MikroTik RouterOS MPLS Traffic Engineering: Explicit Path Control

MikroTik RouterOS MPLS Traffic Engineering: Explicit Path Control

RouterOS Version: 6.x / 7.x (syntax differs) Difficulty: Advanced Estimated Time: 60 minutes

Overview

MPLS Traffic Engineering (MPLS-TE) gives you explicit control over how traffic traverses your network. Unlike standard IP routing where packets follow the shortest path calculated by your IGP, TE tunnels let you define specific paths based on bandwidth requirements, link properties, or administrative policies.

The key difference from LDP-based MPLS is control: LDP automatically creates label-switched paths following IGP routes, while RSVP-TE creates paths you define - either explicitly hop-by-hop, or dynamically via Constrained Shortest Path First (CSPF) calculations that respect bandwidth and other constraints.

TE tunnels in RouterOS appear as interfaces. You can route traffic into them, assign IP addresses, and use them as transport for VPLS or MPLS VPNs. They are unidirectional - if you need bidirectional communication, create tunnels in both directions.

When to Use MPLS-TE

MPLS-TE solves specific problems that standard routing cannot:

Scenario	Why TE Helps
Link utilization imbalance	Route traffic away from congested paths
Latency-sensitive applications	Force traffic over lower-latency links
Bandwidth guarantees	Reserve capacity along specific paths
Disaster recovery	Pre-establish backup paths through alternate routes
Multi-tenant isolation	Separate customer traffic onto different physical paths

When NOT to use MPLS-TE: If your network is small, has uniform link capacity, or doesn’t require explicit path control, standard LDP-based MPLS is simpler and sufficient.

Core Concepts

Label Switched Paths (LSPs)

An LSP is the path that MPLS-labeled packets follow through the network. With TE, you control this path rather than leaving it to the IGP.

RSVP-TE Signaling

RSVP-TE establishes the tunnel by sending Path messages from head-end to tail-end, then Resv messages back confirming the reservation. This process:

1. Reserves resources (bandwidth) along the path
2. Distributes labels at each hop
3. Establishes the LSP

Path Types

Explicit Path: You define every hop the tunnel must traverse.

• Use when you need guaranteed routing through specific nodes
• Requires knowing your network topology

Dynamic Path (CSPF): RouterOS calculates the path based on constraints.

• Use when you want constraint-based routing without manual hop specification
• Requires OSPF with TE extensions enabled

Configuration Steps

Step 1: Enable TE on Interfaces

Before creating tunnels, enable Traffic Engineering on interfaces that will participate in TE paths:

# RouterOS 6.x syntax
/mpls traffic-eng interface add interface=ether1 bandwidth=1000000000
/mpls traffic-eng interface add interface=ether2 bandwidth=1000000000

# RouterOS 7.x syntax
/mpls/traffic-eng/interface/add interface=ether1 bandwidth=1000000000
/mpls/traffic-eng/interface/add interface=ether2 bandwidth=1000000000

The bandwidth parameter is administrative - it tells CSPF how much capacity is available for path calculations. Set it to your link speed or the capacity you want to advertise.

Step 2: Configure OSPF for TE (Required for CSPF)

If using dynamic CSPF paths, OSPF must distribute TE information:

# RouterOS 6.x
/routing ospf instance set default mpls-te-area=backbone mpls-te-router-id=10.255.255.1

# RouterOS 7.x
/routing/ospf/instance/set default mpls-te-area=backbone mpls-te-router-id=10.255.255.1

• mpls-te-area: The OSPF area where TE opaque LSAs are flooded
• mpls-te-router-id: Usually your loopback address; identifies this router in TE

Apply this configuration on ALL routers in the TE domain.

Step 3: Create Tunnel Paths

Define how the tunnel should be routed:

Option A: Dynamic Path Using CSPF

/mpls traffic-eng tunnel-path add name=dynamic-to-r4 use-cspf=yes

CSPF calculates the path automatically based on available bandwidth and link metrics.

