Subido por service.enics

pdfcoffee.com mtcine-ip-6-nstructor-pdf-free

Anuncio
MTCINE Bootcamp + IPv6 Workshop
MTCINE + IPV6
MIKROTIK CERTIFIED INTER-NETWORKING ENGINEER
BOOTCAMP + IPV6 WORKSHOP
CAGAYAN DE ORO, PHILIPPINES
Lay Minh (Makito)
Phyo Phyo Hein
CCIE # 47682
CCIE R&S written
MikroTik Certified Trainer
MikroTik Certified Trainer
MikroTik Consultant
MikroTik Consultant
November 03 – 08, 2017
INSTRUCTOR

Lay Minh (Makito)



MikroTik Certified Trainer & Consultant
Chief Technology Officer @ i-BEAM
Experiences:
12 years in ISP industry since 2005
Billing solutions for service providers
 ISP core network design and operations

CCIE # 47682


Certifications:

Areas of interest: BGP, MPLS, IPv6
1
MTCINE Bootcamp + IPv6 Workshop
INSTRUCTOR

Phyo Phyo Hein




B. C. Tech (hons)
MikroTik Certified Trainer & Consultant
Director of Information Beam Co., Ltd.
Experiences:






Cisco instructor since 2005 at i-BEAM Co., Ltd
SingTel Mobile Support Network Engineer at NCS Co., Ltd
Nera Telecommunications (Singapore)
System Integration Manager at Yatanarpon Teleport
Enterprise/ISP Manager at Kinetic Myanmar Technology
Certifications:


Cisco CCNA R&S, CCNP R&S, CCIP, CCIE R&S Written
Juniper JNCIA-Junos, JNCDA
INTRODUCE YOURSELF

Please introduce yourself to the class.





Your name
Your company
Your previous knowledge about RouterOS
Your previous knowledge about networking
What do you expect from this course?
2
MTCINE Bootcamp + IPv6 Workshop
COURSE OBJECTIVES
Understand how BGP and the internet work.
 Understand building blocks of next generation service
provider network.
 Learn about service provider network design and
implementation.
 Learn about MPLS and its enabled services.
 Discussion on RouterOS IPv6 implementation.
 For sure, be certified as MTCINE! 

MIKROTIK CERTIFICATIONS

Certification levels
3
MTCINE Bootcamp + IPv6 Workshop
MIKROTIK CERTIFICATIONS (CONT.)

MTCNA



MTCRE





Fundamental and overall knowledge about RouterOS
First level of MikroTik certification
Load Balancing & Load Sharing
Site-to-site VPN, VLAN
Dynamic routing protocol OSPF
Requires MTCNA
MTCINE



ISP routing protocol BGP
MPLS enabled applications L3VPN, L2VPN, Traffic Engineering
Requires MTCRE
MIKROTIK CERTIFICATIONS (CONT.)

MTCWE





Wireless concepts
Wi-Fi technologies IEEE 802.11a/b/g/n
Proprietary protocols NStreme, NV2, NStreme Dual
Requires MTCNA
MTCTCE





RouterOS packet flow
Advanced Firewall
Bandwidth management, Quality of Service (QoS)
DNS, DHCP, Web Proxy…etc.
Requires MTCNA
4
MTCINE Bootcamp + IPv6 Workshop
MIKROTIK CERTIFICATIONS (CONT.)

MTCUME






Hotspot
PPP BCP
IPSec VPN
MikroTik User Manager
Requires MTCNA
MTCIPv6E




Introduction to IPv6
Transition mechanism
IPv6 interoperability
Requires MTCNA
MTCINE EXAM
Prerequisite: MTCRE
 Official certification exam will be conducted on the last
day of our training.
 Rules of exam are the same as MTCNA and MTCRE.





25 single or multiple choice questions
You have one hour to complete it
Exam will end automatically once your time is running out
Passing score is 60%, score between 50%-59% will get
opportunity to take the exam again
Certificate will be expired after 3 years.
 Same certification exam has to be taken when
certificate is expired.

5
MTCINE Bootcamp + IPv6 Workshop
CLASS SCHEDULE

Class Time







6 days full time bootcamp
November 03 – 08, 2017
Morning 09:00 to 12:30
Afternoon 14:00 to 17:00
Lunch break 12:30 to 14:00
Section break time 10 – 15 minutes
Q&A after each break
CLASS SCHEDULE (CONT.)

Day 1



Border Gateway Protocol
(BGP)
Day 2


Service Provider BGP Design
Multiprotocol Label
Switching (MPLS)
Day 4



Border Gateway Protocol
(BGP) (Cont.)
Day 3


Day 5



MPLS Layer 3 VPN
MPLS Layer 2 VPN
Traffic Engineering (TE)
Certification Exam
Day 6

IPv6 workshop
6
MTCINE Bootcamp + IPv6 Workshop
CLASS FORMAT
This is an advanced official certification class.
 Class topics are following to MTCINE training outline:



http://www.mikrotik.com/pdf/MTCINE_Outline.pdf
Each topic includes lecture and hand-on labs.



Live demo by instructor
Participants might need teamwork to complete some labs
Differs from other classes, all labs in this class are based on
Command Line Interface (CLI)
Some industry standards and design suggestions will be
discussed along the class.
 The class will be running as workshop-style.
 Topics beyond our scope are open to discuss at Q&A time.

CLASS PREREQUISITE

Participants are assumed to know about followings already:




RouterOS Command Line Interface (CLI)
Bridging
Routing concepts
Categories of dynamic routing protocols
Distance Vector
 Link State



Open Shortest Path First (OSPF)
Above topics are covered by MTCNA and MTCRE
certification.
7
MTCINE Bootcamp + IPv6 Workshop
BORDER GATEWAY PROTOCOL
(BGP)
Autonomous System
iBGP & eBGP
BGP Best Path Selection
BGP Traffic Engineering
Route Filtering & Aggregation
AUTONOMOUS SYSTEM (AS)
Set of routers under a single administrative control.
 Routing exchange:



Routers within AS use common IGP
Routers between ASes use EGP

Identified by a unique 32-bit integer, known as
Autonomous System Number (ASN).

Typically one ISP is one AS.


Some ISPs might run multiple ASes for specific purpose
For instance, an AS for internet gateway, another AS for local
peering or connecting to downstream customers
8
MTCINE Bootcamp + IPv6 Workshop
AUTONOMOUS SYSTEM NUMBER (ASN)

Two ranges



Usage:








0-65535 (original 16-bit range)
65536-4294967295 (32-bit range – RFC4893)
0 and 65535 (reserved)
1-64495 (public Internet)
64496-64511 (documentation – RFC5398)
64512-65534 (private use only)
23456 (represent 32-bit range in 16-bit world)
65536-65551 (documentation – RFC5398)
65552-4294967295 (public Internet)
32-bit range representation specified in RFC5396.

Defines “asplain” (traditional format) as standard notation.
BORDER GATEWAY PROTOCOL (BGP)

A Routing Protocol used to exchange routing information
between different ASes.


Exterior Gateway Protocol
Described in RFC4271.


RFC4276 gives an implementation report on BGP
RFC4277 describes operational experiences using BGP
Network topology is not exchanged, only reachability
information.
 The only routing protocol that can handle Internet's size
networks.
 Classified as a path vector protocol (RFC1322).

9
MTCINE Bootcamp + IPv6 Workshop
PATH VECTOR IMPLEMENTATION
Treats whole AS as a single point in the path.
 Prefix is advertised with the list of ASes along the path
called AS Path.


Prefix means a network or a route in CIDR notation
Hides network topology within an AS.
 Does not guarantee loop-free routing within an AS.


IGP (OSPF, IS-IS) will take care of this
PATH VECTOR IMPLEMENTATION (CONT.)

Prefix 10.1.0.0/24 originated from AS100.
10.1.0.0/24
Add AS100 to the path
AS Path: 100
AS100
AS200
Reject, AS100
already in the path
Add AS200 to the path
AS Path: 200,100
Add AS300 to the path
AS Path: 300,200,100
AS300

AS300 receives 10.1.0.0/24 from AS200, AS Path: 200,100.
10
MTCINE Bootcamp + IPv6 Workshop
BGP CAPABILITIES
BGP speaker advertises supported capability codes.
 If received capability is not supported, remote peer
sends back notification.
 BGP speaker attempts to peer without unsupported
capability.
 Some of RouterOS advertised capabilities:




Route refresh
Multi-protocol extension
4-byte AS support
BGP TRANSPORT
Operates by exchanging
Network Layer Reachability Information (NLRI).
 NLRI includes a set of BGP attributes and one or more
prefixes with which those attributes are associated.
 Uses TCP port 179 as the transport protocol.
 Initial full routing table exchange between peers.
 Incremental updates after initial exchange.

11
MTCINE Bootcamp + IPv6 Workshop
PACKET FORMAT

Uses TLVs (Type-Length-Value):

Marker (128-bit)




Length (16-bit)
Type (8-bit)
Value


For authentication
Message body
High extensibility to support new features, i.e. MP-BGP.
BGP MESSAGE TYPES

Four message types:

Open
First message sent after TCP connection establishment, contains
capability list
 Confirmed by keepalive


Keepalive
Does not contain data, sent to keep hold timer from expiring
Default keepalive timer is 30 seconds, and hold timer is 180 seconds.
 Timers are negotiable, peers use the smaller timer



Update



Actual route updates
Contains NLRI and path attributes
Notification

Sent when error condition occurs, contains error code and sub-code
12
MTCINE Bootcamp + IPv6 Workshop
BGP SESSION & UPDATES
Open with ASN4 capability
AS100
Notification unsupported cap.
AS200
Passive
BGP peer
Open without capability
Keepalive
AS200
AS100
Route Refresh message
Update
ENABLE BGP

If Router ID is not specified, it is automatically set to
lowest IP address on the router.
/routing bgp instance
set default as=300 router-id=10.10.10.4
/routing bgp peer
add instance=default remote-address=10.10.10.1 remote-as=3000

Verify BGP connectivity. Any state other than established
indicates that routers can not become neighbors (use
“print status” for more details).
[admin@R1] /routing bgp peer> print
Flags: X - disabled, E - established
#
INSTANCE
REMOTE-ADDRESS
0 E default
10.10.10.1
REMOTE-AS
3000
13
MTCINE Bootcamp + IPv6 Workshop
NETWORKS
Indicates what networks BGP should originate from the
router (max 200).
 By default network is advertised only if corresponding
route is present in routing table.
 Synchronization can be turned off if:



Your AS does not provide transit service
All the transit routers run BGP
Disabling sync allows BGP to converge faster.
 Sync can be dangerous if routes are flapping a lot.
 Configurable from /routing bgp network.

IBGP

& EBGP
There are two types of BGP peer:


iBGP – peering between routers inside an AS.
eBGP – peering between routers from different ASes.
AS200
R2
eBGP
AS100
AS300
R3
R1
R4
R5
R6
iBGP
eBGP
AS400
14
MTCINE Bootcamp + IPv6 Workshop
EXTERNAL BGP PEERING (EBGP)
Almost always formed between directly connected
peers (AS edge/border routers).
 Multi-hop configuration is required if peers are not
directly connected.



Loopback peering
Load sharing across multiple links
Prepend own ASN to advertised prefix's AS Path.
 By default Nexthop is changed to self.




Outgoing interface IP for directly connected peer
Update Source IP for multi-hop peer
Should never run an IGP between eBGP peers.
LAB: EBGP PEERING
AS200
AS100
R1
172.16.1.1/24
eth1
172.16.1.2/24
eth1
R2
10.88.0.0/24
Configure your routers according to the topology.
 Do eBGP peering on connected interface.

