Hey Paul

We are using VRFs for layer 2 services. Our clients PPPoE into us, and the RADIUS server gives them a static /32 IP and puts them in a VRF (CUSTOMERNAME_VRF). All their sites are in the same position, just with different IPs. We then route a /24 IP over their /32 IP address and we can do what you are thinking, and also apply QoS through the RADIUS server as well.

The other great thing is that their IP address will never conflict with ours, or our other clients.

You could do this same thing if they come in via a VPN tunnel.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Thursday, 28 August 2014 11:38 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] VLAN Injection.....

Thanks Paul for your suggestion, however I think the VRF will only help if everything is layer 3, the customer currently has a purely layer 2 connection between their sites and through our network, and we need to add another layer 2 connection for them at one end to deliver this transit across.

If I am wrong here please correct me as VRFs aren't one of my strong points but I thought that they were for layer 3.

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Azad
Sent: Thursday, 28 August 2014 11:32 AM
To: MikroTik Australia Public List
Subject: Re: [MT-AU Public] VLAN Injection.....

Paul

I would suggest putting them in a separate VRF in your DC router. That way everything of theirs is separate to yours. We have done this on our DC router (a Cisco), and our clients come in via a layer 2 service.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Thursday, 28 August 2014 9:53 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] VLAN Injection.....

Sorry, I know it's confusing.....

So we have a customer at a site, at that site we bridge ether1 on their MikroTik to an EOIP tunnel. That EOIP tunnel then goes through our network to our edge router at a data centre where we then bridge the EOIP tunnel to ether4 on our edge router. The customer then plugs their cross connect to that Ethernet port.

So right now we have a layer 2 bridge between ether1 at their site and ether4 on our edge router at the DC, they can effectively do whatever they want across that, vlans, layer 3 traffic, whatever.

Problem is that now they want some transit from us, but they only have one cross connect to us at the DC, so somehow we need to be able to feed them a vlan into that ether4 port at the DC so that they can pick up that transit from the vlan.

My current thoughts are to add the vlan to the bridge interface which bridges the EOIP tunnel and ether4 at the DC, then they configure that vlan ID on their kit that plugs into ether4 on our router and then we have a /30 across that vlan which we feed them the transit on.

Any thoughts?

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Thursday, 28 August 2014 9:45 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] VLAN Injection.....

OK, umm, ... I don't think I understand what you have or what you need :-}

So they want to add transit to an existing private link that passes through your network? So you need to kind of 'break out' a vlan at some point where there is no existing routing node?

Cheers, Mike.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Thursday, 28 August 2014 9:14 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] VLAN Injection.....

Thanks Mike

I had yes, but the vlan only needs to be presented at one end of the link as it's coming in from our network.

The customer has the trunk through our network and now wants some transit as well, as the trunk port is already plugged into their cross connect and we don't have another cross connect spare we need to try and get this other vlan into one end of the trunk.

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Thursday, 28 August 2014 9:08 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] VLAN Injection.....

Have you considered a second eoip tunnel? That way, you can add a vlan virtual interface on each side with the relevant tag ID, then bridge that virtual interface to the new eoip tunnel.

As in:

    # VLAN virtual interface for tag nn on the physical port
    /interface vlan add interface=etherx vlan-id=nn name=vlan-nn-ether-x
    # second EoIP tunnel with its own tunnel-id
    /interface eoip add name=eoip-nn local-address=a.b.c.d remote-address=c.d.e.f tunnel-id=mm
    # bridge the VLAN interface to the new tunnel
    /interface bridge add name=bridge-nn
    /interface bridge port add interface=vlan-nn-ether-x bridge=bridge-nn
    /interface bridge port add interface=eoip-nn bridge=bridge-nn

And same/similar on other end.

Cheers! Mike.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian
Sent: Wednesday, 27 August 2014 4:09 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] VLAN Injection.....

Hi guys, hoping somebody could suggest an option here.

We have a customer that we are doing a trunk for which goes from their office to our DC and then to them in that DC. It looks like:

    Local Site                         Data Centre
    Ether1 -> bridge -> EOIP Tunnel -> bridge -> Ether1

This has been setup this way so that they can just push whatever they want through the tunnel, which is basically 4 vlans, so with this design they should be able to send and receive tagged traffic between the two Ethernet ports without an issue.

The problem we have is that we now need to supply an additional vlan to the DC end of the link, but because it's a layer 2 trunk I am not sure of the best way to approach this.

I have thought of putting a vlan on the physical interface and another on the bridge interface and setting up a /30 between those two vlan interfaces but to be honest I don't know if that will actually work, has anybody experienced this before and have any suggestions before I just try it?

Basically we need to provide them a layer 3 connection as well as the layer two connection but into the same physical interface at the DC.

Thanks
Paul

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au