⛓️This feature is HUGE on MikroTik! VXLAN is AWESOME!⛓️
ฝัง
- เผยแพร่เมื่อ 5 ส.ค. 2024
- Ever needed to span Layer 2 connectivity between two sites? Has EOIP overhead or VPLS restrictions to the MPLS stack caused issues with getting a working solution? GOOD NEWS, MikroTik has added VxLAN to RoSv7 which allows us to create an overlay network and span Layer 2 connectivity easily and QUICKLY. Hope you enjoy the video!
Support the Channel:
⭐Become a Patreon: / thenetworkberg
⭐Become a TH-cam Member: / @thenetworkberg
Social Media:
🌏 thenetworkberg.com
🌏 / thenetworkberg
🌏 / bergnetwork
🌏 / the-network-berg-39451...
MTCNA Playlist:
• Free MTCNA RoSv6
Timestamps:
00:00 - Introduction
00:38 - Topology Overview
04:58 - VXLAN Config PE1
07:29 - VXLAN Config PE2
08:59 - Testing Connectivity
Thanks again for watching
![เจ้าผู้เดียว - ดิด คิตตี้ [OFFICIAL MV]](http://i.ytimg.com/vi/q0NLCYKBOTo/mqdefault.jpg)
MikroTik VXLAN Documentation:
help.mikrotik.com/docs/display/ROS/VXLAN
A better VXLAN Documenation:
www.juniper.net/documentation/us/en/software/junos/evpn-vxlan/topics/topic-map/sdn-vxlan.html
en.wikipedia.org/wiki/Virtual_Extensible_LAN
Great video! Thanks for the demonstration.
Thanks for watching!
Futurama! The only professor that can have you read " Good News Everybody ! " of a poster and in his voice.
Hello friend, thanks for your excellent lessons! Best regards from Brazil!!!
It sucks that they still don't support the bgp features missing for full EVPN support, as the distributed address tables are a very nice feature for less broadcast noise
Thanks for your great videos, VXLAN on MT just being one of them! Just out of curiosity I was trying to replace an existig EoIP tunnel at home that works across a WLAN bridge with VXLAN. I set it up exactly the same way I did with EoIP. Created a VXLAN interface, VTEP and bridged it on both sides the same way I previously did with the EoIP interfaces (which work fine). I can ping with remote IP I used in the VXLAN interface creation just fine, but I can't reach any interface I bridged with the VXLAN interfaces. Do you have an idea why that is? And do you think VXLAN is appropriate for this? Thank you and keep up your great work!
Hi Sir, the vxlan winbox display is much different now on V7.8 than a year ago. For example there is a VTEP tab on winbox. Suggesting a new video but lets say, vxlan over a wireguard tunnel. (setting WG MTU to 1550). This could be to connect for example two subnets at two different locations. My understanding is that they could even be different subnets, where broadcasts would still work - think unifi controller (at home) to unifi APs ( at second house ).
In other words, explore broad/multi - cast with vxlan and use a wireguard tunnel to carry the vxlan.
Interesting idea, will have to recreate the VXLAN lab and test around with it, in theory it should work, although I can see a lot of encapsulation happening so MTU overhead will definitely be a thing. Thank you for the suggestion.
@@TheNetworkBerg Yes, I started thinking about it because a poster asked about how to get unifi controller at one location to talk to two UNIFI APs at another location.
Via group effort, three solutions were noted, TWO L2 solutions over wireguard EOIP and VXLAN. By the far the better solution was using DHCP Option 43 at the AP location and ensuring a WG path to the unifi controller at the first location - Easy Clean and the two LANS dont need to have the same subnet!! However, in the interest of learning vxlan, I think it is worthwhile exploring how this can be done. The MTU is one factor that I went out on a limb for, as it was recommended in a post I found in the always 100% correct internet. :-) I will post the solution I have in the discord channel.
Sweet !
Hi, Great video as allways :) I am trying to use it instead of eoip but I have a doubt about MTU. I am using ipip tunnels ( via ipsec ) to make vxlan connectivity. ipip tunnels have mtu size of 1402. vxlan by default 1500. is this a problem? should vxlan mtu size be smaller that ipip tunnell? it is working but i wonder if ia can get better performance by changing mtu.
maybe mtu case can be a subject to one of Your videos in the future?
few questions
- can you have more than 2 routers on the same vxlan (eoip allows only point to point) ?
