Biker111
newbie
Topic Author
Posts: 37
Joined: Thu Aug 11, 2016 1:21 am
Location: Denmark

VRF Lite

Mon Jan 13, 2020 5:20 am

Hi guys

I'm working on a hub and spoke ipsec solution. The usual stuff,- Ipsec, tunnels, certificates, QoS, ospf running over tunnels.
Everything is running fine,- I did have some problems at a point, I contacted Mikrotik support,- and they found a configuration error in my setup.
Simply me missing an important detail. Brilliant and helpful people at Mikrotik.

Now,- in some cases I would like to add a vrf lite configuration. Some advanced designs would be possible implementing vrf lite.
But I simply can't find any solid examples about this topic. Mikrotik documentation is directed towards classic vrf/BGP/MPLS implementations.

I have done tons of classic BGP/MPLS/vrf and vrf lite on Cisco and Juniper equipment. Done it for many years, but with Mikrotik something goes wrong?
Iperf test and throughput going up and down, One second 200Mb, next second 2Mb.
No problems with CPU, ram or routing. It's something else.

Has anyone an example of a proven and tested vrf lite implementation? Just local on a router, interfaces/vlans/bridge.

Cheers
Biker
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: VRF Lite

Tue Jan 21, 2020 3:42 am

VRF Lite in MikroTik would be using the routing marks as a standalone without MPLS/VPNv4. This is supported.

Are you trying to use routing protocols in a VRF as well?
 
Biker111

Re: VRF Lite

Sat Jan 25, 2020 8:16 am

> VRF Lite in MikroTik would be using the routing marks as a standalone without MPLS/VPNv4. This is supported.
>
> Are you trying to use routing protocols in a VRF as well?

Thanks a lot for your answer :D

Yes,- there are several layers:
1. Ipsec connections in a Hub-and-Spoke setup, using certificates. Runs perfectly.

2. Next layer is tunnels. This is for having "interfaces" to apply routing and QoS on.

3. Running OSPF inside the tunnels. Gives connectivity between chosen subnets on spoke sites. No problems. But only with the standard default route out the WAN.
Restrictions begin to set in. The router can't have a default route into the tunnels. Things go down. I guess it's equal to Cisco "recursive routing lookup failure".
Fair enough and expected.

But I want "more". Some spoke subnets should have a default route into the ipsec tunnels, other subnets out the WAN,- or not knowing about the ipsec network at all.

This is where I use VRF Lite,- and use OSPF inside. Place relevant interfaces into the VRF, run OSPF on those interfaces.
I do get "perfect" routing tables,- even the default route inside OSPF/VRF,- the HUB OSPF process advertising the default route.

This would work in a Cisco/Juniper design,- but something else happens on a Mikrotik? :D

Performance and throughput is very unstable,- it can hit 180Mb(RB750Gr3 + aes256),- but then drop to zero?

I have been thinking about the marking feature in Mikrotik, on a Cisco box we have tagging, I guess it's the same idea?

I guess I don't understand Mikrotik yet, If the interfaces are inside the VRF,- then things should be simple? Why use marking?
I would be happy if you could explain to me where I am misunderstanding :D

Best regards
Biker
 
StubArea51

Re: VRF Lite

Sat Jan 25, 2020 8:25 pm

OSPF is not an ideal routing protocol for hub/spoke tunnels, issues with one spoke can affect all the others - it's not scalable. You'll find similar guidance in Cisco as well. BGP is really the way to go as it has much better filtering options and you can assign a different AS for each spoke site to simplify routing and avoid the use of an IGP for iBGP.

We designed a large scale VPN aggregation solution in the US using SSTP and BGP that is currently in production for over 2000 remote sites. It was also a presentation from one of our engineers at the MUM in Bulgaria in 2019

https://mum.mikrotik.com/presentations/ ... 918854.pdf

As far as terminology, in MikroTik, routing mark = VRF even for VPNv4 and MPLS
 
Biker111

Re: VRF Lite

Sat Jan 25, 2020 10:31 pm

Hi

Thanks for your info,- I've been thinking the same thing about scalability,- either stub areas + default route or BGP. That's the way to go.

Regarding my throughput problem - could it be missing markings (?),- I found this one:
https://mum.mikrotik.com/presentations/ ... 118918.pdf

I translated it into my language,- he seems to have some ideas. I'm probably still too much brainwashed towards the Cisco/Juniper style after +20 years with them :D

I'd better experiment with some markings, and see if I can make things stable. Without VRFs everything is running smoothly.
I do get incredible throughputs for such inexpensive routers, and rather advanced setups with DHCP on WAN, automatic tunnel setup with ipsec against HUB and management.

Best regards
Biker
 
Biker111

Re: VRF Lite  [SOLVED]

Mon Feb 03, 2020 5:44 am

Hi again

As I wrote, it's a hub and spoke topology. Ipsec, OSPF, tunnels, - everything runs fine.

Connected clients on the spokes get an iperf3 throughput ~180Mb. That's fine.
If I implement "VRF Lite" on a spoke router,- throughput becomes very unstable, 180Mb - then 1Kb - then 0 - then 10Mb etc.
No problem in logs, no high CPU?

As IPANetEngineer tells, marking should be used,- I simply do not understand this feature,- I'm coming from Cisco/Juniper :shock:

"Funny" detail,- I just tried to do packet captures on the encrypted tunnel (on the VRF lite router),- now I get a steady throughput ~120Mb?
And some rather high CPU, but it runs?

Seems like Mikrotik packet capture does some kind of binding/ARP-memory and makes the VRF lite work?
Quite interesting, no idea?

Cheers
Biker
 
elico
Member Candidate
Posts: 143
Joined: Mon Nov 07, 2016 3:23 am

Re: VRF Lite

Wed Nov 04, 2020 11:22 pm

> Hi again
>
> As I wrote, it's a hub and spoke topology. Ipsec, OSPF, tunnels, - everything runs fine.
>
> Connected clients on the spokes get an iperf3 throughput ~180Mb. That's fine.
> If I implement "VRF Lite" on a spoke router,- throughput becomes very unstable, 180Mb - then 1Kb - then 0 - then 10Mb etc.
> No problem in logs, no high CPU?
>
> As IPANetEngineer tells, marking should be used,- I simply do not understand this feature,- I'm coming from Cisco/Juniper :shock:
>
> "Funny" detail,- I just tried to do packet captures on the encrypted tunnel (on the VRF lite router),- now I get a steady throughput ~120Mb?
> And some rather high CPU, but it runs?
>
> Seems like Mikrotik packet capture does some kind of binding/ARP-memory and makes the VRF lite work?
> Quite interesting, no idea?
>
> Cheers
> Biker

Just asking out loud, have you tried to disable Route Cache and FastPath?
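
The pieces mentioned in this thread (a VRF built from a routing mark, an OSPF instance bound to it, and the Route Cache and FastPath switches), as an added RouterOS sketch that is not from any poster or from MikroTik. RouterOS v6 syntax is assumed from the thread's 2020 dates (v7 moved VRFs to /ip vrf), and the interface names, routing-mark name, router ID and subnets are constructed placeholders.

```routeros
# Added example, RouterOS v6 syntax assumed; all names and addresses are constructed.

# 1. VRF Lite: a routing mark plus the interfaces that belong to it.
#    No MPLS or VPNv4 is involved, so only the mark and the interfaces are set.
/ip route vrf
add routing-mark=vrf-ipsec interfaces=tunnel-to-hub,vlan20

# 2. A separate OSPF instance that works in that routing table.
/routing ospf instance
add name=ospf-vrf router-id=10.255.0.2 routing-table=vrf-ipsec
/routing ospf area
add name=backbone-vrf area-id=0.0.0.0 instance=ospf-vrf
/routing ospf network
add network=10.20.0.0/24 area=backbone-vrf
add network=172.16.0.0/30 area=backbone-vrf

# 3. Check which routes ended up in the VRF table
#    (for example a default route learned from the hub).
/ip route print where routing-mark=vrf-ipsec

# 4. The test suggested in the last post: turn off Route Cache and FastPath.
/ip settings
set route-cache=no allow-fast-path=no
```

Re-running the same iperf3 test after step 4 shows whether the throughput swings remain; the thread does not confirm that this resolves them.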
