Summary
The Border Gateway Protocol (BGP) allows setting up an inter-domain dynamic routing system that automatically updates routing tables of devices running BGP in case of network topology changes.
MikroTik RouterOS supports BGP Version 4, as defined in RFC 4271
Standards and Technologies:
- RFC 4271 Border Gateway Protocol 4
- RFC 4456 BGP Route Reflection
- RFC 5065 Autonomous System Confederations for BGP
- RFC 1997 BGP Communities Attribute
- RFC 8092 BGP Large Communities
- RFC 4360, 5668 BGP Extended Communities
- RFC 2385 TCP MD5 Authentication for BGPv4
- RFC 5492 Capabilities Advertisement with BGP-4
- RFC 2918 Route Refresh Capability
- RFC 4760 Multiprotocol Extensions for BGP-4
- RFC 2545 Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
- RFC 4893 BGP Support for Four-octet AS Number Space
RFC 4364 BGP/MPLS IP Virtual Private Networks (VPNs)
- RFC 4761 Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signalling
- RFC 6286 - AS-wide Unique BGP Identifier for BGP-4
Quick Configuration Example
Very basic eBGP configuration example assuming, that Router1 IP is 192.168.1.1, AS 65531 and Router2 IP 192.168.1.2, AS 65532:
#Router1 /routing/bgp/connection add name=toR2 remote.address=192.168.1.2 as=65531 local.role=ebgp
#Router2 /routing/bgp/connection add name=toR1 remote.address=192.168.1.1 as=65532 local.role=ebgp
Property Reference
Template
Sub Menu: /routing/bgp/template
The template contains all BGP protocol-related configuration options. It can be used as a template for dynamic peers and to apply a similar configuration to a group of peers. Note that this is not the same as peer groups on Cisco devices, where the group is more than just a common configuration.
| Property | Description | |
|---|---|---|
| add-path-out (all |none; Default: ) | ||
| address-families (ip | ipv6 | l2vpn | l2vpn-cisco | vpnv4; Default: ip) | List of address families about which this peer will exchange routing information. The remote peer must support (they usually do) BGP capabilities optional parameter to negotiate any other families than IP. | |
| as (integer [0..4294967295]; Default: ) | 32-bit BGP autonomous system number. Value can be entered in AS-Plain and AS-Dot formats. The parameter is also used to set up the BGP confederation, in the following format: confederation_as/as. For example, if your AS is 34 and your confederation AS is 43, then as configuration should be as=43/34. | |
| as-override (yes | no; Default: no) | If set, then all instances of the remote peer's AS number in the BGP AS-PATH attribute are replaced with the local AS number before sending a route update to that peer. Happens before routing filters and prepending. | |
| cisco-vpls-nlri-len-fmt (auto-bits | auto-bytes | bits | bytes; Default: ) | VPLS NLRI length format type. Used for compatibility with Cisco VPLS. [[Read more>>]]. | |
| cluster-id (IP address; Default: ) | In case this instance is a route reflector: the cluster-ID of the router reflector cluster to this instance belongs. This attribute helps to recognize routing updates that come from another route reflector in this cluster and avoid routing information looping. Note that normally there is only one route reflector in a cluster; in this case, 'cluster-id' does not need to be configured and BGP router ID is used instead | |
| disabled (yes | no; Default: no) | Whether template is disabled. | |
| hold-time (time[3s..1h] | infinity; Default: 3m) | Specifies the BGP Hold Time value to use when negotiating with peers. According to the BGP specification, if the router does not receive successive KEEPALIVE and/or UPDATE and/or NOTIFICATION messages within the period specified in the Hold Time field of the OPEN message, then the BGP connection to the peer will be closed. The minimal hold-time value of both peers will be actually used (note that the special value 0 or 'infinity' is lower than any other value)
| |
| input - a group of parameters associate with BGP input | ||
| .accept-comunities (string; Default: ) | A quick way to filter incoming updates with specific communities. It allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only reject prefixes which means that it will still eat memory and will be visible in /routing route table as "not active, filtered". Changes to be applied required session refresh. | |
| .accept-ext-communities(string; Default: ) | A quick way to filter incoming updates with specific extended communities. It allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only reject prefixes which means that it will still eat memory and will be visible in /routing route table as "not active, filtered". Changes to be applied required session refresh. | |
| .accept-large-comunities (string; Default: ) | A quick way to filter incoming updates with specific large communities. It allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only reject prefixes which means that it will still eat memory and will be visible in /routing route table as "not active, filtered". Changes to be applied required session refresh. | |
| .accept-nlri(string; Default: ) | Name of the ipv4/6 address-list. A quick way to filter incoming updates with specific NLRIs. It allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only reject prefixes which means that it will still eat memory and will be visible in /routing route table as "not active, filtered". Changes to be applied required session restart. | |
| .accept-unknown(string; Default: ) | A quick way to filter incoming updates with specific "unknown" attributes. It allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only reject prefixes which means that it will still eat memory and will be visible in /routing route table as "not active, filtered". Changes to be applied required session refresh. | |
| .affinity(afi | alone | instance | main | remote-as | vrf; Default: ) | Configure input multi-core processing. Read more in Routing Protocol Multi-core Support article.