- are these vteps optional? i mean, when i set group as 239.0.0.1 it works without adding vteps, do i need to add them only if i don't use groups?
so are there 2 ways of configuring it? with vteps and no need for group giving static config, and using group and no vteps so that adding new device would automagically make it join vxlan without setting up all the other? (providing that answer to question 1 is yes of course)
Very good.
not working for me, are your mkt's in bridge mode or router mode? mine are in router mode but I am inside an mpls network where both units can ping each other on eth1 (wan side)
@TheNetworkBerg - What does VxLAN do that IPIP tunnel can not do? Also what does EoIP tunnel can do that IPIP can not do? Thanks.
Hello Berg, thanks for your videos. VxLAN are new to me and I am big fan of the wireguard, which I am using almost two years now. I was very happy when mikrotik implemented into RouterOS. Do you think that there could be some benefits to use VxLAN over wireguard, or it is total nonsense?
Like I wrote VxLAN are new to me and I can't really tell if it will have benefits or no :-)
Don't worry too much about VXLAN if you aren't doing stuff like cloud based hosting and having many servers across many different geo locations. Wireguard is an excellent VPN tunneling protocol and I wouldn't try to add things like VXLAN over Wireguard, I think the performance just would drop a lot :(
So keep going with the Wireguard :D!
@@TheNetworkBerg Thank you! I'll stay with wireguard only and with my PBR rules, which works great for me :-)
please can you make a video about the differences in WIRELESS -- channel width 20/40mhz eC and Ceee / epee eeCe eeeC XXXX etc I would like to optimize the wifi speed of my hAP
0:44 is it true that it is better when a RR does not included in the routing process?
Thank you for bringing vxlan to my attention. I completely missed that. :)
BTW, you are constantly deleting those slashes in cli like it's a console glitch. I think they've added it on purpose, so now all commands look kinda like a tree and only last part/options are added after spaces. Am I wrong? Actually, I haven't seen anything about it on their forum.
Correct I am deleting the slashes, it's not a bug and the commands run fine with them. I might have a bit of OCD and by running the commands so long without the slashes my brain just sort of wants me to delete them. Lol. It's really weird, personally I would like them to get rid of the slashes again :P
03:38 Hi Berg, is that possible to remote the mikrotik in eve-ng environment with private IP without using Romon? i see your private IP is 192 0 0 5, can you add this to static route at windows and access the device with an IP through winbox? Thanks in advance
Yes, that's absolutely achievable and I have done so with various labs. You can setup static routing on your own PC to the IP address that the NIC gets on the management cloud. You could also add each MikroTik directly to the management cloud and access each device either via IP or mac-address on Winbox without having to use ROMON.
Do you know if the remote ip field will accept a domain name or does it have to be an ip address?
Currently it seems as if only IP is acceptable.
Can you please explain the difference (speed, bandwidth usage) between these in summary pertaining to creating a Layer-2 tunnel with bridge and vlan functionality: VxLAN
GRE Tunnel
IP Tunnel
EoIP Tunnel
GRE doesn't have ARP so can't be bridged and no other L2 functionality over it.
VXLAN is otherwise the same as EoIP, the main differences being VXLAN performs better but lacks encryption (therefore unsuitable over the internet).
Does same subnet can have 2 or more gateway despite using VXLAN? I see that SVR1 using 192.168.0.1 as GW and SVR2 using 192.168.0.2 as GW. Can you put a single GW 192.168.0.1 and make it like VRRP?
Yes, you could definitely do that :), this is a great benefit of using VXLAN, you can even introduce VRRP with it and do something like having a floating IP between the routers that both DCs use as a gateway.
PS. I'm more of a Shadowfiend player myself :P
cutting hands on video is fun :)
It hurts!
What is the difference between vxlan and zerotier as both purport to replicate the ethernet switch (clearly vlxlan you still need vpn tunnel and zerotier you are depending upon third party). One advantage of zerotier is that it bypasses MTU issues one can experience with wireguard for example.
