Hello Everyone:
I run a small AS with a handful of BGP peers, and internally OSPF, MPLS/LDP, L3VPN and VPLS. Some of the (MPLS-) links are GREs or L2TP, with IPsec. No BFD so far. Hardware is a mix of physical devices, and CHR instances. On ROS 6.49.x the setup is rock stable - for example some BGP sessions via VPLS have uptimes of a year (resp. since the last ROS update..)
Question: Is 7.12 now ready for use in such a network? I understand there are still BGP limitations (number of prefixes received from peer), but beyond inconveniences, are we at the point where ROS V7 is stable and reliable for such a setup??
Thanks –
As everyone should do - set up a testing environment using CHR and GNS3 - you should be able to test your desired config and conduct failover/stability testing.
Thanks joegoldman - that would then be exactly the next step. Takes 2-3 days of work though, that is why I ask here first.
I may be doing something wrong (configuration wise) but alas. This is my experience: I have a wifi link (ax, wifi6) between two AX3, and over this link I run an MPLS/VPLS link.
The Wifi link is unstable - it sometimes freezes for no reason and does not reconnect unless something is done to it like switching its direction (set the ap to station and the station to ap).
When the link returns the MPLS reconnects 100% of the time without issues.
But the VPLS does not reconnect automatically. I am not sure if it times out, or it tries to connect too fast and goes into passive mode, or what is going on. But frequently enough whenever the link does fail VPLS will fail to reconnect. The foolproof way to make it reconnect is to disable-enable the VPLS on both devices. Even though sometimes just doing this on one of the sides is enough.
This has happened for me in all versions of ROS7 up to 7.11.2.
I currently have version 7.12.1 installed and I am waiting for the link to fail to see if VPLS reconnects or not.
We have 7.12 running on border and core routers in a few of our main datacenters (probably about 5-8GB) traffic. Running OSPF and BGP and using a mix of 2216 and 2100 routers. It’s been solid over the last 3 months. I haven’t been brave enough to try hardware offload yet. But that will be our plan as the firmware matures. Also, we aren’t doing much with VPLS. But I’ve heard of issues with VPLS and hardware offload when running high traffic.
There is hardware offload support for label switching in RouterOS for now.
There is no hardware MPLS support in RouterOS v7 at this point.
There is however a FastPath MPLS module that will bypass the Linux Kernel for P routers and provide higher performance.
It’s strange, isn’t it? The Marvell ASICs that MikroTik uses support MPLS/VXLAN/EVPN in hardware, but MikroTik decided it was a terrible idea to support these three on the ASICs.
Hate to tell you, but your “inside source” is not trustworthy.
Wow, that’s good news, but the million dollar question is when this is going to see the light of day.
Most of the Chinese cheapo switches nowadays support this, like Ruijie/Maipu et al. Please add Q-in-Q in hardware in the pipeline please
I am pretty sure it’s just a case of “Good things take time” rather than any decision not to support them.
Ha, what inside source? The last company, I’d want an “inside source” from is MikroTik. I was poking sarcasm at the obvious fact that MikroTik ROSv7 has been a mess, and you’re all very slow in bringing the hardware offloading that your hardware actually supports, to the table. But there’s a lot of focus on containers, storage features etc. But where’s EVPN/MPLS/VXLAN on the ASICs? Nope, nothing, nada, only unicorns and rainbow.
Explain to me, how Cumulus, SONiC, OcNOS support hardware offloading for most of this stuff in 2023 and MikroTik (a company that started in 1996), doesn’t?
Heck MikroTik’s own (potentially) largest partner IPArchitechs have been touting OcNOS in the public domain:
https://iparchitechs.com/ecosystem/ipinfusion/
Each of those OS is quite focused on service providers and cloud providers… RouterOS is a universal networking operating system trying to meet the needs of customers from home users through SMBs right up into enterprise and ISPs.
Also, can they provide all of the functionality of RouterOS at under 20 watts DC?
IPArchitechs are an independent consulting company, they can use/sell/promote whatever they want. Right tool for the job, Horses for courses
Hm, maybe some participants here should start their own networking equipment company, if they know so much better? Good luck.
Meanwhile, MT will continue to deliver a surprisingly robust and versatile platform.
Is anyone running a production network with MPLS/LDP and VPLS already under 7.12? MT testlab ???
thx! a.
I think this would be a much better idea than antagonizing Mikrotik and its customers.
I have quite a complex test lab running and it is stable. However, my main focus has been on RSVP-TE and VPNv4
I tried VPLS between RB951G-2HnD and cAP AC, it works but every 5-10 minutes the RB951G-2HnD had a kernel failure and rebooted. Between two reboots I can reach bridged devices through VPLS, but it would be better to raise this time to infinity.
Is there any known issue with MIPSBE and LDP/VPLS?
PS: I tried with 7.13beta3, and no problems with EoIPv6 tunnel.
Don't use MPLS VPN4 in ROS 7 because your CPE will be completely open to the remote side of the tunnel.
The firewall fails to detect the inbound interface and marks it as unknown, and if you filter something using:
add action=drop chain=input in-interface=
traffic will reach your CPE without any limitation.
This firewall rule will not work. The same will happen with forward. The Mikrotik firewall on the PE is just blind to transit VPN4 traffic.
VPN4 in ROS 7 is completely not secure due to the blindness of the firewall. The bug was reported to mkt and confirmed, but they prefer to fix docker containers.
Is this ChatGPT? What the hell are you talking about? An ISP should never put any kind of data plane firewall in an MPLS core. MPLS core P and PE routers only have firewall rules for the control plane of the P and PE routers. What dumb approach is this?
CE devices should have localised firewall as any other normal CE router in the world. The CE doesn’t run MPLS, you either sell L3VPN or L2VPN services to the CE, the CE only either sends a tagged/untagged VLAN or it configures a direct IP addressing on the port connected to the PE.
Most probably you are the ChatGPT guy and do not understand how VPN4 MPLS works. I suggest you first learn what a PE router is in MPLS VPN. Have a nice day. Please don't answer me.
PS: Most probably I confused things with the example firewall rule: it has to be not the MPLS interface which looks toward the core, it has to be the VRF interface which looks toward the CE.