Mikrotik RouterOS v6 vs v7 BGP notes.

I will give a bit of a summary of the differences between Mikrotik’s RouterOS v6 and v7 BGP setup and configuration. This is not supposed to be exhaustive; my knowledge isn’t. I just want to aggregate some info so I can direct people to it. If people want to help me out with some of the missing information I would be more than grateful.

Note, all of my examples of RouterOS will be from 6.48.1(v6) and 7.1(v7) since that’s what I am running on my home router. Yes, I run BGP on my home router.

I would highly recommend duplicating your config onto another router running v6 and doing a straight upgrade to RouterOS v7.1. I have done it multiple times and it works pretty well, with the most significant issues being in filters. Mikrotik has done a ton of work to make a direct conversion work (in both directions: you can downgrade your router and get your old configuration back, though Mikrotik does not promise this, so don’t bet money on it…). You might also catch some holdover issues with your configuration.

This means that an export backup from v6 will not be importable in v7 if you are running BGP. I believe this issue affects OSPF and a few different menus. Just a heads up.

Mikrotik has removed all of the old menus. I am just going to give a broad overview of how v7 replaces, or doesn’t, the Instance, Networks, Aggregates and Advertisements menus, which used to be all you needed to get your router talking BGP to an upstream provider or internally in your network.

Firstly Instance:

You can think of Instance being moved completely over to Template, but you would have the wrong idea and get yourself into trouble if you do. Unlike in v6 there are no longer different BGP instances, just different VRFs. Practically, this doesn’t mean all that much to the simple user, or even an advanced user. If you need to separate out your routes, send them to a unique VRF.

Template is more accurately described by its name: think of it as a reusable group of settings that you can apply to different BGP connections.

Technically Instance is entirely gone; you no longer need to create separate instances of BGP (nor did you ever really need to). While it was tempting, it frequently caused beginners to create headaches for themselves that were not simple to diagnose or understand. While you no longer “need” the Instance menu, Templates are pretty useful for replicating the features it gave us.

| v6 command “/routing bgp instance set default” | v7 command “routing/bgp/connection/set default” | Change effect |
|---|---|---|
| as | as | none |
| client-to-client-reflection | output.no-client-to-client-reflection | Reversed (default was enabled in v6) |
| cluster-id | cluster-id | none |
| comment | N/A | Removed |
| confederation | Moved to AS, you place the confederation AS then a “/” then your router’s AS | Little |
| confederation-peers | I’m not sure, help would be appreciated | Unknown, Mikrotik’s documentation says they support confederation in v7 |
| disabled | disabled | not a good way, you will probably break stuff if you do it this way… |
| ignore-as-path-length | input.ignore-as-path-len | none |
| name | name | none |
| out-filter | output.filter-chain | little, see below for out-filter |
| redistribute-connected | output.redistribute=connected | little, these are now options that you need to add to a group |
| redistribute-static | output.redistribute=static | |
| redistribute-rip | output.redistribute=rip | |
| redistribute-ospf | output.redistribute=ospf | |
| redistribute-other-bgp | output.redistribute=bgp | |
| router-id | router-id | none |
| routing-table | routing-table | none |

Note: output.redistribute has vpn, fantasy, modem, dhcp and copy, which allow us to redistribute stuff learned from some new specific sources. Have fun exploring.

Peers:

It’s completely replaced with /routing/bgp/connections/ and peer-cache/

Connections/ is where you manage all of your BGP peering settings while peer-cache/ is where you view the actual active sessions and information about them.

Here are the settings and their corresponding settings in v7

| v6 command “routing bgp peer add” | v7 command “routing/bgp/connection/add” | Changes/notes |
|---|---|---|
| address-families | address-families | none |
| disabled | disabled | none |
| multihop | multihop | none |
| route-reflect | ? | I don’t use route reflection in my networks, so I have not followed it in v7. |
| allow-as-in | input.allow-as-in | none |
| hold-time | hold-time | none |
| name | name | none |
| tcp-md5-key | tcp-md5-key | none |
| as-override | as-override | none |
| in-filter | input.filter | little, if a route filter is specified then default is drop everything. If not, then default is to accept everything. |
| nexthop-choice | nexthop-choice | none |
| ttl | local.ttl | little, there is also a remote.ttl. Probably none, but discussed below |
| cisco-vpls-nlri-len-fmt | cisco-vpls-nlri-len-fmt | Seems similar, Mikrotik has a dead link to documentation about this |
| instance | n/a, template | You can use template if you want to standardize your settings. |
| out-filter | output.filter | little, if you specify a filter the default is to drop all prefixes. If not, then default is to accept all prefixes. |
| update-source | local.address | little, You MUST SPECIFY THIS NOW. |
| comment | N/A | Removed |
| keepalive-time | keepalive-time | none |
| passive | connect/listen | Technically just listen, but connect is disabled by default. Turn on both. |
| use-bfd | use-bfd | none |
| copy-from | copy-from | none |
| max-prefix-limit | I’m not sure, help would be appreciated | ? |
| remote-port | remote.port | none |
| remote-address | remote.address | none |
| default-originate | output.default-originate | none |
| max-prefix-restart-time | I’m not sure, help would be appreciated | ? |
| remove-private-as | remove-private-as | none |
| remote-as | remote.as | none |

Note, you need to specify output.network (an address list you create that replaces networks & aggregates)

Not sure about the remote.ttl, but I guess it should be a slight security measure to prevent BGP spoofing attacks.

There are a whole group of new filters. I recommend using the commands that I specify, because it leaves you with more diagnostics information, but if you want to squeeze out a little more performance you can use input.accept-nlri to filter down routes without them being saved in memory (like v6 filters used to work).

Peer-cache will have all the information you need available for session state. If the entry is missing from the list then the BGP session is in “idle” state or has never established a connection (probably a configuration issue). If it exists in the list, then it’s either connecting or established.
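A post-upgrade check for the points in the table and notes above, as an added example that is not part of the original notes or Mikrotik's tooling: it parses a v7 connection export and flags connections with no local.address, no input or output filter, or no output.network. The export text is constructed, and it assumes the export's dotted shorthand (".as=" following "remote.address=" means "remote.as=").

```python
import shlex

# Constructed sample of a v7 "/routing bgp connection" export (not a real router).
# Exports abbreviate repeated prefixes: ".as=" after "remote.address=" is "remote.as=".
SAMPLE_EXPORT = """\
/routing bgp connection
add as=64497 local.address=192.0.2.2 .role=ebgp name=upstream \\
    remote.address=192.0.2.1 .as=64496 input.filter=upstream-in \\
    output.filter-chain=upstream-out .network=bgp-networks
add as=64497 name=lab-peer remote.address=198.51.100.1 .as=64511
"""

def parse_connections(export):
    """Return one dict per 'add' line with the '.key' shorthand expanded."""
    conns = []
    for line in export.replace("\\\n", " ").splitlines():  # join continuations
        if not line.strip().startswith("add "):
            continue
        conn, prefix = {}, ""
        for token in shlex.split(line)[1:]:
            key, _, value = token.partition("=")
            if key.startswith("."):        # shorthand: reuse the last prefix
                key = prefix + key
            elif "." in key:               # remember "local", "remote", ...
                prefix = key.split(".", 1)[0]
            conn[key] = value
        conns.append(conn)
    return conns

def lint(conn):
    """Findings that follow from the v6 -> v7 notes in the table above."""
    findings = []
    if "local.address" not in conn:
        findings.append("local.address not set (v6 update-source)")
    if "input.filter" not in conn:
        findings.append("no input filter: all received prefixes are accepted")
    # The page spells the output filter both ways, so accept either key.
    if not conn.keys() & {"output.filter", "output.filter-chain"}:
        findings.append("no output filter: all prefixes are accepted for output")
    if "output.network" not in conn:
        findings.append("output.network not set: no address list of networks")
    return findings

def audit(export):
    """Map each connection name to its list of findings."""
    return {c.get("name", "?"): lint(c) for c in parse_connections(export)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(name, findings or "ok")
```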

Advertisements

Completely gone, not replaced

I am not kidding, there’s no easy way to view the routes you are advertising to specific peers or any routes that you are advertising… This will be the most difficult part for beginners and people trying to learn.

The closest is “/routing/bgp/connection/set save-to=filename” “to be used to save BGP protocol-specific packet content (Exported PDU) into pcap file. This method allows much simpler peer-specific packet capturing for debugging purposes.” (Copied from Mikrotik’s documentation)

My solution to this problem is to set up a v7 router that accepts BGP connections from anywhere and accepts all routes sent to it. This way you can see what routes you are sending out by just changing the remote.address and remote.as you are using. It’s not a good solution, but it’s a workaround.

Networks

This change affects two types of people differently: those who had their BGP set up properly (in which case the change affects them minimally), and those who disabled “synchronize” in the network tab or used “redistribute-connected/static/…” to make BGP work in v6.

Networks have been moved to /ip/firewall/address-list and /ipv6/firewall/address-list: you create an address list of the routes you want to advertise. The problem is that the route you want to advertise MUST be in your route table; there is no way to force Mikrotik’s BGP to advertise a route that it doesn’t have in its route table (except for a default route).

I have seen several people bitten by this problem, especially if they didn’t have proper aggregation working. Speaking of…

Aggregates

Totally gone. Technically since a route won’t be advertised unless it is both in the route table and in your output.network address list, you don’t need aggregation anymore.
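The rule from the Networks and Aggregates sections (a prefix goes out only if it is in both the output.network address list and the route table) can be checked before an upgrade. This is an added example, not from the original notes: the prefixes are constructed, and it assumes the route table must hold exactly the same prefix, so a covering or more-specific route does not count.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not from a real router).
ADDRESS_LIST = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]
ROUTE_TABLE = ["0.0.0.0/0", "203.0.113.0/24", "198.51.100.0/25",
               "198.51.100.128/25", "2001:db8::/32"]

def advertisable(address_list, route_table):
    """Split output.network entries into (advertised, skipped).

    Assumption: an entry is advertised only when the route table holds a
    route for exactly the same prefix.
    """
    routes = {ipaddress.ip_network(r) for r in route_table}
    sent, skipped = [], []
    for entry in address_list:
        net = ipaddress.ip_network(entry)
        if net in routes:
            sent.append(entry)
            continue
        # Explain the miss by listing the near matches in the route table.
        same_family = [r for r in routes if r.version == net.version and r != net]
        detail = {
            "more_specific": sorted(str(r) for r in same_family if r.subnet_of(net)),
            "covering": sorted(str(r) for r in same_family if net.subnet_of(r)),
        }
        skipped.append((entry, detail))
    return sent, skipped

if __name__ == "__main__":
    sent, skipped = advertisable(ADDRESS_LIST, ROUTE_TABLE)
    print("advertised:", sent)
    for entry, detail in skipped:
        print("not advertised:", entry, detail)
```

Here 198.51.100.0/24 is skipped because the table only holds its two /25 halves, which is the case that bites configurations that relied on v6 aggregates.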

I hope this is a useful summary and set of notes.
