OSPFv3->BGP aggregate->eBGP host working logic

RouterOS Forwarding Protocols
1

I want to achieve something like this:

router bgp 300
address-family ipv6
aggregate-address 2001:1:AAAA::/48 summary-only
redistribute ospf 1 match internal external route-map FROM_OSPF
!
ipv6 prefix-list FROM_OSPF seq 5 permit 2001:1:AAAA::/48 le 128
!
route-map FROM_OSPF permit 10
match ipv6 address prefix-list FROM_OSPF

FIRSTLY:
I cannot/don’t know how add filter FROM_OSPF on routes imported into BGP from OSPF.
SECONDLY:
I want that prefixes imported into BGP routing table from OSPF with flags DAo to be taken into consideration with aggregate function.
Instead “Include IGP” option in BGP aggregate window is taking routes with flags DAC and DAo (and other IGPs). Can this be divided?

Or better - can aggregate function start to aggregate routes that are already in BGP table and not work as separate function and take prefixes from routing table?
THIRDLY:
The aggregated route has BGP origin attribute set as EGP (on EBGP remote host) - should this not be incomplete ? I have aggregated routes that where redistributed. IGP flag is set when network command in BGP is used, incomplete flag is for redistribution and EGP is … obsolete ?
bgp.png

2

I will post this as a IPv4, feel free to translate to IPv6…

(First Item)
How to Build Filters in MT / ROS …

/routing filter add chain=NAMEOFCHAIN prefix=68.122.0.0/19 prefix-length=19-24 invert-match=no action=accept set-bgp-prepend-path=“”

The above is equivalent to :-

ipv6 prefix-list FROM_OSPF seq 5 permit 2001:1:AAAA::/48 le 128
!
route-map FROM_OSPF permit 10
match ipv6 address prefix-list FROM_OSPF

(Second item)
One does not import into BGP Routing Table, one advertises or receives routes from the BGP Peer into the Routing Table.
So if you are trying to advertise the Route to the BGP Peer, then you can simply do that by using an appropriate filter on the BGP peer.

e.g
/routing add chain=bgp-out match-chain=NAMEOFCHAIN invert-match=no action=accept set-bgp-prepend-path=“”
/routing add chain=bgp-out invert-match=no action=discard set-bgp-prepend-path=“”

If the route is active in the MT, it will get advertised…

(Third Item)
The origin flag has to do with your listing the prefix in the bgp Network tab…

3

Thanks,

I don’t want to have redistributed into BGP connected and other IGPs networks.
This is not about filtering connected routes to other peers on bgp-out chain.
2.
Aggregate function should aggregate ONLY if in BGP table I have redistributed there OSPF routes (not routes from routing table).
When I will aggregate based on connected and other routes in routing table I can end up advertising aggregate route without having one OSPF route in routing table. This is important because router has br0 “loopback” with IP address from the prefix area. But the aggregate function shall not take this into consideration.
3.
Aggregate route on peer doing the aggregation (in the network tab) has the flag set correctly (origin=incomplete) but on remote peer (in routing table) I see origin=EBGP.

4

is it possible that you are getting confused between how OSPF works vs BGP ? or something is getting lost in the translation…

OSPF maintains a separate routing table database, from which only certain routes are added to the main routing table.

however with BGP, all in-coming routes are put thru the filter, and then injected straight into the main routing table… similarly for outgoing advertisements only active routes from the main routing table are then processed thru the filter, (exception being the prefixes specified in the networks statement)… any prefix listed in aggregate will be advertised as soon as the router sees even 1 active route in that range.

If one wants to see all of the OSPF Routes, then you have to look in the OSPF Routes table… but if you want to see all of the BGP Routes, they are listed in the Main Routing Table, with only the preferred routes being active.

5

Okay, thank you.

Lets say I have OSPF routes imported from OSPF table to routing table (so they are the best):
192.168.1.0/24
192.168.2.0/24
10.10.10.0/24
I want to redistribute (filter) only routes that fall into range 192.168.0.0/16 into BGP process.
As the next step, BGP process should distribute routes to neighbors from range 192.168.0.0/16 as aggregate only (also 192.168.0.0/16).

How to accomplish this task in Mikrotik?

6

You would do it, one step at a time…

You will have to use filters in your bgp advertisements … and define your prefix appropriately…(as long as the prefix is in your active routing table) bgp process will advertise it to the peer.

You can use the network aggregation section of bgp to aggregate your advertisement.

7

Redistributing OSPF into BGP is probably a very bad idea.
Let OSPF do its job as your IGP.

(see disclaimer below)*

(EDIT: I’m going to post how to do the aggregation/origination in Mikrotik BGP in my next post)

BGP shouldn’t need a bunch of stuff dumped into its table for it to go sorting through and aggregating. It should just look down into the routing table, and if it sees a prefix it should advertise, then it adds that prefix into BGP. Boom. Done. If it sees no such prefix, then it does not originate the prefix anymore.

Analogy:
Imagine a bird flying over a lake looking for fish. If the bird is looking for rainbow trout, when it sees one, it will dive down and snatch it, and now there’s a rainbow trout in its talons. If there’s no rainbow trout, then it won’t dive. The bird = BGP, the lake = the routing table, the bird’s talons = bgp table… This bird just originally caught the fish. (it originated the route).

