BGP on Mikrotik ROSv7.1 – Change for good?

BGP on Mikrotik ROSv7.1 is something that has changed drastically. With RouterOS v7.1 RC3, Mikrotik has made BGP stable enough for use, with route filters finally working fine. The entire routing engine of RouterOS has been redesigned from scratch, and this is the main cause of the slow progress of the much-anticipated RouterOS v7. I had the time to test v7.1 RC3 for over a week and it worked as expected. Mikrotik rolled out ROSv7.1 RC4 on 20th September with a vague change log. There is no mention of specific bug fixes, but it certainly broke BGP initially. More on that later.

The new routing engine works similarly to that of Cisco. Filters work like route-maps, with prefix lists created under /ip/firewall/address lists (/ipv6/firewall/address lists in case of IPv6). An IGP entry for every route to be announced needs to be present in the routing table. Also, we now need to add our prefixes as blackhole routes, else BGP will not advertise our routes. We can say that the No Synchronization option under /routing/bgp/networks is gone. In fact, the networks tab is gone under BGP. To get BGP working we first need to add the prefixes with the blackhole option ticked in /ip/route (/ipv6/route). The Redistribute Static, default, OSPF and RIP routes buttons are gone. Now we need to use routing filter rules to redistribute routes. Filter rules are now based on if statements similar to those we use in programming.

Adding blackhole route.

The next step is to create an address list under /ip/address lists (/ipv6/address lists). We will use this address list to match the routes to be announced using routing filters. I have created three address lists, two for my upstreams and one for announcing to the IX.

Address list

After creating the address lists, the next step is the routing filter rules. I am sharing my routing filter rules:
1. ‘Openswitch-out’ is used to advertise routes matching the ix_networks address list to the neighbor and to reject all other routes.
2. ‘Openswitch-in’ sets the BGP local preference to 300.
3. ‘Openfactory-out’ advertises only routes matching the ‘openfactory’ address list and sets as-path-prepend to 3 before announcing to the upstream.

I have used some basic traffic engineering to maximize traffic flowing through the IX (that’s what every network should be doing), though this is a lab network. I have set local preference to 400 for private peering, 300 for the IX that’s closest to me, 200 for other IXs, and 100 for upstream. To modify inbound traffic I have set AS path prepending to 3 for my upstream.

There are more route filters in my config, but they are similar to the above, just for my various peers and private peering.

[[email protected]] /routing/filter/rule> print
Flags: X - disabled, I - inactive 
 0   chain=Openswitch-out rule="if (dst in ix_networks ) {accept }" 

 1   chain=Openswitch-out rule="reject" 

 2   chain=igor-out rule="if (dst in ix_networks ) {accept }" 

 3   chain=igor-out rule="reject " 

 4   chain=Openswitch-in rule="set bgp-local-pref 300; accept " 

 5   chain=igor-in rule="set bgp-local-pref 400; accept " 

 6   chain=ifog-out rule="if (dst in ifog ) {set bgp-path-prepend 3 ; accept }" 

 7   chain=ifog-out rule="reject" 

 8   chain=openfactory-out rule="if (dst in openfactory ) {set bgp-path-prepend 3; accept }" 

 9   chain=openfactory-out rule="reject " 

10   chain=llix-out rule="if(dst in ix_networks ) {accept }" 

11   chain=llix-out rule="reject" 

12   chain=llix-in rule="set bgp-local-pref 200; accept " 

13   chain=PyramIX-out rule="if (dst in ix_networks ) {accept }" 

14   chain=PyramIX-out rule="reject " 

15   chain=PyramIX-in rule="set bgp-local-pref 200; accept " 
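
As an added example (not part of the original post and not a Mikrotik tool), here is a small Python check over `/routing/filter/rule print` output in the format shown above; it flags any outbound chain that could announce more than the intended address list. The `-out` naming convention, the placement of the X/I flag column, the `leaky-out` chain and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the format of `/routing/filter/rule print`.
# "leaky-out" is a hypothetical chain added to show a failing case.
SAMPLE = '''
 0   chain=Openswitch-out rule="if (dst in ix_networks ) {accept }"
 1   chain=Openswitch-out rule="reject"
 2   chain=Openswitch-in rule="set bgp-local-pref 300; accept "
 3   chain=openfactory-out rule="if (dst in openfactory ) {set bgp-path-prepend 3; accept }"
 4   chain=openfactory-out rule="reject "
 5   chain=leaky-out rule="if (dst in ix_networks ) {accept }"
 6   chain=leaky-out rule="set bgp-path-prepend 3; accept"
'''

# Assumption: an X (disabled) or I (inactive) flag sits between number and chain.
RULE_RE = re.compile(r'^\s*\d+\s+(?:([XI])\s+)?chain=(\S+)\s+rule="(.*)"\s*$')
GUARDED_RE = re.compile(r'^if\s*\(\s*dst in (\S+)\s*\)\s*\{.*\baccept\s*\}$')


def parse_chains(text):
    """Group rule strings by chain name in order, skipping flagged rules."""
    chains = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group(1):
            chains.setdefault(m.group(2), []).append(m.group(3).strip())
    return chains


def audit_out_chains(text):
    """Return {chain: [problems]} for every chain whose name ends in '-out'."""
    report = {}
    for name, rules in parse_chains(text).items():
        if not name.endswith("-out"):
            continue
        problems = []
        if rules[-1] != "reject":
            problems.append("last rule is not an unconditional reject")
        for rule in rules:
            if re.search(r'\baccept\b', rule) and not GUARDED_RE.match(rule):
                problems.append("unguarded accept: " + rule)
        report[name] = problems
    return report


if __name__ == "__main__":
    for chain, problems in audit_out_chains(SAMPLE).items():
        print(chain, "OK" if not problems else problems)
```

An empty problem list means every accept in that chain is tied to an address list and everything else falls through to the final reject.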

Then we head on to creating BGP sessions under /routing/bgp/connection. It is important to note that the Listen and Connect options are ticked. We can leave the remote AS field blank: from RouterOS v7 onwards, the router can detect the remote ASN from the BGP Open message. Next we click on the Filter tab, where we need to add ‘In Filter’ and ‘Out Filter’ along with ‘Output Network’. It is very important to set the address list used by the ‘Output Filter’ rule as ‘Output Network’, else routes will not be announced. Also, since Peer Cache is not fully functional, we cannot check the number of prefixes received by our router from a particular peer.

BGP connection

BGP Filter

Now coming to the issue with v7.1 RC4: after upgrading from RC3 to RC4, routes are not advertised by the router to any peers. To fix this we simply have to disable the address lists and re-enable them. This problem has already been reported to Mikrotik on their forum. By following the above procedure you should get your BGP up and running as expected. On v7.1 RC4 the CPU utilization by BGP is very low. The new routing engine is very memory and CPU efficient. I have used my RB3011UiAS-RM for testing using my AS213326.

BGP Peers

With two full IPv6 routing tables and 3 IX routes, CPU utilization from route calculation alone, without any traffic flowing, used to be 27-35% on ROSv6; now it is just 5-8%. That means more CPU resources are effectively available to push packets.