| |
| .allow-as (integer [0..10]; Default: ) | How many times to allow your own AS number in AS-PATH, before discarding a prefix. | |
| .filter (name; Default: ) | Name of the routing filter chain to be used on input prefixes. Happens after NLRIs are processed. If the chain is not specified, then BGP by default accepts everything. | |
| .ignore-as-path-len (yes | no; Default: no) | Whether to ignore AS_PATH attribute in the BGP route selection algorithm | |
| .limit-nlri-diversity (integer; Default: ) | ||
| .limit-process-routes-ipv4 (integer; Default: ) | Try to limit the amount of received IPv4 routes to the specified number. This number does not represent the exact number of routes going to be installed in the routing table by the peer. BGP session "clear" command must be used to reset the flag if the limit is reached. | |
| .limit-process-routes-ipv6 (integer; Default: ) | Try to limit the amount of received IPv6 routes to the specified number. This number does not represent the exact number of routes going to be installed in the routing table by the peer. BGP session "clear" command must be used to reset the flag if the limit is reached. | |
| keepalive-time (time [1s..30m]; Default:3m ) | How long to keep the BGP session open after the last received "keepalive" message. | |
| multihop (yes | no; Default: no) | Specifies whether the remote peer is more than one hop away. This option affects outgoing next-hop selection as described in RFC 4271 (for EBGP only, excluding EBGP peers local to the confederation). It also affects:
| |
| name (string; Default: ) | Name of the BGP template | |
| nexthop-choice (default | force-self | propagate; Default: default) | Affects the outgoing NEXT_HOP attribute selection. Note that next-hops set in filters always takes precedence. Also note that next-hop is not changed on route reflection, except when it's set in the filter.
| |
| output - a group of parameters associated with BGP output | ||
| .affinity(afi | alone | instance | main | remote-as | vrf; Default: ) | Configure output multicore processing. Read more in Routing Protocol Multi-core Support article.
| |
| .default-originate (always | if-installed | never; Default: never) | Specifies default route (0.0.0.0/0) distribution method. | |
| default-prepend (integer [0..255]; Default: ) | ||
| .filter-chain (name; Default: ) | Name of the routing filter chain to be used on the output prefixes. If the chain is not specified, then BGP by default accepts everything. | |
| .filter-select (name; Default: ) | Name of the routing select chain to be used for prefix selection. If not specified, then default selection is used. | |
| .keep-sent-attributes (yes | no; Default: no) | Store in memory sent prefix attributes, required for "dump-saved-advertisements" command to work. By default sent-out prefixes are not stored to preserve the router's memory. An option should be enabled only for debugging purposes when necessary to see currently advertised prefixes. | |
| .network(name; Default: ) | Name of the address list used to send local networks. The network is sent only if a matching IGP route exists in the routing table. | |
| .no-client-to-client-reflection (yes | no; Default: ) | Disable client to client route reflection in Route Reflector setups. | |
| .no-early-cut (yes | no; Default: ) | Early cut is the mechanism, to guess (based on default RFC behavior) what would happen with the sent NPLRI when received by the remote peer. If the algorithm determines that the NLRI is going to be dropped, a peer will not even try to send it. However such behavior may not be desired in specific scenarios, then then this option should be used to disable the early cut feature. | |
| redistribute (bgp,connected,copy,dhcp,fantasy,modem,ospf,rip,static,vpn; Default:) | Enable redistribution of specified route types. | |
| remove-private-as (yes | no; Default: no | If set, then the BGP AS-PATH attribute is removed before sending out route updates if the attribute contains only private AS numbers. The removal process happens before routing filters are applied and before the local, AS number is prepended to the AS path. | |
| router-id (IP | name; Default: main ) | BGP Router ID to be used. Use the ID from the /routing/router-id configuration by specifying the reference name, or set the ID directly by specifying IP. Equal router-ids are also used to group peers into one instance. | |
| routing-table (string; Default: ) | Name of the routing table BGP connections operates on. By default always use the "main" routing table. | |
| save-to (string; Default: ) | Filename to be used to save BGP protocol-specific packet content (Exported PDU) into pcap file. This method allows much simpler peer-specific packet capturing for debugging purposes. Pcap files in this format can also be loaded to create virtual BGP peers to recreate conditions that happened at the time when packet capture was running. | |
| templates (name[,name]; Default: ) | List of template names from which to inherit parameters. Useful feature, to easily configure groups with overlapping configuration options. | |
| use-bfd (yes | no; Default: no) | Whether to use the BFD protocol for faster connection state detection. | |
| vrf (name; Default: main ) | Name of the VRF, to install routes in. | |
Connection
Sub Menu: /routing/bgp/connection
This menu is used to define BGP outgoing connections as well as listen to a single or group of remote BGP peer connections.
In addition to connection-specific parameters, template-specific parameters are also directly exposed in this menu, for easier configuration in simple scenarios (when templates are not necessary).