Now suppose you dragged a net through the lake and tied it up in a bundle and the bird grabs the net and flies off with the whole thing. Now it goes picking through everything in the net - frogs, snakes, fish it doesn’t want to eat, junk from the bottom - and of course a rainbow trout that it does eat. It just had to carry EVERYTHING before it could pick out what it wanted.

Back to the real world:
Your configuration sounds like a way to have the router withdraw its advertisement of the master /48 prefix if the router loses its inward-facing connectivity, yet remains connected to its eBGP peer(s). (switch failure / cable failure / interface failure / etc) That’s an excellent design, but you don’t need to redistribute OSPF to do it.

Three ways to originate the route without redistributing ospf:
Consider originating a null route to 2001:db8::/48 (use your real prefix(es) here) at your core routers in OSPF. If the border router has reachability to at least one core router, then it is “connected” to your network, and it will see that /48 route in OSPF. Configuring “network 2001:db8::/48” in the border router would then correctly cause it to originate your /48 prefix whenever it sees the route “down” in OSPF - and as the most preferred type of route: Origin IGP, and not atomic aggregate. If you have multiple border routers, they can all originate the same prefix this way.

If your network is really big and you have route reflectors, then you should just originate the prefix at the RRs and let iBGP hand it out to all of your border routers.

If your network isn’t that large, and you just want to use some specific internal prefixes to signal BGP to create the aggregate prefix when they’re reachable, then consider simply originating the more specific “flag” prefixes using network statements. If any of these network statements matches a prefix in the routing table, it will create the prefix in BGP and your aggregate statement will have its prefix to work with. You won’t need a filter - BGP will just originate the prefixes itself and then glue them together with the aggregate statement.

Basically, the goal of bgp the world over, is to forward a packet to whichever router originally held up its hand and said “I know where to go to reach this network” - When the packet reaches that router, BGP is finished, and the IGP takes over.

Redistributed routes are like the Loch Ness monster for BGP - It heard this route exists somewhere nearby, but it never was spotted by any completely believable witness.

“Best Practice Speech” disclaimer:
You know your own network better than I do, and if you have reasons for doing things the way you do, then by all means continue to do so. I simply point out best practices for those who are interested, or who may not have been aware.

8

With Mikrotik, the “include IGP” allows you to do exactly what you want without re-distributing OSPF into BGP.
(If I understand you properly)

What you want is this:
if there exists in OSPF, a prefix which is a subset of 2001:Db8:1234::/48 then you should advertise that prefix as an aggregate route, and suppress the sub-routes from being advertised.
You do not want connected routes to be candidates to create this aggregate prefix.

If this is true, here’s the relevant bgp settings - tested in GNS3 lab.

/routing filter
add action=accept chain=aggregate-ospf-only protocol=ospf
add action=discard chain=aggregate-ospf-only

/routing bgp aggregate
add advertise-filter=aggregate-ospf-only include-igp=yes inherit-attributes=no instance=default prefix=2001:db8:1234::/48

Done.

I tested it with an OSPF neighbor which advertised three prefixes:
2001:db8:bad:4003/64
2001:db8:1234:4004/64
2001:db8:1234:4005/64

I also created locally connected address 2001:db8:1234:3005::1/64

I tested all combinations of ospf routes up/down and connected route up/down.
If either the 4004 or 4005 prefix was in the RIB from ospf, then the eBGP neighbor received 2001:db8:1234::/48
If neither of those routes was in the RIB, but the other ospf route 2001:db8:bad:4003/64 was in the rib, it did not matter… BGP would withdraw the /48 prefix and the eBGP neighbor would no longer show this route.

reachable/unreachable state of the :3005::1/64 prefix did not affect BGP in any way.

FURTHERMORE - static routes which override ospf routes will not match - whenever I reduce the OSPF routes to just one of the 2001:db8:1234:: prefixes, if I put a static route to the same destination, the OSPF route becomes inactive, and BGP withdraws the /48 aggregate. Disabling the static route lets OSPF take over again, and then BGP re-advertises the /48

Finally, I moved the local 2001:db8:1234:3005/64 address off of the BGP router and onto the OSPF router.
This route then caused the /48 to advertise. (thus proving that the range wasn’t restricted to 4xxx)

At no time did I specify that ospf should be redistributed into BGP.

9

Good discussion…something I wanted to add for clarification.

Unlike Cisco, MikroTik does not require the exact mask length of a route to be present to advertise it in BGP. Actually, it doesn’t need a single route in the routing table to advertise into BGP.

When using the /routing bgp aggregate command, it only considers BGP routes by default and will not include routes from an IGPor connected unless you add the command include-igp.

Since you only want routes that are being redistributed into BGP from OSPF, you ccan always couple the aggregate with an outbound route filter that has prefix length restrictions as well as subnet matching.

That way you can advertise an aggregate, but only leak the prefixes and prefix lengths you expect to be advertised in BGP.

http://wiki.mikrotik.com/wiki/Manual:Routing/BGP#Aggregate

10

Another “unlike Cisco” behavior is that a network origination statement in ROS, by default is not looking in the routing table either. The “synchronize” checkbox is not checked.

I wonder what’s worse for BGP newbies (not calling OP a newbie) -
Default behavior that doesn’t follow “best practices” per-se, but makes it easier to get up and running
-or-
Default behavior that favors best practices, but leads to hair pulling when you clearly put that network statement there, but it’s just not going into BGP. Why!?!?!??