BGP Basic Peering

BGP Basic Peering

Version Info

RouterOS 7.16 | Min: v7.0+ | :clock1: 20 minutes | :red_circle: Advanced

Tested on: 7.16 7.14

Version-specific notes

• v7.x: Completely new BGP architecture (instance/template/connection)
• RouterOS v6 BGP configuration is significantly different and not covered here

TL;DR (Quick Start)

For the impatient: basic eBGP peering with an upstream provider.

# Create BGP instance with your AS number
/routing bgp instance add name=main as=65001

# Configure peering connection
/routing bgp connection add name=upstream remote.address=10.0.0.2 instance=main local.role=ebgp

Verify:

/routing bgp session print

Expected: State=established

Overview

What this does: BGP (Border Gateway Protocol) is the routing protocol that powers the Internet, enabling policy-based routing between autonomous systems (AS). Use it for ISP connectivity, multi-homing, and large-scale networks.

When to use this:

• Connecting to ISPs with your own AS number
• Multi-homing (multiple upstream connections)
• Advertising your own IP prefixes
• Large enterprise or service provider networks

RouterOS v7 BGP Architecture:

Component	Purpose
Instance	Defines AS number and router ID
Template	Default settings for connections
Connection	Individual BGP peer configuration
Session	Active BGP session status

Prerequisites:

• RouterOS 7.x (v6 uses different config model)
• AS number (private 64512-65534 or public)
• Peering agreement with upstream provider
• Firewall allowing TCP port 179

Common Mistakes

• Don’t mix RouterOS v6 and v7 BGP syntax - they’re completely different
• Don’t forget to create a blackhole route for prefixes you advertise
• Don’t ignore TCP port 179 in your firewall - BGP needs it

Configuration Steps

Step 1: Create BGP Instance

Define your AS number:

/routing bgp instance add name=main as=65001 router-id=10.0.0.1

Properties:

• name - Instance identifier
• as - Your autonomous system number
• router-id - Unique identifier (typically loopback IP)

Step 2: Configure BGP Connection

Add a peer:

/routing bgp connection add name=upstream \
    remote.address=10.0.0.2 \
    instance=main \
    local.role=ebgp

Properties:

• remote.address - Peer’s IP address
• instance - BGP instance name
• local.role - ebgp (external) or ibgp (internal)

Step 3: Verify Session

/routing bgp session print

Expected output:

Flags: E - ESTABLISHED
#   INSTANCE  REMOTE-ADDRESS  AS     STATE       UPTIME
0 E main      10.0.0.2        65002  established 00:05:23

Advertising Networks

To advertise your prefixes to peers:

Step 1: Create Blackhole Route

/ip route add dst-address=192.168.1.0/24 blackhole comment="BGP advertise"

Step 2: Create Network Filter

/routing filter rule add chain=bgp-out rule="if (dst in 192.168.1.0/24) {accept}"

Step 3: Apply to Template

/routing bgp template set default output.network=bgp-out

MD5 Authentication

Secure your BGP session:

/routing bgp connection set upstream tcp-md5-key="your-secret-key"

Both peers must use the same key.

Multihop eBGP

For peers not directly connected:

/routing bgp connection add name=multihop-peer \
    remote.address=203.0.113.1 \
    instance=main \
    local.role=ebgp \
    multihop=yes \
    remote.ttl=5

Routing Filters

Control what routes you accept and advertise:

Input Filter (Received Routes)

# Reject default route from peer
/routing filter rule add chain=bgp-in rule="if (dst == 0.0.0.0/0) {reject}"

# Accept everything else
/routing filter rule add chain=bgp-in rule="accept"

# Apply filter
/routing bgp template set default input.filter=bgp-in

Output Filter (Advertised Routes)

# Only advertise specific prefixes
/routing filter rule add chain=bgp-out rule="if (dst in 192.168.0.0/16) {accept}"
/routing filter rule add chain=bgp-out rule="reject"

# Apply filter
/routing bgp template set default output.filter=bgp-out

iBGP Configuration

For internal BGP between your routers:

/routing bgp connection add name=ibgp-peer \
    remote.address=10.0.0.3 \
    instance=main \
    local.role=ibgp

Community Tips

• iBGP preserves next-hop from eBGP - ensure IGP routes to eBGP next-hops exist
• iBGP requires full mesh or route reflectors to avoid routing loops
• Use loopback addresses for iBGP peering for resilience

Verification Commands

# BGP instances
/routing bgp instance print

# Configured connections
/routing bgp connection print

# Active sessions
/routing bgp session print
/routing bgp session print detail

# Received routes
/ip route print where bgp

# BGP logs
/log print where topics~"bgp"

Troubleshooting

Symptom	Cause	Solution
Session stuck in Connect/Active	TCP issue, firewall	Check connectivity, allow port 179
Session up but no routes	Peer not advertising, filters	Check peer config, verify input filters
Routes received but inactive	Better route exists, next-hop unreachable	Check route details, verify next-hop
Session flapping	Network instability, aggressive timers	Increase hold-time, check links
AS mismatch error	Wrong AS configured	Verify AS numbers match agreement
iBGP routes not active	Next-hop unreachable	Add IGP route to eBGP next-hop

Common Mistakes

• Don’t advertise prefixes without a blackhole route - may cause routing loops
• Don’t use aggressive hold-times with unstable links
• Don’t forget iBGP requires routes to eBGP next-hops via IGP
• Don’t run BGP on SMIPS devices - not supported

Firewall Rules

Allow BGP traffic:

/ip firewall filter add chain=input protocol=tcp dst-port=179 \
    src-address=10.0.0.2 action=accept comment="BGP from upstream"

Template Properties

Property	Default	Description
hold-time	3m	BGP hold timer
keepalive-time	1m	Keepalive interval
input.filter	-	Filter for received routes
output.filter	-	Filter for advertised routes
output.network	-	Networks to advertise

Related Topics

• Routing Filters - BGP policy control
• OSPF - Interior routing for iBGP next-hops
• BFD - Fast failure detection
• Firewall - Protect BGP sessions

Reference

• MikroTik BGP Documentation