Option B: Explicit Path with Strict Hops

/mpls traffic-eng tunnel-path add name=explicit-to-r4 use-cspf=no \
    hops=192.168.12.2:strict,192.168.23.2:strict,192.168.34.2:strict

With strict hops, packets must traverse directly between the specified addresses - they must be adjacent routers.

Option C: Explicit Path with Loose Hops

/mpls traffic-eng tunnel-path add name=loose-to-r4 use-cspf=no \
    hops=10.255.255.2:loose,192.168.34.2:strict

Loose hops allow intermediate routers between specified points. The last hop should typically be strict and use the interface IP (not loopback) of the destination.

Step 4: Create the TE Tunnel

/interface traffic-eng add name=te-to-r4 \
    to-address=10.255.255.4 \
    bandwidth=100000000 \
    primary-path=dynamic-to-r4 \
    disabled=no

• to-address: The tail-end router’s address (usually loopback)
• bandwidth: Bandwidth to reserve (administrative, affects CSPF calculations on other tunnels)
• primary-path: Reference to the tunnel-path entry

Step 5: Enable the Tunnel

Tunnels are disabled by default. Enable after configuration:

/interface traffic-eng enable te-to-r4

Complete Example: Four Router Topology

Consider this network topology:

Goal: Create a TE tunnel from R1 to R3 that goes through R2 (avoiding the R1-R4-R3 path).

R1 Configuration (Head-End)

# Enable TE on interfaces
/mpls traffic-eng interface
add interface=ether1-to-r2 bandwidth=1000000000
add interface=ether2-to-r4 bandwidth=1000000000

# Configure OSPF for TE
/routing ospf instance set default mpls-te-area=backbone mpls-te-router-id=10.255.255.1

# Create explicit path through R2
/mpls traffic-eng tunnel-path add name=via-r2 use-cspf=no \
    hops=192.168.12.2:strict,192.168.23.2:strict

# Create TE tunnel
/interface traffic-eng add name=te-to-r3 \
    to-address=10.255.255.3 \
    bandwidth=100000000 \
    primary-path=via-r2 \
    record-route=yes \
    disabled=no

R2 Configuration (Transit)

# Enable TE on interfaces
/mpls traffic-eng interface
add interface=ether1-to-r1 bandwidth=1000000000
add interface=ether2-to-r3 bandwidth=1000000000

# Configure OSPF for TE
/routing ospf instance set default mpls-te-area=backbone mpls-te-router-id=10.255.255.2

R3 Configuration (Tail-End)

# Enable TE on interfaces
/mpls traffic-eng interface
add interface=ether1-to-r2 bandwidth=1000000000
add interface=ether2-to-r4 bandwidth=1000000000

# Configure OSPF for TE
/routing ospf instance set default mpls-te-area=backbone mpls-te-router-id=10.255.255.3

R4 Configuration (Not in Tunnel Path)

# Enable TE on interfaces (for OSPF TE database completeness)
/mpls traffic-eng interface
add interface=ether1-to-r1 bandwidth=1000000000
add interface=ether2-to-r3 bandwidth=1000000000

# Configure OSPF for TE
/routing ospf instance set default mpls-te-area=backbone mpls-te-router-id=10.255.255.4

Adding Failover with Secondary Paths

For resilience, configure a secondary path that activates if the primary fails:

# Create backup path (dynamic, will find any available route)
/mpls traffic-eng tunnel-path add name=backup-dynamic use-cspf=yes

# Update tunnel with secondary path
/interface traffic-eng set te-to-r3 \
    secondary-paths=backup-dynamic \
    primary-retry-interval=30s

When the primary path fails (link down, RSVP timeout), the tunnel switches to the secondary path. The primary-retry-interval controls how often RouterOS attempts to re-establish the primary.

Using TE Tunnels for Traffic

TE tunnels appear as interfaces. To use them:

Option 1: Static Routes

/ip route add dst-address=10.100.0.0/24 gateway=te-to-r3

Option 2: Assign IP Address and Use Routing

/ip address add address=172.16.0.1/30 interface=te-to-r3

Then establish routing (static or dynamic) over the tunnel.

