EVPN route type does not match route map #14419

Closed
DaniilHarun opened this issue Sep 14, 2023 · 13 comments

@DaniilHarun


Describe the bug

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

When using expression match evpn route-type no route matches.
There are no problems in versions below 8.5.3.

To Reproduce

  1. Create vxlan and bridge interface (vxlan 100).
  2. Apply this config:
router bgp 65000
 bgp log-neighbor-changes
 no bgp ebgp-requires-policy
 no bgp default ipv4-unicast
 no bgp network import-check
 neighbor RS-EVPN peer-group
 neighbor RS-EVPN remote-as YYY
 neighbor RS-EVPN bfd
 neighbor RS-EVPN ebgp-multihop 32
 neighbor RS-EVPN update-source dum0
 neighbor RS-EVPN capability extended-nexthop
 neighbor 10.32.1.1 peer-group RS-EVPN
 !
 address-family l2vpn evpn
  neighbor RS-EVPN activate
  neighbor RS-EVPN route-map RS-OUT out
  advertise-all-vni
  vni 100
   rd 65000:100
   advertise-svi-ip
  exit-vni
 exit-address-family
exit
!
route-map RS-OUT deny 10
 match evpn route-type macip
exit
!
route-map RS-OUT permit 20
exit

Checking the route:

show bgp l2vpn evpn neighbors 10.32.1.3 advertised-routes
Route Distinguisher: 65000:100
 *> [2]:[0]:[48]:[26:28:b0:96:c0:c9]:[128]:[fe80::2428:b0ff:fe96:c0c9]
                                       32768 i

Expected behavior

Screenshots

Versions

  • OS Version: Debian 12
  • Kernel: 6.1.0-12-amd64
  • FRR Version: 8.5.3, 9.0.1
@ton31337
Member

I tested with #14599, and I can't reproduce it with 9.0.1, and/or the master version...

@ton31337
Member

Could you also show the libyang packet version installed on your system?

@DaniilHarun
Author

> Could you also show the libyang packet version installed on your system?

2.1.80-1~deb12u1

@ton31337
Member

Then not related to libyang, this version is not affected.

@aderumier

aderumier commented Dec 1, 2023

Hi,
I think I trigger the same bug. It's working for me on 8.4.4, but it's broken again since 8.5.0 and still broken on 9.1.

I think it's related again to route-map optimization.

on 8.4.4, it's working with the below config:
on 8.5.0 up to stable/8.5.2 + 7603eca (lib: skip route-map optimization if !AF_INET(6)),
I can work around it with "no route-map ... optimization"

after 7603eca, it's not working with or without disabling optimization

(so maybe we have 2 bugs here)

Here is an example with an l3vni 10000 in vrf vrf_evpn, announcing a default 0.0.0.0 type-5 route:

auto vrf_evpn
iface vrf_evpn
        vrf-table auto

auto vrfbr_evpn
iface vrfbr_evpn
        bridge-ports vrfvx_evpn
        bridge_stp off
        bridge_fd 0
        mtu 1450
        vrf vrf_evpn

auto vrfvx_evpn
iface vrfvx_evpn
        vxlan-id 10000
        vxlan-local-tunnelip 10.3.94.11
        bridge-learning off
        bridge-arp-nd-suppress on
        mtu 1450

frr version 8.5.1
frr defaults datacenter
hostname formationkvm2
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpn
 vni 10000
exit-vrf
!
router bgp 65000
 bgp router-id 10.3.94.11
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.3.94.10 peer-group VTEP
 !
 address-family ipv4 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_evpn
 bgp router-id 10.3.94.11
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
 exit-address-family
exit
!
route-map MAP_VTEP_OUT deny 10
 match evpn route-type prefix
exit
!
route-map MAP_VTEP_OUT permit 20
exit
!
line vty

a default type-5 is announced, but it should be filtered. (on frr 8.4.4, it's correctly filtered)

sh bgp l2vpn evpn neighbors 10.3.94.10 advertised-routes
BGP table version is 0, local router ID is 10.3.94.11
Default local pref 100, local AS 65000
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10.3.94.11:2
 *> [5]:[0]:[0]:[0.0.0.0]
                                  100  32768 i
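
A regression check for the symptom reported above, as an added example that is not part of the issue thread or of FRR's code: it parses `show bgp l2vpn evpn neighbors ... advertised-routes` output and lists routes whose EVPN type the outbound route-map was meant to deny. The function name and the keyword-to-type table are assumptions of this example; the sample output is copied from the two reports in this issue.

```python
import re

# Keywords taken by "match evpn route-type", mapped to the numeric type shown
# in the first bracket of each EVPN prefix (assumed table, not FRR code).
ROUTE_TYPES = {"macip": 2, "multicast": 3, "prefix": 5}

RD_RE = re.compile(r"^Route Distinguisher:\s*(\S+)")
# Status characters (*, >, =, s, d, h, i) may precede the bracketed prefix.
ROUTE_RE = re.compile(r"^\s*[*>=sdhi ]*(\[(\d+)\]:\S+)")

# Output copied from the two reports in this issue.
MACIP_REPORT = """\
Route Distinguisher: 65000:100
 *> [2]:[0]:[48]:[26:28:b0:96:c0:c9]:[128]:[fe80::2428:b0ff:fe96:c0c9]
                                       32768 i
"""
PREFIX_REPORT = """\
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10.3.94.11:2
 *> [5]:[0]:[0]:[0.0.0.0]
                                  100  32768 i
"""


def leaked_routes(show_output, denied_type):
    """Return (rd, prefix) for every advertised route of the denied type."""
    denied = ROUTE_TYPES[denied_type]
    rd, leaks = None, []
    for line in show_output.splitlines():
        m = RD_RE.match(line)
        if m:
            rd = m.group(1)  # applies to the route lines that follow
            continue
        m = ROUTE_RE.match(line)
        if m and int(m.group(2)) == denied:
            leaks.append((rd, m.group(1)))
    return leaks


if __name__ == "__main__":
    for report, denied in ((MACIP_REPORT, "macip"), (PREFIX_REPORT, "prefix")):
        for rd, prefix in leaked_routes(report, denied):
            print(f"LEAK: type '{denied}' still advertised: RD {rd} {prefix}")
```

An empty result for the denied type means the `deny` clause took effect; running the check after each FRR upgrade catches this kind of silent filter regression before it shows up as a routing loop.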

@aderumier

I finished bisecting it;
for my setup, it doesn't work since this commit

272c6d5

@aderumier

I think I have a clue,

Using my same config but filtering with a prefix-list,

ip prefix-list only-default permit 0.0.0.0/0
!
route-map MAP_VTEP_OUT deny 10
 match ip address prefix-list only-default
exit
!

before 272c6d5
it's not working
and after the commit, it's working.

and for "match evpn", this is the reverse.

could it be related to

/*
 * Convert type-2 and type-5 evpn route prefixes into the more
 * general ipv4/ipv6 prefix types so we can match prefix lists
 * and such.
 */
int evpn_prefix2prefix(const struct prefix *evpn, struct prefix *to)
{

? so we can't use "match evpn" anymore ?

I'm adding the issue about prefix-list filtering
#10559

@ton31337
Member

match evpn route-type should work fine, you can see that we have a topotest for this route-map command: https://github.com/FRRouting/frr/pull/14599/files. Could you check that example?

ProxBot pushed a commit to proxmox/pve-network that referenced this issue Jan 22, 2024
…match

"match evpn" in route-map is broken since 8.5.0
FRRouting/frr#14419

the patch
FRRouting/frr@272c6d5
is converting type-2 && type-5 evpn routes to prefix-prefix.
(fixing prefix-list not working previously, but breaking "match evpn")

So, simply use prefix-list now, as "match evpn" was a workaround anyway.

reported on the forum, where users have a routing loop between the 2 exit-nodes:
https://forum.proxmox.com/threads/sdn-with-evpn-controller-routing-loop-when-using-multiple-exit-nodes.137362/

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
fdomain added a commit to fdomain/frr that referenced this issue Feb 1, 2024
* simple topology with 2 routers doing BGP EVPN for type 5 routes
* r1 is advertising 3 EVPN Type-5 routes, outbound route-map filters on
  each prefix with a different matcher
* evpn matchers don't work as shown in the test
@fdomain

fdomain commented Feb 1, 2024

Hello @ton31337, I tested your topotest and indeed it works. However, I defined a new topotest with type-5 evpn routes, and tested several evpn matchers (match evpn vni and match evpn route-type) and it doesn't work.

Here is my topotest if you want to test it by yourself:
fdomain@47cef05

Good news is that the match ip address prefix-list now works for EVPN prefixes (as mentioned by @aderumier in previous messages).

fdomain added a commit to fdomain/frr that referenced this issue Feb 9, 2024
* simple topology with 2 routers doing BGP EVPN for type 5 routes
* r1 is advertising 3 EVPN Type-5 routes, outbound route-map filters on
  each prefix with a different matcher
* evpn matchers don't work as shown in the test
@ton31337
Member

@fdomain can you check this patch? #15377

@ton31337 ton31337 added bug and removed triage Needs further investigation labels Feb 15, 2024
@fdomain

fdomain commented Feb 19, 2024

thanks @ton31337 I'll have a look today

@fdomain

fdomain commented Feb 19, 2024

@ton31337 I confirm it works fine now, thanks a lot!
Would it be possible to backport this fix to older versions?

@ton31337
Member

#15412
#15416
#15417
#15418

robertvolkmann added a commit to metal-stack/mini-lab that referenced this issue Apr 16, 2024
FRR 8.5.1 doesn't support `match evpn vni` because of FRRouting/frr#14419
lguohan pushed a commit to sonic-net/sonic-buildimage that referenced this issue Apr 23, 2024
Backport based on comment #18669 (comment)

Why I did it
Fix the below FRR issues
FRRouting/frr#14419
FRRouting/frr#13792
StormLiangMS pushed a commit to sonic-net/sonic-buildimage that referenced this issue Apr 29, 2024
Why I did it
Upgrading FRR 8.5.4 to include latest fixes.

Work item tracking
Microsoft ADO (number only):
How I did it
New patches that were added:

Patch	FRR Pull request	Issue fixed
0024-lib-use-snmp-s-large-fd-sets-for-agentx.patch	FRRouting/frr#13396	FRRouting/frr#14143
0025-bgp-community-memory-leak-fix.patch	FRRouting/frr#15466	FRRouting/frr#15459
0026-bgp-fib-suppress-announce-fix.patch	FRRouting/frr#15634	FRRouting/frr#15626
0027-lib-Do-not-convert-EVPN-prefixes-into-IPv4-IPv6-if-n.patch	FRRouting/frr#15418	FRRouting/frr#14419
Removed patches:

Patch	Upstream FRR commit that is present in 8.5.4
0019-zebra-Abstract-dplane_ctx_route_init-to-init-route-w.patch	FRRouting/frr@3f01977
0020-zebra-Fix-crash-when-dplane_fpm_nl-fails-to-process-.patch	FRRouting/frr@fe5f624
0022-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch	FRRouting/frr@3515178
0023-bgpd-Make-sure-we-have-enough-data-to-read-two-bytes.patch	FRRouting/frr@460ee93
0024-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch	FRRouting/frr@f291f1e
0025-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch	FRRouting/frr@8a4a88c
0026-zebra-Add-encap-type-when-building-packet-for-FPM.patch	FRRouting/frr@f0f7b28
0028-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch	FRRouting/frr@21418d6
0029-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch	FRRouting/frr@30b5c2a
0030-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch	FRRouting/frr@01f232c
0031-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch	FRRouting/frr@a0c4ec2
0032-zebra-Fix-fpm-multipath-encap-addition.patch	FRRouting/frr@10a9a5f
Realigned patches:

Old Patch	New patch
0005-Add-support-of-bgp-l3vni-evpn.patch	0005-Add-support-of-bgp-l3vni-evpn.patch
0021-zebra-remove-duplicated-nexthops-when-sending-fpm-msg.patch	0019-zebra-remove-duplicated-nexthops-when-sending-fpm-msg.patch
0027-zebra-Fix-non-notification-of-better-admin-won.patch	0020-zebra-Fix-non-notification-of-better-admin-won.patch
Disable-ipv6-src-address-test-in-pceplib.patch	0021-Disable-ipv6-src-address-test-in-pceplib.patch
cross-compile-changes.patch	0022-cross-compile-changes.patch
0033-zebra-The-dplane_fpm_nl-return-path-leaks-memory.patch	0023-zebra-The-dplane_fpm_nl-return-path-leaks-memory.patch
How to verify it
Running sonic-mgmt test suite.