Basic Mikrotik BGP filter rules

Below are some basic Filter Rules for Mikrotik BGP filtering.  These are not complex and can be very easily implemented on your BGP peers.

Before we get to the code there are a few assumptions
1.Your own IP space in this example is 1.1.1.0/22
2.These filters are not fancy and are geared toward upstream ISPs, not your own internal routers or clients.
3.If you copy and paste the below code make sure there is one command per line.  Some browsers will cut the line off and then it won’t paste right.  If in doubt paste it into notepad, textedit, etc. and clean it up.

/routing filter
add action=discard chain=INET-IN comment="BEGIN INET-IN" prefix=127.0.0.0/8 protocol=bgp
add action=discard chain=INET-IN prefix=10.0.0.0/8 protocol=bgp
add action=discard chain=INET-IN prefix=169.254.0.0/16 protocol=bgp
add action=discard chain=INET-IN prefix=172.16.0.0/12 protocol=bgp
add action=discard chain=INET-IN prefix=192.168.0.0/16 protocol=bgp
add action=discard chain=INET-IN prefix=224.0.0.0/3 protocol=bgp
add action=discard chain=INET-IN prefix=1.1.1.0/22 protocol=bgp
add action=discard chain=INET-IN prefix-length=25-32 protocol=bgp
add action=discard chain=INET-IN protocol=bgp
add action=accept chain=INET-OUT comment="BEGIN INET OUT" prefix=1.1.1.0/22 protocol=bgp
add action=discard chain=INET-OUT protocol=bgp

So what does this do?
-The first 6 lines filter out non routeable IP space.  There should be no reason these are being advertised to you from the public internet.

-Next we are saying if we see our own IP space being advertised to us (in this case 1.1.1.0/22) discard that.  There should be no reason we see our own IP space on a public peer.

-The next line filters out prefixes that are a /25 and smaller.  Just about every provider out there has a minimum size of a /24 they will accept as an advertisement.  If you are getting anything smaller it’s a good practice to drop that.  If there happens to be smaller prefixes they can be sent to a default route to the provider.  This helps trim your routing table, which makes lookups and convergence time quicker.

Under the INET-OUT rules we are advertising our IP space to our upstream.

Pretty simple eh? We could get complicated and add in chains, and more rules. But, this is a start.  We will do some more advanced rules in a later post.

What is a DCI?

As you get more and more into Cisco Data Center terminology you come across the term DCI.  DCI is a Data Center Interconnect. DCI’s typically come in 3 categories.

Dark Fiber (CWDM/DWDM)
MPLS Layer 2 VPN (VPWS/VPLS)
MPLS Layer 3 VPN

A DCI is basically a LAN extension over one of the above methods.