There are three routers connected together over a switch.
You will configure Router 1 and Router 3 to get them to communicate over OSPF and share infrastructure info. Router 2 already has a running OSPF process and will not need to be configured. Router 1 and Router 3 do not have any IP address configuration so you will also need to configure them appropriately.
Start with the FRR Router (Router 1)
Enter the configuration mode
config t
Set the hostname
hostname FRR-Router1
Set the loopback IP
```
interface lo
 description Loopback interface
 ip address 192.0.2.1/32
```
Set the interface IP which is connected to the switch
```
interface eth0
 description link to Router2
 ip address 10.10.10.1/24
 no shut
exit
exit
```
ping 10.10.10.2
Ensure ping reachability is working before proceeding. Router 3 at this point is not reachable but you must be able to reach Router 2.
Enter the configuration mode and enable OSPF on eth0 and the loopback. First, we will set our router-id as follows:
```
config t
ip router-id 192.0.2.1
```
The below activates OSPF.
```
router ospf
 log-adjacency-changes
 area 0 authentication message-digest
```
Now configure OSPF on the ethernet interface to add it to Area 0. Notice we are using a password to secure our OSPF updates between the routers (Router 2 has this configured and you will do the same on Router 3)
```
interface eth0
 ip ospf area 0
 ip ospf authentication-key ospflab
 ip ospf authentication
```
Do the same on the loopback interface to allow its IP to be included in area 0 updates.
```
interface lo
 ip ospf area 0
exit
exit
! To exit the command prompt
```
sh ip ospf neighbor
You should see something like the below:
```
Neighbor ID     Pri State     Up Time   Dead Time   Address      Interface
192.0.2.2         1 Full/DR   1m50s     39.631s     10.10.10.2   eth0:10.10.10.1
```
This means that a neighbor with the IP 192.0.2.2 has been seen and full adjacency completed. What does the State: Full/DR mean?
sh ip route
You will receive output as below. Observe the Codes. Which routes have you received over OSPF?
```
FRR-Router1# sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

O>* 0.0.0.0/0 [110/10000] via 10.10.10.2, eth0, weight 1, 00:05:50
O   10.10.10.0/24 [110/100] is directly connected, eth0, weight 1, 00:05:51
C>* 10.10.10.0/24 is directly connected, eth0, 00:07:45
O>* 172.16.0.0/13 [110/10000] via 10.10.10.2, eth0, weight 1, 00:05:50
O   192.0.2.1/32 [110/0] is directly connected, lo, weight 1, 00:06:31
C>* 192.0.2.1/32 is directly connected, lo, 00:07:50
O>* 192.0.2.2/32 [110/100] via 10.10.10.2, eth0, weight 1, 00:05:51
```
We will do the same on the Mikrotik router to configure the interface and loopback IP addresses.
Enter the configuration mode and enable OSPF on eth0 and the loopback:
```
/interface bridge
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment="Link to Router2 and Router1"
/ip address
add address=10.10.10.3/24 interface=ether1 comment="Link to Router2 and Router1"
add address=192.0.2.3/32 interface=loopback comment="Loopback Interface"
```
The below command activates OSPF with router ID 192.0.2.3
```
/routing ospf instance
add name=ospf1 router-id=192.0.2.3 version=2
/routing ospf area
add instance=ospf1 name=area0
/routing ospf interface-template
add networks=10.10.10.3/24 area=area0 auth=simple auth-key=ospflab
add networks=192.0.2.3/32 area=area0 auth=simple auth-key=ospflab
```
Notice we have added the OSPF authentication key as was done for FRR.
The following command will show the OSPF neighbors
/routing/ospf/neighbor/print
You should see something similar to the below:
```
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, o - OSPF
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS    GATEWAY            DISTANCE
DAo 0.0.0.0/0      10.10.10.2%ether1       110
DAc 10.10.10.0/24  ether1                    0
DAo 172.16.0.0/13  10.10.10.2%ether1       110
DAo 192.0.2.1/32   10.10.10.1%ether1       110
DAo 192.0.2.2/32   10.10.10.2%ether1       110
DAc 192.0.2.3/32   loopback                  0
```
To ping on the Mikrotik, do as follows:
/ping 192.0.2.1
The above will ping the loopback on Router 1. The route is available via OSPF.
Now go back to the FRR router and see if there are new OSPF neighbors.
There are three routers connected together over a switch, with OSPF carrying the infrastructure prefix routes. All routers are part of Autonomous System Number 64500. Here is a summary of the BGP-related advertisements to be made within this iBGP setup.
You will configure Router 1 and Router 3 to accept the BGP routes being advertised by all routers in AS 64500 and also configure the two routers to advertise their respective prefixes.
The following config is to activate BGP and setup the respective neighbours.
The following commands configure BGP on most Cisco and FRR routers.
```
router bgp 64500
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 192.0.2.2 remote-as 64500
 neighbor 192.0.2.2 description to Router 2
 neighbor 192.0.2.3 remote-as 64500
 neighbor 192.0.2.3 description to Router 3
 !
 address-family ipv4 unicast
  network 198.51.100.0/24
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 soft-reconfiguration inbound
  neighbor 192.0.2.2 prefix-list ROUTER2-IN in
  neighbor 192.0.2.2 prefix-list ROUTER2-OUT out
  neighbor 192.0.2.3 activate
  neighbor 192.0.2.3 soft-reconfiguration inbound
  neighbor 192.0.2.3 prefix-list ROUTER3-IN in
  neighbor 192.0.2.3 prefix-list ROUTER3-OUT out
 exit-address-family
exit
```
Let us look at what each command means:
BGP Command | Description |
---|---|
router bgp 64500 | This enables BGP with Autonomous System Number 64500 |
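bgp log-neighbor-changes | This enables logging of BGP neighbour state changes |
no bgp default ipv4-unicast | Stops neighbours from being activated for IPv4 unicast by default, so each one is activated explicitly under the address family |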
neighbor 192.0.2.2 remote-as 64500 | This sets up the first BGP Neighbour and the ASN |
neighbor 192.0.2.2 description to Router 2 | This is a description for the above neighbour |
neighbor 192.0.2.3 remote-as 64500 | This sets up the second BGP Neighbour and the ASN |
neighbor 192.0.2.3 description to Router 3 | This is a description for the above neighbour |
address-family ipv4 unicast | Specifies unicast routing for the following IP address block |
network 198.51.100.0/24 | This is the network block that this router will advertise |
neighbor 192.0.2.2 activate | Turns on BGP neighbour so that BGP announcements can be sent/received |
neighbor 192.0.2.2 soft-reconfiguration inbound | Allows changes to inbound BGP without restarting BGP |
neighbor 192.0.2.2 prefix-list ROUTER2-IN in | A policy for inbound BGP prefixes |
neighbor 192.0.2.2 prefix-list ROUTER2-OUT out | A policy for outbound BGP prefixes |
neighbor 192.0.2.3 activate | Turns on BGP neighbour so that BGP announcements can be sent/received |
neighbor 192.0.2.3 soft-reconfiguration inbound | Allows changes to inbound BGP without restarting BGP |
neighbor 192.0.2.3 prefix-list ROUTER3-IN in | A policy for inbound BGP prefixes |
neighbor 192.0.2.3 prefix-list ROUTER3-OUT out | A policy for outbound BGP prefixes |
You need to control what your router accepts and advertises in BGP. This is done by having a policy for incoming and outgoing advertisements for each BGP peer. We will start with a policy for advertisements received from and sent to Router 2:
You have the following command in the previous BGP configuration:
“neighbor 192.0.2.2 prefix-list ROUTER2-IN in”.
The below is the actual policy enforcement using the prefix list statement:
```
ip prefix-list ROUTER2-IN seq 5 permit 1.1.1.0/24
ip prefix-list ROUTER2-IN seq 10 deny 0.0.0.0/0 le 32
```
The first line allows the incoming prefix being advertised by Router 2 which is 1.1.1.0/24. The second line denies any further BGP advertisements to be accepted from Router 2. This is important to ensure strict BGP traffic control.
The same must be done for Router 3.
```
ip prefix-list ROUTER3-IN seq 5 permit 3.3.3.0/24
ip prefix-list ROUTER3-IN seq 10 deny 0.0.0.0/0 le 32
```
This enforces that only the prefix 3.3.3.0/24 is accepted from Router 3.
You must also be strict on what BGP advertisements your router sends out. The lines below ensure that you only advertise the prefix 198.51.100.0/24 to Router 2 and Router 3:
```
ip prefix-list ROUTER2-OUT seq 5 permit 198.51.100.0/24
ip prefix-list ROUTER2-OUT seq 10 deny 0.0.0.0/0 le 32
ip prefix-list ROUTER3-OUT seq 5 permit 198.51.100.0/24
ip prefix-list ROUTER3-OUT seq 10 deny 0.0.0.0/0 le 32
```
Your router will advertise the prefix 198.51.100.0/24. To do so, this route must exist in the router's routing table via other protocols or manually inserted. We will manually add it for this lab exercise:
```
config t
ip route 198.51.100.0/24 eth0
exit
```
Try the following commands and assess the output:
sh ip bgp neighbors
to see BGP neighbours
sh ip bgp neighbor 192.0.2.2 advertised-routes
to see routes sent to this neighbor
sh ip bgp neighbor 192.0.2.2 received-routes
to see routes received from this neighbor
sh ip route
To see the router's routing table. Look for the BGP codes
The following config is to activate BGP and setup the respective neighbours.
The following commands configure BGP on most Mikrotik version 7 routers.
```
/routing bgp connection
add address-families=ip as=64500 connect=yes disabled=no input.affinity=alone .filter=ROUTER2-IN \
    listen=yes local.address=192.0.2.3 .role=ibgp name=To-ROUTER2 output.affinity=alone \
    .default-originate=never .filter-chain=ROUTER2-OUT .network=bgp-networks remote.address=\
    192.0.2.2 .as=64500 router-id=192.0.2.3 routing-table=main
add address-families=ip as=64500 connect=yes disabled=no input.affinity=alone .filter=ROUTER1-IN \
    listen=yes local.address=192.0.2.3 .role=ibgp name=To-ROUTER1 output.affinity=alone \
    .default-originate=never .filter-chain=ROUTER1-OUT .network=bgp-networks remote.address=\
    192.0.2.1 .as=64500 router-id=192.0.2.3 routing-table=main
```
Let us look at what the configuration means for each key word:
Parameter | Description |
---|---|
`/routing bgp connection` | The section for configuring BGP (Border Gateway Protocol) connections on the MikroTik router. |
`add` | The command to add a new BGP connection. |
`address-families=ip` | Specifies the address family for the connection. Here, `ip` refers to IPv4 addresses for BGP. |
`as=64500` | Defines the Autonomous System (AS) number for the local router, here set to `64500`. |
`connect=yes` | Indicates whether the BGP connection should actively try to connect. `yes` means the connection is enabled. |
`disabled=no` | Ensures that the connection is not disabled. Setting this to `no` enables the BGP connection. |
`input.affinity=alone` | Defines the input traffic affinity for the connection. `alone` means this connection is not tied to any specific affinity group. |
`.filter=ROUTER2-IN` | Refers to a predefined filter rule named `ROUTER2-IN` that will be applied to incoming BGP routes from the peer. |
`listen=yes` | Specifies that the router will listen for incoming BGP connections. |
`local.address=192.0.2.3` | The local IP address that the BGP session will bind to. This IP address is typically a loopback or a dedicated BGP address. |
`.role=ibgp` | Specifies the role of the BGP peer. `ibgp` indicates an internal BGP peer, meaning both routers are within the same AS. |
`name=To-ROUTER2` | The name assigned to this specific BGP connection. It helps in identifying the connection in the configuration. |
`output.affinity=alone` | Specifies the output traffic affinity for the connection, similar to the input affinity but applied to outbound traffic. |
`.default-originate=never` | Specifies whether the router should originate the default route (`0.0.0.0/0`). `never` means the router will not advertise the default route. |
`.filter-chain=ROUTER2-OUT` | Refers to the `ROUTER2-OUT` filter chain applied to outgoing BGP routes towards the peer. |
`.network=bgp-networks` | Specifies which networks are advertised to the BGP peer. In this case, the `bgp-networks` network is advertised. |
`remote.address=192.0.2.2` | The IP address of the remote BGP peer. In this case, it's `192.0.2.2`. This is the neighbor router for the BGP session. |
`.as=64500` | The AS number of the remote BGP peer. This should match the AS number configured on the remote router. |
`router-id=192.0.2.3` | The unique identifier for the BGP router. It is used to uniquely identify this router in the BGP network. |
`routing-table=main` | Defines which routing table will be used for this BGP session. The `main` table is the default routing table. |
For Mikrotik, the following specifies the inbound policy for each BGP peer (Router 1 and Router 2):
```
/routing filter rule
add chain=ROUTER1-IN rule="if (dst in 198.51.100.0/24) { accept } else { reject }"
add chain=ROUTER2-IN rule="if (dst in 1.1.1.0/24) { accept } else { reject }"
```
The following specifies the outbound policy for each BGP peer (Router 1 and Router 2). This is to permit which prefixes the Mikrotik router will advertise to Router 1 and Router 2:
```
/routing filter rule
add chain=ROUTER2-OUT rule="if (dst in 3.3.3.0/24) { accept } else { reject }"
add chain=ROUTER1-OUT rule="if (dst in 3.3.3.0/24) { accept } else { reject }"
```
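The FRR prefix lists and the Mikrotik filter rules above both restrict what is accepted from Router 2, but they are not equivalent for more-specific prefixes. The following is an added example, not part of the original lab: it models FRR `ip prefix-list` matching (exact length unless `ge`/`le` is given) and, as an assumption about RouterOS v7 behaviour, models `dst in` as subnet containment. The function names and the sample advertisements are constructed for illustration.

```python
import ipaddress

# FRR-style entries from this page: (seq, action, prefix, ge, le)
ROUTER2_IN_FRR = [
    (5, "permit", "1.1.1.0/24", None, None),
    (10, "deny", "0.0.0.0/0", None, 32),
]

def prefix_list_action(entries, route):
    """Return the action of the first matching entry (implicit deny if none)."""
    net = ipaddress.ip_network(route)
    for _seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        entry = ipaddress.ip_network(prefix)
        if not net.subnet_of(entry):
            continue
        if ge is None and le is None:
            # No ge/le: only the exact prefix length matches
            matched = net.prefixlen == entry.prefixlen
        else:
            lo = ge if ge is not None else entry.prefixlen
            hi = le if le is not None else 32
            matched = lo <= net.prefixlen <= hi
        if matched:
            return action
    return "deny"

def routeros_dst_in(network, route):
    """Model of `if (dst in X) { accept } else { reject }`.

    Assumption: `dst in X` is true for X itself and for any
    more-specific prefix contained in X.
    """
    inside = ipaddress.ip_network(route).subnet_of(ipaddress.ip_network(network))
    return "accept" if inside else "reject"

def compare(routes):
    """Map each route to (FRR ROUTER2-IN result, Mikrotik ROUTER2-IN result)."""
    return {r: (prefix_list_action(ROUTER2_IN_FRR, r),
                routeros_dst_in("1.1.1.0/24", r)) for r in routes}

# Constructed sample advertisements from Router 2
SAMPLE = ["1.1.1.0/24", "1.1.1.128/25", "1.1.0.0/16", "0.0.0.0/0"]

if __name__ == "__main__":
    for route, (frr, ros) in compare(SAMPLE).items():
        print(f"{route:<16} FRR={frr:<7} RouterOS={ros}")
```

Under these assumptions the two policies differ only for 1.1.1.128/25: the FRR list denies it while the RouterOS rule accepts it, so a strict exact-match policy on the Mikrotik side also needs a prefix-length condition.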
Your router will advertise the prefix 3.3.3.0/24. To do so, this route must exist in the router's routing table, either learned via other protocols or manually inserted. We will manually add it for this lab exercise. For Mikrotik, this involves adding a firewall address-list entry:
/ip firewall address-list add address=3.3.3.0/24 list=bgp-networks
And also add the route itself into the routing table with the below command:
/ip route add blackhole dst-address=3.3.3.0/24
Recall that in the bgp configuration earlier, we had this statement for each BGP peer: “.network=bgp-networks”. That enables the Mikrotik router to advertise the prefixes included in the firewall list with the name “bgp-networks”. That is all that is needed, now we can test BGP.
Check which prefixes your Mikrotik router is sending out:
/routing bgp advertisements print
You should see something like this:
Check which routes are in the routing table and see if you are receiving routes from Router 1 and Router 2:
/ip route print
Do you see the routes indicated in red below? If so, you are receiving BGP correctly:
Try the following commands to see more info on BGP:
/routing ospf neighbor print
to see BGP neighbours
/routing/bgp/session/print
to see more info on the BGP sessions
Do the following on Mikrotik to see if the BGP full mesh is working:
sh ip bgp neighbors 192.0.2.3 received-routes
sh ip route
You should see something like the below. Do you see the routes indicated with “B”?
Congratulations, you have configured a BGP full mesh in a multi-vendor network.