Hello! Please help with your opinion…
I love MK and have used it in many places, but all projects were small scale!
Now I have a chance to plan a city network and slowly build it. (Main office, ~20 different branch departments, schools, etc.)
No talks about budget at present.
Companies who want to take part in it - all say: Mikrotik is not an option - need to go with products from HP ARUBA, Ruckus, FortiNet, PaloAlto, CISCO, JUNIPER - these are INDUSTRY STANDARTS!
I ask why - Mikrotik is not safe, not stable, hardware is not good quality, updates are buggy… and so on!
One argument I agree with - Mikrotik doesn't have DPI, which is nice on a gateway…
I want to hear opinion/experience from the MK community - do I need to go with Industry standart and plan a lot of money, which I think I will never get, or go with MK and not mind about INDUSTRY STANDART and ask for a reasonable amount of $$$
Does MK have so many problems when used in big scale? Your experience?
Thanks!
What’s a standart?
First start with the requirements. What does the SLA look like? Who is going to maintain the solution? Installation? Budget?
Choosing hardware is like one of the last steps to perform.
I assume you are referring to industry standards!?
“Industry standarts” - in this case I mean the mainstream high end devices!
Yes, I mean industry standarts!
Without details - My main question is - do I even think about Mikrotik as my network backbone, gateway, WiFi..! And why are so many IT companies not even advising to think about MK? Is it objective or just marketing? My goal is a basic secure network with some more secure zones, stable (the main thing I think)... this is not a question with many details...
Thanks!
why so many IT companies are not even advising to think about MK
I don’t know why you think that, maybe you had bad experience with a specific company that is very stuck in the past.
Just think about the fact, that MikroTik is one of the largest companies in Latvia and is exporting the high end models to nearly all countries in the world. Even Google offices use MikroTik CCR devices for their office networks. Even SpaceX uses MikroTik devices.
Don’t get stuck in the past
I don’t think he is the one stuck in the past, rather the “IT companies” (more like Cisco resellers), which prefer to charge 10.000€ for a Cisco that does 1/10 of what a MikroTik will do at 1/10 the price.
To me, it’s just ignorance and many times arrogance.
For any government bureaucracy and especially in the IT world the number one concern is Timely SUPPORT…price…and…Timely SUPPORT.
From a Features/Capability and SUPPORT Perspective === MikroTik cannot compete in the league of HP ARUBA, Ruckus, FortiNet, PaloAlto, CISCO, JUNIPER or Ubiquiti [wireless] … MikroTik can compete on certain functionality and PRICE but NOT on SUPPORT.
So IF YOU can provide that timely support plus provide the functional capability needed using MikroTik +[other brands for wireless] in that government bureaucracy YOU will win on PRICE. Timely support means that you have the financial resources to replace equipment on demand to maintain UP-TIME etc.
I don’t, my partner companies think that! As I mentioned I LOVE MT and previously worked only with your products since 2007… (but in small scale up to ~80 devices and maybe the security level was not my first priority), but now I accepted to run one city council IT department (In Latvia ~20k inhabitants) and our partners are very skeptical… that's why I need some other opinion to fight back… I need to provide some arguments for that…
Normis you mentioned Google office, SpaceX - but it is just one or a few devices in some other brand's backbone network! But is there some quite big network which is based on Mikrotik that you can think of?
Thanks!
Hi OnixJonix,
I can imagine what situation you are in and why it is so hard to come up with usable arguments.
Depending on your customer you have to be aware that when setting up a whole new infrastructure, the availability is key. It is key right from the first moment. Once your service becomes shaky, you have lost your reputation and you have close to no chance to get back in business. That is a matter of fact. Reliability counts.
That said, you have to see if your future hardware supplier has a track record and offers the right service and is capable of immediately jumping on a problem. Usually this is a costly supplier capability and you can find a good portion of this in the hardware and license cost. At the same time, hardware is an investment. This investment you want to do on a company that has a good future and feature oriented timeline. If this timeline does not exist, the hardware investment is on a big question. Why would you spend money on something outdated already tomorrow?
If you look at Mtik, you may find some limitations on which Mtik could potentially grow in future. It could easily be that Mtik is taken into account for non mission critical parts of the infrastructure, but as not the right partner for your crown jewels.
So the answer is in the details and not in a single fact. Marketing, market perception and reputation development are quite important factors.
Possible quick verdict: Okay for some supplementary service like a campus wifi at university but maybe not as a core component for your highly profitable core infrastructure.
BR
Uwe
u can do anything with mikrotik
As stated if you are providing support the efficiency of cost of MT will allow you to build in redundancy into a system (such that service is not interrupted), or spares are readily at hand and can be manually inserted quickly with minimal down time. (Concurrent Router device providing HA functionality, or sitting on a shelf already programmed ready to go). Key components must have replacement ready to go. Finally, have a mini-lab setup so that programming and testing can occur without interrupting the working network. Yes more devices than strictly needed but with the price performance ratio, you have that advantage. If you are not on-site or providing near real time support (physically) not sure if this is the right path.
This is probably 95% of the issue. I have government clients who purchase high end gear, then pay 25-50% of the purchase price for 24x7x4 hour on site support contracts. I point out that they could have plenty of spares on hand and fully stock a lab environment to boot, and they will be able to fix any failed gear or correct any issues faster than support will most of the time. However, government tends to be a big ship that turns very slowly. And you actually have to have the expertise either on staff or nearby to be able to resolve any issues in the same time-frame as the companies.
The other 4% of the issue is likely your vendors' experience (or Google search experience) with Mikrotik. Mikrotik updates firmware often and it is very easy to update. When bugs are discovered (which are usually actually simple misconfigurations instead), you see a lot of forum posts about it. However, this completely conflicts with how most government (and private) organizations do updates on network gear. Most only do updates periodically, during service windows, and often test in the lab prior to doing updates. If a validation and planning process is followed, with a valid reversion plan just in case, then Mikrotik is perfectly suitable for most environments.
