Biker111
newbie
Topic Author
Posts: 32
Joined: Thu Aug 11, 2016 1:21 am
Location: Denmark

VRF Lite

Mon Jan 13, 2020 5:20 am

Hi guys

I'm working on a hub and spoke IPsec solution. The usual stuff: IPsec, tunnels, certificates, QoS, OSPF running over tunnels.
Everything is running fine. I did have some problems at one point, I contacted Mikrotik support, and they found a configuration error in my setup.
Simply me missing an important detail. Brilliant and helpful people at Mikrotik.

Now, in some cases I would like to add a VRF Lite configuration. Some advanced designs would be possible implementing VRF Lite.
But I simply can't find any solid examples about this topic. Mikrotik documentation is directed towards classic VRF/BGP/MPLS implementations.

I have done tons of classic BGP/MPLS/VRF and VRF Lite on Cisco and Juniper equipment. Done it for many years, but with Mikrotik something goes wrong?
Iperf test and throughput going up and down, one second 200Mb, next second 2Mb.
No problems with CPU, RAM or routing. It's something else.

Has anyone an example of a proven and tested VRF Lite implementation? Just local on a router, interfaces/vlans/bridge.

Cheers
Biker
 
IPANetEngineer
Trainer
Posts: 1102
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: VRF Lite

Tue Jan 21, 2020 3:42 am

VRF Lite in MikroTik would be using the routing marks as a standalone without MPLS/VPNv4. This is supported.

Are you trying to use routing protocols in a VRF as well?
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
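
Added example, not part of either poster's configuration: VRF Lite built only from a routing mark, with an OSPF instance bound to that table, as the reply above describes and asks about. It assumes RouterOS v6 command syntax; the routing mark `vrf-ipsec`, the interface names, the addresses and the router IDs are all constructed for illustration.

```routeros
# --- Spoke router (constructed names and addresses) ---

# 1. VRF Lite: attach interfaces to a routing mark. No route-distinguisher
#    or route-targets are set because nothing is exported to MPLS/VPNv4.
#    The WAN interface is left out, so the main table keeps its own default.
/ip route vrf
add routing-mark=vrf-ipsec interfaces=gre-hub,vlan20

# 2. Addresses are configured as usual; the connected routes of interfaces
#    listed in the VRF appear under routing-mark=vrf-ipsec.
/ip address
add address=172.16.0.2/30 interface=gre-hub
add address=10.20.0.1/24 interface=vlan20

# 3. A separate OSPF instance that reads and writes the VRF table only.
/routing ospf instance
add name=ospf-vrf-ipsec router-id=172.16.0.2 routing-table=vrf-ipsec
/routing ospf area
add name=area0-vrf instance=ospf-vrf-ipsec area-id=0.0.0.0
/routing ospf network
add network=172.16.0.0/30 area=area0-vrf
add network=10.20.0.0/24 area=area0-vrf

# --- Hub router: the same VRF and instance, plus default origination ---
/routing ospf instance
add name=ospf-vrf-ipsec router-id=172.16.0.1 routing-table=vrf-ipsec \
    distribute-default=always-as-type-1

# --- Checks on the spoke ---
# The OSPF-learned default must show up in the VRF table and not in main.
/ip route print detail where routing-mark=vrf-ipsec
/ip route print detail where dst-address=0.0.0.0/0
/routing ospf neighbor print
```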
 
Biker111

Re: VRF Lite

Sat Jan 25, 2020 8:16 am

IPANetEngineer wrote:
> VRF Lite in MikroTik would be using the routing marks as a standalone without MPLS/VPNv4. This is supported.
>
> Are you trying to use routing protocols in a VRF as well?

Thanks a lot for your answer :D

Yes, there are several layers:
1. IPsec connections in a hub-and-spoke setup, using certificates. Runs perfectly.

2. Next layer is tunnels. This is for having "interfaces" to apply routing and QoS on.

3. Running OSPF inside the tunnels. Gives connectivity between chosen subnets on spoke sites. No problems. But only with the standard default route out the WAN.
Restrictions begin to set in. The router can't have a default route into the tunnels. Things go down. I guess it's equal to Cisco "recursive routing lookup failure".
Fair enough and expected.

But I want "more". Some spoke subnets should have a default route into the IPsec tunnels, other subnets out the WAN, or not knowing about the IPsec network at all.

This is where I use VRF Lite, and use OSPF inside. Place relevant interfaces into the VRF, run OSPF on those interfaces.
I do get "perfect" routing tables, even the default route inside OSPF/VRF, the HUB OSPF process advertising the default route.

This would work in a Cisco/Juniper design, but something else happens on a Mikrotik? :D

Performance and throughput is very unstable, it can hit 180Mb (RB750Gr3 + aes256), but then drop to zero?

I have been thinking about the marking feature in Mikrotik, on a Cisco box we have tagging, I guess it's the same idea?

I guess I don't understand Mikrotik yet. If the interfaces are inside the VRF, then things should be simple? Why use marking?
I would be happy if you could explain to me where I am misunderstanding :D

Best regards
Biker
 
IPANetEngineer

Re: VRF Lite

Sat Jan 25, 2020 8:25 pm

OSPF is not an ideal routing protocol for hub/spoke tunnels; issues with one spoke can affect all the others, so it's not scalable. You'll find similar guidance in Cisco as well. BGP is really the way to go as it has much better filtering options and you can assign a different AS for each spoke site to simplify routing and avoid the use of an IGP for iBGP.

We designed a large scale VPN aggregation solution in the US using SSTP and BGP that is currently in production for over 2000 remote sites. It was also a presentation from one of our engineers at the MUM in Bulgaria in 2019.

https://mum.mikrotik.com/presentations/ ... 918854.pdf

As far as terminology, in MikroTik, routing mark = VRF even for VPNv4 and MPLS.
 
Biker111

Re: VRF Lite

Sat Jan 25, 2020 10:31 pm

Hi

Thanks for your info. I've been thinking the same thing about scalability: either stub areas + default route or BGP. That's the way to go.

Regarding my throughput problem, could it be missing markings (?). I found this one:
https://mum.mikrotik.com/presentations/ ... 118918.pdf

I translated it into my language, he seems to have some ideas. I'm probably still too brainwashed towards the Cisco/Juniper style after +20 years with them :D

I'd better experiment with some markings, and see if I can make things stable. Without VRFs everything is running smoothly.
I do get incredible throughput for such inexpensive routers, and rather advanced setups with DHCP on WAN, automatic tunnel setup with IPsec against HUB and management.

Best regards
Biker