[admin@R1]
[admin@R1]
[admin@R2]
[admin@R2]

/routing
/routing
/routing
/routing
bgp
bgp
bgp
bgp
instance>
peer> add
instance>
peer> add
set default as=100
remote-address=172.16.1.2 remote-as=200
set default as=200
remote-address=172.16.1.1 remote-as=100
Advertise prefix 10.88.0.0/24 on R2.
[admin@R2] /routing bgp network> add network=10.88.0.0/24
15
MTCINE Bootcamp + IPv6 Workshop
INTERNAL BGP PEERING (IBGP)
BGP peer within the same AS.
 Not required to be directly connected.


IGP takes care of inter-BGP speaker connectivity
Attributes learned from iBGP are not changed to impact the
path selection to reach outside network.
 AS Path is not manipulated.
 By default Nexthop is unchanged.
 iBGP speakers must be fully meshed:




They originate connected networks
They pass on prefixes learned from outside the ASN
They do not pass on prefixes learned from other iBGP speakers
LOOPBACK INTERFACE

Physical interface may be up/down depends on:


Layer 1 connectivity
Layer 2 line protocol
Once physical interface is down, BGP peering sessions
using that interface will be down.
 Loopback is a virtual interface, its state is always up.
 Eliminates dependency from physical interfaces and
physical topology for establishing TCP connection.
 To configure loopback in RouterOS, create a bridge
without any slave port, assign IP address to the bridge.

/interface bridge add name=lo0
/ip address add address=10.1.1.1/32 interface=lo0
16
MTCINE Bootcamp + IPv6 Workshop
LAB: IBGP PEERING
lo0: 10.1.1.2
lo0: 10.1.1.1
AS100
172.16.1.1/24
eth1
R1
172.16.1.2/24
eth1
R2
10.88.0.0/24
Configure your routers according to the topology.
 Point static route or enable IGP between R1 and R2:

[admin@R1]
[admin@R2]
# OR
[admin@R1]
[admin@R1]
[admin@R2]
[admin@R2]

/ip route> add dst-address=10.1.1.2 gateway=172.16.1.2
/ip route> add dst-address=10.1.1.1 gateway=172.16.1.1
/routing
/routing
/routing
/routing
ospf
ospf
ospf
ospf
network>
network>
network>
network>
add
add
add
add
network=172.16.1.0/24 area=backbone
network=10.1.1.1 area=backbone
network=172.16.1.0/24 area=backbone
network=10.1.1.2 area=backbone
BGP peer configuration:
[admin@R1] /routing bgp peer> add remote-address=10.1.1.2 \
remote-as=100 update-source=lo0
[admin@R2] /routing bgp peer> add remote-address=10.1.1.1 \
remote-as=100 update-source=lo0
LAB: EBGP MULTI-HOP WITH LOOPBACKS
lo0: 10.1.1.1
AS100
R1
lo0: 10.1.1.2
172.16.1.1/24
eth1
172.16.1.2/24
eth1
eth2
172.16.2.1/24
eth2
172.16.2.2/24
AS200
R2
10.88.0.0/24
Configure your routers according to the topology.
 Point static routes so that the neighbors can reach each other:

[admin@R1] /ip route> add dst-address=10.1.1.2 \
gateway=172.16.1.2,172.16.2.2
[admin@R2] /ip route> add dst-address=10.1.1.1 \
gateway=172.16.1.1,172.16.2.1

BGP peer configuration:
[admin@R1] /routing bgp peer> add remote-address=10.1.1.2 \
remote-as=200 multihop=yes update-source=lo0
[admin@R2] /routing bgp peer> add remote-address=10.1.1.1 \
remote-as=100 multihop=yes update-source=lo0
17
MTCINE Bootcamp + IPv6 Workshop
BGP BEST PATH
Best path is the route that BGP selected to use in RIB.
 Path attributes are used to determine best path.



Best path might not be the shortest path, but the most
suitable path from the business point of view
Administrator influent the selection process by routing policy
BGP uses single best path to reach the destination.
 BGP always propagates the best path to the neighbors.
 BGP Multipath is a feature that allows BGP to install
multiple best paths when they have the same metrics.



For load sharing over multiple gateways
RouterOS does not support BGP Multipath, peering with
loopbacks to tweak BGP load sharing
BEST PATH SELECTION
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Nexthop must be reachable.
Highest Weight (default 0).
Highest Local Pref. (default 100).
Shortest AS Path.
Locally originated path (aggregated route or BGP network).
Lowest origin type (IGP < EGP < Incomplete).
Lowest MED (default 0).
Prefer eBGP over iBGP.
Lowest Router ID.
Lowest Originator ID.
Shortest route reflection cluster (default 0).
Lowest neighbor address.
18
MTCINE Bootcamp + IPv6 Workshop
BGP PATH ATTRIBUTES

There are four categories of path attribute:

Well-known mandatory


Well-known discretionary


This attribute must be recognized by all BGP implementations but does
not have to be included in every BGP UPDATE message
Optional transitive


This attribute MUST exist in the BGP UPDATE. If this attribute is missing a
NOTIFICATION error is generated and the session is closed
If the attribute is not recognized by the BGP implementation but the
transitive flag IS set the attribute should be accepted and passed along to
other peers
Optional non-transitive

If the attribute is not recognized by the BGP implementation but the
transitive flag IS NOT set the attribute should be ignored and not passed
on to other peers
BGP PATH ATTRIBUTES (CONT.)
19
MTCINE Bootcamp + IPv6 Workshop
BGP PATH ATTRIBUTES (CONT.)
Type Code (Decimal) Attribute Name
1
ORIGIN
Category
Well-known mandatory
2
AS_PATH
Well-known mandatory
3
NEXT_HOP
Well-known mandatory
4
MULTI_EXIT_DISC (MED)
Optional non-transitive
5
LOCAL_PREF
Well-known discretionary
6
ATOMIC_AGGREGATE
Well-known discretionary
7
AGGREGATOR
Optional transitive
8
COMMUNITY
Optional transitive
9
ORIGINATOR_ID
Optional non-transitive
10
Cluster List
Optional non-transitive
14
Multiprotocol Reachable NLRI
Optional non-transitive
15
Multiprotocol Unreachable NLRI Optional non-transitive
NEXTHOP
IP address that is used to reach a certain destination.
 For eBGP nexthop is neighbor's IP address.
 eBGP advertised nexthop is carried into iBGP.

AS100
172.16.0.0/24
172.16.0.0/24
Nexthop: 10.1.1.1
172.16.0.0/24
Nexthop: 10.1.1.1
R1 10.1.1.1/30
10.1.1.2/30
R3
R2
lo0: 10.30.1.1
lo0: 10.30.1.2
AS200
20
MTCINE Bootcamp + IPv6 Workshop
NEXTHOP SELF

Force iBGP speaker to send its local peer address as nexthop.

Use when P2P link between border router (R2) and eBGP peer (R1)
is not advertised in IGP (OSPF/IS-IS).
AS100
172.16.0.0/24
172.16.0.0/24
Nexthop: 10.1.1.1
172.16.0.0/24
Nexthop: 10.30.1.1
R1 10.1.1.1/30
10.1.1.2/30
R3
R2
lo0: 10.30.1.1
lo0: 10.30.1.2
AS200
[admin@R2] /routing bgp peer> set IBGP-R3-IPV4 nexthop-choice=force-self
WEIGHT

Weight is only significant locally to the router.


This attribute is not advertised to any peer
Use inbound filter to set weight
Prefix without assigned weight has default value of 0.
 Path with higher weight is preferred.
 Weight is well-known
AS200
AS100
as Cisco proprietary,
R3
however MikroTik
R1
RouterOS also
implemented Weight. 10.1.1.0/24
10.1.1.0/24
R2

Weight: 100
Best Path
Weight: 50
AS300
21
MTCINE Bootcamp + IPv6 Workshop
LOCAL PREFERENCE

Local Preference is only significant within local AS.


This attribute is not advertised to eBGP peers
Can be set by either inbound or outbound filter
Indicates which path has preference to exit the AS.
10.1.1.0/24
 Path with higher
AS200
AS100
Local Pref. is
preferred
R5
R1
(default: 100).

10.1.1.0/24
Local Pref.: 200
Best Path
AS300
R4
R2
R3
10.1.1.0/24
Local Pref.:100
10.1.1.0/24 via R2
AS PATH

List of AS numbers that an update has traversed.
AS300
R3
10.1.1.0/24
AS Path:200,100
AS400
R2
10.1.1.0/24
10.1.1.0/24
AS Path:100
AS100
R1
R4

AS200
10.1.1.0/24
AS Path: 300,200,100
Can be manipulated for traffic engineering.

AS Path Prepending in outbound filter
22
MTCINE Bootcamp + IPv6 Workshop
ORIGIN
Information about how the prefix is originated into BGP.
 Prefers IGP over EGP, and EGP over Incomplete.
 IGP




EGP


Interior Gateway Protocol
Prefix is fed into BGP by the network command
Prefix learned via Exterior Gateway Protocol (now obsolete)
Incomplete



Origin is unknown
Occurs when prefix is redistributed from other protocols into BGP
Result of aggregation
MED
Multi Exit Discriminator or Metric, hint to external
neighbor about path preference into an AS.
 Lower metric is preferred (Default: 0).
 Exchanged between AS and used to make decision
inside that AS, not passed to third AS.
 Ignored if received from different ASes.
 IGP Metric is copied to MED when redistributed to BGP.

23
MTCINE Bootcamp + IPv6 Workshop
MED (CONT.)
10.1.1.0/24
MED: 10
AS100
AS300
R4
R1
10.1.1.0/24
MED: 50
10.1.1.0/24
No MED
10.1.1.0/24
10.1.1.0/24
MED not advertised
10.1.1.0/24
MED: 100
R3
R2
AS200
•
R1, R2 and R3 advertise the same network to R4 with different MED values.
•
R4 only compares MEDs coming from the same AS (R2 and R3).
•
MED coming from different AS (R1) is ignored.
•
Other attributes are used to select best path between AS100 and AS200.
ROUTE DISTRIBUTION

IGP (Connected, Static, RIP, OSPF) routes can be
redistributed into BGP.
/routing bgp instance
set default redistribute-static=yes
set default redistribute-ospf=yes
Prefix origin is “incomplete”.
 Redistribution can be used for advertising supernet.



Assign IP to loopback interface and redistribute connected
Point an unreachable static route and redistribute static
Risky to redistribute without filtering.
 Always use routing filters to avoid unwanted route
advertisements.

24
MTCINE Bootcamp + IPv6 Workshop
LAB: ROUTE DISTRIBUTION
lo1: 10.200.0.1/22
lo2: 10.200.0.1/24
lo3: 10.200.1.1/24
lo4: 10.200.2.1/24
lo5: 10.200.3.1/24
AS100
Static Routes:
10.100.0.0/22 Unreachable
10.100.0.0/24 Unreachable
10.100.1.0/24 Unreachable
10.100.2.0/24 Unreachable
10.100.3.0/24 Unreachable
Redistribute Static
R1
ether1
172.16.1.1/24
ether1
172.16.1.2/24
AS200
R2
Redistribute
Connected
Configure your routers according to the topology.
 Do eBGP peering between AS100 and AS200.
 Redistribute static on R1.
 Redistribute connected on R2.

[admin@R1]
[admin@R1]
[admin@R2]
[admin@R2]
/routing
/routing
/routing
/routing
bgp
bgp
bgp
bgp
instance>
peer> add
instance>
peer> add
set default as=100 redistribute-static=yes
remote-address=172.16.1.2 remote-as=200
set default as=200 redistribute-connected=yes
remote-address=172.16.1.1 remote-as=100
ROUTING FILTER
Main tool to control and modify routing information.
 Organized in chains similar to firewall.
 Specify in BGP peer's configuration which chains to use
or BGP instance out filter.
 Prefix passes instance chain, then moves to peer's chain.
 When applied at peer’s inbound direction, it will filter
what prefixes you will get from your peer.
 When applied at BGP instance’s, or peer’s outbound
direction, it will filter what you will advertise to your
peer.