Well... one disadvantage may be that VXLAN has a pretty big overhead as well, about 50 bytes. So it's pretty hard to run this over the internet like ZeroTier, though it is definitely a lot more flexible for an administrator and gives you direct control. You can pretty much do VLANs over your VXLAN bridges as well. I definitely much more recommend this for spanning L2 services for Data Centers where possible and where you control the entire path.
VXLAN can be part of true overlay E-W, but VXLAN require network reachability like multicast or IS-IS protocol's , currently this part is missing from MikroTik deployment. So they think about GRE + VXLAN, but that way to match overhead . With directly connected networks like MAN and Wifi Mesh it can be useful to ran VXLAN instead WDS.
VXLAN is cool yeah, but statically defined VXLANs and Tunnels are useless.. they did the hard part, great to them, but now they MUST extend MP-BGP and enable EVPN, otherwise i feel that they wasted time
Hey Andrea, yes totally I agree with this comment 100% hopefully MT will start implementing this now since V7 has officially released.
This is a jump start for 2022 for MikroTik but still far to go the mp-bgp evpn route, not to mention the numerous reliability issues of rOS7 they have to address. I`d rather go do my r&d with cisco than do it with tik. my opinion only.
how can i use vxlan to overcome the max entries of firewall connections ???
i have a firewall connections exceeding 7Millions on other firewall like pfsense, but when i operate mikrotik, connections limited to 800K which cause problem in online games, educational websites and many websites
i also tried many solutions on mikrotik like fasttrack but i was unable to control bandwidth speed
any suggestions ?
VXLAN is a L2 concept, it does not really have anything to do with increasing the amount of connections that can be tracked by the FW, what you could perhaps do though is create a VXLAN tunnel to something like your pfsense FW that can handle more connection tracking and use that as a gateway via the VXLAN tunnel
@@TheNetworkBerg is there any way to increase FW connections on mikrotik or bypass the FW with bandwidth control
Cool stuff. What about the overhead? How much is it? Will this cause any MTU mismatch issues? Why does this bring to the table in comparison to EoIP?
The overhead is approximately 50 bytes, which is another reason I would also not recommend trying to run this over the internet. VxLAN is also industry standard meaning you could use various gears to create the VxLAN tunnels, so it doesn't have to be MikroTik to MikroTik.
If it's not to be run over the internet, then the only purpose seems to be to replace VLANs in cases you have more than 65k VLANs in your network? Am I getting something wrong here?
@@agukasian 4k VLANs not 64k
@@agukasian VxLAN is not looking to replace VLANs.. If any is only going to extend them.. Like QinQ but it's oriented to connectivity instead of isolation
@@TheNetworkBerg Isn't EoIP overhead 24 bytes?
I was going to comment Futurama (before reading the comments), but someone already beat me to it. VxLAN is a bit of a fog of war for me so this video will be useful :)
Hehe, you can probably just consider VXLAN the evolution of VPLS, it's still a little bit funky on MikroTik for my own liking so I definitely wouldn't use it in a production environment yet, but definitely something to keep an eye on especially once the long-term release is out and everything is working as intended.
@@TheNetworkBerg Ahh right, I have to re-watch your VPLS video to refresh myself on it :P My understand (I could be wrong) is that VPLS, VXLAN, and EoIP can be used in very similar ways. With VXLAN I assume I can essentially setup Data Centre redundancy for the same subnet/VLAN between the two Data Centres with VRRP? So if CPE-VXLAN-01 is in a Data Centre in Cape Town and CPE-VXLAN-02 is in a Data Centre in Johannesburg you can make the same 192.168.0.0/24 subnet failover between the two? Like if the Cape Town Data Centre went completely offline you can set it up to failover to Johannesburg? I am still trying to wrap my little brain around the practical applications of it all :) Keep up the great work mate!
Hi, Berg! Could you make a video with Russian subtitles? Please 🙏🙏
for some reason vxlan is quite slow. between two CRS125-24G-1S i get around 200Mbps (EoIP on the same setup runs 520Mbps) and cpu hits 100% i wonder if it can be optimized in future
Hmmmmm, I think it should be optimized in the future, I would personally expect VXLAN to run better than EOIP. Maybe bring this up with MIkroTik on their forums or email their support as well so that they can be aware of that.
I saw you mentioned previous a high overhead with vxlan. Could it be slower due ti fragmentation? If so, allowing larger packet sizes across the path between the two devices MIGHT help - just a thought.
