Page tree

Routing Tables

By default, all routes are added to the "main" routing table as it was before. From a configuration point of view, biggest differences are routing table limit increase, routing table monitoring differences and how routes are added to specific routing tables (see next example)
v7 introduces a new menu /routing route, which shows all address family routes as well as all filtered routes with all possible route attributes. /ip route and /ipv6 route menus are used to add static routes and for simplicity shows only basic route attributes.

For more in-depth information on routing see this article (How Packets Are Routed).

Another new change is that most common route print requests are processed by the routing process which significantly improves the speed compared to v6.

Use of Routing Tables and Policy Routing


The main difference from v6 is that routing table must be added in /routing table menu and fib parameter should be specified if the routing table is intended to push routes to the  FIB.
Routing rule configuration is the same except the menu location (instead of /ip route rule, now it is /routing rule).

Another main difference is how the route is added to a specific routing table. There is no separate parameter routing-mark as it was in v6, now routing table is specified as part of destination: dst-address=dst@table_name

(as per user requests v7.0beta9 adds back 'routing-table' parameter)

Let's consider a basic example where we want to resolve 8.8.8.8 only in routing table named myTable to the gateway 172.16.1.1:

/routing table add name=myTable fib
/routing rule add dst-address=8.8.8.8 action=lookup-only-in-table table=myTable
/ip route add dst-address=8.8.8.8 gateway=172.16.1.1@main routing-table=myTable


Instead of routing rules, you could use mangle to mark packets with routing-mark, the same way as it was in ROSv6.

OSPF Configuration

OSPFv3 and OSPFv2 is now merged into one single menu /routing ospf. At the time of writing this article, there is no default instances and areas.
To start both OSPFv2 and OSPF v3 instances, first, you need to create an instance for each and then add an area to the instance.

/routing ospf instance 
add name=v2inst version=2 router-id=1.2.3.4
add name=v3inst version=3 router-id=1.2.3.4
/rouing ospf area
add name=backbone_v2 area-id=0.0.0.0 instance=v2inst
add name=backbone_v3 area-id=0.0.0.0 instance=v3inst


At this point, you are ready to start OSPF on the network interface. In the case of IPv6, you add either interface on which you want to run OSPF (the same as ROSv6) or IPv6 network. In the second case OSPF will automatically detect interface. Here are some interface configuration examples:

/routing ospf interface
add network=192.168.0.0/24 area=backbone_v2
add network=2001:db8::/64 area=backbone_v3
add network=ether1 area=backbone_v3

Another big difference is that interface and neighbor menus are purely for configuration, to monitor adjacent neighbors or interface status there are two new menu interface-state and neighbor-state.

All route distribution control is now done purely with routing filter select, no more redistribution knobs in the instance. This gives greater flexibility on what routes from which protocols you want to redistribute.
For example, let's say you want to redistribute only static ipv4 routes from /192.168.0.0/16 network range.

/routing ospf instance
set backbone_v2 out-filter=ospfv2_out_select
/routing filter select-rule add chain=ospfv2_out_select do-where=ospf_out
/routing filter rule add chain=ospf_out match-prfx-value="dst<subsumes>182.168.0.0/16" action=accept

If routing filter chain is not specified OSPF will try to advertise every active route it can find in the routing table

The default action of the routing filter chain is "drop"

BGP Configuration

There is a complete redesign of the BGP configuration compared to ROSv6. The first biggest difference is that there is no more instance and peer configuration menus. Instead, we have connection, template and peer-cache menus.
The reason for such structure is to strictly split parameters that are responsible for connection and change of these parameters requires immediate connection termination and parameters that do not tear existing connection when changed.

Let's start with the Template. It contains all BGP protocol related configuration options. It can be used as a template for dynamic peers and apply a similar config to a group of peers. Note that this is not the same as peer groups on Cisco devices, where the group is more than just a common configuration.