25
MTCINE Bootcamp + IPv6 Workshop
PREFIX FILTERING
Can be configured to receive specific prefixes from peer,
or advertise specific prefixes to peer only.
 Similar to “ip prefix-list” in Cisco IOS.
 Prefixes can either be matched exactly or be matched by
prefix length, for example:


Accept only 10.200.0.0/22, discard others
/routing filter
add chain=EBGP-AS200-IPV4-IN prefix=10.200.0.0/22 action=accept
add chain=EBGP-AS200-IPV4-IN action=discard

Accept any prefixes that has prefix length from /22 to /24 in
subnet 10.200.0.0/22, discard others
/routing filter
add chain=EBGP-AS200-IPV4-IN prefix=10.200.0.0/22 \
prefix-length=22-24 action=accept
add chain=EBGP-AS200-IPV4-IN action=discard
LAB: PREFIX FILTERING
lo1: 10.200.0.1/22
lo2: 10.200.0.1/24
lo3: 10.200.1.1/24
lo4: 10.200.2.1/24
lo5: 10.200.3.1/24
AS100
Static Routes:
10.100.0.0/22 Unreachable
10.100.0.0/24 Unreachable
10.100.1.0/24 Unreachable
10.100.2.0/24 Unreachable
10.100.3.0/24 Unreachable
Redistribute Static

R1
ether1
172.16.1.1/24
ether1
172.16.1.2/24
AS200
R2
Redistribute
Connected
Configure prefix filtering on AS100 (R1):


Accept only prefix 10.200.1.0/24, discard others
Advertise only prefix 10.100.1.0/24, discard others
[admin@R1] /routing bgp peer> set 0 in-filter=EBGP-AS200-IPV4-IN \
out-filter=EBGP-AS200-IPV4-OUT
[admin@R1] /routing filter>
add chain=EBGP-AS200-IPV4-IN prefix=10.200.1.0/24 action=accept
add chain=EBGP-AS200-IPV4-IN action=discard
add chain=EBGP-AS200-IPV4-OUT prefix=10.100.1.0/24 action=accept
add chain=EBGP-AS200-IPV4-OUT action=discard
26
MTCINE Bootcamp + IPv6 Workshop
AS PATH FILTERING
Can be configured to receive prefixes from, or advertise
prefixes to certain ASN only.
 Similar to “ip as-path access-list” in Cisco IOS.
 Supports regular expressions:





“.” – Any single character
“^” – Start of the AS Path
“$” – End of the AS Path
“_” – matches comma, space, start and end of AS Path
LAB: AS PATH FILTERING
lo0: 10.200.0.1/22
lo1: 10.200.1.1/24
lo2: 10.200.2.1/24
lo3: 10.200.3.1/24
lo4: 10.200.4.1/24
AS100
Static Routes:
10.100.0.0/22 Unreachable
10.100.0.0/24 Unreachable
10.100.1.0/24 Unreachable
10.100.2.0/24 Unreachable
10.100.3.0/24 Unreachable
Redistribute Static

R1
ether2
172.16.1.1/24
ether2
172.16.1.2/24
AS200
R2
Redistribute
Connected
Configure AS Path filtering on AS200 (R2):


Accept only prefixes originated from AS100, discard others
Advertise only prefixes locally originated, discard others
[admin@R2] /routing bgp peer> set 0 in-filter=EBGP-AS100-IPV4-IN \
out-filter=EBGP-AS100-IPV4-OUT
[admin@R2] /routing filter>
add chain=EBGP-AS100-IPV4-IN bgp-as-path=“_100\$” action=accept
add chain=EBGP-AS100-IPV4-IN action=discard
add chain=EBGP-AS100-IPV4-OUT bgp-as-path=“^\$” action=accept
add chain=EBGP-AS100-IPV4-OUT action=discard
27
MTCINE Bootcamp + IPv6 Workshop
SET ADVERTISED BGP ATTRIBUTES

In order to manipulate inbound traffic, you can set BGP
attributes of advertised routes using outbound routing filter:

Advertise MED as 5 to manipulate peer AS not to prefer this path
among all paths they received from your AS.
/routing filter
add chain=EBGP-AS100-IPV4-OUT prefix=10.100.0.0/24 \
set-bgp-med=5 action=accept

Prepend AS Path 3 times to manipulate peer AS not to prefer this
path among all paths they received from different ASes.
/routing filter
add chain=EBGP-AS100-IPV4-OUT prefix=10.100.0.0/24 \
set-bgp-prepend=3 action=accept

RouterOS’ AS Path prepending behavior differs from Cisco IOS’:
In RouterOS, prepending AS100 3 times, AS Path: 100,100,100
 In IOS, prepending AS100 3 times, AS Path: 100,100,100,100

BGP SOFT RECONFIGURATION
When “action=discard” is used, routes are not updated
after filter change.
 Solutions:

1.
Use “action=reject” to keep routes in the memory

Similar result to “neighbor X.X.X.X soft-reconfiguration inbound”
command in Cisco IOS
/routing filter
add chain=EBGP-AS200-IPV4-IN prefix=10.200.0.0/22 action=accept
add chain=EBGP-AS200-IPV4-IN action=reject
2.
Dynamic (Peer must support Refresh Capability):
Peer refreshes the routes after the changes are done
 No additional memory is used
 It is not done automatically – need to run “Refresh” command

28
MTCINE Bootcamp + IPv6 Workshop
LAB: BGP TRAFFIC ENGINEERING


Set next-hop-self on all iBGP sessions.
Use AS Path Prepending to manipulate outbound traffic:


From AS99 to AS200’s prefixes via AS100
From AS99 to AS100’s prefixes via AS200
LAB: BGP TRAFFIC ENGINEERING (CONT.)

Configuration requirements:

R1



R2





iBGP with R2
eBGP with R3
R9


iBGP with R1
eBGP with R4
R4


iBGP with R4
eBGP with R9, use “set-bgp-prepend=3” in outbound filter
R3


iBGP with R3
eBGP with R9, use “set-bgp-prepend=3” in outbound filter
eBGP with R1 and R2
Traceroute from AS99 to AS100 and AS200 for verification.
29
MTCINE Bootcamp + IPv6 Workshop
PREFIX AGGREGATION
Summarization of more specific routes into supernet.
 Can be used to hide topology.
AS100
 Works only on the same instance BGP routes.

AS400
R4
10.1.1.0/24
10.0.0.0/8
R1
AS300
R3
10.1.2.0/24
AS200
R2
[admin@R3] /routing bgp aggregate> add instance=default \
prefix=10.0.0.0/8 summary-only=yes inherit-attributes=no
SERVICE PROVIDER
BGP DESIGN
Route Reflector
Confederation
Multi-homing
BGP Community
ISP Routing Policies
30
MTCINE Bootcamp + IPv6 Workshop
BGP ROUTE REFLECTOR

Due to the nature of full mesh iBGP is required, when there are
many BGP routers in the network, it could result huge amount
of iBGP sessions, which is hard to maintain and troubleshoot.


Sessions: n(n-1)/2
10 routers = 45 sessions, 50 routers = 1,225 sessions
Route Reflector can re-advertise iBGP routes to avoid full mesh.
 Reduces communication messages.
 Minimizes amount of data per message:



Only best path is reflected
RouterOS cannot be configured as pure route reflector.

Routes must be installed to RIB to be reflected to other client
ROUTE REFLECTOR CONFIGURATION
AS200
AS200
R3
R1
R2

R1
R3
R2 RR
Route Reflector (RR) is configured by:



Enabling “client-to-client-reflection” on BGP instance
Enabling “route-reflect” on appropriate RR client peer
There is no difference in RR client’s configuration
[admin@R2] /routing bgp instance>
set default client-to-client-reflection=yes
[admin@R2] /routing bgp peer> set IBGP-R1-IPV4 route-reflect=yes
31
MTCINE Bootcamp + IPv6 Workshop
LAB: ROUTE REFLECTOR
1.
2.
Configure iBGP full mesh and advertise all customer LANs
into iBGP, then test connectivity between LANs.
Configure Route Reflectors to eliminate iBGP full mesh
session, then test connectivity between LANs again.
BGP CONFEDERATION
Confederation is another solution for avoiding iBGP full mesh.
 Divides AS into multiple confederation ASes.
 To outside world confederation appears as single AS.
 iBGP in Each AS must be fully meshed (or use RRs).
 eBGP between confederation ASes:



Similar to iBGP behavior, nexthop is unchanged
AS Path inside confederation is in scopes: (30,20)
32
MTCINE Bootcamp + IPv6 Workshop
CONFEDERATION SETUP
AS200
R9 AS300
AS Path: 100,300
R8
R4
R3
R1
AS10
AS20
AS Path: (20,30)
R5
R2
AS400
AS100
R6
AS30
R7
/routing bgp instance set default as=10 confederation=100 \
confederation-peers=10,20,30
SINGLE-HOMED
Stub network, has only one connection to the outside world.
 Typically private ASN is used (64512-65534).
 Upstream ISP originates only default route.
 Upstream ISP advertises networks.
 Has the same routing policy as ISP.
 Actually not necessary to run BGP.

ISP
0.0.0.0/0
Single-homed
Customer
172.16.0.0/16
AS65500
Global Internet
AS300
172.16.0.0/24
33
MTCINE Bootcamp + IPv6 Workshop
DUAL-HOMED
Stub network, has multiple connections to single ISP.
 Typically private ASN is used (64512-65534).
 Receive default route or full route from upstream ISP.
 Upstream ISP advertises networks.
 Has the same routing policy as ISP.
 Use BGP to do load sharing or fail-over.

Dual-homed
Customer
ISP
172.16.0.0/16
AS65500
Global Internet
172.16.0.0/24
AS300
PRIVATE AS REMOVAL
Global Internet
AS65500
172.16.0.0/16

Private AS cannot be
leaked to public



Available for eBGP
neighbors
Announce only
aggregate route
Use following command:
ISP
172.16.0.0/24
AS65501
172.16.1.0/24
AS300
AS65502
172.16.2.0/24
/routing bgp peer set <peer-name> remove-private-as=yes
34
MTCINE Bootcamp + IPv6 Workshop
MULTI-HOMED

Needs to request own IP/ASN from:


Upstream ISP
Local Internet Registry (LIR)





Global Internet
Regional Internet Registry (RIR)


JPNIC, CNNIC, SGNIC…etc.
APNIC, ARIN, RIPE NCC…etc.
Typically receive full route
AS100
from upstream ISPs.
R1
Advertise own address
space to upstream ISPs.
Supports independent routing policies.
Use BGP to do load sharing or fail-over.
AS200
R3
R2
AS300
BGP & CONNECTION TRACKING
Connection tracking is unable to keep valid track of
connections with multi-homed BGP network.
 Packets related to one connection can travel through
different paths.
 Asymmetric routing usually happens in multi-homed
BGP networks.



Outbound through ISP 1
Inbound through ISP 2
Do not drop “invalid” connections in firewall.
 Connection Tracking should be turned off for better
performance.

35
MTCINE Bootcamp + IPv6 Workshop
BGP COMMUNITY

Attribute that groups prefixes for informational or
implementing routing policies.


