networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Has anyone ever set up a Ethernet Virtual Private Line

Sat Jan 15, 2022 7:22 pm

hello,

Has anyone ever set up an Ethernet Virtual Private Line with 2 routers? We have two CCR2004s with a 1gb EVPL that need to be set up. Can this be done? And if so, how would you set it up with the VLAN?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sat Jan 15, 2022 7:38 pm

By the name of it, it should behave the same as if you connected your two CCRs together using a patchcord.
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sat Jan 15, 2022 7:45 pm

Well I believe
L3 connections can be established via WireGuard (or the upscale Tailscale)
L2 connections can be established using ZeroTier (but relying on a third party)

Finally I am not sure but EoIP over WireGuard may give you L2 over the tunnel (self contained)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sat Jan 15, 2022 8:01 pm

> I believe
> ...
> L2 connections can be established using zerotier (but relying on a third party)

EVPL is not connected to internet, so Zerotier makes no sense here.

> Finally I am not sure but EOIP over wireguard may give you L2 over the tunnel (self contained)

The question is whether the OP trusts the service provider regarding eavesdropping on the service, and whether the regulation applicable for their business allows them to do so.

If the trust is missing, then a ciphered tunnel has to be established. And since Mikrotik currently only supports ciphering of L3 traffic, some kind of L2 over L3 tunnel is required for L2 transparency, which leaves us with a choice between EoIP and BCP, each having its pros and cons.

@networkrevolt, if you do need encryption, what is the MTU provided by the EVPL service provider, and what is the required MTU? This determines the choice of L2 tunnel type. With EoIP, it is easier to configure VLANs, with BCP, it is easier to deal with MTU limitations.
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sat Jan 15, 2022 8:11 pm

Yes, for example VPLS. If you need encryption then EoIP may be the better choice.

If you are suggesting Carrier Ethernet features, then no, there is no support for CE in RouterOS.
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sun Jan 16, 2022 9:19 pm

So this is what they have told me: it's a 1gb full duplex with layer 2 (MTU) heeds to 1600-9100, un-tagged standard frame and CoS.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sun Jan 16, 2022 9:33 pm

That answers the doubt that dawned on me later, whether you are actually going to use that EVPL or provide it to someone else.

But you haven't answered the other questions - do you need to encrypt the traffic between your CCRs?
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: Has anyone ever set up a Ethernet Virtual Private Line

Sun Jan 16, 2022 10:33 pm

What kind of traffic needs to go over it and what are you transporting it over - fiber, copper or wireless?

Will you need multicast, strict packet ordering, RFC2544 qualification, etc?

When building this for client networks, I usually ask these questions to help determine which way to build an L2 overlay.
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 3:33 am

I would like to use encryption. This is for a small school. They have a main building and just got a 2nd building down the road. They have a Comcast 1 gb fiber EPL to each. They want to send all traffic over this and internet.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 10:17 am

All encryption protocols currently available at Mikrotik handle only L3 (IP) traffic. For performance reasons, you have to choose between IPsec and Wireguard. Wireguard is simpler to set up, IPsec is more flexible (which doesn't matter in your application) and may or may not allow more bandwidth thanks to hardware encryption - Wireguard throughput figures are not published on the product page. As CCR2004 can (according to the product page) only run ROS 7.x, you have no choice and thus Wireguard is available. However, check whether use of Wireguard is compliant with the relevant legislation; it's a relatively new protocol.

For L2 tunneling over IP, you have to choose between EoIP and L2TP+BCP. Of the two, EoIP is easier to set up and has no problems with vlan-filtering on a bridge; L2TP+BCP is better to overcome MTU related issues, but you'd have to use bridge stacking to permit vlan-filtering to work. Since the EVPL declares to support jumbo frames, MTU should not be a concern even with EoIP.

Of other types of L2 tunnels, VPLS does not use IP as transport so cannot be encrypted, PPTP+BCP has no advantage as compared to L2TP+BCP, and SSTP+BCP can be used without IPsec or Wireguard as it provides also IP encryption but it has poor performance.

> They want to send all traffic over this and internet.

Should I read this that they will have separate internet connectivity in each building? If yes, will it use the same physical infrastructure like the EVPL?
 
Jotne
Forum Guru
Posts: 3292
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 12:29 pm

 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 12:54 pm

> Can VXLAN be used:

Yes, sure it can, I forgot about it, as I'm still a bit ROSv6-centric :)

The advantages as compared to EoIP should be that it is not a Mikrotik-proprietary tunnel, the multipoint capability, and to some extent also the fact that it uses UDP rather than GRE as transport. None of these plays a role in this particular scenario - once a third site will be added, this will change.
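
The encrypted L2 options discussed in the posts above (EoIP or VXLAN carried inside WireGuard) stack several headers, so the MTU left for bridged hosts depends on the underlay MTU. The following is an added example, not part of any post in this thread: it computes that header budget for fragmentation-free operation. The function names and the sample underlay MTU values are assumptions chosen for illustration.

```python
# Added example (not from the thread): header budget for an L2 tunnel inside WireGuard.
# Header sizes in bytes are protocol constants; function names are illustrative.
IP_HDR = {4: 20, 6: 40}     # outer IP header by version
UDP_HDR = 8
WG_DATA = 32                # WireGuard data message: 16-byte header + 16-byte auth tag
ETH_HDR = 14                # inner Ethernet header carried by the L2 tunnel
VLAN_TAG = 4                # one 802.1Q tag on the inner frame
L2_TUNNEL_HDR = {
    "eoip": 8,              # GRE header used by EoIP
    "vxlan": UDP_HDR + 8,   # UDP header + VXLAN header
}


def wireguard_mtu(underlay_ip_mtu, outer_ip=4):
    """Largest packet WireGuard can carry without fragmenting on the underlay."""
    return underlay_ip_mtu - IP_HDR[outer_ip] - UDP_HDR - WG_DATA


def l2_tunnel_overhead(tunnel, vlan_tags=1):
    """Bytes added between the WireGuard payload and the bridged host's IP packet.

    Assumes the L2 tunnel endpoints use IPv4 addresses inside WireGuard.
    """
    return IP_HDR[4] + L2_TUNNEL_HDR[tunnel] + ETH_HDR + vlan_tags * VLAN_TAG


def inner_ip_mtu(underlay_ip_mtu, tunnel="eoip", vlan_tags=1, outer_ip=4):
    """Largest IP packet a bridged host can send through the stack unfragmented."""
    return wireguard_mtu(underlay_ip_mtu, outer_ip) - l2_tunnel_overhead(tunnel, vlan_tags)


def required_underlay_mtu(host_mtu=1500, tunnel="eoip", vlan_tags=1, outer_ip=4):
    """Smallest underlay IP MTU that carries host_mtu packets with no fragmentation."""
    wg_overhead = IP_HDR[outer_ip] + UDP_HDR + WG_DATA
    return host_mtu + l2_tunnel_overhead(tunnel, vlan_tags) + wg_overhead


def budget_table(underlay_mtus=(1500, 9000)):
    """Inner IP MTU per (underlay MTU, tunnel), one VLAN tag; sample MTUs are constructed."""
    return {(m, t): inner_ip_mtu(m, t) for m in underlay_mtus for t in L2_TUNNEL_HDR}


if __name__ == "__main__":
    for (mtu, tunnel), inner in sorted(budget_table().items()):
        print(f"underlay {mtu:>5}  {tunnel:<5}  inner IP MTU {inner}")
    print("underlay MTU needed for 1500-byte hosts over EoIP:", required_underlay_mtu())
```

On a standard 1500-byte underlay the bridged hosts lose more than 100 bytes of MTU to the combined headers, while a jumbo-capable underlay leaves room for full 1500-byte host packets with VLAN tags.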
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 7:00 pm

I think we need to know whether they want to connect the two sites together at Layer 2, the same subnet addressing at both sites etc. Or whether they just happen to have a Layer 2 connection between the sites, but don't necessarily want to bridge everything at L2. In the latter case it's not much different to having an Ethernet cable between the sites, and does stop them running L3 over the top of it.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 7:17 pm

> I think we need to know whether they want to connect the two sites together at Layer 2, the same subnet addressing at both sites etc.

From the OP:

> if so how would you set it up with the vlan

So I'd say transport of VLANs across the link is planned (remember they are extending an existing network and probably want to keep its general structure unchanged). But yes, a lot of guessing here, @networkrevolt seems to be typing on a mobile phone :)
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 9:42 pm

Yes, sorry, I was on my phone. What they are planning on doing is taking the new building and making it part of the old network. All servers will be at the old school. Comcast sold them this line to the new school over fiber. There will be no internet at the new school; everything has to come back over this EVP to our TIK router, where we have a 2gb fiber for internet. At the new building I was going to put in a router or switch, because the way they are saying it, it's a direct line to us over Comcast core switches.
This is what Comcast sent us..... resource is present at time of service turn up to program the customer provided Layer 3 equipment.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Has anyone ever set up a Ethernet Virtual Private Line

Mon Jan 17, 2022 9:49 pm

OK. Is the information provided so far about the L3 encryption options and L2-over-L3 tunneling options sufficient?
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Has anyone ever set up a Ethernet Virtual Private Line

Tue Jan 18, 2022 5:35 pm

So, you are provided with an EPL service via an operator from one site to another?

Well, just consider it a regular L2-link, like Ethernet cable from one place to another. No need for tunneling or strange setups.
