
MPLS / VPLS

Before running MPLS on your production network, make sure you have an in-depth understanding of MPLS and VPLS. If you don't, you will have a hard time troubleshooting when things screw up.

For an overview of the how and why of MPLS, see:
http://en.wikipedia.org/wiki/Multiprotocol_Label_Switching



MPLS can run alongside your existing IGP, such as OSPF, which will still determine the best path. Set up your LDP neighbors with targeted addresses, using a loopback address. For a basic MPLS implementation, the following configuration is needed on every Mikrotik router. The routers need to be on RouterOS 4.xx, preferably the latest (4.16 at the time of writing).

/mpls ldp set enabled=yes transport-address=[loopback] lsr-id=[loopback]
/mpls ldp interface add interface=ether1

Make sure your MPLS-facing interfaces aren't bridged, or LDP neighbor relationships may not establish.

Check /mpls ldp neighbor print output to verify that LDP relationships have established.
Check /mpls forwarding-table print to see the MPLS 'routes'.
Check /mpls local-bindings print to see what networks and what labels the local router has assigned and is advertising.
Check /mpls remote-bindings print to see incoming label advertisements.


VPLS tunnels are a method to tunnel Ethernet frames between sites. The outcome is the same as EoIP tunnels, but the advantage is that VPLS/MPLS are industry standard, whereas EoIP is a Mikrotik proprietary protocol. Also, VPLS is up to 60% more efficient than EoIP. The latter sold me.

Create a new VPLS interface, then mirror the configuration on the other end:
/interface vpls add name=vpls1 remote-peer=10.1.1.2 cisco-style=yes cisco-style-id=123 pw-type=raw-ethernet

I got better performance out of using Cisco-style pseudowires, plus they are compatible with Cisco, so it's a win-win for me.

**Note: Change the MPLS interface MTU to 1522 to accommodate overhead and labels; otherwise fragmentation will occur and performance will be degraded. If you are using it as your internet connection, you will find some sites (paypal.com) will not load at all without the MTU change.
/mpls interface set 0 mpls-mtu=1522
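
The steps above, put together for both ends of one pseudowire, as an added example that is not from the original post. The router names R1/R2, the R1 loopback 10.1.1.1, the bridge name `loopback` and the explicit `disabled=no` are assumptions; 10.1.1.2, ether1 and the VPLS settings are the post's own values.

```routeros
# Constructed example. Assumes the IGP (e.g. OSPF) already advertises
# both /32 loopbacks, and that ether1 is the MPLS-facing, non-bridged port.

# ---------- R1 (loopback 10.1.1.1, assumed) ----------
# An empty bridge serves as the loopback interface
/interface bridge add name=loopback
/ip address add address=10.1.1.1/32 interface=loopback
# LDP sessions are sourced from, and identified by, the loopback
/mpls ldp set enabled=yes transport-address=10.1.1.1 lsr-id=10.1.1.1
/mpls ldp interface add interface=ether1
# Pseudowire towards R2; cisco-style-id must be identical on both ends
/interface vpls add name=vpls1 remote-peer=10.1.1.2 cisco-style=yes cisco-style-id=123 pw-type=raw-ethernet disabled=no
# Room for the encapsulated Ethernet frame plus labels
/mpls interface set 0 mpls-mtu=1522

# ---------- R2 (loopback 10.1.1.2) ----------
/interface bridge add name=loopback
/ip address add address=10.1.1.2/32 interface=loopback
/mpls ldp set enabled=yes transport-address=10.1.1.2 lsr-id=10.1.1.2
/mpls ldp interface add interface=ether1
# Mirror of R1: remote-peer points back at R1, same cisco-style-id and pw-type
/interface vpls add name=vpls1 remote-peer=10.1.1.1 cisco-style=yes cisco-style-id=123 pw-type=raw-ethernet disabled=no
/mpls interface set 0 mpls-mtu=1522

# ---------- Verify on either router ----------
/mpls ldp neighbor print
/mpls forwarding-table print
/interface vpls print
```

The MTU change has to be made on every router along the label-switched path, not only on the two tunnel endpoints.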