32-bit value, written in format “XX:YY”
Provide extra information about the prefix, for instance:
“<ASN>:100” = Customer routes
“<ASN>:200” = Prefixes from private peering or Internet eXchange (IX)
 “<ASN>:300” = Internet prefixes from upstream provider




Filters can be easily applied to whole group
Default BGP Communities:




no-export – do not advertise to eBGP peer
no-advertise – do not advertise to any peer
internet – advertise to Internet community
local-as – do not send outside local AS (in non-confederation
network the same as no-export)
BGP COMMUNITY – USE CASE

There are three common use cases of BGP Community in
current industry:

Informational


Traffic Engineering


Instruct upstream provider to implement specific routing policy, such as:
set Local Pref., AS Path prepending, do not advertise to specific link or
peer…etc., sent by downstream customer
Blackhole


provide information about origin of the route, such as: location, network
name, relationship (customer, peer, upstream), sent by upstream provider
Instruct upstream provider to blackhole a specific route (typically /32),
used when being DoS attacked.
Some carriers offer BGP Community support in their IP
Transit service.
36
MTCINE Bootcamp + IPv6 Workshop
BGP COMMUNITY – EXAMPLE 1

Assume that you don't want AS200 (R2) to propagate
routes learned from AS100 (R1).
10.1.1.0/24
AS100
AS300
R3
AS200
R1
R2
[admin@R1] /routing bgp peer> set 0 out-filter=EBGP-AS200-IPV4-OUT
[admin@R1] /routing filter> add chain=EBGP-AS200-IPV4-OUT \
action=accept set-bgp-communities=no-export
BGP COMMUNITY – EXAMPLE 2

AS100 defined traffic engineering BGP Communities for
downstream customers:


100:500 – advertise to all peers
100:501 – advertise to AS400 only
10.1.1.0/24 community=100:500
10.2.2.0/24 community=100:501
AS 400
ISP
AS100
AS300
AS 500
37
MTCINE Bootcamp + IPv6 Workshop
BGP EXTENDED COMMUNITY
Used to carry additional fields in L2VPN and VPNv4 setups.
 Length is 64-bit, written in format “TT:XX:YY”, for instance,
RT:132730:100.
 Some additional fields carried:






Route Targets
Site of Origin
Control flags
MTU
Encapsulation flags
ISP ROUTING POLICIES
There are some best common practices for ISP.
 To upstream providers:





To downstream customers:


Advertise only your own prefixes and your customer prefixes
Advertise aggregation to all providers, /24s to specific provider
Use BGP Community for traffic engineering if your upstream
provider supports, avoid de-aggregation as much as possible
Do inbound filtering, accept only authorized prefixes
To peers:


Advertise only your own prefixes and your customer prefixes
Never leak peer’s prefixes to other peers or any of your
upstream providers
38
MTCINE Bootcamp + IPv6 Workshop
MULTIPROTOCOL
LABEL SWITCHING (MPLS)
Introduction to MPLS
Static Label Mapping
Label Distribution Protocol (LDP)
Label Binding Filtering
Traceroute in MPLS
MPLS LAB SETUP
Run OSPF on all router’s P2P links.
 Run iBGP with Route Reflectors, advertise LAN networks
into iBGP, make sure reachability between LANs.

39
MTCINE Bootcamp + IPv6 Workshop
MPLS LAB SETUP (CONT.)
Reset router's configuration.
 Set up configuration as illustrated.
 Create bridge interface and add loopback addresses.
 Run OSPF on all router point-to-point links.
 Advertise loopback addresses into OSPF.

INTRODUCTION TO MPLS
Stands for Multiprotocol Label Switching.
 Technology used to forward packets, based on short
labels.
 Initial goal: more efficient forwarding than IP routing
(similar to ATM switching).
 Serves as foundation for some “Advanced Services”:





Layer3 VPN
Layer2 VPN, Any Transport over MPLS (AToM)
MPLS Traffic Engineering
Guaranteed bandwidth services
40
MTCINE Bootcamp + IPv6 Workshop
MPLS BASICS (CONT.)
LER – Label Edge Router or Provider Edge router (PE)
 LSR – Label Switch Router or Provider router (P)
 LSP – Label Switched Path

Packets are classified and
labeled at ingress LER
LSRs forward packets
using label swapping
Label is removed at
egress LER
MPLS
Backbone
MPLS BASICS (CONT.)
Also called 2.5 layer protocol.
 Shim header (32-bit) placed between OSI Layer 2 and Layer 3.



Multiple labels can be used for MPLS packet encapsulation


After Layer 2 header and before Layer 3 header
Creation of a label stack
MPLS Label format:

Label (20 bits)
EXP (3 bits)

End of stack flag (1 bit)

TTL (8 bits)



For QoS enforcement
L2
MPLS
Label
L3
EXP
S
TTL
Whether current label is the last in the stack
41
MTCINE Bootcamp + IPv6 Workshop
MPLS BASICS (CONT.)
LSRs always use the top label of the stack.
 Several Label distribution methods exist:





Static label mapping
LDP – maps IGP unicast route into label
BGP – VPN labels for L3VPN and L2VPN
RSVP, CR-LDP – used for traffic engineering and resource
reservation
STATIC LABEL MAPPING
RouterOS allows to add static local and remote bindings
for every destination.
 MPLS dynamic label range must be adjusted to free
labels for static bindings.

/mpls
/mpls
/mpls
/mpls
set dynamic-label-range=1000-1048575
local-bindings
remote-bindings
forwarding-table
42
MTCINE Bootcamp + IPv6 Workshop
STATIC LABEL MAPPING – EXAMPLE
Local:
Remote:
Fwd:
lo0:1.1.1.1
lo0:2.2.2.2
lo0:3.3.3.3
R1
R2
R3
DST
1.1.1.1
2.2.2.2
3.3.3.3
LABEL
impl-null
22
23
DST
1.1.1.1
2.2.2.2
3.3.3.3
LABEL
21
impl-null
23
DST
1.1.1.1
2.2.2.2
3.3.3.3
LABEL
21
22
impl-null
DST
2.2.2.2
3.3.3.3
HOP LABEL
R2 impl-null
R2 23
DST
1.1.1.1
3.3.3.3
HOP LABEL
R1 impl-null
R3 impl-null
DST
2.2.2.2
1.1.1.1
HOP LABEL
R2 impl-null
R2 21
IN
22
23
OUT DST
2.2.2.2
23 3.3.3.3
IN
21
23
OUT DST
1.1.1.1
3.3.3.3
IN
21
22
OUT DST
21 1.1.1.1
2.2.2.2
LAB: STATIC LABEL MAPPING

Create static label bindings for R2 to reach R1 loopback.


Since ECMP is not used in label binding, choose only first gateway
Disable link between R2-R9 for configuration simplicity
[admin@R2] /mpls local-bindings> add dst-address=10.1.1.1 label=201
[admin@R2] /mpls remote-bindings> add dst-address=10.1.1.1 \
nexthop=10.2.4.4 label=401
[admin@R4] /mpls local-bindings> add dst-address=10.1.1.1 label=401
[admin@R4] /mpls remote-bindings> add dst-address=10.1.1.1 \
nexthop=10.3.4.3 label=301
[admin@R3] /mpls local-bindings> add dst-address=10.1.1.1 label=301
[admin@R3] /mpls remote-bindings> add dst-address=10.1.1.1 \
nexthop=10.1.3.1 label=impl-null
[admin@R1] /mpls local-bindings> add dst-address=10.1.1.1 \
label=impl-null

Test if labels are set with traceroute.
[admin@R2] > /tool traceroute 10.1.1.1 src-address=10.1.1.2
43
MTCINE Bootcamp + IPv6 Workshop
LABEL DISTRIBUTION PROTOCOL (LDP)
LDP is used for creating a local label binding to each IP
prefix in IGP and distributes to LDP neighbors.
 More effective and flexible compared to static mapping.
 Commonly used in most MPLS network.

Remote bindings
IGP Prefix
10.1.1.0/24
10.1.1.0/24
Label 21
Local binding
Label 21
10.1.1.0/24
Label 22
Local binding
Label 22
10.1.1.0/24
Label 23
Local binding
Label 23
LABEL DISTRIBUTION PROTOCOL (LDP)
(CONT.)

LDP Hello messages – UDP port 646.

Hellos are sent to “all routers in this subnet” multicast address
(224.0.0.2)
LDP transport session establishment – TCP port 646.
 Label distribution modes:




Downstream-on-Demand (DoD) – each LSR requests its next-hop
label binding (Not yet implemented)
Unsolicited Downstream (UD) – LSR distributes a binding all
adjacent LSRs even if LSRs are requesting a label
Configuring LDP transport and interface.
[admin@R1] /mpls ldp> set enabled=yes \
transport-address=10.1.1.1 lsr-id=10.1.1.1
[admin@R1] /mpls ldp interface> add interface=ether1
44
MTCINE Bootcamp + IPv6 Workshop
LAB: LDP
Remove all static mappings from previous lab.
 Enable LDP and set LSR ID and transport address the
same as loopback address.

[admin@R2] /mpls ldp> set enabled=yes \
transport-address=10.1.1.2 lsr-id=10.1.1.2

Add LDP interfaces connecting neighbor routers.
[admin@R2] /mpls ldp interface> add interface=ether1
[admin@R2] /mpls ldp interface> add interface=ether2

Verify if LDP neighbors are created.
[admin@R2] > /mpls ldp neighbor print

Check MPLS forwarding table.
[admin@R2] > /mpls forwarding-table print

Do traceroute between router loopbacks.
LABEL SPACE

Per interface label space.


Packet is forwarded based on both the incoming interface
and the label
Per platform label space.

Label is not unique per interface
Label1
Path 1
Path 1
Label1
Path 1
Path 1
Path 2
Label1
Path 2
Label1
Path 1
45
MTCINE Bootcamp + IPv6 Workshop
RESERVED LABELS
Default label range is 16-1048575.
 Labels from 0 to 15 are reserved, but only 4 are used at
this point:





0 – explicit NULL
1 – router alert
2 – IPv6 explicit NULL
3 – implicit NULL
PENULTIMATE HOP POPPING (PHP)
Router is egress point for network that is directly
connected to it, next hop for traffic is not MPLS router.
 Advertised with “implicit null” label.
 Penultimate Hop Popping ensures that routers do not
have to do unnecessary label lookup when it is known in
advance that router will have to route packet natively.
 Setting transport address ensures proper Penultimate
Hop Popping (PHP) behavior.

46
MTCINE Bootcamp + IPv6 Workshop
PENULTIMATE HOP POPPING (PHP)
(CONT.)
PHP
Implicit NULL
0
PHP
Explicit NULL
EXPLICIT NULL
If configured, penultimate LSR forwards packet with
NULL label, instead of popping stack.
 Useful to preserve QoS.
 Not required if stack contains at least two labels (inner
label can still carry QoS value).
 Implicit NULL is used by default.

47
MTCINE Bootcamp + IPv6 Workshop
TARGETED LDP

In some cases it is necessary to set up targeted LDP session.



Session between not directly connected LSRs
Targeted LDP is used to establish a Traffic Engineering (TE) tunnel
Configuration:
/mpls ldp neighbor add transport=<REMOTE_IP> send-targeted=yes
Targeted LDP
LDP
LDP
LDP
LABEL BINDING FILTERING
Can be used to distribute only specified sets of labels to
reduce resource usage
 Two types of binding filters:


Which bindings should be advertised


Which bindings should be accepted


Configure in “/mpls ldp advertise-filter”
Configure in “/mpls ldp accept-filter”
Filters are applied only to incoming/outgoing
advertisements. Any changes to filters requires to
disable and re-enable LDP.
/mpls ldp advertise-filter
add prefix=9.9.9.0/24 advertise=yes
add prefix=0.0.0.0/0 advertise=no
48
MTCINE Bootcamp + IPv6 Workshop
LAB: LABEL BINDING FILTERING

Set up label binding filters so that only bindings to loopback
addresses from your group are sent and received.
[admin@R2] /mpls ldp accept-filter>
add prefix=10.1.1.0/24 accept=yes
add prefix=0.0.0.0/0 accept=no
[admin@R2] /mpls ldp advertise-filter>
add prefix=10.1.1.0/24 advertise=yes
add prefix=0.0.0.0/0 advertise=no

Check forwarding table to make sure filters worked.
[admin@R2] > /mpls forwarding-table print

Check if packets are label switched or L3 forwarded with
traceroute .
[admin@R2] > /tool traceroute 10.1.1.1 src-address=10.1.1.2
TRACEROUTE IN MPLS
ICMP error messages are switched further along LSP.
 It will cause false increase in latency for that hop.