“Industry standard” does not exist. That is what your vendors say when they don’t know how to make their own case. You should ask them for the RFC or other standards documentation that says HP, Cisco, Juniper, etc are “industry standard.” Then move on to vendors that actually know what they’re doing.
I second what is said here.
Industry standard is a super weak argument of those that don’t know better.
For Mtik you have to take care about much more but you pay much less initially.
Just think about what you would need to build a console like Panorama for Mikrotik. Yes, you can blow it up to a certain extent and there are tools to help you. For example the dude environment.
On the other hand you have sometimes hard limits in functionality. You simply can’t control in Mtik, who is allowed to post in F*book and who shall only read. Or at least not out of the box. That continues with many protocols of industrial control systems. Just to give some examples. That application layer is not yet covered in filtering capabilities. If it goes beyond Protocol&Port, dest/orig, state then it becomes very shallow.
Even running a filter proxy for malware domains costs a fortune in CPU cycles. Memory limits can easily be reached. Try the attached file as an example but make sure you know how to handle the filters first!
BR
Uwe
access.rsc (3.54 MB)
Many enterprises are obsessed with 24x7 support from the vendor. If it can’t be delivered, the vendor is simply out.
Many enterprises will require an umbrella system of some kind. Like Cisco Prime, Juniper Space etc. DUDE is a joke.
It’s also important to have long-lived product lines, like the Cisco Catalyst-series and so on. Mikrotik does not.
Agreed, and I don’t think a router should be expected to incorporate this functionality. I think it ends up asking 1 device to do too much, and complicates administration and management. I prefer standalone devices for packet-inspection functionality where required.
For me this is a question about support and what is the outfall of an outage.
So if it is an office network and there is some problem with the network, is that a large incident or is that an inconvenience?
Where I work we have networks where we can use MT equipment without issues if we would like to get good equipment for a fair price.
However some stuff we have is far more important and I’m not saying that MT is not good enough but support is. SmartNet from Cisco is state of the art and we had an important core router that had a hardware failure switched within 4 hours.
I cannot remember all the times I have met customers that say we need a 24/7 network in the office. I then ask what happens if the network were to go down.
Many times I get the answer that it’s not an issue as they can use 4G for meetings and the only thing they cannot do is print.
So I would say that everyone needs to do an analysis of what their needs are and buy accordingly and per usual the answer will be it depends
Also operational competency needs to be part of the equation as well.
Since we run the largest MikroTik consulting firm in the world, I have some thoughts on this
We have used MikroTik in very large environments for enterprise, data center and ISPs around the world. Like any other piece of network equipment, you have to understand how to design and deploy it.
One of my favorite stories to tell about using MikroTik in critical environments is for a large publicly traded enterprise in the US. The company at the time (~2017) was worth about 19 billion dollars in the US and had data centers around the world.
I was the Network Architect in charge of designing the company’s new flagship Data Center in New York. Originally, the DC was supposed to use 4 Cisco ASR1006-X routers (2 for IP Transit and 2 for aggregation of MPLS L3VPN circuits - I think it was approximately $200,000 USD worth of gear ), we found out that Cisco was delayed on their shipping timelines by 8 weeks and would not have routers for the data center.
Because they had been using MikroTik in non-critical roles, I suggested that we use (4) CCR1036-8G-2S+ since they met the following requirements:
- 1 Gbps of throughput per router for IP Transit
- 1 Gbps of throughput per router for MPLS L3VPN circuits from Verizon
- BGP and BGP Communities
- OSPF
- QoS with DSCP for corp voice and video
The company resisted, but since Cisco had no solution and we could not bring the DC online in time, they agreed to have 4 x CCR1036 shipped to the DC in Manhattan so I could install them and bring the DC online. The company expected to have these online only for a few weeks until the Cisco equipment came in. We brought everything online successfully.
As is often the case in big companies they moved onto other things since the DC was working well. About a year later, someone asked if we even needed $200K worth of Cisco routers since the MikroTik routers had been running the DC successfully for a year.
And the answer was no
Here is a list of what that DC was used for:
- Corp HQ connectivity to the Internet for about 4000 employees across NYC
- Exchange connectivity for roughly 30k employees in North America
- Application connectivity for over 1000 branch locations in North America
- Main DCI connection point to DCs in Europe
And that all ran on $5000 USD worth of routers
This DC ran on CCRs for a total of 2 years until they realized Cisco wouldn’t refund their money and they were forced to use the ASR1006-X routers.
It simply depends on what to do.
If you need wirespeed routing/switching with QoS (honoring 802.1p or DSCP) then Mikrotik is a real PITA.
Also common things like Stacking, MCLAG, proper galvanic isolated PoE-at or VRRP-Grouping simply aren’t possible/available.
If you have an oversized Mikrotik for some minor throughput, it may work quite well. A CCR1009 starts to drop packets at 500Mbps with only a handful of firewall rules. This simply is disappointing.
I think, that Mikrotik is overly complicated in a lot of things.
For example Layer-2 configuration:
- subinterfaces plus bridges
- vlan filtering within the bridge
- vlan-handling on the switch itself
This is very annoying. No other vendor forces you to learn three ways to do simple VLAN stuff.
But for some swiss army knife stuff Mikrotik is really nice, because the configuration is quite flexible.
You don’t know why to use the “industry standards”? Look at money. They are not superoverpriced by coincidence. There needs to be a spare budget for bribes to the politicians.
You are not going to sell some boxes. The way how you do it should not be important if you guarantee the required quality. You are going to provide a service so think about like this.