
VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 5:45 pm
by alex_rhys-hurn
Hello,

According to the RouterOS Manual, under VLAN:
"As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges."

And according to 802.1Q, a VLAN ID is inserted in the Ethernet header between the Source MAC Address and Type fields, and this is 4 bytes.

THE DESIGN
The Design I am trying to achieve (see image) and notes below:

I wish to use VPLS (pseudowire) to interconnect two data centers. Each data center has a Cisco switch which has a number of VLANs. I wish to extend these VLANs to the other data center.
[Image: hq-dr-interconnect-vpls-detail.jpg]
The Cisco switches don't have the ability to handle MPLS/VPLS due to a licensing restriction.

THE QUESTION
My question is, will the dot1q VLAN IDs be passed through the bridges within the RB1200 MikroTiks?

Obviously the VPLS tunnel will be built with PW Type set to tagged Ethernet. I am NOT proposing to add the actual VLAN subinterfaces to the MikroTik ether1. I am hoping that the router will just pass the VLAN IDs straight through the bridge to the VPLS tunnel as a pure trunk.

Before anyone asks, I haven't built this yet, so I can't export configs. I am just looking to gurus who can comment on the specific question of MikroTik's ability to retain VLAN headers through the bridges.

Many thanks in advance for the advice. It's really appreciated.

Alex

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 6:04 pm
by tomaskir
It will work, however you will have to watch the MTUs, and make sure the infrastructure between your 2 1200s supports big enough MTUs.

All the VLANs will be transparently bridged over the ethernets and VPLS tunnels, no need to create any additional interfaces.
VPLS tunnel will need 1504 L2 MTU, which means you will need to carry 1526 byte frames on the leased line link if you want no fragmentation.

VPLS supports transparent fragmentation and re-assembly, however, I would advise avoiding fragmentation if you can.

But why do you even want to carry the data inside a VPLS tunnel, why not just bridge the VLANs straight onto the leased line link?

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 6:14 pm
by alex_rhys-hurn
Tomaskir,

Thanks so much for your quick reply and for taking the time to clarify MTU.

We use the VPLS tunnels a lot in another application without the tagged Ethernet PW Type, so we are familiar with the MTU issue. Our leased line provider gives us jumbo frame capability, and it's a pure Ethernet link.

You get karma for this.

Alex

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 6:19 pm
by alex_rhys-hurn
Just read about your question re bridging VLANs straight to leased line.

We have tried this before, and have also tried simply plugging the leased line Ethernet into the switch; this resulted in immediate phone calls from the service provider complaining about BPDU and other stuff.

They have subsequently written contracts that state that we MUST terminate on a router and must not have more than X number of MAC addresses showing via ARP.

Personally can't see what the issue is....

Alex

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 6:20 pm
by tomaskir
alex_rhys-hurn wrote:
> Just read about your question re bridging VLANs straight to leased line.
>
> We have tried this before, and have also tried simply plugging the leased line Ethernet into the switch; this resulted in immediate phone calls from the service provider complaining about BPDU and other stuff.
>
> They have subsequently written contracts that state that we MUST terminate on a router and must not have more than X number of MAC addresses showing via ARP.
>
> Personally can't see what the issue is....
>
> Alex

No issue, was just wondering what was the reason :)

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 6:43 pm
by alex_rhys-hurn
Just to finish off the discussion.

Do you have any thoughts towards encrypting the VPLS tunnel with IPSec?

Alex

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Mon Nov 25, 2013 7:53 pm
by tomaskir
That is not possible.

The VPLS tunnel itself cannot be encrypted, since in RouterOS, MPLS and VPLS traffic doesn't pass the L3 routing logic, where IPSec processes are placed.
MPLS handlers are located before IP Routing handlers, so the VPLS traffic never even gets to the routing engine (and IPSec engine).

And since you are just bridging VLANs inside of the VPLS tunnel, there is no way to encrypt/decrypt those either, since L2 processing is also done before the IPSec engine.

What you could do is build an EoIP tunnel, and encrypt the EoIP tunnel. Since EoIP is GRE, you can use IPSec in transport mode to encrypt it.

Here is the packet flow diagram, where you can see why you can't do any IPSec for VLANs inside VPLS:
http://forum.mikrotik.com/viewtopic.php?f=2&t=72736
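
The EoIP-with-IPsec alternative suggested in the post above, shown as an added example (it is not tomaskir's configuration and does not come from the thread). It assumes RouterOS 6.30 or later, where the EoIP interface has an `ipsec-secret` property; the addresses, tunnel ID, bridge name, interface names (ether1 as the trunk to the switch, ether2 as the leased-line uplink) and the secret are constructed placeholders.

```routeros
# Added example. Constructed values: 192.0.2.1 (HQ), 192.0.2.2 (DR),
# tunnel-id 100, bridge "br-trunk", ether1 = trunk to the Cisco switch,
# ether2 = leased-line uplink, and the placeholder pre-shared secret.

# --- HQ router ---
/interface eoip
add name=eoip-dr local-address=192.0.2.1 remote-address=192.0.2.2 \
    tunnel-id=100 allow-fast-path=no \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET"
/interface bridge
add name=br-trunk
/interface bridge port
add bridge=br-trunk interface=ether1
add bridge=br-trunk interface=eoip-dr

# --- DR router (mirror image of HQ) ---
/interface eoip
add name=eoip-hq local-address=192.0.2.2 remote-address=192.0.2.1 \
    tunnel-id=100 allow-fast-path=no \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET"
/interface bridge
add name=br-trunk
/interface bridge port
add bridge=br-trunk interface=ether1
add bridge=br-trunk interface=eoip-hq

# --- Checks, on either router ---
# A dynamic policy between the two tunnel endpoints should be listed.
/ip ipsec policy print
# ESP security associations should exist in both directions.
/ip ipsec installed-sa print
# On the uplink, no cleartext GRE should be visible while traffic flows;
# any GRE packets captured here mean the tunnel is not being encrypted.
/tool sniffer quick interface=ether2 ip-protocol=gre
```

Setting `ipsec-secret` makes the router create the IPsec peer and policy dynamically using its default IPsec settings, so review those defaults before relying on them. The EoIP and ESP headers add to the per-frame overhead, so the MTU caution from earlier in the thread applies here as well.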

Re: VPLS, Ethernet Trunk (VLAN trunk) and bridges

Posted: Wed Jul 30, 2014 3:45 pm
by chatur
Hi Alex,

Are you able to pass VLANs over VPLS transparently? I'm trying to do the same as you but no luck.

Chatur