BGP spamming updates

Posted: Sat Aug 29, 2020 2:58 pm
by infused
I have two CCRs in an active/passive config.

For about a year now, they are spamming BGP updates to my provider. Like 1-3 a second.

See here https://i.imgur.com/4YNOpZ0.png

My ISP has asked to sort this out, but I cannot see what's causing it. They have put a filter on it, hence the only acknowledged by them.

Any help would be appreciated.

Re: BGP spamming updates

Posted: Tue Sep 01, 2020 8:02 am
by infused
Bump, anyone? I've sent a support request to MikroTik as well.

Re: BGP spamming updates

Posted: Tue Sep 01, 2020 11:51 am
by mrz
Since there is not a lot of info provided, I assume you are probably trying to advertise some connected or maybe other IGP routes which are flapping in the routing table.

My suggestion would be to add the prefix that you want to advertise in BGP networks without synchronize, disable all redistribute-xx in the BGP instance, and set up an output routing filter to accept only your BGP network.

Re: BGP spamming updates

Posted: Wed Sep 02, 2020 9:13 am
by infused
I have this logged as support request SUP-26336

Config is as follows

CCR1
# aug/30/2020 15:00:55 by RouterOS 6.47.2
/interface bridge
add fast-forward=no name=loopback1
/interface ethernet
set [ find default-name=ether1 ] comment="switch link" speed=100Mbps
set [ find default-name=ether2 ] comment="router link" speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full comment=DTS
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full disabled=yes
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full disabled=yes
/interface vrrp
add authentication=simple interface=ether1 name=vrrp1 password=zzz priority=120 version=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=l3-rt01
/routing bgp instance
set default as=65215 router-id=10.65.254.1
/routing ospf instance
set [ find default=yes ] router-id=10.65.254.1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall connection tracking
set enabled=no
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=202.20.6.50/29 interface=sfp1 network=202.20.6.48
add address=10.65.1.1/30 interface=ether2 network=10.65.1.0
add address=10.65.254.1 interface=loopback1 network=10.65.254.1
add address=202.68.94.241 interface=vrrp1 network=202.68.94.241
add address=202.68.94.242/28 interface=ether1 network=202.68.94.240
add address=202.68.88.226/27 interface=ether1 network=202.68.88.224
add address=202.68.88.225 interface=vrrp1 network=202.68.88.225
/ip dns
set servers=8.8.8.8
/ip firewall address-list
/ip firewall filter
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept WinBox" dst-port=8291 protocol=tcp src-address-list=Trusted
add action=accept chain=input comment="Accept BGP" port=179 protocol=tcp
add action=accept chain=input comment="Accept OSPF" in-interface=ether2 protocol=ospf
add action=accept chain=input comment="Accept VRRP" in-interface=ether1 protocol=vrrp
add action=accept chain=input comment="Accept NTP" port=123 protocol=udp
add action=drop chain=input comment="drop everything"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never color-scheme=dark default-screen=stats
/lcd interface
set sfp2 disabled=yes
set sfp3 disabled=yes
set sfp4 disabled=yes
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
/ppp secret
add name=infused password=cqr73chw profile=layer3
/routing bgp network
add network=202.68.94.240/28 synchronize=no
add network=202.68.88.224/27 synchronize=no
/routing bgp peer
add default-originate=if-installed multihop=yes name=AS65215-l3-rt02 nexthop-choice=force-self remote-address=10.65.254.2 remote-as=65215 ttl=default update-source=loopback1
add in-filter=AS24185-in name=AS24183-DTS out-filter=AS24185-out remote-address=202.20.6.49 remote-as=24183 ttl=default
/routing filter
add action=discard chain=AS24185-out disabled=yes distance=200 prefix=202.68.88.224/27 prefix-length=27
add action=discard chain=AS24185-out disabled=yes distance=200 prefix=202.68.94.240/28 prefix-length=28
/routing ospf interface
add network-type=broadcast passive=yes
add interface=ether2 network-type=point-to-point
/routing ospf network
add area=backbone network=10.65.1.0/24
add area=backbone network=10.65.254.1/32
/snmp
set contact=Layer3 enabled=yes location=Auckland trap-version=2
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=l3-rt01
/system logging
add disabled=yes topics=bgp
add disabled=yes topics=ospf,!raw
/system ntp client
set enabled=yes primary-ntp=103.242.68.69 secondary-ntp=103.106.65.219
/tool graphing interface
add interface=sfp1
add interface=ether1
add interface=ether2
/tool graphing resource


CCR2
# aug/30/2020 15:00:55 by RouterOS 6.47.2
/interface bridge
add fast-forward=no name=loopback1
/interface ethernet
set [ find default-name=ether1 ] comment="switch link" speed=100Mbps
set [ find default-name=ether2 ] comment="router link" speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full comment=DTS
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full
/interface vrrp
add authentication=simple interface=ether1 name=vrrp1 password=zzz version=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=l3-rt02
/routing bgp instance
set default as=65215 router-id=10.65.254.2
/routing ospf instance
set [ find default=yes ] router-id=10.65.254.2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip firewall connection tracking
set enabled=no
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=202.20.6.54/29 comment=wan interface=sfp1 network=202.20.6.48
add address=10.65.1.2/30 interface=ether2 network=10.65.1.0
add address=10.65.254.2 interface=loopback1 network=10.65.254.2
add address=202.68.94.241 interface=vrrp1 network=202.68.94.241
add address=202.68.94.243/28 interface=ether1 network=202.68.94.240
add address=202.68.88.227/27 interface=ether1 network=202.68.88.224
add address=202.68.88.225 interface=vrrp1 network=202.68.88.255
/ip dns
set servers=8.8.8.8
/ip firewall address-list
/ip firewall filter
add action=accept chain=input comment="Accpet ICMP" protocol=icmp
add action=accept chain=input comment="Accept WinBox" dst-port=8291 protocol=tcp src-address-list=trusted
add action=accept chain=input comment="Accept OSPF" in-interface=ether2 protocol=ospf
add action=accept chain=input comment="Accept VRRP" in-interface=ether1 protocol=vrrp
add action=accept chain=input comment="Accept BGP" port=179 protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=udp
add action=drop chain=input comment="Drop everything"
/ip firewall nat
add action=accept chain=srcnat disabled=yes out-interface=sfp1
/ip route

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set backlight-timeout=never color-scheme=dark default-screen=stats touch-screen=disabled
/lcd interface
set sfp2 disabled=yes
set sfp3 disabled=yes
set sfp4 disabled=yes
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
/routing bgp network
add network=202.68.94.240/28 synchronize=no
add network=202.68.88.224/27 synchronize=no
/routing bgp peer
add default-originate=if-installed multihop=yes name=AS65215-l3-rt01 nexthop-choice=force-self remote-address=10.65.254.1 remote-as=65215 ttl=default update-source=loopback1
add in-filter=AS24185-in name=AS24183-DTS out-filter=AS24185-out remote-address=202.20.6.53 remote-as=24183 ttl=default
/routing filter
add action=discard chain=AS24185-out disabled=yes distance=200 prefix=202.68.88.224/27 prefix-length=27
add action=discard chain=AS24185-out disabled=yes distance=200 prefix=202.68.94.240/28 prefix-length=28
/routing ospf interface
add network-type=broadcast passive=yes
add interface=ether2 network-type=point-to-point
/routing ospf network
add area=backbone network=10.65.1.0/24
add area=backbone network=10.65.254.2/32
/snmp
set contact=Layer3 enabled=yes location=Auckland trap-version=2
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=l3-rt02
/system logging
add disabled=yes topics=ospf,!raw
add disabled=yes topics=bgp
/system ntp client
set enabled=yes primary-ntp=202.6.116.123 secondary-ntp=103.242.70.4
/tool graphing interface
add interface=sfp1
add interface=ether1
add interface=ether2
/tool graphing resource
Note I have removed some information (gateway routes etc). The issue I have is BGP spam https://i.imgur.com/UjTkgAl.png

Sorry, the code tags are not playing ball.
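
Added example, not part of any post in this thread and not MikroTik code: a Python check that reads a RouterOS v6 export and reports where it departs from the advice given earlier in the thread (no redistribute-xx on the BGP instance, and an enabled output filter on each upstream peer that accepts only the configured BGP networks and discards the rest). Both sample excerpts, the peer and chain names and the documentation prefixes are constructed; AFTER is an assumed rendering of that advice, and line continuations in real exports are not handled.

```python
import re

# Constructed RouterOS v6 export excerpts; AFTER is an assumed rendering of the suggested fix.
COMMON = """\
/routing bgp network
add network=192.0.2.0/24 synchronize=no
/routing bgp peer
add name=ibgp remote-address=10.0.0.2 remote-as=65215
add name=upstream out-filter=up-out remote-address=198.51.100.1 remote-as=64500
"""
BEFORE = COMMON + """\
/routing bgp instance
set default as=65215 redistribute-connected=yes
/routing filter
add action=discard chain=up-out disabled=yes prefix=192.0.2.0/24 prefix-length=24
"""
AFTER = COMMON + """\
/routing bgp instance
set default as=65215 redistribute-connected=no
/routing filter
add action=accept chain=up-out prefix=192.0.2.0/24 prefix-length=24
add action=discard chain=up-out
"""

def parse(export):  # {section header: [key=value dict per add/set line]}
    sections, current = {}, None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit(export):
    cfg, out = parse(export), []
    inst = cfg.get("/routing bgp instance", [])
    out += [f"instance redistributes: {k}" for i in inst for k, v in i.items()
            if k.startswith("redistribute-") and v == "yes"]
    nets = {n.get("network") for n in cfg.get("/routing bgp network", [])}
    rules = [r for r in cfg.get("/routing filter", []) if r.get("disabled") != "yes"]
    for p in cfg.get("/routing bgp peer", []):
        if p.get("remote-as") in {i.get("as") for i in inst}:
            continue  # iBGP peer: the advice concerns what the provider receives
        chain = [r for r in rules if r.get("chain") == p.get("out-filter")]
        accepted = {r.get("prefix") for r in chain if r.get("action") == "accept"}
        if not chain:  # disabled rules do not count, so the chain filters nothing
            out.append(f"peer {p.get('name')}: no enabled out-filter rules")
        elif accepted != nets or chain[-1].get("action") != "discard" or "prefix" in chain[-1]:
            out.append(f"peer {p.get('name')}: out-filter is not accept-own-then-discard")
    return out
```

`audit()` returns an empty list when the export matches the suggested setup; run it on `/export` output from each router.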

Re: BGP spamming updates

Posted: Wed Sep 02, 2020 1:21 pm
by infused
Disabling ether2 stops the bgp flood, so something is happening there. Once BGP re-establishes across the link, spamming starts.

https://i.imgur.com/JRIzXq4.png

Re: BGP spamming updates

Posted: Thu Sep 03, 2020 7:02 am
by infused
We resolved this. Routing loop by two subnets on VRRP

Re: BGP spamming updates

Posted: Thu Dec 23, 2021 4:51 pm
by sibl2l
Hello @infused,

How did you stop the routing loop on vrrp / bgp?
I encounter the same issue.
Can you please post the example configuration or explain briefly what you've done?

Thanks a lot,

Sib