By default, there is a default template that requires you to set your own AS.

/routing/bgp/template set default as=65533

Most of the parameters are similar to ROSv6 except that some are grouped in the output and input section. If you are familiar with capsman then the syntax is the same, for example, to specify output filter chain you set output.filter=myBgpChain.

You can even inherit template parameters from another template, for example:

/routing/bgp/template 
add name=myAsTemplate as=65500 output.filter=myAsFilter
set default template=myAsTemplate

Another important aspect of the new routing configuration is Routing Instance, which sets router-id and group peers in one instance. RouterOS adds default instance which picks instance-id from any interface highest IP. The default BGP template by default is set to use the "default" instance.
If for any reason you need to tweak or add new instances it can be done in /routing instance menu.

Very interesting parameters are inut.affinity and output.affinity, they allow to control in which process input and output of active session will be processed:

  • alone - input and output of each session is processed in its own process, most likely best option when there are a lot of cores and a lot of peers
  • afi, instance, vrf, remote-as - try to run input/output of new session in process with similar parameters
  • main - run input/output in main process (could potentially increase performance on single core even possiby on multicore devices with small amount of cores)
  • input - run output in the same process as input (can be set only for output affinity)

Now that we have parameters set for the template we can add BGP connections. A minimal set of parameters are remote.address, template, connectlisten and local.role

Connect and listen to parameters specify whether peers will try to connect and listen to a remote address or just connect or just listen. It is possible that in setups where peer uses the multihop connection local.address must be configured too (similar as it was with update-source in ROSv6).

It is not mandatory to specify a remote AS number. ROS v7 can determine remote ASN from an open message. You should specify the remote AS only when you want to accept a connection from that specific AS.

Peer role is now mandatory parameter, for basic setups you can just use ibgp, ebgp (more information on available roles can be found in corresponding RFC draft https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-open-policy/?include_text=1), keep in mind that at the moment capabilities, communities and filtering desribed in draft is not implemented.

Very basic iBGP setup to listen on the whole local network for connections:

/routing/bgp/connection
add remote.address=10.155.101.0/24 listen=yes template=default local.role=ibgp 

Now you can monitor the status of all connected and disconnected peers from /routing bgp peer-cache menu.

Other great debugging information on all routing processes can be monitored from /routing stats menu

[admin@v7_ccr_bgp] /routing/stats/process> print interval=1
Columns: TASKS, PRIVATE-MEM-BLOCKS, SHARED-MEM-BLOCKS, PSS, RSS, VMS, RETIRED, ID, PID, RPID, PROCESS-TIME, KERNEL-TIME, CUR-B>
# TASKS PRIVATE-M SHARED-ME PSS RSS VMS RET ID PID R PROCESS-TI KERN>
0 routing tables 12.2MiB 20.0MiB 18.7MiB 42.2MiB 83.4MiB 8 main 319 0 19s750ms 8s50>
rib >
connected networks >
1 fib 512.0KiB 0 7.4MiB 30.9MiB 83.4MiB fib 384 1 5s160ms 22s5>
2 ospf 1024.0KiB 1024.0KiB 5.9MiB 25.9MiB 83.4MiB 382 ospf 388 1 1m42s170ms 1m31>
connected networks >
3 fantasy 512.0KiB 0 2061.0KiB 5.9MiB 83.4MiB fantasy 389 1 1s410ms 870m>
4 configuration and reporting 40.0MiB 512.0KiB 45.0MiB 64.8MiB 83.4MiB static 390 1 12s550ms 1s17>
5 rip 768.0KiB 0 5.3MiB 24.7MiB 83.4MiB rip 387 1 1s380ms 1s20>
connected networks >
6 routing policy configuration 512.0KiB 256.0KiB 2189.0KiB 6.0MiB 83.4MiB policy 385 1 1s540ms 1s20>
7 BGP service 768.0KiB 0 2445.0KiB 6.2MiB 83.4MiB bgp 386 1 6s170ms 9s38>
8 BGP Input 10.155.101.217 8.8MiB 6.0MiB 15.6MiB 38.5MiB 83.4MiB 20 21338 1 25s170ms 3s23>
BGP Output 10.155.101.217 >
9 Global memory 256.0KiB global 0 0 >
-- [Q quit|D dump|C-z pause|right]

Route filtering differs a bit from ROSv6. In the BGP template, you can now specify output.filter, input.filter as well as several input.accept-* options.

