@c-po c-po commented Aug 28, 2025

Change summary

Originating from the bug in T7665. To avoid potential issues down the line - and given that there's no compelling technical reason to retain the system-as CLI node under per-VRF BGP configuration, which cannot be achieved through alternative means - the maintainers have collectively decided to deprecate the following command:

set vrf name <name> protocols bgp system-as <asn>

Starting with VyOS 1.4.4, this CLI command will be considered deprecated. While it will still be accepted, it will no longer have any operational effect. A deprecation warning will be displayed at commit time, indicating that the BGP ASN from the global BGP configuration is now used instead.

A migration script will handle the transition and perform the following actions:

  • Ensure a global BGP configuration exists; if not, initialize one.
  • Iterate over all configured VRFs to determine whether a BGP instance exists.
  • For any instance, update the configuration to use the global system-as
    and apply the local-as ASN no-prepend replace-as option on all affected
    neighbors to preserve existing behavior.
  • If a neighbor is already configured with a local-as directive, that neighbor
    will be excluded from the migration process, as it already follows a custom
    configuration.

The following migration takes place - verified by smoketests

$ /usr/libexec/vyos/run-config-migration.py --test-script /opt/vyatta/etc/config-migrate/migrate/bgp/6-to-7 --output-file /tmp/foo /usr/libexec/vyos/tests/config/bgp-evpn-l3vpn-vrf-different-asn
$ diff -Nurd /usr/libexec/vyos/tests/config/bgp-evpn-l3vpn-vrf-different-asn /tmp/foo
--- /usr/libexec/vyos/tests/config/bgp-evpn-l3vpn-vrf-different-asn     2023-09-10 15:42:53.000000000 +0200
+++ /tmp/foo    2025-08-28 15:49:47.819719018 +0200
@@ -210,6 +210,11 @@
                             maximum-prefix "20"
                         }
                     }
+                    local-as 667 {
+                        no-prepend {
+                            replace-as
+                        }
+                    }
                     remote-as "100"
                 }
                 neighbor 192.0.2.4 {
@@ -227,9 +232,13 @@
                         ipv4-unicast {
                         }
                     }
+                    local-as 667 {
+                        no-prepend {
+                            replace-as
+                        }
+                    }
                     remote-as "112"
                 }
-                system-as "667"
             }
         }
         table "2001"
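Review bot: the neighbor blocks in this hunk gain only local-as 667 with no-prepend replace-as, while the commit message also lists an allowas-in per-neighbor option that does not appear anywhere in this output. Please regenerate the sample from the final migration script so the description shows what is actually written to the config.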
@@ -252,6 +261,11 @@
                     peer-group "foo"
                 }
                 neighbor 192.0.2.12 {
+                    local-as 65412 {
+                        no-prepend {
+                            replace-as
+                        }
+                    }
                     peer-group "bar"
                 }
                 neighbor 192.0.2.14 {
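Review bot: neighbor 192.0.2.12 is a member of peer-group "bar" and receives local-as 65412 directly on the neighbor, but the exclusion rule in the description only covers a local-as already set on the neighbor itself. It would help to state, and cover in a test config, what the migration does when the local-as is configured on the peer-group instead.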
@@ -281,7 +295,6 @@
                     }
                     remote-as "300"
                 }
-                system-as "65412"
             }
         }
         table "3001"
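Review bot: none of the hunks adds or changes a global system-as, so this sample only exercises the case where a global BGP instance already exists. The "if not, initialize one" step from the description should get its own test config, including which VRF ASN becomes the global one when several VRFs carry different values.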

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe): CLI command deprecation

Related Task(s)

Related PR(s)

How to test / Smoketest result

[email protected]:~$ /usr/libexec/vyos/tests/smoke/cli/test_protocols_bgp.py
test_bgp_01_simple (__main__.TestProtocolsBGP.test_bgp_01_simple) ... ok
test_bgp_02_neighbors (__main__.TestProtocolsBGP.test_bgp_02_neighbors) ... ok
test_bgp_03_peer_groups (__main__.TestProtocolsBGP.test_bgp_03_peer_groups) ... ok
test_bgp_04_afi_ipv4 (__main__.TestProtocolsBGP.test_bgp_04_afi_ipv4) ... ok
test_bgp_05_afi_ipv6 (__main__.TestProtocolsBGP.test_bgp_05_afi_ipv6) ... ok
test_bgp_06_listen_range (__main__.TestProtocolsBGP.test_bgp_06_listen_range) ... ok
test_bgp_07_l2vpn_evpn (__main__.TestProtocolsBGP.test_bgp_07_l2vpn_evpn) ... ok
test_bgp_09_distance_and_flowspec (__main__.TestProtocolsBGP.test_bgp_09_distance_and_flowspec) ... ok
test_bgp_10_vrf_simple (__main__.TestProtocolsBGP.test_bgp_10_vrf_simple) ... ok
test_bgp_11_confederation (__main__.TestProtocolsBGP.test_bgp_11_confederation) ... ok
test_bgp_12_v6_link_local (__main__.TestProtocolsBGP.test_bgp_12_v6_link_local) ... ok
test_bgp_13_vpn (__main__.TestProtocolsBGP.test_bgp_13_vpn) ... ok
test_bgp_14_remote_as_peer_group_override (__main__.TestProtocolsBGP.test_bgp_14_remote_as_peer_group_override) ... ok
test_bgp_15_import_rd_rt_compatibility (__main__.TestProtocolsBGP.test_bgp_15_import_rd_rt_compatibility) ... ok
test_bgp_16_import_rd_rt_compatibility (__main__.TestProtocolsBGP.test_bgp_16_import_rd_rt_compatibility) ... ok
test_bgp_17_deleting_import_vrf (__main__.TestProtocolsBGP.test_bgp_17_deleting_import_vrf) ... ok
test_bgp_18_deleting_default_vrf (__main__.TestProtocolsBGP.test_bgp_18_deleting_default_vrf) ... ok
test_bgp_19_import_rd_rt_compatibility (__main__.TestProtocolsBGP.test_bgp_19_import_rd_rt_compatibility) ... ok
test_bgp_20_import_unspecified_vrf (__main__.TestProtocolsBGP.test_bgp_20_import_unspecified_vrf) ... ok
test_bgp_21_interface_mpls_forwarding (__main__.TestProtocolsBGP.test_bgp_21_interface_mpls_forwarding) ... ok
test_bgp_22_vrf_interface_mpls_forwarding (__main__.TestProtocolsBGP.test_bgp_22_vrf_interface_mpls_forwarding) ... ok
test_bgp_23_srv6_sid (__main__.TestProtocolsBGP.test_bgp_23_srv6_sid) ... ok
test_bgp_24_ipv4_labeled_unicast_peer_group (__main__.TestProtocolsBGP.test_bgp_24_ipv4_labeled_unicast_peer_group) ... ok
test_bgp_25_ipv6_labeled_unicast_peer_group (__main__.TestProtocolsBGP.test_bgp_25_ipv6_labeled_unicast_peer_group) ... ok
test_bgp_26_route_reflector_client (__main__.TestProtocolsBGP.test_bgp_26_route_reflector_client) ... ok
test_bgp_27_peer_group_member_all_internal_or_external (__main__.TestProtocolsBGP.test_bgp_27_peer_group_member_all_internal_or_external) ... ok
test_bgp_29_peer_group_remote_as_equal_local_as (__main__.TestProtocolsBGP.test_bgp_29_peer_group_remote_as_equal_local_as) ... ok
test_bgp_30_import_vrf_routemap (__main__.TestProtocolsBGP.test_bgp_30_import_vrf_routemap) ... ok
test_bgp_99_bmp (__main__.TestProtocolsBGP.test_bgp_99_bmp) ... ok

----------------------------------------------------------------------
Ran 29 tests in 347.712s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@c-po c-po self-assigned this Aug 28, 2025
@c-po c-po added bp/sagitta Create automatic backport for sagitta LTS version bp/circinus Create automatic backport for circinus labels Aug 28, 2025

github-actions bot commented Aug 28, 2025

👍
No issues in PR Title / Commit Title


github-actions bot commented Aug 28, 2025

✅ No issues found in unused-imports check. Please refer to the workflow run

@c-po c-po requested review from dmbaturin, sever-sever and zdc August 28, 2025 13:08
@c-po c-po force-pushed the bgp-vrf-system-as branch 3 times, most recently from 0e800f1 to 20a4de7 Compare August 28, 2025 13:57
@vyos vyos deleted a comment from github-actions bot Aug 28, 2025
@vyos vyos deleted a comment from github-actions bot Aug 28, 2025
@c-po c-po removed the conflicts label Aug 28, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

c-po added 2 commits September 9, 2025 17:58
Originating from the bug in T7665. To avoid potential issues down the line - and
given that there's no compelling technical reason to retain the system-as CLI
node under per-VRF BGP configuration, which cannot be achieved through
alternative means - the maintainers have collectively decided to deprecate the
following command:

set vrf name <name> protocols bgp system-as <asn>

Starting with VyOS 1.4.4, this CLI command will be considered deprecated. While
it will still be accepted, it will no longer have any operational effect. A
deprecation warning will be displayed at commit time, indicating that the BGP
ASN from the global BGP configuration is now used instead.

A migration script will handle the transition and perform the following actions:
* Ensure a global BGP configuration exists; if not, initialize one.
* Iterate over all configured VRFs to determine whether a BGP instance exists.
* For any instance, update the configuration to use the global system-as
  and apply the local-as ASN no-prepend replace-as option on all affected
  neighbors to preserve existing behavior.
* If a neighbor is already configured with a local-as directive, that neighbor
  will be excluded from the migration process, as it already follows a custom
  configuration.
* Add allowas-in per neighbor option. Required to not deny received prefix
  updates because the as-path contains our own global ASN.

VyOS 1.5 and onwards will no longer have the following CLI node available:
  set vrf name <name> protocols bgp system-as <asn>
@c-po c-po force-pushed the bgp-vrf-system-as branch from 2781519 to 85fe32f Compare September 9, 2025 16:00
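
The migration steps listed in the commit message, sketched as an added example (this is not the PR's actual 6-to-7 script). Assumptions: the config is modelled as nested dicts rather than VyOS's own config tree, a missing global ASN is seeded from the first VRF by name, and allowas-in is stored as a flat per-neighbor key.

```python
import copy

NO_PREPEND = {"no-prepend": {"replace-as": {}}}

def migrate_vrf_system_as(config):
    """Migrate a dict-modelled config (hypothetical model, not VyOS's ConfigTree)."""
    cfg = copy.deepcopy(config)
    vrfs = cfg.get("vrf", {}).get("name", {})
    # Step 2: collect every VRF that carries a BGP instance.
    vrf_bgp = [v["protocols"]["bgp"] for _, v in sorted(vrfs.items())
               if "bgp" in v.get("protocols", {})]
    vrf_asns = [b["system-as"] for b in vrf_bgp if "system-as" in b]
    if not vrf_asns:
        return cfg  # nothing to migrate
    # Step 1: ensure a global BGP instance exists.
    global_bgp = cfg.setdefault("protocols", {}).setdefault("bgp", {})
    # Assumption: a missing global ASN is seeded from the first VRF by name.
    global_as = global_bgp.setdefault("system-as", vrf_asns[0])
    for bgp in vrf_bgp:
        vrf_as = bgp.pop("system-as", None)  # the per-VRF node goes away
        if vrf_as in (None, global_as):
            continue  # assumption: a matching ASN needs no per-neighbor override
        for nbr in bgp.get("neighbor", {}).values():
            if "local-as" in nbr:
                continue  # step 4: custom local-as, leave untouched
            # Step 3: keep presenting the old VRF ASN to the peer.
            nbr["local-as"] = {vrf_as: copy.deepcopy(NO_PREPEND)}
            # Step 5: flat key here; real CLI placement is not shown on the page.
            nbr["allowas-in"] = {}
    return cfg

# Constructed sample input (addresses from the documentation range).
SAMPLE = {
    "protocols": {"bgp": {"system-as": "65000"}},
    "vrf": {"name": {
        "red": {"table": "2001", "protocols": {"bgp": {
            "system-as": "667",
            "neighbor": {
                "192.0.2.2": {"remote-as": "100"},
                "192.0.2.4": {"remote-as": "112", "local-as": {"64999": {}}},
            }}}},
        "mgmt": {"table": "2002"},
    }},
}

if __name__ == "__main__":
    import json
    print(json.dumps(migrate_vrf_system_as(SAMPLE), indent=2))
```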

github-actions bot commented Sep 9, 2025

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed


@dmbaturin dmbaturin left a comment


The issue is real and I see no other solution. The migration script and everything else look good to me.

@sever-sever

There could be a case for per VRF system-as instance without global without vrf system-as
For example, route leaking between VRFs

vyos@r14:~$ show conf com | match "bgp|vrf|dum"
set interfaces dummy dum0 address '10.10.10.1/24'
set interfaces dummy dum0 vrf 'red'
set interfaces dummy dum1 address '192.168.10.1/24'
set interfaces dummy dum1 vrf 'blue'
set interfaces ethernet eth1 vrf 'red'

set vrf bind-to-all
set vrf name blue protocols bgp address-family ipv4-unicast import vrf 'red'
set vrf name blue protocols bgp address-family ipv4-unicast redistribute connected
set vrf name blue protocols bgp system-as '65003'
set vrf name blue table '1013'

set vrf name red protocols bgp address-family ipv4-unicast import vrf 'blue'
set vrf name red protocols bgp address-family ipv4-unicast redistribute connected
set vrf name red protocols bgp system-as '65002'
set vrf name red table '1010'

Check

vyos@r14:~$ show ip route vrf red 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF red:
C>* 10.10.10.0/24 is directly connected, dum0, weight 1, 00:08:57
L>* 10.10.10.1/32 is directly connected, dum0, weight 1, 00:08:57
K>* 127.0.0.0/8 [0/0] is directly connected, red, weight 1, 03:29:58
B>* 192.168.10.0/24 [20/0] is directly connected, blue (vrf blue), weight 1, 00:03:22
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show ip route vrf blue 
Codes: K - kernel route, C - connected, L - local, S - static,
       R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric, t - Table-Direct,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF blue:
B>* 10.10.10.0/24 [20/0] is directly connected, red (vrf red), weight 1, 00:03:27
K>* 127.0.0.0/8 [0/0] is directly connected, blue, weight 1, 00:09:59
C>* 192.168.10.0/24 is directly connected, dum1, weight 1, 00:09:02
L>* 192.168.10.1/32 is directly connected, dum1, weight 1, 00:09:02
vyos@r14:~$ 

Check BGP table:

vyos@r14:~$ show ip bgp vrf red
BGP table version is 2, local router ID is 10.10.10.1, vrf id 8
Default local pref 100, local AS 65002
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.10.0/24    0.0.0.0                  0         32768 ?
 *>  192.168.10.0/24  0.0.0.0@92<              0         32768 65003 ?

Displayed 2 routes and 2 total paths
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ show ip bgp vrf blue 
BGP table version is 2, local router ID is 192.168.10.1, vrf id 92
Default local pref 100, local AS 65003
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.10.0/24    0.0.0.0@8<               0         32768 65002 ?
 *>  192.168.10.0/24  0.0.0.0                  0         32768 ?

Displayed 2 routes and 2 total paths
vyos@r14:~$ 

Will it be impossible to do it after this change?

@c-po

c-po commented Sep 18, 2025

Your config

set vrf name blue protocols bgp address-family ipv4-unicast import vrf 'red'
set vrf name blue protocols bgp address-family ipv4-unicast redistribute connected
set vrf name blue protocols bgp system-as '65003'
set vrf name blue table '1013'

set vrf name red protocols bgp address-family ipv4-unicast import vrf 'blue'
set vrf name red protocols bgp address-family ipv4-unicast redistribute connected
set vrf name red protocols bgp system-as '65002'
set vrf name red table '1010'

Will be migrated to:

set protocols bgp system-as '65003'

set vrf name blue protocols bgp address-family ipv4-unicast import vrf 'red'
set vrf name blue protocols bgp address-family ipv4-unicast redistribute connected
set vrf name blue table '1013'

set vrf name red protocols bgp address-family ipv4-unicast import vrf 'blue'
set vrf name red protocols bgp address-family ipv4-unicast redistribute connected
set vrf name red table '1010'

> Will it be impossible to do it after this change?

Yes - you can always adjust an AS path with a route-map and replace ASNs as much as you like

@sever-sever

@aapostoliuk, could you take a look at whether we have some similar configs that could be affected? Or are you OK with those changes?


@sever-sever sever-sever left a comment


Delete system-as under VRF to avoid bugs with not loaded configuration after reboot.

@dmbaturin dmbaturin merged commit bf1c29a into vyos:current Sep 23, 2025
17 of 18 checks passed
@vyosbot vyosbot added the mirror-initiated This PR initiated for mirror sync workflow label Sep 23, 2025
@vyosbot vyosbot added mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Sep 23, 2025
@c-po c-po deleted the bgp-vrf-system-as branch September 23, 2025 18:44