802.1q trunk - two VLANs working, one not

I’m trying to set up a trunk between a Cisco router and a Mikrotik RB951.

The trunk on both devices should be set up to tag traffic on VLANs 1, 10, & 20, with a native of 999. The Cisco and Mikrotik both have IP addresses on each of the VLANs.

For testing purposes I’ve removed all NAT and all access lists/firewalls.

The Mikrotik will end up having multiple SSIDs, each on different VLANs, hence VLANs having switch1_cpu in their port lists.

The problem I’m having is that while I can communicate between VLANs 10 and 20 on both devices, I can’t get any traffic to either end when the source or destination is VLAN 1. Any assistance would be appreciated. As far as I can tell, I’ve set up VLAN 1 practically identically to VLAN 10.

Cisco config:

interface Vlan1
 description Data VLAN
 ip address 10.12.68.1 255.255.255.0
interface Vlan10
 description Guest VLAN
 ip address 192.168.0.1 255.255.255.0
interface Vlan20
 description Voice VLAN
 ip address 10.12.69.1 255.255.255.0
interface GigabitEthernet0
 description Trunk to RB951 Eth2
 switchport trunk native vlan 999
 switchport mode trunk
 no ip address

Mikrotik Config:

/interface bridge
add l2mtu=1594 name=VL1-Data-Bridge
add l2mtu=1594 name=VL10-Guest-Data-Bridge
add l2mtu=1594 name=VL20-Voice-Bridge
/interface ethernet
set 0 comment="Uplink to 867VAE (Trunk)" name=eth2
set 1 comment="Reserved for second trunk" name=eth5
set 2 name=ether1-gateway
set 3 master-port=eth2 name=ether3-slave-local
set 4 master-port=eth2 name=ether4-slave-local
/interface vlan
add interface=eth2 l2mtu=1594 name=eth2-vlan1 vlan-id=1
add interface=eth2 l2mtu=1594 name=eth2-vlan10 vlan-id=10
add interface=eth2 l2mtu=1594 name=eth2-vlan20 vlan-id=20
/interface wireless
set name="Data WLAN" security-profile=FullAccess ssid=DataWLAN ...
add master-interface="Data WLAN" name="Guest WLAN" security-profile=GuestAccessOnly ssid=GuestWLAN ...
/interface bridge port
add bridge=VL1-Data-Bridge interface="Data WLAN"
add bridge=VL1-Data-Bridge interface=eth2-vlan1
add bridge=VL10-Guest-Data-Bridge interface=eth2-vlan10
add bridge=VL10-Guest-Data-Bridge interface="Guest WLAN"
add bridge=VL20-Voice-Bridge interface=eth2-vlan20
/interface ethernet switch port
set 0 default-vlan-id=1 vlan-mode=secure
set 1 vlan-mode=secure
set 4 default-vlan-id=10 vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=eth2,eth5,switch1_cpu switch=switch1 vlan-id=10
add independent-learning=no ports=eth2,eth5,switch1_cpu switch=switch1 vlan-id=1
add independent-learning=no ports=eth2,eth5,switch1_cpu switch=switch1 vlan-id=20
/ip address
add address=10.12.68.10/24 interface=VL1-Data-Bridge network=10.12.68.0
add address=192.168.0.10/24 interface=VL10-Guest-Data-Bridge network=192.168.0.0
add address=10.12.69.10/24 interface=VL20-Voice-Bridge network=10.12.69.0

Had a look at this page? http://wiki.mikrotik.com/wiki/Manual:CRS_examples

The only thing I’m wondering about is the lack of ingress and egress tagging/untagging.

Not sure if that is only functionality on the CRS switch chip, still a suggestion. I don’t have a rb450 to test on at the moment.

Or this page, http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

With this on your trunk ports against cisco,

set ether5 vlan-mode=secure vlan-header=add-if-missing

And be aware of the “native vlan” in Cisco, which is set to VLAN 1 by default. Change it to something else or try another VLAN instead of 1.

But try the other suggestions before.
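
Added example, not part of either post: one way to check the tagging question raised above is to capture frames on the trunk and classify them by their 802.1Q header. The sketch below assumes the trunk described in the question (tagged VLANs 1, 10 and 20, native 999); the function names and sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100
TAGGED_VLANS = {1, 10, 20}   # VLANs the question says should be tagged on the trunk
NATIVE_VLAN = 999            # native (untagged) VLAN from the question

def classify(frame: bytes) -> tuple:
    """Return (vlan_id, verdict) for one raw Ethernet frame seen on the trunk."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        # No 802.1Q header: the receiver places the frame in its native VLAN.
        return NATIVE_VLAN, "untagged -> native VLAN"
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF       # low 12 bits of the TCI carry the VLAN ID
    if vid == 0:
        return NATIVE_VLAN, "priority tag (VID 0) -> native VLAN"
    if vid in TAGGED_VLANS:
        return vid, "tagged as expected"
    return vid, "tagged with a VLAN not allowed on this trunk"

def build(vid=None, payload=b"\x00" * 46) -> bytes:
    """Constructed sample frame: broadcast dst, made-up src, IPv4 ethertype."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return hdr + tag + struct.pack("!H", 0x0800) + payload

if __name__ == "__main__":
    samples = [("data traffic sent untagged", None), ("VLAN 1 tagged", 1),
               ("VLAN 10 tagged", 10), ("VLAN 30 tagged", 30)]
    for label, vid in samples:
        print(f"{label:28s} {classify(build(vid))}")
```

If frames meant for VLAN 1 show up as "untagged -> native VLAN", one side is stripping the tag and the other side files them under 999, which matches the symptom of VLAN 1 failing while 10 and 20 work.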