Now input.accept-* allows filter incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only reject prefix which means that it will still eat memory and will be visible in /routing route table as "not active, filtered", 

A very basic example of a BGP input filter to accept prefixes from 192.168.0.0/16 subnet without modifying any attributes. For other prefixes subtract 1 from received local pref value and set IGP metric to value from OSPF ext. Additionally, we will accept only specific  prefixes from address list to reduce memory usage

/ip/firewall/address-list
add list=bgp_list dst-address=192.168.1.0/24
add list=bgp_list dst-address=192.168.0.0/24
add list=bgp_list dst-address=172.16.0.0/24

/routing/bgp/template
set default input.filter=bgp_in .accept-nlri=bgp_list

/routing/filter/rule
add chain=bgp_in match-prfx-value="dst<subsumes>192.168.0.0/16" action=accept
add chain=bgp_in set-num-value="bgp-local-pref<sub>1"
add chain=bgp_in set-num-prop="bgp-igp-metric<assign>ospf-ext-metric" action=accept

If routing filter chain is not specified BGP will try to advertise every active route it can find in the routing table

The default action of the routing filter chain is "drop"

Lastly you might noticed that network menu is missing and probably wondering how to advertise your own networks. Now you would need to add route to the routing table before being able to advertise it to remote peer.
So ROSv6 network configuration:

/routing bgp network add network=192.168.0.0/24

in v7 would translate to:

/ip/route 
add dst-address=192.168.0.0/24 type=blackhole
/routing/filter/rule
add chain=bgp_out match-prfx-value="dst<equal>192.168.0.0/24" action=accept

Routing Filters

One filter rule in ROSv7 compared to ROSv6 can have only one set of "match" and one set of "set", which means that if you want to match by more than one parameter you will have to add more than one rule, for example, match static default route and apply action accept:

/routing/filter/rule
add chain=ospf_in match-prfx-value="dst<equal>0.0.0.0/0"
add chain=ospf_in match-protocol=static action=accept

Multiple rules without action are stacked in single rules and executed in order like firewall rules.
For example, ROSv6 rule "/routing filter add chain=ospf_in prefix=172.16.0.0/16 prefix-length=24 protocol=static action=accept" converted to ROSv7 would be:

/routing/filter/rule
add chain=ospf_in match-prfx-value="dst<subsumes>172.16.0.0/16"
add chain=ospf_in match-num-value="dst-len<equals>24"
add chain=ospf_in match-protocol=static action=accept



Filter rules now can be used to match or set communities,  large communities, and extended communities from community list:

/routing/filter/large-community-set
add set=myLargeComSet community=200001:200001:10 


/routing/filter/rule
add chain=bgp_in set-bgp-communities-large="modify<append>myLargeComSet" action=accept

RPKI

RouterOS implements an RTR client. You connect to the server which will send route validity information. This information then can be used to validate routes in route filters against a group with "rpki-validate" and further in filters "match-rpki" can be used to match exact state.

Very basic example to reject all prefixes with "invalid" state and accept the rest. Let's consider that we have our own RTR server on our network with IP address 192.168.1.1

/routing/bgp/rpki
add group=myRpkiGroup address=192.168.1.1 port=8282 refresh-interval=20

/routing/filter/rule
add chain=bgp_in rpki-verify=myRpkiGroup 
add chain=bgp_in match-rpki=invalid action=reject
add action=accept
  • No labels