...
| Code Block | ||
|---|---|---|
| ||
/routing filter rule
add chain=myChain \
rule="if (dst in 192.168.1.0/24 && dst-len>24) {set distance +1; accept} else {set distance -1; accept}" |
...
| Property | Type | Description |
|---|---|---|
| Numeric properties | ||
| distance | route distance | |
| scope | ||
| scope-target | target scope | |
| bgp-weight | BGP WEIGHT attribute | |
| bgp-med | BGP MED attribute is local to the router. It is also used in the output of iBGP peers. | |
| bgp-out-med | BGP MED attribute to be sent to a remote peer. Should be used in the output chain of eBGP peers. | |
| bgp-local-pref | BGP LOCALPREF attribute | |
| bgp-igp-metric | BGP IGP METRIC | |
| bgp-path-peer-prepend | Prepend last received remote peers ASN. If the prefix is originated from the router, then this parameter will not do anything on the router's output, because ASN does not exist yet. If used as a matcher in BGP input, it is possible to filter prefixes exceeding a certain number of prepends. For example, if a remote peer prepends its ASN 5 times, but we want to allow max 4 times prepended ASN, then we can use: " This parameter also overrides any prepends received from the remote peer, for example, if the remote peer prepended it's AS 3 times, we can remove this prepend by setting " | |
| bgp-path-prepend | Prepend routers ASN, should be used in BGP output. | |
| ospf-ext-metric | OSPF External route metric | |
| ospf-ext-tag | OSPF external route tag | |
| rip-ext-metric | RIP External route metric | |
| rip-ext-tag | RIP External route tag | |
| Flag properties | ||
| ospf-ext-dn | DN bit for external OSPF routes | |
| blackhole | ||
| suppress-hw-offload | Whether to suppress L3 HW offloading | |
| use-te-nexthop | ||
| Other properties | ||
| gw | ipv4/6 address | IPv4/IPv6 address or interface name. In the case of BGP output, a gateway can be adjusted in the following setups:
|
| gw-interface | interface_name | Interface part of the gateway. Should be used if it is required to attach a specific interface for next-hop, like (1.2.3.4%ether1) |
| gw-check | none|arp|icmp|bfd|bfd-mh | |
| pref-src | ipv4/6 address | |
| bgp-origin | igp|egp|incomplete | |
| ospf-ext-fwd | ipv4/6 address | Forwarding address of External OSPF route |
| ospf-ext-type | type1|type2 | OSPF External route type |
| comment | string | |
| bgp-communities | inline_community_set | setcommunity_list_name | BGP Communities attribute is defined in RFC 1997. Each community is 32-bit in size. |
| bgp-ext-communities | inline_ext_community_set | ext_community_list_name | BGP Extended Communities attribute is defined in RFC 4360. RouterOS parses site-of-origin (prefixed with soo:) and route-target (prefixed with rt:) extended communities. For example, "set bgp-ext-communities rt:1111:2.3.4.5;". It is possible to set/match RAW extended communities value in 64-bit hex, for example, "set bgp-ext-community 0x.........;" |
| bgp-large-communities | inline_large_community_set | large_community_list_name | BGP Large Communities attribute is defined in RFC 8092. Suitable for use with all ASNs including 32-bit ASNs. Each community is 12-bytes in length and consists of 3 parts: "global_admin:locap_part_1:local_part_2". |
...
| Command | Params | Description |
|---|---|---|
| accept | accept matched prefix | |
| reject | reject matched prefix, the prefix will be stored in the memory as "filtered" and will not be the candidate to be selected as the best path. | |
| return | return to the parent chain | |
| jump | jump chain_name | jump to a specified chain |
| unset | unset prop_name | used to unset the value of the following properties:pref-src|bgp-med|bgp-out-med|bgp-local-pref |
| append | append at the end of the list or string. Following property values can be appended: bgp-communities, bgp-ext-communities, bgp-large-communities, comment | |
| filter | Inverse of the delete action (Delete everything except the specified values). Values of the following properties can be filtered: bgp-communities, bgp-ext-communities, bgp-large-communities | |
| delete | Delete the value of the specified property. Values of the following properties can be deleted: bgp-communities, bgp-ext-communities, bgp-large-communities | |
| set | set prop_writeable value | The command is used to set a new value to writeable properties. Value can be set from other readable properties of matching types. For numeric properties, it is possible to prefix the value with +/- which will increment or decrement the current property value by a given amount. For example, "set pref-src +1" will increment current pref-src by one, or extract value from other readable num property, "set distance +ospf-ext-metric" |
| rpki-verify | rpki-verify rpki_group_name | Enable RPKI verification in the current chain from the specified RPKI group. |
...
