUT deny 10
 match ip address prefix-list only-default
exit
!

before https://github.com/FRRouting/frr/commit/272c6d5db128ff7450fe9fcd16c046160594deb3 it's not working and after the commit, it's working.

and for "match evpn", this is the reverse.

could it be related to

/*
 * Convert type-2 and type-5 evpn route prefixes into the more
 * general ipv4/ipv6 prefix types so we can match prefix lists
 * and such.
 */
int evpn_prefix2prefix(const struct prefix *evpn, struct prefix *to)
{

? So we can't use "match evpn" anymore?

I'm adding issue about prefix-list filtering https://github.com/FRRouting/frr/issues/10559

aderumier avatar Dec 02 '23 10:12 aderumier

match evpn route-type should work fine, you can see that we have a topotest for this route-map command: https://github.com/FRRouting/frr/pull/14599/files. Could you check that example?

ton31337 avatar Dec 11 '23 20:12 ton31337

Hello @ton31337, I tested your topotest and indeed it works. However I defined a new topotest with type-5 evpn routes, and tested several evpn matchers (match evpn vni and match evpn route-type) and it doesn't work.

Here is my topotest if you want to test it by yourself: https://github.com/fdomain/frr/commit/47cef05b25140edaf0a8c6786bafc1d5edfd7548

Good news is that the match ip address prefix-list now works for EVPN prefixes (as mentioned by @aderumier in previous messages).

fdomain avatar Feb 01 '24 17:02 fdomain

@fdomain can you check this patch? https://github.com/FRRouting/frr/pull/15377

ton31337 avatar Feb 15 '24 10:02 ton31337

thanks @ton31337 I'll have a look today

fdomain avatar Feb 19 '24 09:02 fdomain

@ton31337 I confirm it works fine now, thanks a lot! Would it be possible to backport this fix on older versions?

fdomain avatar Feb 19 '24 15:02 fdomain

https://github.com/FRRouting/frr/pull/15412 https://github.com/FRRouting/frr/pull/15416 https://github.com/FRRouting/frr/pull/15417 https://github.com/FRRouting/frr/pull/15418

ton31337 avatar Feb 23 '24 07:02 ton31337