When local address is not specified, BGP will try to guess the local address depending on the current setup:
- if peer is iBGP
- if loopback available
- pick highest loopback address
- if loopback not available
- pick any highest IP address on the router
- if loopback available
- if peer is eBGP
- if remote peers IP is not from directly connected network:
- and multihop is not set, then throw an error
- and multihop is enabled:
- if loopback available
- pick highest loopback address
- if loopback not available
- pick any highest IP address on the router
- if loopback available
- if remote peers IP is from directly connected network:
- and multihop is not set:
- pick local routers IP address from that connected network
- and multihop is set:
- if loopback available
- pick highest loopback address
- if loopback not available
- pick any highest IP address on the router
- if loopback available
- and multihop is not set:
- if remote peers IP is not from directly connected network:
| Property | Description | |
|---|---|---|
| name (string; Default: ) | Name of the BGP connection | |
| connect (yes | no; Default: yes) | Whether to allow the router to initiate the connection. | |
| listen (yes | no; Default: yes) | Whether to listen for incoming connections. | |
| local - a group of parameters associated with the local side of the connection | ||
| .address (IPv4/6; Default: ::) | Local connection address. | |
| .port(integer [0..65535]; Default:179 ) | Local connection port. | |
| .role(ebgp | ebgp-customer | ebgp-peer | ebgp-provider | ebgp-rs | ebgp-rs-client | ibgp | ibgp-rr | ibgp-rr-client; Default: ) | BGP role, in most common scenarios it should be set to iBGP or eBGP. More information on BGP roles can be found in the corresponding RFC draft https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-open-policy/?include_text=1) | |
| .ttl (integer [1..255]; Default:) | Time To Live (hop limit) that will be recorded in sent TCP packets. | |
| remote - a group of parameters associated with the remote side of the connection | ||
| .address (IPv4/6; Default: ::) | Remote address used to connect and/or listen to. | |
| .port(integer [0..65535]; Default:179 ) | Local connection port. | |
| .as(integer []; Default: ) | Remote AS number. If not specified BGP will determine remote AS automatically from the OPEN message. | |
| .allow-as() | List of remote AS numbers that are allowed to connect. Useful for dynamic peer configuration. | |
| .ttl (integer [1..255]; Default:) | Acceptable Time To Live, the hop limit for this TCP connection. For example, if 'ttl=1' then only single-hop neighbors will be able to establish the connection. This property only affects EBGP peers. | |
| tcp-md5-key (string; Default: ) | Key used to authenticate the connection with TCP MD5 signature as described in RFC 2385. If not specified, authentication is not used. | |
| templates (name[,name]; Default: default) | List of the template names, to inherit parameters from. Useful for dynamic BGP peers. | |
Session
Sub Menu: /routing/bgp/session
This menu shows read-only cached BGP session information. It will show the current status of the session, session flags, last received notification, and negotiated session parameters.
Even if the BGP session is not active anymore, the cache can still be stored for some time. Routes received from a particular session are removed only if the cache expires, this allows to mitigate extensive routing table recalculations if the BGP session is flapping.
Commands:
| Command | Description | |
|---|---|---|
| apply-changes | Apply new config changes to a specified BGP session. Should be called to apply config template changes that are not automatically updated. | |
| clear | Clear all the session flags. For example, to be able to re-establish a session after the prefix limit is reached "limit-exceeded" flag must be cleared. | |
| dump-saved-advertisements | Dump saved advertisements from specified BGP session in the *.pcap file. Filename to store data is set by "save-to" parameter. | |
| refresh | Send route refresh to a specified BGP session. Is used to trigger re-sending all the routes from the remote peer. | |
| resend | Resend prefixes to a specified BGP session. | |
| reset | Reset specified BGP session. | |
| stop | Stop specified BGP session. | |
VPN
Sub Menu: /routing/bgp/vpn
Route Distinguisher
Route Distinguisher is a 64bit integer, which is divided into three parts: type (always 2 bytes), administrator, and value.
Currently, there are three format types defined.
| 2bytes | 2bytes | 2bytes | 2bytes |
|---|---|---|---|
| Type1 | ASN | 4byte value | |
| Type2 | 4-byte IP | value | |
| Type3 | 4-byte ASN | value | |
Properties
| Property | Description | |
|---|---|---|
| disabled (yes | no; Default: ) | ||
| export-filter (name; Default: ) | The name of the routing filter chain is used to filter prefixes before exporting. | |
| export-route-targets (rt[,rt]; Default: ) | Route targets to be added when exporting VPNv4 routes. The accepted RT format is similar to one for Route Distinguishers. | |
| import-filter (integer [0..4294967295]; Default: ) | The name of the routing filter chain is used to filter prefixes before importing. | |
| import-route-targets (rt[,rt]; Default: ) | Import VPNv4 routes with matching route targets. The accepted RT format is similar to one for Route Distinguishers. | |
| label-allocation-policy (per-prefix | per-vrf; Default: ) | ||
| route-distinguisher (string; Default: ) | Helps to distinguish between overlapping routes from multiple VRFs. Should be unique per VRF. Accepts 3 types of formats. Read more>> | |
| vrf (name; Default: ) | Name of the VRF table to install routes to. | |