Guys, we are looking to implement a new network using the attached design and was hoping to get some advice on configuration options and assistance with how to set it up. Forgive me if this is the wrong forum.
We are going to be terminating L2TP tunnels from our carrier which will deliver our DSL tails to our router directly. We then want to run multiple private networks with the ability to use overlapping subnets or the same subnet multiple times. I can find plenty of information about how to do this with MPLS but it all seems to revolve around having multiple routers in an MPLS network, however we only have 1 router which terminates the DSL tails and then needs to handle the routing. I thought VRF’s were what we needed, but just can’t seem to get my head around how it would all work in this scenario.
I would really appreciate it if somebody could have a look at this configuration and advise on the correct configuration to use on the Mikrotik core router. I know it could be done with EOIP and bridges, but it’s not scalable and really not the right way to do it.
I use a similar scenario, where my DSL clients L2TP into my core router and I create each one their unique VRFs on the MPLS network. If it's on one router, you don't need MPLS, just the VRF.
I have a problem where I lose my VRF interface from a dynamic L2TP client, so I make the L2TP client to the DSL client (in reverse). A bit uglier, but it works.
Would you have any sort of example you could show me or explain ?
With you losing your VRF interfaces, couldn't you just define an L2TP server interface for each DSL client terminating on your router?
Paul, you're a champion. Tested it now and it works, can't believe I overlooked it. Now I can use my RADIUS accounting as well. Bummer, now I have to redo all my clients.
I would suggest you look at the ip route vrf examples, also look at routing bgp instance vrf. Make sure you're on 3.25, as the previous version had invalid labels.
It's simpler than you think:
add the interface into a VRF with a unique RD
add the VRF to a BGP instance, make sure to redistribute-connected
you're good to go. If you want to extend it to an MPLS cloud, then you need to look at MP-BGP where you use vpnv4-route. I had a previous example on the forum with my config, it may help with some syntax. Make sure your BGP peers are your lobridge IP and not the WAN IP.
Once you go VRF you won't go back, you will want to call your future kids MPLS, VRF and BGP.
LOL, glad I could help, it’s often the simple things we overlook more often than not.
I have to learn how to do the VRF and BGP stuff, then all this will probably fall into place, unfortunately I have never done any advanced routing, so this is a baptism of fire for me, once I figure out how to do it I’m sure it will be plain sailing from there.
So when you say lobridge, you mean a loopback interface, yes?
So I receive the L2TP session into a L2TP server interface
I add that interface into a VRF (say VRF1)
Add the VRF into a BGP instance (somehow:-))
Make sure I have BGP redistribute set to on (I have seen this option)
Presto, all should be good, so the routing table is populated from whatever the client puts on their end, correct? I assume I have to enable BGP on the interface at the client router end using the same BGP instance ID?
On the client just route the remote network through the VPN and you're good to go.
Now when you extend your backbone (say wireless like mine) you need MPLS and lobridge and BGP peering to be able to add other clients into the same VRFs, but for now you don't need it.
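The single-router recipe described in this thread (static L2TP server interface per site, interface into a VRF with its own RD, VRF attached to the BGP instance with redistribute-connected, CE just routes the remote network through the tunnel), written out as an added example. This is not configuration from anyone in the thread; it assumes the RouterOS 3.x-era `/ip route vrf` and `/routing bgp instance vrf` menus, and every name, address, ASN and password below is made up. Two customers deliberately use the same 192.168.1.0/24 to show the overlap working.

```routeros
# PE/core router (RouterOS, assumed 3.x-era syntax). All names, the ASN and
# the addresses below are made up for this example.

# One static L2TP server interface per customer site, bound to a PPP user.
# Static (not dynamic) interfaces keep their VRF membership across reconnects.
/ppp secret
add name=cust1-siteA password=REPLACE_ME service=l2tp local-address=10.255.1.1 remote-address=10.255.1.2
add name=cust1-siteB password=REPLACE_ME service=l2tp local-address=10.255.1.1 remote-address=10.255.1.3
add name=cust2-siteA password=REPLACE_ME service=l2tp local-address=10.255.2.1 remote-address=10.255.2.2
/interface l2tp-server
add name=l2tp-cust1-a user=cust1-siteA
add name=l2tp-cust1-b user=cust1-siteB
add name=l2tp-cust2-a user=cust2-siteA
/interface l2tp-server server set enabled=yes

# One VRF per customer with a unique route distinguisher. Membership of the
# tunnel interfaces is what keeps each customer's 192.168.1.0/24 separate.
/ip route vrf
add routing-mark=cust1 route-distinguisher=65000:1 import-route-targets=65000:1 export-route-targets=65000:1 interfaces=l2tp-cust1-a,l2tp-cust1-b
add routing-mark=cust2 route-distinguisher=65000:2 import-route-targets=65000:2 export-route-targets=65000:2 interfaces=l2tp-cust2-a

# Routes to each site's LAN exist only in that customer's table, so the
# duplicate 192.168.1.0/24 prefixes never meet.
/ip route
add dst-address=192.168.1.0/24 gateway=l2tp-cust1-a routing-mark=cust1
add dst-address=192.168.2.0/24 gateway=l2tp-cust1-b routing-mark=cust1
add dst-address=192.168.1.0/24 gateway=l2tp-cust2-a routing-mark=cust2

# Attach each VRF to the BGP instance and redistribute what it holds.
# With a single router this only populates the VRF tables; it becomes the
# MP-BGP/vpnv4 hand-off if a second PE is added later.
/routing bgp instance set default as=65000 router-id=10.255.0.1
/routing bgp instance vrf
add instance=default routing-mark=cust1 redistribute-connected=yes redistribute-static=yes
add instance=default routing-mark=cust2 redistribute-connected=yes redistribute-static=yes

# Customer 1, site A router (CE, also RouterOS here): bring up the tunnel
# and point the other site's LAN at it. No BGP is needed on the CE.
/interface l2tp-client add name=l2tp-out1 connect-to=198.51.100.1 user=cust1-siteA password=REPLACE_ME disabled=no
/ip route add dst-address=192.168.2.0/24 gateway=l2tp-out1
```

Check it with `/ip route print where routing-mark=cust1` and the same for cust2: each table should show its own 192.168.1.0/24, and a ping from cust1 site A to 192.168.2.x should traverse the tunnel while cust2 has no path to it at all. Because the tunnel interfaces are defined statically, the VRF membership survives a PPP reconnect, which is the problem the dynamic-interface approach earlier in the thread ran into.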
Thanks for the suggestion on that, I have considered that but am not sure how I would handle the termination of the L2TP sessions to automatically go to the backup router, is there something obvious there which I should be doing which is straight forward as I would rather be running two routers for redundancy.
OK, I have got the VRF stuff working amazingly…
I have two subnets the same running through the same test core router and I can ping from end to end within the customer networks, so all is good there.
I ended up using OSPF. Whether that is the best way or not, it's what I learnt first, so I am using that to distribute the routes for the local networks on the CE routers back into the VRF routing tables.
How do I allow a customer to get out of their VRF and route out to the Internet for example ?
I realise I will have to use NAT for them, but I am bound to need to do this and should understand the concepts before doing any more I think.
Is anybody able to help with getting the customer out of their VRF to another gateway for Internet access?
Also, if I am terminating my DSL tails with an L2TP tunnel onto the router, how do you use dynamic interfaces for this so that they get added into the customer's VRF automatically?
I assume that you need to be able to do this to have redundancy for the termination of the DSL tails across MPLS and multiple routers, yes ?
Eising, in the first wiki, the line: “/ip route add routing-mark=cust-one gateway=10.0.0.1@main” is used but there is not an IP on the diagram showing that gateway address, rather the gateway is shown as 10.5.5.2 (loopback address ??).
Am I missing something obvious, or is that a typo?
Also, a question about loopback interfaces, I assume that you are only able to reach a loopback adapter when you are using OSPF or similar to distribute routes, is that correct ?
I am still to get my head around the loopback concept
Yes, I get your point. The first wiki wasn’t as excellent as I wanted it to be, but it shows the basic concept of leaking routes to the main table. There are several issues here that aren’t properly addressed, such as NAT.
I hate to tell you this, but I can only suggest that you experiment with these concepts in a lab, as many MPLS concepts essentially aren’t really documented yet.
I haven’t had the time to explore this topic myself, as it’s not very important to my own MPLS implementation. We tunnel all our internet traffic to a virtualised firewall, thus avoiding the need of doing MPLS NAT.
Essentially, you would want your internet gateway/PE router configured so that each customer has a subnet that doesn't overlap, so you can leak it and allow the return traffic. Most larger service providers use public addressing entirely in their infrastructure, but since IPv4 addressing has become sparse, it's not really scalable for us smaller ISPs.
Regarding your loopback question: A loopback interface is a software-only interface. In RouterOS it’s a bridge without physical interfaces and will therefore need to be redistributed via your routing protocol.
The primary argument for using loopbacks is to allow forwarding protocols to bind to an interface that never goes down, adding a little stability to your network. It's considered best practice to peer your IBGP routers using the loopback address, and distribute the information about the loopback addresses using an IGP such as static routing or OSPF.
By the way, I think that wiki article refers to a gateway not visible in the topology drawing that is the actual internet gateway used by the provider, so /ip route add routing-mark=cust-one gateway=10.0.0.1@main refers to 10.0.0.1 which is also the default gateway of the internet-pe.
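One way to get a customer out of its VRF to the Internet, covering both the question asked earlier in the thread and the `gateway=10.0.0.1@main` route-leak line from the wiki just discussed. This is an added example, not the wiki's or anyone in the thread's configuration; it assumes the cust1 VRF already exists with member interfaces l2tp-cust1-a and l2tp-cust1-b, that ether1 is the provider-facing interface, and that 10.0.0.1 is the PE's default gateway in the main table. Because the customer subnets overlap, the return path is handled with connection marks rather than by leaking customer prefixes into main; that design choice is mine, not from the thread.

```routeros
# PE router, RouterOS 3.x-era syntax assumed. cust1 is the VRF already
# created for customer 1 (members l2tp-cust1-a, l2tp-cust1-b), ether1 is the
# provider-facing WAN interface and 10.0.0.1 its next hop in the main table.
# All names and addresses are made up for this example.

# 1. Leak only a default route from the VRF into the main table. "@main"
#    tells RouterOS which table to resolve the next hop in; no customer
#    prefix is leaked the other way, so customers stay isolated.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1@main routing-mark=cust1

# 2. Tag each new connection with the VRF it entered from, one rule per
#    site interface, so the origin survives NAT.
/ip firewall mangle
add chain=prerouting in-interface=l2tp-cust1-a connection-state=new action=mark-connection new-connection-mark=cust1-conn passthrough=yes
add chain=prerouting in-interface=l2tp-cust1-b connection-state=new action=mark-connection new-connection-mark=cust1-conn passthrough=yes

# 3. Replies from the Internet carry no VRF context, and the main table has
#    no (unambiguous) route for the overlapping 192.168.1.0/24, so send them
#    back into the cust1 table by connection mark after de-NAT.
add chain=prerouting in-interface=ether1 connection-mark=cust1-conn action=mark-routing new-routing-mark=cust1 passthrough=no

# 4. Source NAT only this VRF's connections as they leave the WAN interface.
/ip firewall nat
add chain=srcnat connection-mark=cust1-conn out-interface=ether1 action=masquerade
```

Repeat the four steps for each VRF with its own connection mark (cust2-conn, and so on). Verify with `/ip firewall connection print` from a customer host browsing out: the entry should carry cust1-conn, and `/ip route print where routing-mark=cust1` should show the leaked 0.0.0.0/0 as active. One caveat a practitioner should know: connection tracking keys on the addresses and ports alone, so two customers whose overlapping hosts happen to open an identical 5-tuple to the same destination would collide in the tracking table. That is rare with ephemeral ports, but it is why non-overlapping per-customer addressing on the Internet PE, as suggested above, is the cleaner design.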
So in my case I need overlapping networks on the network, hence the requirements for VRF’s, so would a source-nat rule allow you to define the source routing mark or something to help with the NAT process ?
I was wondering if you have had any luck with this so far?
I’m starting to see a need for this in the network I’m building, so if you have had any luck so far, I’d like to hear about it!
Hi, yes I have the VRFs working with OSPF doing the route propagation, however I haven't had the chance to go back to the Internet access part as yet.
Unfortunately though I have learned that the Mikrotik L2TP implementation can’t terminate L2TP tunnels from my DSL provider as it doesn’t support being a LNS which is a shame. Most of the work I have now done is useless but I will probably keep the lab together and try and get this internet piece working though.