| Operator | Description | Example | |
|---|---|---|---|
| equal | return true if provided communities are equal to the routes property value | ||
| equal-list | return true if communities from provided community-list are equal to the route's property value | ||
| any | returns true if the route's property value contains at least one of provided communities | ||
| any-list | returns true if the route's property value contains at least one community from the provided list | ||
| includes | returns true if the route's property value includes specified communities | ||
| includes-list | returns true if the route's property value includes all communities from the specified communities-list | ||
| subset | subset-list | any-regexp | subset-regexp |
String Operators
...
| returns true if route community subset matches communities from the list | 1:1,3:3 will match 1:1,2:2,3:3 | |
| subset-list | the same as "subset", but matches communities form the community list. | |
| any-regexp | the same as "any", but matched by regexp | |
| subset-regexp | the same as "subset", but matched by regexp |
String Operators
| Operator | Description |
|---|---|
| find | Check if provided substring is part of the property value |
| regexp | Match string regexp of the property value |
Deleting BGP Communities
Routing filters allow to clear BGP communities by using "delete" command. Delete command accepts several parameters based on the type of the community type:
- communities:
- "wk" - will match and remove well known communities
- "other" - will match and remove other communities that are not well known
- "regexp" - regexp pattern to match communities that should be deleted
- "<community-list name>" - deletes communities from specified community-list
- ext-communities:
- "rt" - will match and remove RouteTarget
- "soo" - will match and remove Site-of-Origin
- "other" - will match and remove other ext communities that are not RT or SSO
- "regexp" - regexp pattern to match ext communities that should be deleted
- "<community-ext-list name>" - deletes communities from specified community-ext-list
- large-communities:
- "all" - removes everything
- "regexp" - regexp pattern to match large communities that should be deleted
- "<community-large-list name>" - deletes large communities from specified community-large-list
It is possible to specify multiple community types, for example delete all SSOs, other type of ext communities and specific RTs from the community-ext list:
| Code Block | ||
|---|---|---|
| ||
/routing/filter/community-ext-list
add list=myRTList communities="rt:1.1.1.1:222"
/routing/filter/rule
add chain=myChain rule="delete bgp-ext-communities sso,other,myRTList;" |
...
AS-PATH Regexp Matching
AS Path is the sequence of autonomous system numbers (ASNs), for example AS Path 123 456 789 would indicate, that route originated from AS with the number 789, and to reach the destination, the packet would need to travel through two autonomous systems: 456 and 789. To apply specific routing policies administrator might want to match specific AS numbers or set of numbers in the AS Path (for example, reject prefixes that travel through AS 456), which can be achieved using regular expression (regexp).
...
| Code Block | ||
|---|---|---|
| ||
/routing/filter/rule/ add chain=myChain rule="if (bgp-as-path .1234.) {accept}" |
...
| Operator | Description | Example | Example Explained | Example Matches |
|---|---|---|---|---|
| ^ | Represents the beginning of the path | ^1234 | will math match AS-path starting with ASN 1234 | |
| $ | Represents the end of the path | 1234$ | will match AS-path of origin ASN 1234 | |
| * | Zero or more occurrences of the listed ASN | ^1234*$ | will math match Null as-path or as-path where ASN 1234 may or may not appear multiple times | MathMatch: 1234 1234 1234 1234 Null path No Match: 1234 5678 |
| + | One or more occurrences of the listed ASN | 1234+ | will match AS-path where ASN 1234 appears at least once | Match: 1234 3 1234 6 No match: 12345 678 |
| ? | Zero or one occurrence of the listed ASN | ^1234? 5678 | will match AS-path that may or may not start with ASN 1234 appearing once. | Match: 5678 1234 5678 No match: 1234 1234 5678 12345 5678 |
| . | One occurrence of any ASN | ^.$ | will match any AS-path with the length of one. | Match: 12345 45678 No match: 1234 5678 |
| | | Match one of two ASNs on each side | ^(1234|5678) | will match AS-path starting with ASN 1234 or 5678 | Match: 1234 5678 1234 5678 No Match: 91011 |
[ ] [^ ] | Represents the set of AS numbers where one AS number from the list must match. Use ^ after opening the bracket to negate the set. It is also possible to reference the pre-defined num-lists from num-list with [[:numset_name:]] | ^[1234 5678 1-100] | will match the AS-path that starts with 1234 or 5678 or from the range of 1 to 100 | Match: 1234 99 5678 No Match: 101 |
() | Group of regexp terms to match | ^(1234$|5678) | will match AS-path that starts and ends with 1234 or AS-path that starts with 5678 | Match: 1234 5678 9999 No Match: 1234 5678 |
...
| Code Block | ||
|---|---|---|
| ||
/routing/filter/community-list add communities=111:222 list=myCommunityList /routing/filter/rule/ add chain=myChain rule="if (bgp-communities equal-list myCommunityList) {delete bgp-communities wk,other; accept;}" |
...