volga629
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2013 6:21 am

BGP VPLS

Tue Jan 12, 2016 6:09 am

Hello Everyone,
I have installed 2 routers, each in a remote location, with WAN interfaces in different subnets. I am trying to connect BGP address-families=l2vpn to propagate routes and VPLS. BGP establishes the connection, but no routes are coming up. Also, the VPLS interface is set inactive.

Any help, thank you.

[volga629@canlrt03] > /routing bgp peer print status 
Flags: X - disabled, E - established 
 0 E name="nl-peer01" instance=default remote-address=second router public ip remote-as=65524 tcp-md5-key="" nexthop-choice=default 
     multihop=no route-reflect=no hold-time=3m ttl=255 in-filter="" out-filter="" address-families=l2vpn 
     default-originate=never remove-private-as=no as-override=no passive=no use-bfd=no remote-id=ip addr of loop back
     local-address=158.69.151.91 uptime=42m12s prefix-count=0 updates-sent=1 updates-received=1 withdrawn-sent=0 
     withdrawn-received=0 remote-hold-time=3m used-hold-time=3m used-keepalive-time=1m refresh-capability=yes 
     as4-capability=yes state=established 

 
mrz
MikroTik Support
Posts: 7055
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BGP VPLS

Tue Jan 12, 2016 12:14 pm

BGP does not propagate any ipv4 routes when address family is set to l2vpn.

For BGP VPLS to come up you need a working label distribution protocol along the path (LDP or RSVP).
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 4:52 pm

Thank you for the reply.
I configured LDP with each side's public IP as lsr-id, but it is not completing negotiations, because the 2 ends are in different subnet ranges. Does this make sense?
 
mrz

Re: BGP VPLS

Tue Jan 12, 2016 4:57 pm

Please follow this configuration example to set up LDP
http://wiki.mikrotik.com/wiki/Manual:MPLSVPLS

And then to set up BGP VPLS
http://wiki.mikrotik.com/wiki/Manual:BGP_based_VPLS
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: BGP VPLS

Tue Jan 12, 2016 5:15 pm

> Thank you for the reply.
> I configured LDP with each side's public IP as lsr-id, but it is not completing negotiations, because the 2 ends are in different subnet ranges. Does this make sense?

Make sure you set the LSR ID = the router's loopback IP in each router, and that the loopback IP addresses of all routers are visible in OSPF.
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 5:56 pm

I just verified my setup and everything looks exactly as you described. I tried to bring up TE, but it is not working either. What log can I enable?
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 6:00 pm

Here are the TE settings.

Both IPs are the loopbacks of each end, where on OSPF redistribute connected is set to as-type 1

[volga629@canlrt04] /interface traffic-eng> print value-list 
                            name: te1
                             mtu: 1500
           disable-running-check: no
                    from-address: 10.2.254.1
                      to-address: 10.1.254.1
                       bandwidth: 1kbps
                    primary-path: dyn
                 secondary-paths: 
          primary-retry-interval: 1m
                    record-route: yes
                 bandwidth-limit: disabled
            auto-bandwidth-range: 0bps
          auto-bandwidth-reserve: 0%
     auto-bandwidth-avg-interval: 5m
  auto-bandwidth-update-interval: 1h

OSPF
[volga629@canlrt04] /interface traffic-eng> /routing ospf lsa print 
AREA                                                    TYPE         ID             ORIGINATOR     SEQUENCE-NUMBER        AGE
backbone                                                router       10.2.254.1     10.2.254.1          0x80000002        654
backbone                                                opaque-area  1.0.0.0        10.2.254.1          0x80000001        659
external                                                as-external  10.2.254.1     10.2.254.1          0x80000001        659
external                                                as-external  my public ip 10.2.254.1          0x80000001        659
 
ZeroByte

Re: BGP VPLS

Tue Jan 12, 2016 6:22 pm

I didn't notice 10.1.254.1/32 in your OSPF LSA printout - so make sure that the remote router is also properly configured.

> Both IPs are the loopbacks of each end, where on OSPF redistribute connected is set to as-type 1

Get out of this habit now.

Routing protocols treat redistributed routes differently than they treat native-to-the-protocol routes. Make sure that all of your loopback interfaces' IP addresses have corresponding OSPF networks that properly add them into your OSPF "cloud."

There is a time and a place to redistribute a route into a protocol, but this is only for situations where the destination cannot be included in your protocol for technical reasons (the destination router doesn't support OSPF) or for administrative reasons (the destination router belongs to another organization), and not just the fact that it's easy to turn on "redistribute connected" to fire-and-forget it.

If you want the 'proper' "fire and forget" ospf configuration - set the default OSPF interface state to be passive, and specify network=0.0.0.0/0 area=router's area, and then manually specify interfaces as active where you want them to form adjacencies.
/routing ospf interface
add network-type=broadcast passive=yes
add interface=ether4 network-type=broadcast
/routing ospf network
add area=backbone network=0.0.0.0/0
I'd recommend that even if you do this, then the "adjacency" interfaces should be covered by their own network statements, just so that if you ever need to remove the blanket statement, you won't break OSPF.....
add area=backbone network=10.2.254.1/32
add area=backbone network=10.2.3.0/30
etc....
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 6:46 pm

Interesting: if I set the BGP update-source to the loopback interface, it sits in connect state and never gets established; only my WAN interface works.
 
ZeroByte

Re: BGP VPLS

Tue Jan 12, 2016 7:41 pm

> Interesting: if I set the BGP update-source to the loopback interface, it sits in connect state and never gets established; only my WAN interface works.

Both ends should use each other's loopback addresses for iBGP, both as the source and as the destination.
If you're using an interface IP now, and one side switches to source=loopback, then the other side needs to update the remote's IP as well.

If you just change the source on R1, then R2 is going to start seeing iBGP requests from an "unknown peer"

(eBGP of course should use the IP of the interface between itself and the neighboring router)


But just to make sure this is the problem, and not a routing issue, try to ping R1 loop IP from R2, with R2's loop IP as the source IP. If this ping test fails, then you have some other issue (vrf, firewall filters, nat, etc, missing routes, etc)
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 9:26 pm

In my case I think it will not work, because both routers on the WAN side are in different networks. So I will need to run something like a GRE tunnel to reach each loopback. Or something else which I don't know about.


My setup.

IP address of WAN-eth1 assigned by each ISP.

Router 1 WAN-eth1 -----> ISP 1 ----INTERNET ---ISP2 ----WAN-eth1 Router2
 
ZeroByte

Re: BGP VPLS

Tue Jan 12, 2016 9:32 pm

Yes - you cannot run MPLS across the Internet without some sort of tunneling protocol such as GRE.

That sure was an important detail. ;)

> I have installed 2 routers, each in a remote location, with WAN interfaces in different subnets.

I don't know about other readers but when I read this, it means "two different locations, but with my own internal connectivity between them" - just because of the fact that we're talking about MPLS and iBGP.

Your MTU is going to be low - be sure that your PE routers are able to adjust TCP MSS, or make sure that ICMP isn't dropped inside of your network for PMTUD functionality - if you don't do one of these, your CPU utilization is going to increase a lot if you have high bandwidth and the routers are forced to do fragmentation.
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 10:22 pm

I got a working case with an ipip tunnel: BGP comes up and the VPLS link comes up too, but from the LAN server IP I can't ping the other end; the same server says UNREACHABLE

[volga629@canlrt03] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                                     BRIDGE                                     PRIORITY  PATH-COST    HORIZON
 0    LAN-eth1                                      LAN-lo0                                        0x80         10       none
 1  D vpls8                                         LAN-lo0                                        0x80         50          1
 
ZeroByte

Re: BGP VPLS

Tue Jan 12, 2016 10:44 pm

You should make a specific bridge for the VPLS to use, and not the lo0 bridge.

Out of curiosity - have you tried a simple EoIP tunnel between these two sites?

Are you trying to set this up so that you can use MPLS to sell layer2 vpn services to customers, or just to connect your sites together? This is a pretty involved topic if you're just needing to bridge two sites together across the Internet.....

Of course your next concern is security - remember that this traffic is going to be going un-encrypted across the public Internet....
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 11:19 pm

I have 5 sites to connect together. I am trying to get at least 2 sites working for right now. Encryption will be done at the application layer. Still doing some troubleshooting; one side of the VPLS is not established correctly, might be a firewall issue.
 
volga629

Re: BGP VPLS

Tue Jan 12, 2016 11:22 pm

I see this in the drop log:
input: in:ipip-tun01 out:(none), proto UDP, ipip_tunnel_ip:646->224.0.0.2:646, len 62
 
ZeroByte

Re: BGP VPLS

Tue Jan 12, 2016 11:30 pm

> I see this in the drop log:
> input: in:ipip-tun01 out:(none), proto UDP, ipip_tunnel_ip:646->224.0.0.2:646, len 62

This is an OSPF hello.
(224.0.0.2 is the multicast group for "all OSPF routers on the local link")
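
UDP port 646 sent to 224.0.0.2 is the pattern LDP uses for its link hellos (RFC 5036), and LDP sessions and BGP run over TCP 646 and TCP 179, so input-chain drops of this traffic are worth counting when MPLS or VPLS will not come up. The following is an added example, not code from the thread: it parses drop-log lines in the format quoted above and tallies dropped LDP and BGP packets per interface. Every sample line except the quoted one is constructed, and the log is assumed to contain only dropped packets.

```python
import re
from collections import Counter

ALL_ROUTERS = "224.0.0.2"        # link-local "all routers" multicast group
LDP_PORT, BGP_PORT = 646, 179    # RFC 5036 (LDP), RFC 4271 (BGP)

# Layout as shown in the thread:
# <chain>: in:<if> out:<if>, proto <P>[ (flags)], <src>:<sp>-><dst>:<dp>, len <n>
LINE_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[^:\s]+):(?P<sport>\d+)->(?P<dst>[^:\s]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)


def classify(line):
    """Return chain, in-interface and control-plane kind, or None if unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ports = {int(m["sport"]), int(m["dport"])}
    if m["proto"] == "UDP" and LDP_PORT in ports:
        # Multicast hello = basic discovery; unicast hello = targeted LDP.
        kind = "ldp-hello" if m["dst"] == ALL_ROUTERS else "ldp-targeted-hello"
    elif m["proto"] == "TCP" and LDP_PORT in ports:
        kind = "ldp-session"
    elif m["proto"] == "TCP" and BGP_PORT in ports:
        kind = "bgp"
    else:
        kind = "other"
    return {"chain": m["chain"], "in": m["in_if"], "kind": kind}


def dropped_control_plane(lines):
    """Count dropped control-plane packets per (in-interface, kind)."""
    hits = Counter()
    for line in lines:
        rec = classify(line)
        if rec and rec["chain"] == "input" and rec["kind"] != "other":
            hits[(rec["in"], rec["kind"])] += 1
    return hits


SAMPLE = [  # first line is quoted from the thread; the rest are constructed
    "input: in:ipip-tun01 out:(none), proto UDP, ipip_tunnel_ip:646->224.0.0.2:646, len 62",
    "input: in:ipip-tun01 out:(none), proto UDP, ipip_tunnel_ip:646->224.0.0.2:646, len 62",
    "input: in:ipip-tun01 out:(none), proto TCP (SYN), 10.90.34.2:41000->10.90.34.1:646, len 60",
    "input: in:WAN-eth1 out:(none), proto TCP (SYN), 192.0.2.10:51515->192.0.2.20:179, len 60",
    "input: in:WAN-eth1 out:(none), proto UDP, 192.0.2.99:5353->192.0.2.20:53, len 70",
]

if __name__ == "__main__":
    for (iface, kind), n in sorted(dropped_control_plane(SAMPLE).items()):
        print(f"{iface}: {n} dropped {kind} packet(s)")
```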
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 12:01 am

Yes, this is unrelated to the topic.

One side of the VPLS shows up and the other does not

[volga629@canlrt03] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                                     BRIDGE                                     PRIORITY  PATH-COST    HORIZON
 0    LAN-eth1                                      LAN-lo0                                        0x80         10       none
 1  D vpls9                                         LAN-lo0                                        0x80         50          1

[volga629@canlrt04] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                                     BRIDGE                                     PRIORITY  PATH-COST    HORIZON
 0    LAN-eth1                                      LAN-lo0                                        0x80         10       none
 1 ID vpls12                                        LAN-lo0                                        0x80         50          1
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 2:04 am

I found the issue with the firewall, but I think the MPLS binding is not completing properly. I don't see an out label on AD
[volga629@canlrt03] /interface vpls>  /mpls remote-bindings print
Flags: X - disabled, A - active, D - dynamic 
 #    DST-ADDRESS        NEXTHOP         LABEL                                                     PEER                      
 0  D 10.1.254.1/32                                  33                                                        10.2.254.1:0                         
 1 AD 10.2.254.1/32      10.90.34.2         impl-null                                                 10.2.254.1:0          
[volga629@canlrt04] /interface vpls>  /mpls remote-bindings print                      
Flags: X - disabled, A - active, D - dynamic 
 #    DST-ADDRESS        NEXTHOP         LABEL                                                     PEER                      
 0  D  local_subnet                                       impl-null                                                 10.1.254.1:0              
 1  D 10.2.254.1/32                                      32                                                        10.1.254.1:0                         
 2 AD 10.1.254.1/32      10.90.34.1          impl-null                                                 10.1.254.1:0              
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 2:01 pm

After some troubleshooting, I don't see why the label always gets null-exp 0.
 
ZeroByte

Re: BGP VPLS

Wed Jan 13, 2016 5:35 pm

I recommend that you just use a simple EoIP tunnel to each site from the hub site. All of your traffic is going to have to flow through the hub site anyway, so VPLS isn't helping you achieve anything fancy here.

If you're building a full mesh of tunnels, then vpls isn't helping ease administrative burden, but in fact adds unnecessary extra complexity.

Either way, you should just use EoIP tunnels.
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 6:18 pm

Thank you for the reply. I will try your recommendation today. What is the performance like if I terminate 3 or 4 ipip tunnels on each device with EoIP?
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 7:01 pm

I guess with EoIP there is no need for ipip.
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 7:53 pm

I set up EoIP secured with IPsec. I did a speed test with and without IPsec, and with IPsec I am getting 40Mb/s less than without, which is a significant difference.

Without IPsec
[volga629@ws01 ~]$ sudo iperf -s -p 2000
------------------------------------------------------------
Server listening on TCP port 2000
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local my_lan_ws01 port 2000 connected with my_lan_ws02 port 60934
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-12.9 sec   348 MBytes   227 Mbits/sec
[  5] local my_lan_ws01 port 2000 connected with my_lan_ws02 port 60936
[  5]  0.0-20.1 sec   420 MBytes   176 Mbits/sec
[  4] local my_lan_ws01 port 2000 connected with my_lan_ws02 port 60938
[  4]  0.0-10.1 sec   220 MBytes   182 Mbits/sec

With IPsec
[volga629@ws01 ~]$ sudo iperf -s -p 2000
------------------------------------------------------------
Server listening on TCP port 2000
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local my_lan_ws01 port 2000 connected with my_lan_ws02 port 32780
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.2 sec   164 MBytes   135 Mbits/sec
[  5] local my_lan_ws01 port 2000 connected with my_lan_ws02 port 32782
[  5]  0.0-20.1 sec   300 MBytes   125 Mbits/sec
 
ZeroByte

Re: BGP VPLS

Wed Jan 13, 2016 8:09 pm

Encryption definitely adds to the CPU load of the router. Also, the extra overhead takes away from the total payload size. Have you tried testing using IPSec and a packet size that won't cause fragmentation? (try 1200-byte packets in your test to see if there's any difference in performance)

Fragmentation / reassembly take more CPU cycles to perform, so if your traffic fits into the pipe without needing this, then you can push more throughput.
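
To put numbers on the MSS and fragmentation advice in this thread, the added example below (not from the thread) computes the on-the-wire size of a packet bridged over EoIP, with and without ESP, and the largest TCP MSS that avoids fragmentation on a 1500-byte path. The ESP parameters (transport mode, AES-CBC with HMAC-SHA1-96) are an assumption, since the thread does not say which IPsec proposal was used.

```python
# Header sizes are protocol constants; the ESP cipher parameters are assumed.
IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
GRE_HDR = 8    # GRE header as used by EoIP
ETH_HDR = 14   # bridged Ethernet header carried inside the tunnel


def esp_len(payload, block=16, iv=16, icv=12):
    """Size of the ESP encapsulation of `payload` bytes, padding included."""
    trailer = payload + 2                    # pad-length + next-header bytes
    padded = -(-trailer // block) * block    # round up to the cipher block
    return 8 + iv + padded + icv             # SPI/sequence + IV + data + ICV


def outer_len(inner_ip, ipsec=False):
    """On-the-wire IPv4 size of one inner IP packet bridged over EoIP."""
    tunnel_payload = GRE_HDR + ETH_HDR + inner_ip
    if ipsec:
        return IP_HDR + esp_len(tunnel_payload)
    return IP_HDR + tunnel_payload


def max_mss(path_mtu=1500, ipsec=False):
    """Largest TCP MSS whose segments cross the tunnel unfragmented."""
    inner = path_mtu
    while inner > IP_HDR + TCP_HDR and outer_len(inner, ipsec) > path_mtu:
        inner -= 1
    return inner - IP_HDR - TCP_HDR


def fragments(inner_ip, path_mtu=1500, ipsec=False):
    """Number of outer IPv4 fragments one inner packet turns into."""
    payload = outer_len(inner_ip, ipsec) - IP_HDR
    room = path_mtu - IP_HDR                 # payload room in the last fragment
    if payload <= room:
        return 1
    per_frag = room // 8 * 8                 # non-final fragments: 8-byte units
    return 1 + -(-(payload - room) // per_frag)


if __name__ == "__main__":
    for ipsec in (False, True):
        label = "EoIP+ESP" if ipsec else "EoIP"
        print(f"{label}: full-size host packet -> {fragments(1500, ipsec=ipsec)} "
              f"fragments, clamp MSS to {max_mss(ipsec=ipsec)}")
```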
 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 9:20 pm

I tried 1200b and am getting a little bit less speed.

[volga629@ws01 ~]$ sudo iperf -s -p 2000 -l 1200
------------------------------------------------------------
Server listening on TCP port 2000
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
[  4] local 10.18.130.49 port 2000 connected with local_ip_ws02  port 32906
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.2 sec   147 MBytes   122 Mbits/sec

 
volga629

Re: BGP VPLS

Wed Jan 13, 2016 9:21 pm

This virtual router runs on KVM hpv