Label: 12
R1
Label: 23
R2
Label: 34
R3
Label: 32
R4
Label: 43
49
MTCINE Bootcamp + IPv6 Workshop
MPLS LAYER 3 VPN
Virtual Routing and Forwarding (VRF)
Multiprotocol BGP (MP-BGP)
Route Distinguisher
Route Target
PE-CE Routing Protocols
MPLS L3VPN




MPLS Layer 3 VPN is also known as IPVPN.
Service provider participates in customer routing.
Service provider takes care of convergence and fail-over.
Offers more flexibility and reliability compared to traditional
overlay and peer-to-peer VPNs.






Ease of service provision and maintenance
Cost effective and scalable
Can employ high availability and bandwidth-guarantee SLA
Service provider network MUST be MPLS enabled.
PE (Provider Edge) is a provider router that connecting to
customer site.
CE (Customer Edge) is a customer router that connecting to
provider.
50
MTCINE Bootcamp + IPv6 Workshop
MPLS L3VPN (CONT.)
VPN A
Site 1
RR
CE
CE
VPN B
Site 2
PE
PE
CE
CE
PE
VPN B
Site 1
VPN A
Site 2
CE
iBGP VPNv4
OSPF/BGP CE-PE
VPN B
Site 3
VPN A
Site 3
L3VPN BUILDING BLOCKS

Multiprotocol BGP (MP-BGP) is used to distribute VPN prefixes
and labels between PEs.


PE-CE Routing Protocols:




VPNv4 Address Family
Static Route
OSPF
BGP
Key Components:



Virtual Routing and Forwarding (VRF)
Route Distinguisher
Route Targets
51
MTCINE Bootcamp + IPv6 Workshop
VRF
Stands for Virtual Routing and Forwarding.
 Functionality of completely independent routing tables
on one router.



Routing tables can be used for Policy Based Routing (PBR).
Multiple VRFs solves the problem of overlapping
customer IP prefixes.

Different customers can use the same IP address
When nexthop resolving fails it is not resolved in main
table (compared to PBR).
 Any router management (Winbox, telnet, SSH...etc.) is
not possible from VRF interface.
 Ping and traceroute tools are updated to support VRFs.

VRF CONFIGURATION

Create VRF and add interface to VRF:
/ip route vrf add routing-mark=VPN-A interfaces=ether4
Route leaking is route exchange between separate VRFs.
 Static inter-VRF route:


Explicitly specified routing table (works with “main”)
/ip route add dst-address=5.5.5.0/24 \
gateway=10.3.0.1@main routing-mark=VPN-A

Explicitly specify interface
/ip route add dst-address=5.5.5.0/24 \
gateway=10.3.0.1%ether2 routing-mark=VPN-A
52
MTCINE Bootcamp + IPv6 Workshop
MULTIPROTOCOL BGP (MP-BGP)


BGP was initially designed for IPv4 routing.
While more and more requirements of supporting new
address types, and considering ease of management and
operations, BGP was developed into MP-BGP, Address Family
attribute was introduced to carry new types of address.


Due to nature of BGP’s TLV packet format, the protocol is very
extensible for supporting new features.
RouterOS supported Address Families:





IPv4
IPv6
L2VPN
VPNv4
Cisco Style L2VPN
ROUTE DISTINGUISHER

Route distinguisher (RD) is used to make IPv4 prefixes unique
when advertised into VPNv4 address family.



Format:





64-bit length
RD + IPv4 prefix = VPNv4 prefix (96-bit), so that different customers
can use overlapping addresses
<IP>:<Unique Number>
<ASN>:<Unique Number>
RD has to be configured in appropriate VRF for VPNv4 to work.
Normally one RD per VPN customer.
Some complex VPN scenarios may require more than one RD.

Load balancing to dual-homed VPN sites
53
MTCINE Bootcamp + IPv6 Workshop
ROUTE TARGET
Route Target (RT) identifies which VRF(s) keep which
VPN prefixes.
 RT is an 8-byte BGP Extended Community attribute.
 Each VRF in PE is configured with a set of Route Targets.




Import and Export Route Targets must be the same for anyto-any IPVPN
Different Import/Export Route Targets for hub-and-spoke
IPVPN topology
Export Route Target values are attached to VPNv4
prefixes advertisements.
ROUTE TARGET (CONT.)

Use RTs to determine which prefixes should be imported
for which VPN sites.
VPN B
Import: 200:1
Export: 200:1
VPN A
Site 1 CE
Import: 100:1
Export: 100:1
CE
Site 1
PE2
PE1
Import: 100:1
PE3 Export: 100:1
PE4
VPN B
Site 2
CE
Import: 200:1
Export: 200:1
CE
VPN A
Site 2
54
MTCINE Bootcamp + IPv6 Workshop
CONFIGURING L3VPN

Create VRF instance.
/ip route vrf add routing-mark=VPN-A \
route-distinguisher=100:1 \
import-route-targets=100:1 \
export-route-targets=100:1

Configure BGP to use VRF and VPNv4 Address Family.

OSPF as PE-CE routing protocol
/routing bgp instance vrf add instance=default \
routing-mark=VPN-A \
redistribute-connected=yes \
redistribute-ospf=yes
/routing bgp peer add name=IBGP-R3-VPNV4 \
remote-as=100 remote-address=10.1.1.3 \
address-families=vpnv4 update-source=lo0

Results
/routing bgp vpnv4-route print
PE-CE ROUTING PROTOCOLS

Static Route as PE-CE


Technically static route can be used between PE-CE, however this
leads to too much administrative overhead
CE needs to configure static routes manually for each destination
/ip route add dst-address=10.200.1.0/24 gateway=10.100.1.2 \
routing-mark=VPN-A

OSPF as PE-CE

Enable VRF-aware OSPF, redistribute VPNv4 routes into OSPF
/routing ospf instance set default \
routing-table=VPN-A redistribute-bgp=as-type-2

BGP as PE-CE (Recommended)


Eliminate the need of route redistribution
Provides more controls on filtering and policy implementation
/routing bgp instance add name=VPNV4-VPN-A as=100 \
routing-table=VPN-A
55
MTCINE Bootcamp + IPv6 Workshop
LAB: MPLS L3VPN
LAB: MPLS L3VPN (CONT.)
This lab is based on “MPLS Lab Setup” full scale lab topology.
 The purpose of this lab is to provide MPLS L3VPN (a.k.a
IPVPN) to customers with our MPLS backbone.





Green Customer Sites
Blue Customer Sites
Red Datacenter as Extranet
VPN rules:




All Green sites should HAVE access to other Green sites
All Blue sites should HAVE access to other Blue sites
Green sites and Blue sites should NOT have access to each other
Green sites and Blue sites should BOTH have access to Red
Extranet
56
MTCINE Bootcamp + IPv6 Workshop
LAB: MPLS L3VPN (CONT.)
Add a CE router between your PC and PE.
 Configure your PC to use the CE router as default gateway.
 Configure PE routers according to instruction on diagram.







VRF, RD, Import/Export RTs
PE-CE routing protocol (in VRF)
PE advertises PE-CE link
VPNv4 BGP sessions
Route redistribution between PE-CE routing protocol and VPNv4
Configure CE routers according to instruction on diagram.


PE-CE routing protocol (regular)
CE advertises Customer LAN
MPLS LAYER 2 VPN
Virtual Private LAN Services (VPLS)
Pseudowire
LDP Based VPLS
BGP Based VPLS
MPLS MTU
57
MTCINE Bootcamp + IPv6 Workshop
VIRTUAL PRIVATE LAN SERVICES (VPLS)

MPLS L2VPN in RouterOS is mainly about VPLS


Virtual Private LAN Services
There are some other technologies in other vendor’s
implementations, such as: AToM in Cisco IOS
Glues together individual LANs across MPLS
 Two deployment options:


LDP Based VPLS



BGP Based VPLS



Manual Discovery
LDP Signaling (RFC 4762)
BGP Discovery (RFC 6074)
BGP Signaling (RFC 4761)
L2VPNs are built with Pseudowire technology.
VIRTUAL PRIVATE LAN SERVICES (VPLS)
(CONT.)
PW Label Customer's L2 frame
Transport Label
L2 header
Site 1
CE1
PE1
PE2
Site 3
P1
CE3
PE3
MPLS backbone
Pseudowire
Site 2
CE2
CE – Customer's edge router
PE – Provider’s edge router
P – Provider's core router
58
MTCINE Bootcamp + IPv6 Workshop
VPLS BUILDING BLOCKS

LDP or MP-BGP is used to distribute pseudowire labels
between PEs.



PE-CE Attachment Circuit (AC):


LDP Based VPLS uses Targeted LDP
BGP Based VPLS uses L2VPN Address Family
Ethernet type media
Key Components:


Pseudowire
Control Word (CW)
PSEUDOWIRE
Pseudowire provides a common intermediate format to
transport multiple types of network services over a
Packet Switched Network (PSN).
 Pseudowire de-multiplexor field (PW Label) is used to
identify VPLS tunnel.
 Pseudowire has MAC learning, flooding and forwarding
functionality.
 Pseudowire technology provides Like-to-Like transport
and also Interworking (IW).


RouterOS does not have Interworking implementation, since
it supports only VPLS, which is Ethernet type media
59
MTCINE Bootcamp + IPv6 Workshop
LDP BASED VPLS

Create VPLS tunnels on PEs, requires full mesh:
/interface vpls
add name=VPLS-A-R3 remote-peer=10.1.1.3 vpls-id=100:13
add name=VPLS-A-R5 remote-peer=10.1.1.5 vpls-id=100:15
Dynamic targeted LDP neighbor is added.
 VPLS tunnel ID must be unique for every VPLS.
 Related VPLS tunnel information can be viewed by:
“/interface vpls monitor” command.
 Bridge VPLS interface with local one to provide
transparent connectivity.

/interface bridge add name=BR-VPLS-A
/interface bridge port
add interface=ether4 bridge=BR-VPLS-A
add interface=VPLS-A-R3 bridge=BR-VPLS-A
add interface=VPLS-A-R5 bridge=BR-VPLS-A
BRIDGE HORIZON
Forward Ethernet frame coming from PE to connected CEs.
 Packets are not forwarded to interfaces with the same
horizon value.
 Horizon value is set in bridge port configuration.

[admin@PE-2] /interface bridge port>
add interface=VPLS-A-PE1 bridge=BR-VPLS-A horizon=1
add interface=VPLS-A-PE3 bridge=BR-VPLS-A horizon=1
CE1
CE3
PE1
1
PE3
1
CE2
1
1
CE4
PE2
60
MTCINE Bootcamp + IPv6 Workshop
LAB: LDP BASED VPLS
LAB: LDP BASED VPLS (CONT.)
This lab is based on “MPLS Lab Setup” full scale lab topology.
 The purpose of this lab is to provide MPLS L2VPN (a.k.a
Metro Ethernet) to customers with our MPLS backbone.
 VPN rules:





All customer sites should be connected as single broadcast domain
Layer 2 traffic between sites should be sent/received directly
Internet access must go through HQ router, which has DHCP
server, firewall, and bandwidth management policies
Configure PE routers according to instruction on diagram.



Full mesh Pseudowires between PEs
Bridge Pseudowires and Attachment Circuit
Enable RSTP on the Bridge
61
MTCINE Bootcamp + IPv6 Workshop
LAB: LDP BASED VPLS (CONT.)
Remove IP address on your PC NIC, set it as DHCP client.
 Make sure you got IP address from DHCP server at HQ.
 Send traffic between PCs, and monitor traffic pattern.
 Test Internet connectivity.

You may realize some traffic paths are sub-optimal, frames
are forwarded to RSTP Root Bridge PE before going to
destination PE.
 Try to eliminate RSTP by using Bridge Horizon value, then
monitor the traffic pattern again.

BGP BASED VPLS

LDP Based VPLS Drawbacks:




Scalability issues due to static nature.
Requirement to maintain full mesh of pseudowires.
Configuration adjustment on all routers forming VPLS.
BGP VPLS functionality


Auto Discovery – No need to configure each VPLS router
Signaling – Labels for VPLS tunnels distributed in BGP updates
No need for targeted LDP sessions.
 No scalability issues.
 No significant advantages over LDP in case of full mesh iBGP.

