BGP filter with mikrotik


In this webinar, we start with an introduction to BGP: AS-to-AS connections, a comparison of BGP routing with traditional routing, and BGP peering. We then discuss the problems that can occur during BGP peering, their effects, and the solution. Finally, we cover an example of how to configure a BGP filter on MikroTik.

The recording is available on YouTube (GLC Networks Channel):

  1. BGP filter
     GLC webinar, 10 August 2017
     Achmad Mardiansyah, GLC Networks, Indonesia
  2. Agenda
     ● Introduction
     ● BGP
     ● BGP filter
     ● Demo
     ● Q & A
  3. What is GLC?
     ● Garda Lintas Cakrawala (
     ● An Indonesian company
     ● Located in Bandung
     ● Areas: Training, IT Consulting
     ● Mikrotik Certified Training Partner/Consultant/Distributor
     ● Ubiquiti Certified Trainer/Consultant
     ● RedHat Certified Trainer
  4. About GLC webinar?
     ● First webinar: January 1, 2010 (title: tahun baru bersama solaris - new year with Solaris OS)
     ● As a sharing event with various topics: Linux, networking, wireless, database, programming, etc.
     ● Regular schedule: every 2 weeks
     ● Irregular schedule: as needed
     ● Checking schedule: hedule
     ● You are invited to be a presenter
       ○ No need to be an expert
       ○ This is a forum for sharing: knowledge, experiences, information
  5. Trainer Introduction
     ● Name: Achmad Mardiansyah
     ● Base: Bandung, Indonesia
     ● Linux user (since 1999), Mikrotik user (since 2007), ubnt user (since 2011)
     ● Certified Trainer (Mikrotik, Ubiquiti, Redhat)
     ● Certified Consultant
     ● Work: Telco engineer, Sysadmin, PHP programmer, and Lecturer
     ● Personal website:
     ● More info:
  6. Please introduce yourself
     ● Your name
     ● Your company/university?
     ● Your networking experience?
     ● Your mikrotik experience?
     ● Your expectation from this course?
  7. BGP
  8. AS and BGP
     ● AS (Autonomous System)
       ○ A collection of routers and prefixes under a single administration (can be an organisation) that also applies a single routing policy
       ○ An AS is identified by an AS number, given by IANA via a Regional Registry
     ● BGP (Border Gateway Protocol)
       ○ A protocol used between ASes for exchanging routing information (prefixes)
       ○ BGP sees an AS as a (big) node that can forward packets based on layer 3
  9. Traditional routing vs. BGP routing
     ● Traditional routing: based on router hop count
     ● BGP routing: based on AS hop count
  10. BGP peering
      BGP peering types:
      ● Internal (iBGP)
        ○ Peering inside an AS
        ○ Usually backed up by an IGP (Interior Gateway Protocol), e.g. OSPF, RIP, EIGRP, etc.
        ○ Unless a route reflector is used, every router inside the AS needs to set up peering with every other router (full-mesh peering).
      ● External (eBGP)
        ○ Peering between AS border routers
      During eBGP peering, each router will exchange:
      ● Outgoing: inform the world of its own prefixes
      ● Incoming: receive prefixes from other ASes
  11. BGP peering problem (example)
      ● Announcing a wrong prefix
        ○ Example: AS2 announcing wrong prefix (e.g. to AS5 and AS3
      ● Receiving a wrong prefix
        ○ Example: AS3 and AS5 receiving wrong prefix ( from AS 2
  12. BGP peering problem (effect)
      ● Other ASes (AS5, AS3, AS4, AS1) will see the prefix as very close to them, compared to the real AS that owns that IP block
      ● Traffic goes to will be forwarded to AS2
      ● AS2 will receive a flood of traffic
      ● Packets never reach the destination (because they landed in the wrong AS)
      ● Packets will move around in AS2 until the TTL expires -> causing congestion
      ● Customers complain that the internet is slow
  13. BGP peering problem (solution)
      ● Set up an outgoing filter on AS2
        ○ Only allow prefixes that AS2 really owns
      ● Set up an incoming filter on AS3 and AS5
        ○ Only allow prefixes that AS2 really owns
      BGP FILTER is used to protect YOU from INTERNET and to protect INTERNET from YOU
  14. BGP filter on Mikrotik
  15. Filter on BGP peering
      A filter can be applied on BGP peering:
      - In-filter
      - Out-filter
      This is only an example, not taken from a real environment
  16. /routing filter (outgoing)
      ● Outgoing filter
        ○ In this example we only allow our own prefix ( to announce it to moratel peer
          /routing filter add action=accept chain=moratel-out prefix= prefix-length=23-24
        ○ Reject anything else
          /routing filter add action=reject chain=moratel-out
  17. /routing filter (incoming)
      ● Incoming filter
        ○ In this example we only allow prefixes from moratel to enter our routing table
          /routing filter add action=accept chain=moratel-in prefix= prefix-length=8-24
        ○ Reject anything else
          /routing filter add action=reject chain=moratel-in
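The out-filter logic from slides 13 and 16, modelled in Python as an added example (not from the webinar, and not RouterOS code). It assumes a rule carrying both `prefix` and `prefix-length` matches any route inside that prefix whose mask length falls in the range; the prefix `10.20.0.0/23` and the candidate routes are constructed placeholders, because the slide's real prefix is not on the page.

```python
import ipaddress

# Constructed placeholder for "our own prefix" (the slide's value is missing).
OWN_PREFIX = "10.20.0.0/23"

# One tuple per "/routing filter add" line: (action, prefix, (min_len, max_len)).
# prefix=None stands for a rule with no match criteria, like the final reject.
MORATEL_OUT = [
    ("accept", OWN_PREFIX, (23, 24)),
    ("reject", None, None),
]

def rule_matches(rule, route):
    """True if the route lies inside the rule's prefix and its length is in range."""
    _, prefix, length_range = rule
    if prefix is None:
        return True
    net = ipaddress.ip_network(route)
    lo, hi = length_range
    return net.subnet_of(ipaddress.ip_network(prefix)) and lo <= net.prefixlen <= hi

def evaluate(chain, route):
    """First matching rule decides. The slides end every chain with an explicit
    reject, so nothing falls through; this model reports that case as 'no-match'."""
    for rule in chain:
        if rule_matches(rule, route):
            return rule[0]
    return "no-match"

def filter_announcements(chain, routes):
    return {route: evaluate(chain, route) for route in routes}

# Constructed candidate announcements toward the peer.
CANDIDATES = [
    "10.20.0.0/23",    # own aggregate
    "10.20.1.0/24",    # own more-specific, still within 23-24
    "10.20.1.128/25",  # inside own block but too specific
    "10.20.0.0/16",    # covering prefix we do not own as a whole
    "203.0.113.0/24",  # someone else's block: the "wrong prefix" case of slide 11
]

if __name__ == "__main__":
    for route, verdict in filter_announcements(MORATEL_OUT, CANDIDATES).items():
        print(f"{verdict:6} {route}")
```

The same `evaluate` function models the in-filter on the receiving AS: swap in a chain whose accept rule names the prefixes the peer really owns.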