Community discussions

MikroTik App
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

IP Services - Management - VRF - Excellent News!

Tue Dec 14, 2021 3:43 pm

Hey guys...
RouterOS_v7_IP-Services-VRF.png
https://help.mikrotik.com/docs/display/ ... ific%20VRF

This is awesome!

You really should celebrate this! Announce on publicity materials.

I didn't test it yet... (I will do it soon).
VRF parameter It is missing on Winbox, but this is a minor issue...

Congrats!
You do not have the required permissions to view the files attached to this post.
 
mark73
just joined
Posts: 8
Joined: Thu Dec 10, 2009 1:13 am

Re: IP Services - Management - VRF - Excellent News!

Wed Dec 15, 2021 12:10 pm

In general VRF-aware services are pretty cool yes, but we are missing the possibility to have a service working in multiple VRFs (eg vrf=main,mgmt) or just being able to use "all" or "any".
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: IP Services - Management - VRF - Excellent News!

Wed Dec 15, 2021 1:32 pm

In general VRF-aware services are pretty cool yes, but we are missing the possibility to have a service working in multiple VRFs (eg vrf=main,mgmt) or just being able to use "all" or "any".
What will solve your issue is some type of route-leaking between VRFs.
https://help.mikrotik.com/docs/display/ ... d%20of,N/A
The service will be attached to a specific VRF, but the routing between VRF will allow communication between those VRFs and then reach that service.
This is the best solution if you need non-blocking performance between VRF.

Another solution to that is a Virtual Tunnel interconecting VRFs (a virtual coffin hook).
Considering we are talking about Management this is the best solution!
With this, we can dedicate an ACL (Firewall Rules) to this interface and protect the box.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IP Services - Management - VRF - Excellent News!

Wed Dec 15, 2021 1:39 pm

Yes, it is possible to use workarounds mentioned by fischerdouglas, but adding support form multiple VRFs is in a TODO list.
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: IP Services - Management - VRF - Excellent News!

Wed Dec 15, 2021 8:11 pm

Yes, it is possible to use workarounds mentioned by fischerdouglas, but adding support form multiple VRFs is in a TODO list.
Actually, considering other vendors implementations, and best pratices considering the separation between Control-Plane and Data-Plane, Management Services should listen only to one VRF.
 
donatoroman
newbie
Posts: 30
Joined: Tue Dec 07, 2021 9:03 pm

Re: IP Services - Management - VRF - Excellent News!

Fri Dec 17, 2021 8:01 pm

Does this mean we can define exactly which interface we want to use for management/monitoring? I'm used to cisco/arista devices where essentially all of that can be done from the mgmt0 interface which can be set on its own vrf, and you can define the source-interface to be used for services like ssh/tftp to upload/download images.
 
User avatar
fischerdouglas
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil
Contact:

Re: IP Services - Management - VRF - Excellent News!

Fri Dec 17, 2021 8:47 pm

Does this mean we can define exactly which interface we want to use for management/monitoring? I'm used to cisco/arista devices where essentially all of that can be done from the mgmt0 interface which can be set on its own vrf, and you can define the source-interface to be used for services like ssh/tftp to upload/download images.
I believe that this "vrf" thing of IP services has to do only with the listeners/sockets of services.
I don't think this is related to the source ip/interface of communications outgoing from router-os.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IP Services - Management - VRF - Excellent News!

Fri Dec 17, 2021 9:53 pm

Those services are servers, so yes settings are for listeners.
For client side tools, that also could be executed on RouterOS has their own parameter, like
/system/telnet 1.1.1.1 vrf=my_mgmt
 
mainTAP
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Tue Oct 02, 2012 4:01 am

Re: IP Services - Management - VRF - Excellent News!

Sun Jan 02, 2022 6:57 pm

The multi VRF support would be great.

Has anyone successfully accessed the management from a different VRF using the route leaking workaround ?
 
mark73
just joined
Posts: 8
Joined: Thu Dec 10, 2009 1:13 am

Re: IP Services - Management - VRF - Excellent News!

Fri Jan 21, 2022 5:34 pm

Yes, it is possible to use workarounds mentioned by fischerdouglas, but adding support form multiple VRFs is in a TODO list.
Actually, considering other vendors implementations, and best pratices considering the separation between Control-Plane and Data-Plane, Management Services should listen only to one VRF.
I see a lot of scenarios where it is cool to have multi-vrf.
Sometimes it is just nice to have the possibility to manage a device "in-band" and "out-of-band" for example.
Or think of the deployment of a redundant connected CPE (combining DSL and LTE in two VRFs). Very nice too, being able to manage the device on both links if one fails. ;-)
 
mark73
just joined
Posts: 8
Joined: Thu Dec 10, 2009 1:13 am

Re: IP Services - Management - VRF - Excellent News!

Tue Jul 19, 2022 12:15 pm

Yes, it is possible to use workarounds mentioned by fischerdouglas, but adding support form multiple VRFs is in a TODO list.
Any ETA here? Doing staging using "remote hands" it is often very anoying if one has to switch VRFs all the time. And as you often have a "chicken and egg problem" you need to use two services (e.g. ssh and winbox).
It would be very cool if "all" would be the default setting and the you could just change to the VRF (usually MGMT) where you need the service when going into production.
 
marcodmb
just joined
Posts: 7
Joined: Sat Feb 12, 2022 1:57 pm

Re: IP Services - Management - VRF - Excellent News!

Fri Sep 30, 2022 8:39 pm

Me too... multi VRF support requested, come on ;)
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 57
Joined: Wed Jan 09, 2013 8:26 am

Re: IP Services - Management - VRF - Excellent News!

Tue Oct 11, 2022 6:28 pm

In general VRF-aware services are pretty cool yes, but we are missing the possibility to have a service working in multiple VRFs (eg vrf=main,mgmt) or just being able to use "all" or "any".
What will solve your issue is some type of route-leaking between VRFs.
https://help.mikrotik.com/docs/display/ ... d%20of,N/A
The service will be attached to a specific VRF, but the routing between VRF will allow communication between those VRFs and then reach that service.
This is the best solution if you need non-blocking performance between VRF.

Another solution to that is a Virtual Tunnel interconecting VRFs (a virtual coffin hook).
Considering we are talking about Management this is the best solution!
With this, we can dedicate an ACL (Firewall Rules) to this interface and protect the box.
in version 6 it worked after updating to version 7, I could not do it
i tried leaking and marking

Who is online

Users browsing this forum: DigitalOcean [Bot], oliverlexis and 20 guests