62
MTCINE Bootcamp + IPv6 Workshop
BGP BASED VPLS (CONT.)

iBGP full mesh or use RR.

Address Family L2VPN
/routing bgp peer add remote address=10.1.1.2 remote-as=100 \
update-source=lo address-families=l2vpn

Create VPN bridge.
/interface bridge add name=BR-VPLS-A

Configure BGP signaled VPLS interface.
/interface vpls bgp-vpls add bridge=BR-VPLS-A bridge-horizon=1 \
site-id=1 route-distinguisher=1:1 \
import-route-targer=1:1 export-route-target=1:1



Route Distinguisher – Value that gets attached to VPLS NLRI to
distinguish advertisements, value should be unique for each VPLS
Import/Export Route Targets – Determine pseudowire mappings
Site ID – Unique setting among members of particular VPLS
LAB: BGP BASED VPLS
63
MTCINE Bootcamp + IPv6 Workshop
LAB: BGP BASED VPLS (CONT.)
This lab is based on “LDP Based VPLS” full scale lab
topology.
 The purpose of this lab is the same as “LDP Based VPLS”,
and VPN rules are the same.
 But this time we will use BGP to automate Pseudowire
discovery and signaling.

Make sure you got IP address from DHCP Server at HQ.
 Send traffic between PCs, and monitor traffic pattern.
 Test Internet connectivity.

MPLS MTU
MPLS MTU = IP MTU (L3) + MPLS headers.
 MPLS MTU is adjustable from “/mpls interface” menu.



Default: 1508
If MTU is too large and next header is IP.


Then generate “ICMP Need Fragment” error
Else silently discard packet
Eth(14)
VLAN(4)
MPLS(4)
IP(20)
DATA(1480)
IP (L3) MTU
MPLS MTU
L2 MTU
Full Frame
64
MTCINE Bootcamp + IPv6 Workshop
VPLS L2MTU
L2MTU: 1500
Eth(14) IP(20)
DATA(1480)
R1
L2MTU: 1526 Eth(14) MPLS(4) VPLS(4) CW(4) Eth(14) IP(20)
DATA(1480)
R2
L2MTU: 1526 Eth(14) MPLS(4) VPLS(4) CW(4) Eth(14) IP(20)
DATA(1480)
R3
L2MTU: 1522
Eth(14) VPLS(4) CW(4) Eth(14) IP(20)
DATA(1480)
R4
L2MTU: 1500
Eth(14) IP(20)
DATA(1480)
CONTROL WORD (CW)
4-byte Control Word
(CW) is used for
packet fragmentation
and reassembly
inside VPLS tunnel.
 Optional CW is added
between PW Label
and packet payload.
 CW can be turned off
for compatibility with
other vendors (Cisco
BGP based VPLS).

65
MTCINE Bootcamp + IPv6 Workshop
TRAFFIC ENGINEERING (TE)
IP Routing Limitation
Resource Reservation Protocol Traffic Engineering extension (RSVP-TE)
Constrained Shortest Path First (CSPF)
Static Tunnel Path
Auto Bandwidth
IP ROUTING LIMITATION
Traditional IP routing decision is based on packet
destination IP address.
 After two IP traffic flows for the same destination are
merged, it is technically hard to split them and reroute
over different paths.
 Overloaded link from Router C to Router E.

A
E
C
F
D
50Mbps traffic from A to F
B
50Mbps traffic from B to F
66
MTCINE Bootcamp + IPv6 Workshop
TRAFFIC ENGINEERING (TE)
MPLS Traffic Engineering (TE) solves the problem.
 Can be used to steer traffic to less utilized links.
 Constraint based routing – Path for the traffic flow is shortest
path that meets resource requirements (constraints).
 Upgrade of congestion link can be delayed.
 TE can also reserve bandwidth for specific service level.

A
E
C
F
D
B
TE Tunnel1 50Mbps
TE Tunnel2 50Mbps
HOW TE WORKS?

TE establishes/maintains the tunnel using RSVP-TE.

Resource Reservation Protocol Traffic Engineering extension
Tunnel path at any point is determined based on network
resources and tunnel requirements.
 Available resources are flooded via OSPF.
 Tunnel paths are calculated at the tunnel head-end based
on a fit between required and available resources
(constraint-based routing).
 TE tunnels are unidirectional.

67
MTCINE Bootcamp + IPv6 Workshop
HOW TE WORKS? (CONT.)
Tunnel head-end appears as TE interface.
 Auto TE works within the range of one OSPF area.
 Traffic can be forwarded automatically to TE if:



Remote endpoint of pseudowire is the same as TE endpoint.
BGP nexthop is tunnel endpoint.

Can be turned off by setting “use-te-nexthop=no” in Routing Filter
RSVP-TE




Tunnel signaled with TE
extensions to RSVP.
Soft state maintained with
downstream PATH messages.
Soft state maintained with
upstream RESV messages.
New RSVP objects






LABEL_REQUEST (PATH)
LABEL (RESV)
EXPLICIT_ROUTE
RECORD_ROUTE (PATH/RESV)
SESSION_ATTRIBUTE (PATH)
MPLS Forwading table
populated using RSVP labels
allocated by RESV messages.
68
MTCINE Bootcamp + IPv6 Workshop
TUNNEL PATH OPTION

Tunnel path is routed based on routing table.


Statically configured explicit path.


Tunnel path: use-cspf=no and empty hops
Tunnel path: use-cspf=no hops=<explicit hops config>
Constrained Shortest Path First (CSPF) – head end router
calculates path to tail end using knowledge of network state.
Needs assistance form IGP.

Tunnel path: use-cspf=yes, empty hops or explicitly configured
hops
TUNNEL PATH HOPS

Static path is established by setting strict or loose hops:

Strict – Defines that there must not be any other hops between
previous hop and "strict" hop
Fully specified path
 For example, if you want to let R9 go to R2 via R1-R3-R4 strictly, then use
“hops=10.1.9.9:strict,10.1.9.1:strict,10.1.3.1:strict,10.1.3.3:strict,10.3.4.3:
strict,10.3.4.4:strict,10.2.4.4:strict,10.2.4.2:strict”


Loose – There are acceptable other hops between previous hop
and defined hop


Not fully specified path
For example, if you want to let R9 go to R2 via R4, you don’t care which
routers it will go through, then you can use “hops=10.1.1.4:loose”
69
MTCINE Bootcamp + IPv6 Workshop
CONFIGURING TE

Enable MPLS TE feature in OSPF for your backbone area.
[admin@R9] /routing ospf>
set 0 mpls-te-area=backbone mpls-te-router-id=lo0

Configure RSVP bandwidth on all MPLS enabled interface.
[admin@R9] /mpls traffic-eng interface>
add interface=ether1 bandwidth=50M
add interface=ether2 bandwidth=50M

Create path option with static path.
[admin@R9] /mpls traffic-eng tunnel-path> add name=PATH-R9-R2
use-cspf=no hops=10.1.9.9:strict,10.1.9.1:strict,
10.1.3.1:strict,10.1.3.3:strict,10.3.4.3:strict,10.3.4.4:strict,
10.2.4.4:strict,10.2.4.3:strict

Create TE Tunnel interface.


Use “PATH-R9-R2” as Primary Path
Request 10Mbps bandwidth from 10.1.1.9 to 10.1.1.2
[admin@R9] /interface traffic-eng interface> add name=TE-R9-R2 \
bandwidth=10M primary-path=PATH-R9-R2 \
from-address=10.1.1.9 to-address=10.1.1.2
MONITORING TE

Monitor TE tunnel status.
[admin@R9] /interface traffic-eng> monitor 0

Monitor VPLS transport status.
[admin@R9] /interface vpls> monitor 0

TE tunnel PATH and RESV state.
[admin@R9] /mpls traffic-eng path-state> print
[admin@R9] /mpls traffic-eng resv-state> print
[admin@R9] /mpls traffic-eng interface> print
70
MTCINE Bootcamp + IPv6 Workshop
LAB: STATIC PATH TE
LAB: STATIC PATH TE (CONT.)
This lab is based on “LDP Based VPLS” full scale lab topology.
 The purpose of this lab is to implement following policies
using MPLS Traffic Engineering:



Traffic from R1 to R2 must travel through R3 and R4
Traffic from R4 to R3 must travel through R2, R9, and R1
Enable RSVP on all OSPF interfaces of backbone router.
 Enable MPLS TE support for OSPF Area 0.
 Configure TE tunnel on R1 and R4 using static path option.
 Send traffic between PCs, and monitor traffic pattern.
 Test Internet connectivity.

71
MTCINE Bootcamp + IPv6 Workshop
SECONDARY TE TUNNEL PATH

TE does not switch paths automatically to secondary,
tunnel must be re-optimized:



Manually by “optimize” command
Automatically at configured “reoptimize-interval”
TE tries to switch back to primary every minute.

Can be changed by “primary-retry-interval”
Switching paths may take some time, depends on: OSPF
timeouts, routing table updates, TE timeout settings.
 RouterOS does not support MPLS Fast Reroute.

AUTO BANDWIDTH
By default TE tunnels do not apply rate limitations,
“bandwidth” settings are only for reservation accounting
 To make tunnels more flexible two features were added:




“bandwidth-limit” – Hard rate limit allowed to enter the
tunnel, limit is percent of tunnel bandwidth.
Auto bandwidth adjustment – measures average rate during
“auto-bandwidth-avg-interval”, tunnel keeps highest average
rate seen during “auto-bandwidth-update-interval”. When
update interval expires, tunnel chooses new highest rate from
“auto-bandwidth-range”.
Both options can be used in combination.
72
MTCINE Bootcamp + IPv6 Workshop
LAB: TE WITH BACKUP PATH
AND BANDWIDTH LIMIT
LAB: TE WITH BACKUP PATH
AND BANDWIDTH LIMIT (CONT.)
This lab is based on “LDP Based VPLS” full scale lab topology.
 The purpose of this lab is to implement following policies
using MPLS Traffic Engineering:





Traffic from R1 to R2 must travel through R3 and R4
When primary path failed, use R9 as backup path
TE’s initial bandwidth reservation is 10Mbps
Allow this TE tunnel to automatically adjust bandwidth reservation
between 5Mbps and 50Mbps, with 20% increment per update
Do the same configuration for RSVP and OSPF as previous lab.
 Configure TE tunnel on R1 with backup path.
 Send traffic between PCs, monitor bandwidth reservation
changes, and monitor link fail-over events.

73
MTCINE Bootcamp + IPv6 Workshop
QUESTIONS & ANSWERS
If you have any questions, feel free to ask!
Or you would like to review a specific topic, please request.
MTCINE EXAM
This is an open book exam, you ARE ALLOWED to read
the book, use search engine, or login to the router.
 YOU ARE NOT ALLOWED to print screen, record, capture,
copy, save, disclose, or share any exam question!
 DO NOT talk to other participants during the exam!
 If you face any technical problem on exam portal, please
RAISE YOUR HAND and talk to the trainer or training
assistant.
 If you are going to do testing on your router, make sure
you are not accessing to exam portal via it.

Good luck in your exam!
74
MTCINE Bootcamp + IPv6 Workshop
INTRODUCTION TO IPV6
IPv6 Packet Format
IPv6 Addressing
IPv6 Subnetting
IPv6 Protocols
INTRODUCTION TO IPV6
New version of Internet Protocol version 6 which can
support 2128 bits – 340 decillion IPv6 addresses.
 IPng protocol was initially developed in 1994 for solving
the issue of IPv4 addresses exhaustion.
 IPv6 was also called IPng in the early days of IPv6
protocol development stage.
 IPv6 deployment started in 1999.
 It is expressed in hexadecimal digits as shown as below


2001:0db8:0582:ae33::29
75
MTCINE Bootcamp + IPv6 Workshop
IPV4 AND IPV6 HEADER COMPARISON
IPV4 VS. IPV6
IPv4
IPv6
Address Space
32-bit
128-bit
Possible Addresses
232
2128
Address Format
192.0.2.1
2001:db8:3:4:5:6:7:8
Header Length
20 bytes
40 bytes
Header Fields
14
8
IPsec
Optional
Should
76
MTCINE Bootcamp + IPv6 Workshop
IPV6 HEADER


Version = 4-bit value set to 6.
Traffic Class = 8-bit value.



