Here is a basic example of how to configure OSPF (Open Shortest Path First) on MikroTik routers. Please note that the exact commands may vary depending on the specific version of RouterOS you are using.

Here’s a step-by-step guide to configuring OSPF on MikroTik routers:

  1. Connect to your MikroTik router using SSH, Telnet, or the Winbox graphical interface.
  2. Enter the configuration mode by typing /ip route ospf or navigating to IP > Route > OSPF in Winbox.
  3. Configure the OSPF router ID. The router ID is a unique identifier for the OSPF process on each router. To set the router ID, use the following command:
   /routing ospf instance set [find] router-id=[YOUR_ROUTER_ID]

Replace [YOUR_ROUTER_ID] with the desired router ID, which can be an IP address.

  4. Configure OSPF areas. OSPF uses areas to logically group routers. Use the following command to add an OSPF area:
   /routing ospf area add name=[AREA_NAME]

Replace [AREA_NAME] with a name for your OSPF area.

  5. Add interfaces to the OSPF process. OSPF will only run on interfaces that are explicitly enabled for OSPF. Use the following command to add an interface to OSPF:
   /routing ospf interface add interface=[INTERFACE_NAME] network-type=broadcast area=[AREA_NAME]

Replace [INTERFACE_NAME] with the name of the interface you want to enable OSPF on and [AREA_NAME] with the name of the OSPF area you configured in the previous step.

  6. Optionally, adjust OSPF network costs. OSPF uses costs to determine the preferred paths. By default, MikroTik assigns costs based on interface bandwidth. If you want to adjust the cost, you can use the following command:
   /routing ospf interface set [find interface=[INTERFACE_NAME]] cost=[COST_VALUE]

Replace [INTERFACE_NAME] with the name of the interface you want to adjust the cost for, and [COST_VALUE] with the desired cost value.

  7. Configure OSPF authentication (if needed). If you want to enable OSPF authentication, you can use the following command (RouterOS accepts authentication=simple or authentication=md5 here; md5 avoids sending the key in clear text):
   /routing ospf interface set [find interface=[INTERFACE_NAME]] authentication=md5 authentication-key=[AUTHENTICATION_KEY]

Replace [INTERFACE_NAME] with the name of the interface you want to enable authentication for, and [AUTHENTICATION_KEY] with the desired authentication key. Every router on that segment must use the same key, or the adjacency will not form.

  8. Save the configuration changes by typing /system backup save or using the Save button in the Winbox interface.

That’s it! You have now configured OSPF on your MikroTik routers. Repeat these steps on all the routers you want to participate in the OSPF process. Remember to adjust the OSPF area, interface, cost, and authentication settings based on your network requirements.
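As an added example (not part of the original post), a small Python helper that renders the commands from the steps above for several routers at once and checks the design first: unique router IDs, areas that are actually defined, an authentication key on every OSPF interface, and a cost within range. The router names, addresses and key are constructed placeholders; the MD5 parameters assume RouterOS v6 syntax.

```python
from typing import Dict, List

# Constructed sample: two routers in one area sharing one MD5 key.
# Every value here is a placeholder for illustration, not a real deployment.
ROUTERS: Dict[str, dict] = {
    "r1": {"router_id": "10.255.0.1", "interfaces": [
        {"name": "ether2", "area": "area1", "cost": 10, "auth_key": "s3cr3t"}]},
    "r2": {"router_id": "10.255.0.2", "interfaces": [
        {"name": "ether2", "area": "area1", "cost": 10, "auth_key": "s3cr3t"},
        {"name": "ether3", "area": "area1", "cost": 100, "auth_key": "s3cr3t"}]},
}
AREAS = ["area1"]

def validate(routers: Dict[str, dict], areas: List[str]) -> List[str]:
    """Checks worth running before pushing the same OSPF design to every router."""
    errors = []
    ids = [r["router_id"] for r in routers.values()]
    if len(set(ids)) != len(ids):
        errors.append("duplicate router-id: each OSPF router needs a unique ID")
    for host, r in routers.items():
        for i in r["interfaces"]:
            if i["area"] not in areas:
                errors.append(f"{host}/{i['name']}: area {i['area']} is not defined")
            if not i.get("auth_key"):
                errors.append(f"{host}/{i['name']}: no authentication key, so any "
                              "device on that segment could form an adjacency")
            if not 1 <= int(i.get("cost", 10)) <= 65535:
                errors.append(f"{host}/{i['name']}: cost must be within 1..65535")
    return errors

def render(r: dict, areas: List[str]) -> List[str]:
    """Render one router's commands in the form the steps above use."""
    lines = [f"/routing ospf instance set [find] router-id={r['router_id']}"]
    lines += [f"/routing ospf area add name={a}" for a in areas]
    for i in r["interfaces"]:
        lines.append(
            f"/routing ospf interface add interface={i['name']} network-type=broadcast "
            f"area={i['area']} cost={i['cost']} authentication=md5 "
            f"authentication-key={i['auth_key']} authentication-key-id=1")
    return lines

if __name__ == "__main__":
    problems = validate(ROUTERS, AREAS)
    if problems:
        raise SystemExit("\n".join(problems))
    for host, r in ROUTERS.items():
        print(f"# {host}\n" + "\n".join(render(r, AREAS)))
```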

If you ever wanted to set up a simple and FREE system to mitigate DDoS/DoS attacks, then sFlow-rt is the way to go. It’s simple to set up and configure.

You can find installation instructions here: https://sflow-rt.com/intro.php

Once you install it, you can find the ddos-protect module along with installation instructions here: https://github.com/sflow-rt/ddos-protect

Once all that is done, you can start modifying it for your environment. In our client’s case, there were 2 edge routers to which we had to create the BGP sessions, so that the flowspec rules could be pushed to them.

The edge routers in this case were Juniper MX240’s. The config for the sessions looked like so:

set protocols bgp group IBGP-DDOS neighbor x.x.x.x local-address y.y.y.y
set protocols bgp group IBGP-DDOS neighbor x.x.x.x family inet unicast prefix-limit maximum 100
set protocols bgp group IBGP-DDOS neighbor x.x.x.x family inet unicast prefix-limit teardown
set protocols bgp group IBGP-DDOS neighbor x.x.x.x family inet flow no-validate DDOS_FS_POLICY  #Enables flowspec
set protocols bgp group IBGP-DDOS neighbor x.x.x.x export IBGP-DDOS-EXPORT  #Prevents the routers from sending routes TO the flowspec server
set protocols bgp group IBGP-DDOS neighbor x.x.x.x peer-as 22418

set policy-options policy-statement DDOS_FS_POLICY from neighbor x.x.x.x
set policy-options policy-statement DDOS_FS_POLICY then accept

set policy-options policy-statement IBGP-DDOS-EXPORT term DENY_ALL then reject

Some notes on the install/setup for issues we encountered.

In start.sh, change the memory to 4G or higher:

RTMEM="${RTMEM:-4G}"

Create a ddos config file (we used /root/ddos.conf) with all the options you want. Modify the values below as needed to fit your setup.

bgp.port=179
bgp.start=yes
ddos_protect.router=x.x.x.x,y.y.y.y
ddos_protect.as=xxxxx
ddos_protect.id=0.6.6.6
ddos_protect.nexthop=null0
ddos_protect.localpref=666
ddos_protect.enable.ipv6=no
ddos_protect.enable.flowspec=yes
ddos_protect.flowspec.rate=12500
ddos_protect.flowspec.redirect.method=as
ddos_protect.flowspec.redirect.as=xxxxx:666
ddos_protect.flowspec.redirect.as4=xxxxx:666
ddos_protect.flowspec.community=128:6:0
ddos_protect.maxroutes=1000
ddos_protect.maxflows=100
ddos_protect.externalgroup=external
ddos_protect.excludedgroups=exclude

ddos_protect.ip_flood.action=filter
ddos_protect.ip_flood.threshold=500000
ddos_protect.ip_flood.timeout=180
ddos_protect.ip_fragmentation.action=filter
ddos_protect.ip_fragmentation.threshold=50000
ddos_protect.ip_fragmentation.timeout=60
ddos_protect.icmp_flood.action=filter
ddos_protect.icmp_flood.threshold=50000
ddos_protect.icmp_flood.timeout=60
ddos_protect.tcp_amplification.action=ignore
ddos_protect.tcp_amplification.threshold=50000
ddos_protect.tcp_amplification.timeout=60
ddos_protect.tcp_flood.action=filter
ddos_protect.tcp_flood.threshold=1000000
ddos_protect.tcp_flood.timeout=60
ddos_protect.udp_flood.action=filter
ddos_protect.udp_flood.threshold=500000
ddos_protect.udp_flood.timeout=60
ddos_protect.udp_amplification.action=filter
ddos_protect.udp_amplification.threshold=50000
ddos_protect.udp_amplification.timeout=60
ddos_protect.mode=automatic
ddos_protect.flow_seconds=2
ddos_protect.threshold_seconds=60
ddos_protect.esr=no
ddos_protect.esr_samples=15
ddos_protect.syslog.host=Comma
ddos_protect.syslog.port=514
ddos_protect.syslog.facility=16
ddos_protect.syslog.severity=5

Once that is done, create a simple script that you can run at will or on startup to start sflow-rt based on the config file above:

#!/bin/sh

./sflow-rt/start.sh -Dsystem.propertyFiles=/root/ddos.conf &

Once it’s running, you can access the GUI at http://x.x.x.x:8008/app/ddos-protect/html/index.html. You can then also change your settings from the Settings tab as needed. You’ll need to tune the TCP/UDP/ICMP thresholds for your environment so you don’t start dropping legitimate traffic.
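Before starting sflow-rt with a ddos.conf like the one above, it is worth checking the file mechanically. The following is an added example (not part of the post or of the ddos-protect project): it parses the key=value properties, groups the ddos_protect.<class>.<field> settings per attack class, and reports classes left on action=ignore, missing thresholds or timeouts, and flowspec enabled without a rate. The sample file is constructed, with one class deliberately on ignore and one missing its timeout.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the ddos.conf keys shown above, with one class
# left on action=ignore and one class missing its timeout on purpose.
SAMPLE_CONF = """\
ddos_protect.enable.flowspec=yes
# comment lines and blanks are skipped
ddos_protect.ip_flood.action=filter
ddos_protect.ip_flood.threshold=500000
ddos_protect.ip_flood.timeout=180
ddos_protect.tcp_amplification.action=ignore
ddos_protect.tcp_amplification.threshold=50000
ddos_protect.tcp_amplification.timeout=60
ddos_protect.udp_flood.action=filter
ddos_protect.udp_flood.threshold=500000
"""
ATTACK_KEY = re.compile(r"^ddos_protect\.([a-z_]+)\.(action|threshold|timeout)$")

def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value properties, as passed via -Dsystem.propertyFiles."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def attack_classes(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group the ddos_protect.<class>.<field> keys per attack class."""
    classes: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        m = ATTACK_KEY.match(key)
        if m:
            classes.setdefault(m.group(1), {})[m.group(2)] = value
    return classes

def audit(props: Dict[str, str]) -> List[str]:
    """Findings to review before starting sflow-rt with this file."""
    findings = []
    for name, s in sorted(attack_classes(props).items()):
        if s.get("action") == "ignore":
            findings.append(f"{name}: action=ignore, class is detected but no mitigation is pushed")
        for field in ("threshold", "timeout"):
            if not s.get(field, "").isdigit():
                findings.append(f"{name}: {field} missing or not numeric")
    if props.get("ddos_protect.enable.flowspec") == "yes" and "ddos_protect.flowspec.rate" not in props:
        findings.append("flowspec enabled but ddos_protect.flowspec.rate not set")
    return findings
```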

We’ve been working quite a bit with MikroTik devices and had to work out some failover scripts for IPsec and interfaces. You can find them below. Modify them to fit your environment as needed. Enjoy.

IPSec Failover Script

{
   :local PrimaryPolicy 1
   :local SecondaryPolicy 2
   :local PrimaryPeer 1
   :local SecondaryPeer 0 

   :local PrimaryOK [:ping count=3 src-address=x.x.x.x y.y.y.y];
   :local SecondaryOK [:ping count=3 src-address=z.z.z.z a.a.a.a];
   :local PrimaryActive [/ip ipsec policy get $PrimaryPolicy active];
 
   # :log info "Status: $PrimaryOK $SecondaryOK $PrimaryActive";
   # Test case: set $PrimaryOK 0;
 
   :if ($PrimaryOK < 1 && $SecondaryOK > 1 && $PrimaryActive) do={
         :log warn "switch to failover";
         /ip ipsec policy disable $PrimaryPolicy;
         /ip ipsec policy enable $SecondaryPolicy;
         /ip ipsec peer disable $PrimaryPeer;
         /ip ipsec peer enable $SecondaryPeer;
   }
   :if ($PrimaryOK = 3 && !$PrimaryActive) do={
         :log warn "switch to primary";
         /ip ipsec policy disable $SecondaryPolicy;
         /ip ipsec policy enable $PrimaryPolicy;
         /ip ipsec peer disable $SecondaryPeer;
         /ip ipsec peer enable $PrimaryPeer;
   }
}

Interface Failover Script

/interface ethernet 
:if ((![get sfp-sfpplus2 disabled]) && ([get sfp-sfpplus2 running])) do={
	# Interface is Enabled AND Interface is Running
	set sfp-sfpplus1 disabled=yes
} else={
	:if ((![get sfp-sfpplus2 disabled]) && (![get sfp-sfpplus2 running])) do={
		# Interface is Enabled and NOT Running
		set sfp-sfpplus1 disabled=no
	}
}

If you ever were in a situation where you needed to quickly change the OSPF cost on multiple interfaces to manipulate traffic, an easy way to do this would be to run an Ansible playbook.

Here’s an example of an Ansible playbook that changes the OSPF cost on a single interface on a Cisco device. You can modify it further to include multiple interfaces as needed.

---
- name: Change OSPF cost on Cisco device
  hosts: cisco_device
  gather_facts: no  # Disable gathering facts for efficiency
  connection: ansible.netcommon.network_cli  # CLI over SSH; inventory needs ansible_network_os=cisco.ios.ios

  vars:
    ospf_interface: GigabitEthernet0/1  # Replace with the appropriate interface name
    new_cost: 1000  # Replace with the desired OSPF cost value

  tasks:
    - name: Configure OSPF cost
      # ios_config enters configuration mode and applies the lines under the
      # interface; ios_command only runs exec-mode (show) commands and would
      # not apply "ip ospf cost".
      cisco.ios.ios_config:
        parents: "interface {{ ospf_interface }}"
        lines:
          - "ip ospf cost {{ new_cost }}"
      register: ospf_output

    - name: Check OSPF output
      debug:
        var: ospf_output

In this playbook, we assume that you have already set up Ansible and have the necessary inventory file configured with the target Cisco device. The inventory file should contain an entry for cisco_device with its IP address or hostname, along with ansible_network_os=cisco.ios.ios so the network_cli connection knows which platform it is talking to.

To use the playbook, save it in a file like change_ospf_cost.yaml and run the following command:

ansible-playbook -i inventory.ini change_ospf_cost.yaml

Make sure to replace inventory.ini with the path to your actual inventory file.

Please note that this playbook uses the ios_config module, which is part of the cisco.ios collection (that collection pulls in ansible.netcommon, which provides the network_cli connection plugin). You may need to install this collection using the ansible-galaxy command before running the playbook:

ansible-galaxy collection install cisco.ios

Also, ensure that you have the necessary connectivity and credentials to access and configure the Cisco device using Ansible.

In the realm of computer networking, efficient and reliable routing protocols are essential for optimal network performance. Open Shortest Path First (OSPF) is a dynamic routing protocol widely used in large-scale enterprise networks. One of the key features of OSPF is the ability to divide the network into areas. In this blog post, we will delve into the benefits of OSPF areas and explore how they can enhance network scalability, fault tolerance, and overall performance.

  1. Enhanced Scalability

As networks grow larger and more complex, maintaining a flat routing domain becomes increasingly challenging. OSPF areas offer a solution by allowing network administrators to partition a network into logical segments. Each area operates as a distinct routing domain with its own link-state database. This division enables efficient routing and reduces the burden on routers by limiting the scope of SPF (Shortest Path First) calculations.

By dividing the network into areas, OSPF allows for hierarchical routing, where routers in one area only need to be aware of the topology and routing information within their own area. This simplifies network management, reduces memory and CPU requirements, and improves the scalability of the overall network.

  2. Increased Fault Tolerance

Network resilience is a critical aspect of any robust infrastructure. OSPF areas contribute to fault tolerance by isolating network failures within specific areas, preventing them from affecting the entire network. When a link or router failure occurs, OSPF will automatically recalculate the shortest paths within the affected area without causing unnecessary updates in other areas. This localized recalculation process minimizes the impact of failures, improves convergence time, and ensures that the network remains stable.

Furthermore, OSPF supports the concept of Area Border Routers (ABRs), which reside on the boundaries between areas. ABRs maintain summarized routing information for their connected areas, reducing the routing table size in other areas. This hierarchical design allows for efficient routing and containment of failures within their respective areas.

  3. Enhanced Performance and Traffic Engineering

OSPF areas enable network administrators to optimize traffic patterns and implement specific policies within different areas. By assigning different metrics or path costs to links in different areas, administrators can influence the flow of traffic and direct it along desired paths. This ability to manipulate routing metrics within areas is known as traffic engineering.

For example, in a network with multiple branches, an organization can configure OSPF to prioritize certain links or routes in specific areas, ensuring that critical traffic takes the most reliable or highest bandwidth paths. By leveraging OSPF’s area-based policies, network administrators have finer control over traffic flows and can tailor the network to meet specific requirements.

  4. Simplified Network Administration

Managing a large-scale network can be a daunting task. OSPF areas simplify network administration by dividing the network into smaller, manageable units. Each area can have its own administrative control, allowing different teams or departments to have autonomy over their area’s routing policies and configurations.

This division of responsibilities enables efficient delegation, improves troubleshooting, and reduces the chances of accidental misconfigurations affecting the entire network. Network administrators can focus on specific areas of expertise without the need to comprehend the entire network’s complexity.

Conclusion

OSPF areas are a valuable feature of the OSPF routing protocol, providing numerous benefits in terms of scalability, fault tolerance, performance optimization, and simplified network administration. By dividing the network into logical areas, OSPF allows for hierarchical routing, efficient resource utilization, localized fault containment, and fine-grained traffic engineering. These advantages make OSPF areas an essential tool for network architects and administrators seeking to build scalable, reliable, and manageable networks.

Here’s an example script that uses the Netmiko library to connect to multiple Cisco network devices and detect VLANs on each device:

from netmiko import ConnectHandler

# Define the credentials and connection details for each device
devices = [
    {
        'device_type': 'cisco_ios',
        'ip': '192.168.1.1',
        'username': 'your_username',
        'password': 'your_password',
    },
    {
        'device_type': 'cisco_ios',
        'ip': '192.168.1.2',
        'username': 'your_username',
        'password': 'your_password',
    },
    # Add more devices here if needed
]

# Iterate over each device
for device in devices:
    print(f"Connecting to {device['ip']}...")

    # Establish SSH connection to the device
    try:
        connection = ConnectHandler(**device)
        print("Connection successful!\n")
    except Exception as e:
        print(f"Failed to connect to {device['ip']}: {e}\n")
        continue

    try:
        # Send command to retrieve VLAN information
        output = connection.send_command('show vlan')
        print(f"VLANs on {device['ip']}:\n{output}\n")
    except Exception as e:
        print(f"Failed to retrieve VLAN information from {device['ip']}: {e}\n")

    # Disconnect from the device
    connection.disconnect()

Make sure you have the netmiko library installed before running this script. You can install it using pip install netmiko.

In the devices list, provide the necessary details for each Cisco device you want to connect to: the device_type should be set to 'cisco_ios', the ip should be the IP address of the device, and provide the appropriate username and password for authentication.

The script will iterate over each device, establish an SSH connection using Netmiko, send the command show vlan to retrieve VLAN information, and then disconnect from the device. The VLAN information retrieved from each device will be printed on the console.

You can add more devices to the devices list as needed. Remember to replace 'your_username' and 'your_password' with the actual credentials for each device.

Note: This script assumes that you have SSH access enabled on the Cisco devices and that the provided credentials are correct. Make sure to adjust the script according to your network environment and specific requirements.
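The script above prints the raw show vlan output; in practice you want it parsed so it can be checked. As an added example (not part of the post), the following parses Cisco IOS "show vlan brief" output, including port lists that wrap onto continuation lines, and reports ports still sitting in VLAN 1, the usual finding in a switch review since the default VLAN carries untagged traffic and unused ports belong in a dedicated, shut-down VLAN. The sample output is constructed, not captured from a real switch, so it can run offline.

```python
import re
from typing import Dict, List

# Constructed sample of IOS "show vlan brief" output, not captured from a real switch.
# VLAN 1's port list wraps onto a continuation line, as IOS does for long lists.
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4, Gi0/5
                                                Gi0/6, Gi0/7
10   users                            active    Gi0/8, Gi0/9
20   servers                          active    Gi0/10
99   mgmt                             active    
1002 fddi-default                     act/unsup
"""
ROW = re.compile(r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<status>\S+)\s*(?P<ports>.*)$")

def parse_show_vlan(output: str) -> Dict[int, dict]:
    """Parse 'show vlan brief' into {vlan_id: {"name", "status", "ports"}}."""
    vlans: Dict[int, dict] = {}
    current = None
    for line in output.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue  # header, separator or blank line
        m = ROW.match(line)
        if m:
            current = int(m["id"])
            vlans[current] = {"name": m["name"], "status": m["status"], "ports": []}
            ports = m["ports"]
        elif current is not None and line[0].isspace():
            ports = line  # continuation of the previous VLAN's port list
        else:
            continue
        vlans[current]["ports"].extend(p.strip() for p in ports.split(",") if p.strip())
    return vlans

def ports_in_default_vlan(vlans: Dict[int, dict]) -> List[str]:
    """Ports still in VLAN 1. On Cisco switches VLAN 1 is the default for untagged
    traffic and for protocols such as CDP and VTP, so access ports left there are
    worth moving to a dedicated VLAN (and shutting down when unused)."""
    return list(vlans.get(1, {}).get("ports", []))

if __name__ == "__main__":
    for port in ports_in_default_vlan(parse_show_vlan(SAMPLE_SHOW_VLAN)):
        print(f"still in VLAN 1: {port}")
```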