
MPLS and VPLS on Mikrotik

At first glance the idea is a little odd: building a "serious" MPLS/VPLS network on cheap Mikrotik-class hardware. On the other hand, for about 70 dollars (1500-2000 roubles) the entry-level RB750 (or RB750GL) gives you a PE/CE device that can, among other things, run L2VPN/L3VPN over an MPLS core and push roughly 70 Mbit/s full duplex (with large packets).
Mikrotik RouterOS supports both MPLS proper (L3VPN, Traffic Engineering) and L2VPN (l2circuit, also known as VPWS, and VPLS), which covers almost every practical task, hardware performance permitting.

Interested? Read on.

For a start, a little theory.

MPLS (Multiprotocol Label Switching) is a label-based forwarding mechanism. Every packet entering the MPLS network, whatever its type, is given a label, and forwarding decisions inside the network are made on that label alone. The important point is that the payload is never inspected: inside MPLS you can carry practically any L2/L3 traffic (STP BPDUs and the like, right up to SDH and ATM pseudowires) with no effect on the transport network. Floods, VLANs with huge MAC tables, loops and other such "joys" are of no concern to you as the transport provider.

The key concept in MPLS is the LSP (Label Switched Path), the path a packet follows through the network, which is set up by one of the LDP, RSVP-TE, BGP or CR-LDP protocols. I will not go into the criteria by which an LSP is chosen, and of the protocols I will deal only with LDP. There is enough MPLS literature on the net for the interested reader to learn plenty; the purpose of this article is to show the specific features of RouterOS.

A router in an MPLS network plays one of three roles:

1. CE router (Customer Edge): not part of the MPLS network and unaware of it; simply a customer device with L2/L3 connectivity to the provider's router.
2. PE router (Provider Edge): the edge MPLS router. It is the customer's gateway and forwards the customer's traffic into the provider's MPLS network. Also called an LER (Label Edge Router).
3. P router (Provider): an MPLS core router that passes MPLS traffic transparently, without looking at its contents. Also called an LSR (Label Switching Router).

VPWS (l2circuit) is a point-to-point circuit, also called a pseudowire.
VPLS is a multipoint service: to the customer it looks like a virtual "dumb" switch that passes any frame transparently.

Now that the terminology is settled, let's look at concrete examples:

1. Mikrotik - Juniper - Mikrotik L2Circuit
Option one: Mikrotik acts as a PE router, Juniper - as a P-router.

Network layout


Mikrotik configuration as a PE router

Raise interfaces and ip-addresses:
 /interface bridge
 add name=loopback
 add l2mtu=1526 name=vpn

 /ip address
 add address=10.0.11.24/24 interface=eth2
 add address=172.19.238.33/32 interface=loopback network=172.19.238.33


Configure OSPF and advertise the networks through which we see our neighbours, plus the loopback:
 /routing ospf instance
 set [find default=yes] router-id=172.19.238.33
 /routing ospf interface
 add interface=eth2
 /routing ospf network
 add area=backbone network=10.0.11.0/24
 add area=backbone network=172.19.238.33/32


Configure LDP, and don't forget mpls-mtu (needed for tagged and QinQ frames to pass):
 /mpls interface
 set [find default=yes] mpls-mtu=1526
 /mpls ldp
 set enabled=yes lsr-id=172.19.238.33 transport-address=172.19.238.33
 /mpls ldp interface
 add interface=eth2


Finally, bring up the L2VPN and put eth5, where the customers will live, into the same bridge:
 /interface vpls
 add advertised-l2mtu=1526 cisco-style=yes cisco-style-id=5 disabled=no l2mtu=1526 \
 name=junos-l2circuit remote-peer=172.19.238.34

 /interface bridge port
 add bridge=vpn interface=eth5
 add bridge=vpn interface=junos-l2circuit


cisco-style=yes makes RouterOS signal the pseudowire with the PWid FEC (FEC 128), in which the circuit is identified by a plain 32-bit VC ID, and cisco-style-id is that VC ID; both ends must use the same value (on Junos it is virtual-circuit-id for an l2circuit and vpls-id for VPLS). advertised-l2mtu/l2mtu is the largest frame the pseudowire will carry without fragmentation; it is signalled to the peer and must match on both sides, otherwise the circuit stays down with an MTU mismatch.

On the second PE router, the settings are similar:
 /interface bridge
 add name=loopback
 add l2mtu=1526 name=vpn

 /ip address
 add address=172.19.238.34/32 interface=loopback network=172.19.238.34
 add address=192.168.168.2/24 interface=eth2 network=192.168.168.0

 /routing ospf instance
 set [find default=yes] router-id=172.19.238.34
 /routing ospf interface
 add interface=eth2
 /routing ospf network
 add area=backbone network=192.168.168.0/24
 add area=backbone network=172.19.238.34/32

 /mpls interface
 set [find default=yes] mpls-mtu=1526
 /mpls ldp
 set enabled=yes lsr-id=172.19.238.34 transport-address=172.19.238.34
 /mpls ldp interface
 add interface=eth2

 /interface vpls
 add advertised-l2mtu=1526 cisco-style=yes cisco-style-id=5 disabled=no l2mtu=1526 \
 name=junos-l2circuit remote-peer=172.19.238.33

 /interface bridge port
 add bridge=vpn interface=eth5
 add bridge=vpn interface=junos-l2circuit




Juniper SRX configuration as a P-router

Configuring interfaces, IP addresses:
 interfaces {
     fe-0/0/6 {
         description mkt.192.168.168.2-pe;
         mtu 1624;
         unit 0 {
             family inet {
                 mtu 1500;
                 address 192.168.168.1/24;
             }
             family mpls;
         }
     }
     fe-0/0/7 {
         description mkt.10.0.11.24-pe;
         mtu 1624;
         unit 0 {
             family inet {
                 mtu 1500;
                 address 10.0.11.23/24;
             }
             family mpls;
         }
     }
     lo0 {
         unit 0 {
             family inet {
                 address 172.19.238.35/32;
             }
         }
     }
 }


Then we raise OSPF:
 protocols {
     ospf {
         area 0.0.0.0 {
             interface fe-0/0/6.0 {
                 hello-interval 10;
             }
             interface fe-0/0/7.0 {
                 hello-interval 10;
             }
             interface lo0.0 {
                 passive;
             }
         }
     }
 }


Finally, configure MPLS:
 protocols {
     mpls {
         interface all;
     }
     ldp {
         egress-policy CONNECTED-ONLY;
         transport-address 172.19.238.35;
         interface fe-0/0/6.0;
         interface fe-0/0/7.0;
         interface lo0.0;
     }
 }
 policy-options {
     prefix-list LOOPBACK-PREFIX {
         172.19.238.35/32;
     }
     policy-statement CONNECTED-ONLY {
         from {
             prefix-list LOOPBACK-PREFIX;
         }
         then accept;
     }
 }
 security {
     forwarding-options {
         family {
             mpls {
                 mode packet-based;
             }
         }
     }
 }

In this role the SRX terminates no pseudowires of its own: it only exchanges labels with its LDP neighbours and label-switches the PE-to-PE traffic. The egress-policy CONNECTED-ONLY limits what it advertises over LDP to its own loopback, and family mpls mode packet-based is mandatory on an SRX, which by default handles everything flow-based and will not forward MPLS at all; a change of that mode takes effect only after a reboot.


2. Juniper - Mikrotik - Mikrotik L2Circuit
Another option - now Juniper SRX acts as a PE router, and Mikrotik - as a P-router.

Network layout

Juniper SRX configuration as a PE router
Interface Configuration
 interfaces {
     fe-0/0/5 {
         description vpws2-pe;
         vlan-tagging;
         mtu 1624;
         encapsulation vlan-ccc;
         unit 0 {
             encapsulation vlan-ccc;
             vlan-id 1806;
         }
     }
     fe-0/0/7 {
         description mkt.10.0.11.24-p;
         mtu 1624;
         unit 0 {
             family inet {
                 mtu 1500;
                 address 10.0.11.23/24;
             }
             family mpls {
                 mtu 1526;
             }
         }
     }
     lo0 {
         unit 0 {
             family inet {
                 address 172.19.238.35/32;
             }
         }
     }
 }


Worth noting here is encapsulation vlan-ccc, which marks this port as cross-connected (CCC) rather than routed, and the mtu under family mpls, which should match the MPLS MTU configured on the other PE.

Routing Setup
 routing-options {
     static {
         route 0.0.0.0/0 {
             next-hop 172.19.238.1;
             no-readvertise;
             preference 200;
         }
     }
 }
 protocols {
     mpls {
         interface all;
     }
     ospf {
         area 0.0.0.0 {
             interface fe-0/0/7.0 {
                 hello-interval 10;
             }
             interface lo0.0 {
                 passive;
             }
         }
     }
     ldp {
         egress-policy CONNECTED-ONLY;
         transport-address 172.19.238.35;
         interface all;
     }
     l2circuit {
         neighbor 172.19.238.34 {
             interface fe-0/0/5.0 {
                 virtual-circuit-id 5;
                 mtu 1526;
             }
         }
     }
 }


Here we build the l2circuit: virtual-circuit-id must equal cisco-style-id on the Mikrotik, and the mtu signalled here (1526) must equal the Mikrotik's advertised-l2mtu, otherwise Junos reports the circuit as MM (mtu mismatch) and it stays down.

Mikrotik configuration as a P-router
 /interface bridge
 add name=loopback

 /ip address
 add address=10.0.11.24/24 interface=eth3
 add address=172.19.238.33/32 interface=loopback network=172.19.238.33
 add address=192.168.168.1/24 interface=eth2


 /routing ospf instance
 set [find default=yes] router-id=172.19.238.33

 /routing ospf interface
 add interface=eth2
 add interface=eth3

 /routing ospf network
 add area=backbone network=10.0.11.0/24
 add area=backbone network=172.19.238.33/32
 add area=backbone network=192.168.168.0/24


 /mpls interface
 set [find default=yes] mpls-mtu=1526

 /mpls ldp
 set enabled=yes lsr-id=172.19.238.33 transport-address=172.19.238.33

 /mpls ldp interface
 add interface=eth2
 add interface=eth3


Everything here is completely standard; a P router needs no VPLS interfaces, it only runs OSPF and LDP.


3. Juniper - Mikrotik VPLS
The third option is not an l2circuit (CCC, circuit cross-connect, in Juniper terms) but a full multipoint VPLS.


Mikrotik configuration as a P-router
 /interface bridge
 add name=loopback

 /ip address
 add address=10.0.11.24/24 interface=eth3
 add address=10.0.12.24/24 interface=eth5
 add address=172.19.238.33/32 interface=loopback network=172.19.238.33
 add address=192.168.168.1/24 interface=eth2
 add address=192.168.88.1/24 interface=eth4


 /routing ospf instance
 set [find default=yes] router-id=172.19.238.33

 /routing ospf interface
 add interface=eth2
 add interface=eth3
 add interface=eth4
 add interface=eth5

 /routing ospf network
 add area=backbone network=10.0.11.0/24
 add area=backbone network=10.0.12.0/24
 add area=backbone network=172.19.238.33/32
 add area=backbone network=192.168.168.0/24
 add area=backbone network=192.168.88.0/24


 /mpls interface
 set [find default=yes] mpls-mtu=1526

 /mpls ldp
 set enabled=yes lsr-id=172.19.238.33 transport-address=172.19.238.33

 /mpls ldp interface
 add interface=eth2
 add interface=eth3
 add interface=eth4
 add interface=eth5



Mikrotik configuration as a PE router
 /interface bridge
 add name=loopback
 add l2mtu=1526 name=vpn

 /ip address
 add address=172.19.238.34/32 interface=loopback network=172.19.238.34
 add address=192.168.168.2/24 interface=eth2 network=192.168.168.0

 /routing ospf instance
 set [find default=yes] router-id=172.19.238.34
 /routing ospf interface
 add interface=eth2
 /routing ospf network
 add area=backbone network=192.168.168.0/24
 add area=backbone network=172.19.238.34/32

 /mpls interface
 set [find default=yes] mpls-mtu=1526
 /mpls ldp
 set enabled=yes lsr-id=172.19.238.34 transport-address=172.19.238.34
 /mpls ldp interface
 add interface=eth2

 /interface vpls
 add advertised-l2mtu=1526 cisco-style=yes cisco-style-id=5 disabled=no l2mtu=1526 \
 name=junos-l2circuit remote-peer=172.19.238.35

 /interface bridge port
 add bridge=vpn interface=eth5
 add bridge=vpn interface=junos-l2circuit horizon=1


Similar to the l2circuit configuration, but with a few nuances:
1. All pseudowires in one VPLS domain must carry the same VC ID (cisco-style-id on the Mikrotik, vpls-id on the SRX), and remote-peer must point at the loopback of the PE at the far end of the pseudowire (here the SRX, 172.19.238.35), not at the P router in between.
2. The pseudowires should form a full mesh (every PE to every other PE). A partial mesh will come up, but with split horizon enabled a PE never forwards a frame from one pseudowire into another, so sites behind PEs that are not directly peered will not see each other.
3. To rule out loops, enable split horizon on every bridge port that faces a pseudowire, and leave the customer port without it:
  /interface bridge port set [find interface=junos-l2circuit] horizon=1
   Ports sharing a horizon value never forward frames to one another, which is what makes the full mesh loop-free without running STP across the VPLS.
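To make the matching rules concrete, here is a small checker, added for this article and not part of the original post, of RouterOS or of Junos, that pulls the pseudowire parameters out of a Mikrotik `/interface vpls` line and a Junos `l2circuit` stanza and reports everything that would keep the circuit from coming up: the two ends must target each other's LSR-ID, both must signal the PWid FEC (FEC 128, which is what cisco-style=yes selects) with the same VC ID (cisco-style-id on RouterOS, virtual-circuit-id or vpls-id on Junos), and the advertised MTUs must be equal. The configuration fragments embedded below are constructed from the stanzas in this article; the function and variable names are mine.

```python
import re

# Constructed fragments modelled on the stanzas in this article (not copied from
# a live device). Mikrotik PE 172.19.238.34 <-> Juniper SRX PE 172.19.238.35.
MIKROTIK_LSR_ID = "172.19.238.34"          # /mpls ldp set lsr-id=...
MIKROTIK_VPLS = (
    "/interface vpls\n"
    "add advertised-l2mtu=1526 cisco-style=yes cisco-style-id=5 disabled=no "
    "l2mtu=1526 name=junos-l2circuit remote-peer=172.19.238.35\n"
)

JUNOS_LSR_ID = "172.19.238.35"             # lo0.0 / ldp transport-address
JUNOS_L2CIRCUIT = """\
l2circuit {
    neighbor 172.19.238.34 {
        interface fe-0/0/5.0 {
            virtual-circuit-id 5;
            mtu 1526;
        }
    }
}
"""


def parse_mikrotik_vpls(text, lsr_id):
    """Pseudowire endpoint parameters from a RouterOS '/interface vpls add ...' line."""
    line = next(ln for ln in text.splitlines() if ln.startswith("add "))
    kv = dict(re.findall(r"(\S+?)=(\S+)", line))
    fec128 = kv.get("cisco-style", "no") == "yes"   # PWid FEC: circuit = 32-bit VC ID
    return {
        "lsr_id": lsr_id,
        "peer": kv["remote-peer"],
        "fec128": fec128,
        "vc_id": int(kv["cisco-style-id"]) if fec128 else None,
        "mtu": int(kv["advertised-l2mtu"]),
    }


def parse_junos_l2circuit(text, lsr_id):
    """Pseudowire endpoint parameters from a Junos 'protocols l2circuit' stanza.

    Junos l2circuit (and LDP VPLS identified by vpls-id) signals FEC 128."""
    peer = re.search(r"neighbor\s+([\d.]+)", text).group(1)
    vc_id = int(re.search(r"virtual-circuit-id\s+(\d+)", text).group(1))
    mtu = int(re.search(r"\bmtu\s+(\d+)", text).group(1))
    return {"lsr_id": lsr_id, "peer": peer, "fec128": True, "vc_id": vc_id, "mtu": mtu}


def check_pseudowire(a, b):
    """Return the list of reasons why endpoints a and b will not form a pseudowire."""
    problems = []
    for near, far in ((a, b), (b, a)):
        if near["peer"] != far["lsr_id"]:
            problems.append(f"{near['lsr_id']} targets {near['peer']}, "
                            f"but the far PE's LSR-ID is {far['lsr_id']}")
    if not (a["fec128"] and b["fec128"]):
        problems.append("both ends must signal FEC 128 (cisco-style=yes on RouterOS)")
    elif a["vc_id"] != b["vc_id"]:
        problems.append(f"VC ID mismatch: {a['vc_id']} vs {b['vc_id']}")
    if a["mtu"] != b["mtu"]:
        problems.append(f"MTU mismatch ('MM' on Junos): {a['mtu']} vs {b['mtu']}")
    return problems


def check_page_example():
    """The pair as configured in the article: expected to be clean."""
    return check_pseudowire(parse_mikrotik_vpls(MIKROTIK_VPLS, MIKROTIK_LSR_ID),
                            parse_junos_l2circuit(JUNOS_L2CIRCUIT, JUNOS_LSR_ID))


def check_wrong_peer_example():
    """Same pair, but remote-peer points at the P router's loopback 172.19.238.33."""
    bad = MIKROTIK_VPLS.replace("remote-peer=172.19.238.35", "remote-peer=172.19.238.33")
    return check_pseudowire(parse_mikrotik_vpls(bad, MIKROTIK_LSR_ID),
                            parse_junos_l2circuit(JUNOS_L2CIRCUIT, JUNOS_LSR_ID))


if __name__ == "__main__":
    print("as configured:", check_page_example() or "OK")
    print("wrong remote-peer:", check_wrong_peer_example())
```

Run as-is it reports the configured pair as clean; the second check, with remote-peer pointed at the P router's loopback instead of the far PE, is the kind of copy-paste error that leaves the VPLS interface down because the targeted LDP session is opened towards the wrong router and the SRX never sees a matching FEC.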


Juniper SRX configuration as a PE router
Interface Setup
 interfaces {
     fe-0/0/5 {
         description vpws2-pe;
         mtu 1624;
         encapsulation ethernet-vpls;
         unit 0 {
             family vpls;
         }
     }
     fe-0/0/6 {
         description mkt.192.168.168.2 - pe;
         mtu 1624;
         unit 0 {
             family inet {
                 mtu 1500;
                 address 192.168.168.1/24;
             }
             family mpls;
         }
     }
     lo0 {
         unit 0 {
             family inet {
                 address 172.19.238.35/32;
             }
         }
     }
 }


Where the cross-connect used encapsulation vlan-ccc, VPLS needs encapsulation ethernet-vpls on the physical interface and family vpls on the unit.

Routing Setup
 protocols {
     mpls {
         interface all;
     }
     ospf {
         area 0.0.0.0 {
             interface fe-0/0/6.0 {
                 hello-interval 10;
             }
             interface fe-0/0/7.0 {
                 hello-interval 10;
             }
             interface lo0.0 {
                 passive;
             }
         }
     }
     ldp {
         egress-policy CONNECTED-ONLY;
         transport-address 172.19.238.35;
         interface all;
     }
 }
 policy-options {
     prefix-list LOOPBACK-PREFIX {
         172.19.238.35/32;
     }
     policy-statement CONNECTED-ONLY {
         from {
             prefix-list LOOPBACK-PREFIX;
         }
         then accept;
     }
 }
 security {
     forwarding-options {
         family {
             mpls {
                 mode packet-based;
             }
         }
     }
 }


Configuring VPLS Connections
 routing-instances {
     vpls-re {
         instance-type vpls;
         interface fe-0/0/5.0;
         protocols {
             vpls {
                 no-tunnel-services;
                 vpls-id 5;
                 mtu 1526;
                 neighbor 172.19.238.34;
                 neighbor 172.19.238.105;
             }
         }
     }
 }



The VPLS neighbours are listed the same way, "each to each": every PE of the domain lists every other PE (here 172.19.238.34 and a second PE, 172.19.238.105, whose configuration is not shown), since with split horizon PEs that are not directly peered cannot exchange frames.


4. Verification
PE Juniper
 snake@srx1> show ldp neighbor
 Address          Interface    Label space ID     Hold time
 172.19.238.34    lo0.0        172.19.238.34:0    42
 10.0.11.24       fe-0/0/7.0   172.19.238.33:0    11


 snake@srx1> show l2circuit connections status
 Layer-2 Circuit Connections:

 Legend for connection status (St)
 EI - encapsulation invalid          NP - interface h/w not present
 MM - mtu mismatch                   Dn - down
 EM - encapsulation mismatch         VC-Dn - Virtual circuit Down
 CM - control-word mismatch          Up - operational
 VM - vlan id mismatch               CF - Call admission control failure
 OL - no outgoing label              IB - TDM incompatible bitrate
 NC - intf encaps not CCC/TCC        TM - TDM misconfiguration
 BK - Backup Connection              ST - Standby Connection
 CB - rcvd cell-bundle size bad      SP - Static Pseudowire
 LD - local site signaled down       RS - remote site standby
 RD - remote site signaled down      XX - unknown

 Legend for interface status
 Up - operational
 Dn - down
 Neighbor: 172.19.238.34
     Interface            Type  St     Time last up          # Up trans
     fe-0/0/5.0(vc 5)     rmt   Up     Nov  9 18:27:45 2012  1
       Remote PE: 172.19.238.34, Negotiated control-word: No
       Incoming label: 300096, Outgoing label: 21
       Negotiated PW status TLV: No
       Local interface: fe-0/0/5.0, Status: Up, Encapsulation: VLAN



PE Mikrotik
 [admin@pe-router] /mpls ldp neighbor> print
 Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hello, V - vpls
  #      TRANSPORT       LOCAL-TRANSPORT  PEER               SEND-TARGETED  ADDRESSES
  0 DO   172.19.238.33   172.19.238.34    172.19.238.33:0    no             10.0.11.24
                                                                            172.19.74.2
                                                                            172.19.238.33
                                                                            192.168.88.1
                                                                            192.168.168.1
  1 DOTV 172.19.238.35   172.19.238.34    172.19.238.35:0    yes            10.0.11.23
                                                                            172.19.238.4
                                                                            172.19.238.30
                                                                            172.19.238.35
                                                                            172.19.238.58

 [admin@pe-router] /mpls> forwarding-table print
 Flags: L - ldp, V - vpls, T - traffic-eng
  #   IN-LABEL   OUT-LABELS  DESTINATION         INTERFACE  NEXTHOP
  0   expl-null
  1 L 16         56          172.19.238.56/30    eth2       192.168.168.1
  2 L 17                     10.0.11.0/24        eth2       192.168.168.1
  3 L 18         57          172.19.238.28/30    eth2       192.168.168.1
  4 L 19         58          172.19.238.35/32    eth2       192.168.168.1
  5 L 20                     172.19.238.33/32    eth2       192.168.168.1
  6 V 21                     junos-l2circuit


 [admin@pe-router] > interface vpls monitor junos-l2circuit once
        remote-label: 300096
         local-label: 21
       remote-status:
           transport: 172.19.238.35/32
   transport-nexthop: 192.168.168.1
      imposed-labels: 58,300096

If the pseudowire does not come up straight away, disable and re-enable the VPLS interface on the Mikrotik. Beyond that there is little to tune: as the saying goes, it either works or it doesn't. The first things to compare are the values signalled to the peer, the VC ID, the MTU and the control word; Junos shows VM, MM or CM in the St column when they disagree.
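The two Mikrotik outputs above describe the same pseudowire, and the relation between them is the whole point of the theory section: the label stack imposed on each customer frame is the transport label towards the remote PE's /32 (out-label 58 for 172.19.238.35/32 in the forwarding table) on top of the VC label the SRX advertised for this circuit (remote-label 300096), with the VC label at the bottom of the stack. The script below, written for this article and not part of the original post or of RouterOS, parses the two command outputs (re-typed here as constructed sample input), derives the expected stack, compares it with imposed-labels, and encodes and decodes the stack as it travels on the wire per RFC 3032 (20-bit label, 3-bit TC, S bit, 8-bit TTL). Function names are mine.

```python
import re

# Constructed sample input, re-typed from the verification output in this article
# (Mikrotik PE 172.19.238.34, VPLS scenario).
FORWARDING_TABLE = """\
Flags: L - ldp, V - vpls, T - traffic-eng
 #   IN-LABEL   OUT-LABELS  DESTINATION        INTERFACE  NEXTHOP
 0   expl-null
 1 L 16         56          172.19.238.56/30   eth2       192.168.168.1
 2 L 17                     10.0.11.0/24       eth2       192.168.168.1
 3 L 18         57          172.19.238.28/30   eth2       192.168.168.1
 4 L 19         58          172.19.238.35/32   eth2       192.168.168.1
 5 L 20                     172.19.238.33/32   eth2       192.168.168.1
 6 V 21                     junos-l2circuit
"""

VPLS_MONITOR = """\
       remote-label: 300096
        local-label: 21
      remote-status:
          transport: 172.19.238.35/32
  transport-nexthop: 192.168.168.1
     imposed-labels: 58,300096
"""

LABEL_RE = re.compile(r"\d+(,\d+)*")


def parse_forwarding_table(text):
    """Map DESTINATION -> {flags, in_label, out_labels} from '/mpls forwarding-table print'.

    An empty OUT-LABELS column means the label is popped (penultimate-hop popping
    towards a directly connected LSR), as for 172.19.238.33/32 here."""
    table = {}
    for line in text.splitlines():
        toks = line.split()
        if not toks or not toks[0].isdigit():
            continue                                    # header / flags legend
        toks.pop(0)                                     # row number
        flags = toks.pop(0) if toks[0] in ("L", "V", "T") else ""
        in_label = toks.pop(0)
        out_labels = []
        if len(toks) > 1 and LABEL_RE.fullmatch(toks[0]):
            out_labels = [int(x) for x in toks.pop(0).split(",")]
        if toks:
            table[toks[0]] = {"flags": flags, "in_label": in_label, "out_labels": out_labels}
    return table


def parse_vpls_monitor(text):
    """key -> value from '/interface vpls monitor <name> once'."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def expected_label_stack(table, mon):
    """Outer transport label(s) towards the remote PE, then the VC label at the bottom."""
    transport = table[mon["transport"]]["out_labels"]
    return transport + [int(mon["remote-label"])]


def imposed_labels(mon):
    return [int(x) for x in mon["imposed-labels"].split(",")]


def encode_label_stack(labels, ttl=64, tc=0):
    """RFC 3032 label stack: per entry Label(20) | TC(3) | S(1) | TTL(8), S=1 on the last."""
    out = bytearray()
    for i, label in enumerate(labels):
        if not 0 <= label < 1 << 20:
            raise ValueError(f"label {label} does not fit in 20 bits")
        bottom = 1 if i == len(labels) - 1 else 0
        out += ((label << 12) | (tc << 9) | (bottom << 8) | ttl).to_bytes(4, "big")
    return bytes(out)


def decode_label_stack(data):
    """Inverse of encode_label_stack: list of (label, tc, s, ttl), stopping at S=1."""
    entries = []
    for off in range(0, len(data) - 3, 4):
        e = int.from_bytes(data[off:off + 4], "big")
        entries.append((e >> 12, (e >> 9) & 0x7, (e >> 8) & 0x1, e & 0xFF))
        if e & 0x100:
            break
    return entries


def check_page_example():
    """True when the derived stack equals what RouterOS reports as imposed-labels."""
    table = parse_forwarding_table(FORWARDING_TABLE)
    mon = parse_vpls_monitor(VPLS_MONITOR)
    return expected_label_stack(table, mon) == imposed_labels(mon)


if __name__ == "__main__":
    table = parse_forwarding_table(FORWARDING_TABLE)
    mon = parse_vpls_monitor(VPLS_MONITOR)
    stack = expected_label_stack(table, mon)
    print("expected", stack, "imposed", imposed_labels(mon), "match:", check_page_example())
    print(decode_label_stack(encode_label_stack(stack)))
```

The P router in the middle only ever touches the outer entry (swapping 58 for whatever the SRX advertised for its own loopback, or popping it on the last hop); the inner VC label is what lets the SRX map the frame to the right VPLS instance, which is why a wrong or stale remote-label leaves the circuit "up" at the LDP level but passing no customer traffic.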


That is essentially all.

PS: Apologies in advance for the length and the number of configs, but here, as they say, it is better to see a config once than to argue about theory.


Source: https://habr.com/ru/post/169103/