@@TheNetworkBerg Hi Berg, can you do a lab test of this. If EoIP is faster then there is probably no reason to use it over EoIP. Maybe play with MSS Clamp, MTU, (R)STP, don't fragment, fast-path,...and let us know how VxLAN holds. I have seen EoIP do 10Gbps with 9000 MTU and 1.5Gbps with 1500 MTU. This youtube lab test was done over LAN but created the condition of IP Transit with 1500 MTU limited so when EoIP can do that why use VxLAN?
@@classicalmusic2425 I can check if I can do a lab test, although I believe Kevin Meyers from IP Architects has already been conducting tests using VxLAN which were very promising, pushing nearly 100Gbps of aggregated data over the link.
VxLAN is also an open standard, similar to OSPF. You are able to use this between different vendor's equipment, unlike EoIP which is MikroTik proprietary.
MikroTik's VxLAN is still in its infancy though, and with time they should be adding what most other vendors have, that being able to span VxLAN tunnels using BGP, similar to what you can do with VPLS. Which is a big game changer compared to EoIP.
You get 500mbit over eoip? im lucky to break 300 and thats crs1036 to 1036
You look very exited about VXLAN, but at the end you say it is very insecure. Should we use it? How to secure it?
Well, I am very excited for it in a data center environment and where I potentially have full control of the network or I know the network I am peering is good, I however wouldn't run it directly over the internet due to it adding around 50 bytes of overhead so can run into MTU issues. This traffic is also all just UDP and if you are running VXLAN with no security in mind someone malicious could potentially get their hands on information that would make log4j look like a joke :P
There are definitely things you could do by creating the connection over another tunnel, though that could potentially cause more overhead. Here are some articles highlighting some of the flaws of VXLAN specifically over the internet. (Perhaps I can look at a video looking at how to address some security concerns on MikroTik as well)
udspace.udel.edu/handle/19716/22824
eos.arista.com/vxlan-security/
@@TheNetworkBerg thank you for the aswer. Looking forward to your next video, how to secure VXLAN on MiktoTik. :)
this is normal that eoip l2 tunnel is faster that vxlan ?
In Theory, no, VXLAN should be the more superior protocol. I've seen Kevin from stubarea51 having phenomenal labs and throughput using VXLAN.
Im not understanding the difference between this vs Eoip. Seem to be exactly the same function
This has less overhead compared to EOIP, once MikroTik fleshes it out you will also be able to signal VxLAN tunnels with BGP which makes it very scalable as well. Unfortunately MikroTik currently just allows for static creation.
what about securing this with something to encrypt the traffic? let's say encrypt the L3 transport?
That's definitely a possibility, in theory you could potentially build the VxLAN tunnel over another type of encrypted tunnel such as IPSEC. Although you better get ready for a bit of MTU overhead :P
@@TheNetworkBerg i planned a little lab with wireguard and how much i can get throug if the initial layer2 link is MTU 1600
But VXLAN not sitting above MPLS or?
No, I do not believe VXLAN sits on top of MPLS or requires MPLS to work. I've even seen some people set this up over direct internet. Probably a bit risky to do though.
Futurama
Hehe, indeed! I love that series :D! Wish they didn't cancel it permanently :(
I have two questions hope you get back
1- I have two adsl lines, when I use pppoe client connection through bridge modems the upload is not doubled as download. Im using NTH .
2- Shall I enable ipv6? Is it faster will I achieve any extra speed?
That sound is like a baby 🤣
Feature that is need for Mikrotik to compete against others is to FIX GOD DAMN WIFI drops!
I don't personally use MikroTik for Wifi, although I would suggest logging a call with MikroTik if you are experiencing some drops related to the hardware. Wifi has always been tricky due to various factors that can cause drops like interference or even client issues.
ur voice not loud enough. maybe u can use like his mic in th-cam.com/video/nwlircveTHU/w-d-xo.html
Really? I haven't received feedback like this in a while. Will take a look :)
@@TheNetworkBerg yes. with ur video I need to set max 100% sound but still not loud enough but with video in the link 40% sound is loud enough
why is my putty.exe not Colored like yours...... i need that happy Colorful 🙂
Just need to update the foreground colors in your Putty default session and save it, then it looks like you are working in the matrix :D!