Flow Label = 20-bit value.
Payload Length = 16-bit value.


Replaces IPv4 TOS field
The size of the rest of the IPv6 packet following the header –
replaces IPv4 Total Length
Next Header = 8-bit value.

Replaces IPv4 Protocol, and indicates type of next header

Hop Limit = 8-bit value.

Source address = 128-bit value.
Destination address = 128-bit value.


Decreased by one every IPv6 hop (IPv4 TTL counter)
HEADER FORMAT –
EXTENSION HEADERS


All optional fields go into extension headers.
These are daisy chained behind the main header.



The last 'extension' header is usually the ICMP, TCP or UDP header
Makes it simple to add new features in IPv6 protocol without
major re-engineering of devices.
Number of extension headers is not fixed / limited.
77
MTCINE Bootcamp + IPv6 Workshop
HEADER FORMAT –
COMMON HEADERS

Common values of Next Header field:










0 Hop-by-hop option (extension)
2 ICMP (payload)
6 TCP (payload)
17 UDP (payload)
43 Source routing (extension)
44 Fragmentation (extension)
50 Encrypted security payload (extension, IPSec)
51 Authentication (extension, IPSec)
59 Null (No next header)
60 Destination option (extension)
HEADER FORMAT –
ORDERING OF HEADERS

Order is important because:




Hop-by-hop header has to be processed by every
intermediate node
Routing header needs to be processed by intermediate
routers
At the destination fragmentation has to be processed before
other headers
This makes header processing easier to implement in
hardware.
78
MTCINE Bootcamp + IPv6 Workshop
PATH MTU AND PATH MTU DISCOVERY

Path MTU:




Path MTU (PMTU) is the largest packet size that can traverse
between a source and destination without fragmentation
IPv6 requires MTU 1280 bytes or greater
IPv4 requires MTU 68 bytes
Path MTU Discovery:



determining the path MTU between two IP hosts
To discover and take advantage of PMTU greater than 1280,
it is strongly recommended to implement PMTU discovery
For packets that are larger than PMTU fragmentation is used.
IPV6 ADDRESS SPACE

IPv4:



32 bits
= 4,294,967,296 possible addressable devices
IPv6:


128 bits: 4 times the size in bits
=340,282,366,920,938,463,463,374,607,431,768,211,456
nodes
79
MTCINE Bootcamp + IPv6 Workshop
IPV6 ADDRESSING REPRESENTATION

16-bit fields in case insensitive colon hexadecimal
representation.


Leading zeros in a field are optional, can be omitted.


2031:0000:130F:0000:0000:09C0:876A:130B
2031:0:130F:0:0:9C0:876A:130B
Successive fields of 0 represented as ::, but only once in an
address.

2031:0:130F::9C0:876A:130B

IPv4-compatible address representation.

Loopback address representation.

Unspecified address representation.



0:0:0:0:0:0:192.168.30.1 => ::192.168.30.1 =>:: C0A8:1E01
0:0:0:0:0:0:0:1=> ::1
0:0:0:0:0:0:0:0=>::
EXERCISE




2001:0db8:0000:0000:0000:0000:0000:0000
2001:0db8:0000:0000:d170:0000:1000:0ba8
2001:0db8:00a0:0000:0000:00f6:0000:00aa
2001:0db8:0fc5:007b:ab70:0210:0000:00bb
80
MTCINE Bootcamp + IPv6 Workshop
IPV6 ADDRESSING

Generally there are three address types:



Unicast : One to One (Global, Unique Local, Link local)
Anycast : One to Nearest (Allocated from Unicast)
Multicast : One to Many
There is no broadcast in IPv6.
 A single interface may be assigned multiple IPv6
addresses of any type (unicast, anycast, multicast).

IPV6 ADDRESSING (CONT.)
81
MTCINE Bootcamp + IPv6 Workshop
IPV6 ADDRESS ALLOCATION

The allocation process is:




The IANA is allocating out of 2000::/3 for initial IPv6 unicast use
Each registry gets a /12 prefix from the IANA
Registry allocates a /32 prefix (or larger) to an IPv6 ISP
Policy is that an ISP allocates a /48 prefix to each end-customer
INTERFACE ID

Lowest order 64-bit field of unicast address may be
assigned in several different ways:




Auto-configured from a 64-bit EUI-64, or expanded from a
48-bit MAC address (e.g., Ethernet address)
Auto-generated pseudo-random number (to address privacy
concerns)
Assigned via DHCP
Manually configured
82
MTCINE Bootcamp + IPv6 Workshop
EUI-64

EUI-64 address is formed by inserting FFFE between the
company-id and the manufacturer extension, and setting the
“u” bit to indicate scope.


Global scope: for IEEE 48-bit MAC
Local scope: when no IEEE 48-bit MAC is available (eg serials, tunnels)
UNIQUE-LOCAL

Unique-Local addresses used for:




Local communications & inter-site VPNs
Local devices such as printers, telephones, etc
Site Network Management systems connectivity
Not routable on the Internet
83
MTCINE Bootcamp + IPv6 Workshop
LINK-LOCAL

Link-Local addresses used for:



Automatically assigned by Router as soon as IPv6 is enabled.



Communication between two IPv6 device (like ARP but at Layer 3)
Next-Hop calculation in Routing Protocols
Mandatory Address
Only link specific scope.
Remaining 54 bits could be Zero or any manual configured value.
MULTICAST USE

Broadcasts in IPv4:


Interrupts all devices on the LAN even if the intent of the request
was for a subset
Can completely swamp the network (“broadcast storm”)
Broadcasts in IPv6 are not used and replaced by multicast.
 Multicast:



Enables the efficient use of the network
Multicast address range is much larger
84
MTCINE Bootcamp + IPv6 Workshop
IPV6 MULTICAST ADDRESS
IP multicast address has a prefix FF00::/8
 The second octet defines the lifetime and scope of the
multicast address.

IPV6 MULTICAST ADDRESS EXAMPLES
All nodes (on link) : FF02::1
 All routers (on link) : FF02::2
 RIPng:




The multicast address All RIP Routers is FF02::9
Note that 02 means that this is a permanent address and has
link scope
OSPFv3:


The multicast address All OSPF Routers is FF02::5
The multicast address All DR Routers is FF02::6
85
MTCINE Bootcamp + IPv6 Workshop
ANYCAST ADDRESS
Multiple hosts can have the same anycast address.
 Send to any one member of this group (usually the nearest).
 Indistinguishable from a unicast address.
 Use cases: load balancing, content delivery networks (CDN).
 When using anycast address, Duplicate Address Detection
has to be disabled for that IP.

SUBNETTING
Network Engineer needs to know the solid
understanding how to subnet the network for efficiently
using the IPv6 addresses.
 IPv6 Subnetting is similar concept with IPv4 subnetting.
 One Hex Digit = 4 bits :




0x4 = 0100
0x6 = 0110
0xA = 1010
86
MTCINE Bootcamp + IPv6 Workshop
SUBNETTING EXAMPLE

Provider A has been allocated an IPv6 block:

2001:0DB8::/32
Prefix-length is defined the same as CIDR value in IPv4.
 Provider A will delegate /48 blocks to its customers.
 Find the blocks provided to the first 4 customers.
 Original Block : 2001:0DB8::/32.
 Rewrite as /48 Block: 2001:0DB8:0000:/48.

SUBNETTING EXAMPLE

2001:0DB8:0000::/48
In bits
2001:DB8:
0000 0000 0000 0000
2001:DB8:0000::/48
2001:DB8:
0000 0000 0000 0001
2001:DB8:0001::/48
2001:DB8:
0000 0000 0000 0010
2001:DB8:0002::/48
2001:DB8:
0000 0000 0000 0011
2001:DB8:0003::/48
87
MTCINE Bootcamp + IPv6 Workshop
EXERCISE I (IPV6 SUBNETTING)

Identify the first four /36 address blocks out of
2001:DB8::/32.
1.-----------------------------2.-----------------------------3.-----------------------------4.------------------------------
EXERCISE II (IPV6 SUBNETTING)

Identify the first six /37 address blocks out of
2400:ABCD::/32.
1.-----------------------------2.-----------------------------3.-----------------------------4.-----------------------------5.-----------------------------6.------------------------------
88
MTCINE Bootcamp + IPv6 Workshop
NEIGHBOR DISCOVER PROTOCOL
Replaces ARP on IPv4.
 Tracks and discovers other IPv6 hosts.
 Auto-configures address.
 Uses ICMPv6 protocol.
 Has 5 message types:






Router solicitation (type 133)
Router advertisement (type 134)
Neighbor solicitation (type 135)
Neighbor advertisement (type 136)
Redirect (type 137)
NEIGHBOR DISCOVER PROTOCOL

Router Discovery


DAD (Duplicate Address Detection)


Each IPv6 host will wait to use its address unless it knows that no
other device is using the same address
MAC Address Discovery


NDP is used to learn about all available IPv6 routers in the subnet
Once a host has done the DAD check and is using an IPv6 address,
it will have to discover the MAC addresses of hosts it wants to
communicate with
SLAAC (Stateless Address Auto-configuration)

We’ll cover SLAAC in next slide, but NDP is used to learn what
address and prefix length the host should use
89
MTCINE Bootcamp + IPv6 Workshop
NS AND NA MESSAGE
It is used to look for MAC Link Layer address as
replacement of ARP.
 It can be used for DAD (Duplicate Address Detection)

ADDRESS CONFIGURATION

Auto configuration of link local address


Stateless address auto-configuration (SLAAC)


Additional options with DHCPv6
Stateful


Stateless
DHCPv6
Static

Manually assign the IPv6 address on the interface
90
MTCINE Bootcamp + IPv6 Workshop
STATELESS AUTO-CONFIGURATION
PC sends router solicitation (RS) message
 Router responds with router advertisement (RA)




This includes prefix and default route
RFC6106 adds DNS server option
PC configures its IPv6 address by concatenating prefix
received with its EUI-64 address
DHCPV6

DHCP for IPv6 is called DHCPv6 and comes in two forms:


Stateless
Stateful
A stateless DHCPv6 server doesn’t keep track of
anything for clients.
 When you use SLAAC, you still need stateless DHCPv6 to
learn about the DNS servers.
 Stateful DHCPv6 works similar with DHCP for IPv4.
 It provides IP information (IP addresses, Prefix Length,
Default Gateway, DNS Servers, and other DHCP options)
to clients.
 DHCPv6 uses a Solicit, Advertise, Request and Reply
message.

91
MTCINE Bootcamp + IPv6 Workshop
STATELESS DHCPV6
If necessary additional configuration can be obtained
(for example static routes)
 It is done by DHCPv6.
 To configure open IPv6 → ND
 Configure:



Required interfaces and
Enable “Other Configuration”
STATELESS DHCPV6 (CONT.)

Add new DHCP Server on Interface
92
MTCINE Bootcamp + IPv6 Workshop
STATELESS DHCPV6 (CONT.)
Note: For MS Windows clients it is necessary to
configure DHCPv6 in order to obtain DNS configuration.
 Make sure, that IPv6 DNS server is configured in
IP → DNS.