Option 3: VPLS Transport

/interface vpls add name=vpls1 remote-peer=10.255.255.3 use-explicit-path=te-to-r3

Verification

Check 1: Verify TE Interfaces

/mpls traffic-eng interface print

Expected Output:

Flags: X - disabled
 #   INTERFACE        BANDWIDTH
 0   ether1-to-r2     1000000000
 1   ether2-to-r4     1000000000

Check 2: Verify Tunnel Status

/interface traffic-eng print

Expected Output:

Flags: X - disabled, R - running
 #   NAME       TO-ADDRESS     BANDWIDTH     PRIMARY-PATH   ACTUAL-PATH
 0 R te-to-r3   10.255.255.3   100000000     via-r2         via-r2

The R flag indicates the tunnel is running (established).

Check 3: Monitor Tunnel Details

/interface traffic-eng monitor te-to-r3 once

Expected Output:

             tunnel-id: 1
    primary-path-state: established
  secondary-path-state: not-configured
           active-path: via-r2
          active-lspid: 1
          active-label: 18
        explicit-route: 192.168.12.2->192.168.23.2
        recorded-route: 192.168.12.2[18]->192.168.23.2[impl-null]
    reserved-bandwidth: 100000000

Key fields:

• primary-path-state: established - Tunnel is up
• explicit-route - The path being used
• recorded-route - Actual path with labels

Check 4: Verify OSPF TE Configuration

/routing ospf instance print

Expected Output:

      name: default
   mpls-te-area: backbone
   mpls-te-router-id: 10.255.255.1

Check 5: Check MPLS Forwarding Table

/mpls forwarding-table print

Expected Output: Should show label bindings for the tunnel.

Troubleshooting

Problem: “Tunnel stuck on hold, never establishes”

Cause: RSVP protocol not running on intermediate routers.

Solution:

1. Verify all routers along the path have TE interfaces configured
2. For mixed vendor networks (e.g., Cisco), ensure RSVP is enabled:

   ! Cisco IOS
   interface GigabitEthernet0/0
     ip rsvp bandwidth
     mpls traffic-eng tunnels

3. Check RSVP neighbors: /mpls rsvp interface print

Problem: “CSPF not finding a path”

Cause: OSPF not distributing TE information or bandwidth exhausted.

Solution:

1. Verify OSPF TE configuration on all routers:

   /routing ospf instance print

   Must show mpls-te-area and mpls-te-router-id
2. Check available bandwidth:

   /mpls traffic-eng interface print

3. Reduce tunnel bandwidth requirement or increase interface bandwidth

Problem: “Tunnel establishes but traffic doesn’t flow”

Cause: Routing not configured to use the tunnel.

Solution:

1. Add static route pointing to tunnel interface:

   /ip route add dst-address=DESTINATION gateway=te-tunnel-name

2. Or assign IP to tunnel and configure dynamic routing

Problem: “Path takes unexpected route”

Cause: CSPF bug in some RouterOS versions or metric misconfiguration.

Solution:

1. Use explicit path with loose hops to constrain the route:

   /mpls traffic-eng tunnel-path set [find name=my-path] \
       hops=INTERMEDIATE_ROUTER:loose,FINAL_HOP:strict

2. Upgrade RouterOS if using an older version

Problem: “Last hop in explicit path rejected”

Cause: Last hop must be interface IP of destination router, not loopback.

Solution: Use the actual interface IP that receives traffic on the tail-end router:

# Wrong - loopback as last hop
hops=192.168.12.2:strict,10.255.255.3:strict

# Correct - interface IP as last hop
hops=192.168.12.2:strict,192.168.23.2:strict

Problem: “Bandwidth not being enforced”

Cause: TE bandwidth is administrative only - RSVP reserves it for path calculations but doesn’t police traffic.