DNS OVERVIEW

DNS maps one resource to another resource:


IP address to hostname (and vice versa)
Useful for long addresses (such as IPv6)
Globally distributed, hierarchical tree structure.
 Three components: namespace, resolvers, servers.
 Resource records are the actual mappings:


RR Types: A, AAAA, PTR, CNAME, etc
93
MTCINE Bootcamp + IPv6 Workshop
HOW DNS WORKS
LAB: IPV6 CONNECTIVITY TEST
This lab needs two people in the group.
 It is just for testing directly connected link.
 Assign the IP address on the link as shown in figure.
 Your PC will be connected with ether2 of router and will
receive the prefix length that the router advertised by
using SLAAC.
 Ping to gateway IP from PC.
 Ping router to router .

94
MTCINE Bootcamp + IPv6 Workshop
IPV6 STATIC ROUTING





For supporting IPv6, RouterOS must have IPv6 package.
Link-local addresses are configured as gateways if the interface
is specified.
Administrative Distances are same as IPv4.
For dropping traffic in routing table, there is no “blackhole” and
“prohibit” route types, there is only “unreachable”.
Command Line:


/ipv6 route add dst-address=2002::/16
gateway=fe80::21a:4dff:fe56:1f4d%ether1
[admin@MikroTik] > /ipv6 route print
detail Flags: X - disabled, A - active, D - dynamic, C - connect, S - static,
r - rip, o - ospf, b - bgp, U - unreachable ...
1 A S dst-address=2002::/16
gateway=fe80::21a:4dff:fe56:1f4d%ether1 reachable distance=1
scope=30 target-scope=10
LAB : IPV6 STATIC ROUTING
This lab needs two people in a group.
 Configure static route on R1 to reach
2001:DF1:C700:A002::/64 via R2.
 Configure static route on R2 to reach
2001:DF1:C700:A001::/64 via R1.
 You should be able to ping between two PCs.

95
MTCINE Bootcamp + IPv6 Workshop
IPV6 TRANSITION
TECHNOLOGIES
Dual-Stack
6to4 & 6in4
6RD
DS-Lite
Teredo
TRANSITION TECHNOLOGIES
Currently we are still using IPv4 networks.
 We do need the transition technologies to let IPv6
compatibly work with IPv4.
 There are some transition technologies we would like to
explain here:






Dual-Stack
6to4 & 6in4
6RD
Teredo
DS-Lite
96
MTCINE Bootcamp + IPv6 Workshop
DUAL-STACK




Parallel Usage of IPv4 and IPv6 on a host.
Hosts and routers are able to communicate either protocol.
The most recommended way of implementing IPv6.
Most operating systems now preferred IPv6 over IPv4 while
both protocols are available on the host.
6TO4 TUNNEL
Allows isolated IPv6 domains to be connected over an
IPv4-only network.
 Can be point-to-multipoint.
 IPv6 packets are encapsulated in IPv4 packets.





Using IP Protocol 41
20 bytes encapsulation overhead
Allocated Prefix 2002::/16
Two key components:


6to4 relay (anycast address 192.88.99.1)
6to4 client
97
MTCINE Bootcamp + IPv6 Workshop
6TO4 OPERATIONS
Client connects to the nearest Relay from its routing
prospective.
 Each client is automatically assigned a /48 by embedding
its public IPv4 address into 2002::/16 prefix:



For example, client with IPv4 address 103.97.110.10 is
connecting to a 6to4 relay, its IPv6 prefix will be:



2002:<client-public-ipv4>::/48
Convert 103.97.110.10 to Hexadecimal  67 61 6E 0A
Embed 67 61 6E 0A into 2002::/16  2002:6761:6E0A::/48
Client points default gateway to 6to4 relay for getting
internet access.
6TO4 EXAMPLE
6to4 Network Design Sample
 2002:<router-ip-address-in-hex>::/48
 Create Tunnel between two IPv6 Network over IPv4 only
network.

98
MTCINE Bootcamp + IPv6 Workshop
6IN4
In contrast with 6to4, 6in4 requires manual configuration,
but it uses the same encapsulation (IP Protocol 41).
 Two key components:



IPv6 Tunnel Broker Server
IPv6 Tunnel Broker Client
Works similar to EoIP/GRE, tunnel has to be configured
manually on both peers (server and client)
 Static addressing.





No allocated prefix 2002::/16
Client’s IPv6 prefix have to be assigned manually
IPv6 prefix is independent from its public IPv4
IPv6 prefix won’t change when IPv4 endpoint changes
LAB: IPV6 TUNNEL BROKER
99
MTCINE Bootcamp + IPv6 Workshop
LAB: IPV6 TUNNEL BROKER (CONT.)







This lab is based on previous “Route Reflector” full scale lab
topology.
The purpose of this lab is to allow the users to have access to
other IPv6 networks and IPv6 Internet via an IPv4-only network.
Restore your “Route Reflector” full scale lab backup.
Configure additional IPv4/IPv6 addresses as necessary
according to the diagram.
Add a CPE router between your PC and ISP.
Configure your PC to use the CPE router as default gateway.
Configure IPv6 DNS manually on PCs using Windows.
LAB: IPV6 TUNNEL BROKER (CONT.)
R9 is Tunnel Broker Server.
 R1, R2, R3, R4 are Tunnel Broker Clients.
 Create a 6to4 tunnel between each TB Client to TB Server.
 Tasks on TB Server (R9):




Tasks on TB Clients (Other routers):




Assign IPv6 point-to-point address to each 6to4 tunnel
Route a /56 User LAN prefix to each user’s 6to4 tunnel
Configure IPv6 point-to-point address
Point default gateway to TB Server
Configure LAN using the first /64 of the routed /56 prefix
Test connectivity from your PC to IPv6-enabled websites.
100
MTCINE Bootcamp + IPv6 Workshop
6RD
IPv6 Rapid Deployment is 6to4 derivative.
 IPv6 relay is controlled by your ISP.
 From client to ISP is IPv4 network only.
 On the client side additional software is needed to
encapsulate IPv6 into IPv4 packets.

DS-LITE
Stands for Dual-Stack Lite.
 IPv6-only links are used between the ISP and the client.
 Client has native IPv6 connectivity.
 When and IPv4 packet needs to be sent, it is
encapsulated into an IPv6 packet.
 Sent to the ISP’s NAT box which decapsulates and
forwards it as IPv4 traffic.

101
MTCINE Bootcamp + IPv6 Workshop
DS-LITE (CONT.)
NAT is centralized at ISP-level.
 Clients use private IPv4 addresses.



e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
ISP → Client network is IPv6 only.
TEREDO
Teredo encapsulates IPv6 traffic into IPv4 UDP packets.
 The traffic is sent through IPv4 Internet.
 Unlike 6to4, Teredo works behind an IPv4 NAT.
 Uses Teredo prefix 2001::/32.
 Can only provide a single IPv6 address per tunnel endpoint.
 Cannot be used to distribute addresses to multiple hosts
like 6to4.
 Developed by Microsoft.
 Described in RFC4380.

102
MTCINE Bootcamp + IPv6 Workshop
ISP IPV6 ROUTING
Open Shortest Path First version 3 (OSPFv3)
MP-BGP IPv6 Address Family
Dual-Stack ISP network deployment
IPV6 ROUTING
IPv6 routing works similar to IPv4.
 Static and dynamic routing can be used.
 IPv6 dynamic routing protocols:





RIP next generation (RIPng)
OSPF version 3 (OSPFv3)
MP-BGP IPv6 Address Family
IPv6 link-local addresses can be used to communicate
between hosts in the same broadcast domain.


Link-local automatically appears on every IPv6 link
Fully functional internal IPv6 network can be created with
link-local addresses
103
MTCINE Bootcamp + IPv6 Workshop
OPEN SHORTEST PATH FIRST VERSION 3
(OSPFV3)
RouterOS supports OSPFv3 for IPv6.
 There are some similarities and some differences
between OSPFv2 and OSPFv3 as shown below.
 Similarities:








Packet Type
Interface Type
Neighbor Discovery Pattern
LSA flooding & aging
Administrative Distance
Cost…etc.
Differences are explained in next slide.
OSPFV2 VS. OSPFV3
Function
OSPFv2
OSPFv3
Routed Protocol Support
IPv4
IPv6
IPv4 (Not implemented in ROS)
OSPF All Routers Multicast
224.0.0.5
FF02::5
OSPF DR and BDR Multicast
224.0.0.6
FF02::6
Supports Multiple OSPF
instances per interface
No
Yes
Authentication
Plain text or MD5
IPSec Authentication
(Not implemented in ROS)
Header Size
24 bytes
16 bytes
LSA Types
7
9 (LSA 8, LSA 9)
Interface ID
IPv4 address
Link-local address
Running OSPF
Add OSPF network
Add OSPF interface
104
MTCINE Bootcamp + IPv6 Workshop
OSPFV2 LSA VS. OSPFV3 LSA

OSPFv2


Type 1 and Type 2 LSAs are used for topology and network
information. A single LSA contains information about the
topology and the networks that are used
OSPFv3



No Prefix information in Type 1 and Type 2
Link-local addresses to be used for next hops – Type 8 LSA
Prefixes – Type 9 LSA
MP-BGP IPV6 ADDRESS FAMILY
Multiprotocol BGP (MP-BGP) is supported in RouterOS.
 There are two deployment options for advertising IPv6
prefixes in BGP.

1.
2.

Turn on IPv6 Address Family over IPv4 BGP session
Initiate another separate IPv6 BGP session with IPv6
Address Family
We are going to configure the 2nd option in our
upcoming “Dual-Stack ISP Network” lab.
105
MTCINE Bootcamp + IPv6 Workshop
LAB: DUAL-STACK ISP NETWORK
LAB: DUAL-STACK ISP NETWORK
(CONT.)
This lab is based on previous “Route Reflector” full scale lab
topology.
 The purpose of lab is to enable IPv6 in the ISP network for
offering Dual-Stack connectivity to customers.

Restore your “Route Reflector” full scale lab backup.
 Configure additional IPv4/IPv6 addresses as necessary
according to the diagram.
 Add a CPE router between your PC and ISP.
 Configure your PC to use the CPE router as default gateway.
 Configure IPv6 DNS manually on PCs using Windows.

106
MTCINE Bootcamp + IPv6 Workshop
LAB: DUAL-STACK ISP NETWORK
(CONT.)

Run OSPFv3 between ISP backbone routers.


Configure new iBGP sessions using IPv6 Loopbacks.







R3 and R4 are Route Reflectors
R1, R2, R9 are Route Reflector Clients
Set “next-hop-self”
Advertise customer prefixes into iBGP.


The same as what you did with IPv4 OSPF
ISP-to-Customer link 2001:df1:c700:b64R::/64
Customer LANs 2001:df1:c700:cR00::/56
CPE routers point default gateway to ISP routers.
ISP routers route Customer LAN prefix to CPEs.
Test IPv6 connectivity between customers and IPv6 Internet.
LAB: DUAL-STACK ISP NETWORK –
RECURSIVE LOOKUP FAILED

After you have configured the routers as described in
previous slide, you would realize…
IT DOES NOT WORK!! 

But don’t be afraid, this is normal behavior in current
version of RouterOS:




Recursive next hop look up between dynamic routing
protocols is broken
BGP route FAILS to lookup its next hop with OSPF/RIP routes
BGP route CAN lookup its next hop with static routes
This is a bug!
107
MTCINE Bootcamp + IPv6 Workshop
LAB: DUAL-STACK ISP NETWORK –
WORKAROUND

So what can we do?

Workaround:
1.
2.
Manually configure static routes to all backbone router’s
Loopbacks, for BGP to look up
Implement routing filter, manually set all BGP next hops to be
appropriate IPv6 point-to-point address or link-local address
Yes, you will lose the capabilities of fail-over and re-routing
when links are down.
 Eventually, this has to be fixed by MikroTik, in later version
of RouterOS.

QUESTIONS & ANSWERS
If you have any questions, feel free to ask!
Or you would like to review a specific topic, please request.
108
MTCINE Bootcamp + IPv6 Workshop
THE END
THANKS FOR YOUR ATTENTION!
Contact Me
[email protected]
109
Descargar