Solution: Add queue to limit actual traffic:

/queue simple add name=te-limit target=te-to-r3 max-limit=100M/100M

Common Pitfalls

1. Forgetting Tunnels Are Unidirectional

Wrong: Expecting return traffic to use the same path

# Only creates tunnel R1 → R3
/interface traffic-eng add name=te-to-r3 to-address=10.255.255.3 ...

Right: Create tunnels in both directions

# On R1: tunnel to R3
/interface traffic-eng add name=te-to-r3 to-address=10.255.255.3 ...

# On R3: tunnel to R1
/interface traffic-eng add name=te-to-r1 to-address=10.255.255.1 ...

2. Using Loopback as Last Explicit Hop

Wrong: Loopback address as final hop

/mpls traffic-eng tunnel-path add name=path1 hops=192.168.12.2:strict,10.255.255.3:strict

Right: Interface IP as final hop

/mpls traffic-eng tunnel-path add name=path1 hops=192.168.12.2:strict,192.168.23.2:strict

3. Missing OSPF TE Configuration

Wrong: Creating tunnels without OSPF TE

# No mpls-te-area configured - CSPF won't work
/interface traffic-eng add name=te1 to-address=10.255.255.3 primary-path=dynamic-path

Right: Configure OSPF TE first

/routing ospf instance set default mpls-te-area=backbone mpls-te-router-id=10.255.255.1

4. Assuming Bandwidth Limits Traffic

Wrong: Thinking reserved bandwidth enforces limits

# This doesn't actually limit traffic to 100Mbps
/interface traffic-eng add name=te1 bandwidth=100000000 ...

Right: Add queues for traffic policing

/interface traffic-eng add name=te1 bandwidth=100000000 ...
/queue simple add name=te1-limit target=te1 max-limit=100M/100M

5. RouterOS 7 Syntax Mismatch

Wrong: Using v6 syntax in v7

/mpls traffic-eng interface add interface=ether1  # Fails in v7

Right: Use v7 slash syntax

/mpls/traffic-eng/interface/add interface=ether1

Advanced Configuration

Auto-Bandwidth Adjustment

RouterOS can automatically adjust tunnel bandwidth based on actual usage:

/interface traffic-eng set te-to-r3 \
    auto-bandwidth-avg-interval=5m \
    auto-bandwidth-update-interval=1h

• auto-bandwidth-avg-interval: Window for calculating average traffic
• auto-bandwidth-update-interval: How often to update the reservation

Reoptimization

Force the tunnel to recalculate its path:

# Manual reoptimization
/interface traffic-eng reoptimize te-to-r3

# Automatic reoptimization
/interface traffic-eng set te-to-r3 reoptimize-interval=5m

Preemption Priorities

Control which tunnels can preempt others when bandwidth is scarce:

/interface traffic-eng set te-to-r3 \
    setup-priority=3 \
    holding-priority=3

• Priority 0 is highest (can preempt anything)
• Priority 7 is lowest (can be preempted by anything)
• setup-priority: Ability to preempt existing tunnels
• holding-priority: Resistance to being preempted

Limitations

• No Fast Reroute: RouterOS doesn’t support MPLS local protection. Failover relies on RSVP re-signaling (seconds, not milliseconds)
• No Link/Node Protection: Pre-established backup paths at transit routers not supported
• Administrative Bandwidth: Doesn’t reflect actual link capacity or enforce traffic limits
• IPv4 Only: IPv6 TE tunnel support is limited/experimental
• Documentation Gaps: Some v7 features may not be fully documented

Related Topics

MPLS Fundamentals

• MPLS Basics - LDP-based MPLS introduction
• VPLS - Layer 2 VPN over MPLS

Routing Protocols

• OSPF - required for CSPF
• BGP - BGP over MPLS-TE tunnels
• Static Routes - routing traffic into tunnels

Bandwidth Management

• Simple Queues - enforce TE bandwidth limits
• Queue Tree - advanced QoS on TE tunnels

High Availability

• VRRP - gateway redundancy
• BFD - fast failure detection

Related Features

• Interfaces Overview - TE tunnel interfaces
• Firewall Mangle - traffic marking for TE

References

• MikroTik MPLS Overview
• MikroTik Traffic Engineering
• RFC 3209 - RSVP-TE - Extensions to RSVP for LSP Tunnels
• RFC 3630 - OSPF-TE - Traffic Engineering Extensions to OSPF