Bridge to serve multiple VLANs?

Hello,

I need your help to choose whether or not we need to use a bridge to configure a Mikrotik router for serving multiple VLANs to a switch and an access point.

  • Router: Mikrotik CCR1036-8G-2S+EM
  • SWITCH1: HP J9660A
  • Access point WLAN: Ubiquiti Unifi AP AC LR

This is our network topology:
mikrotik-bridge.pdf (87.8 KB)
Could you please tell me if I need to configure a bridge on ether5 of the Mikrotik router?
With bridge:

/ interface bridge 
add name=bridge-trunk protocol-mode=rstp
port add interface=ether5 bridge=bridge-trunk

/interface vlan 
add vlan-id=40 name=VLAN-40-INTERNE interface=bridge-trunk disabled=no
add vlan-id=50 name=VLAN-50-DIRECTION interface=bridge-trunk disabled=no


/ ip address
add interface=VLAN-40-INTERNE address=192.168.40.254/24
add interface=VLAN-50-DIRECTION address=192.168.50.254/24


/ ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
add address=192.168.50.0/24 gateway=192.168.50.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10


/ ip dhcp-server
add interface=VLAN-40-INTERNE name=dhcp-server-interne address-pool=static-only  lease-time=90d disabled=no
add interface=VLAN-50-DIRECTION name=dhcp-server-direction address-pool=static-only lease-time=90d disabled=no


/ ip dhcp-server lease
add address=192.168.40.40 mac-address=0c:7d:c4:18:42:00 server=dhcp-server-interne
add address=192.168.40.41 mac-address=0c:7d:c4:d7:28:00 server=dhcp-server-interne
add address=192.168.50.50 mac-address=0c:7d:c4:da:84:00 server=dhcp-server-direction
add address=192.168.50.51 mac-address=0c:7d:c4:b2:70:00 server=dhcp-server-direction

or

Without bridge:

/interface vlan 
add vlan-id=40 name=VLAN-40-INTERNE interface=ether5 disabled=no
add vlan-id=50 name=VLAN-50-DIRECTION interface=ether5 disabled=no


/ ip address
add interface=VLAN-40-INTERNE address=192.168.40.254/24
add interface=VLAN-50-DIRECTION address=192.168.50.254/24


/ ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
add address=192.168.50.0/24 gateway=192.168.50.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10


/ ip dhcp-server
add interface=VLAN-40-INTERNE name=dhcp-server-interne address-pool=static-only  lease-time=90d disabled=no
add interface=VLAN-50-DIRECTION name=dhcp-server-direction address-pool=static-only lease-time=90d disabled=no


/ ip dhcp-server lease
add address=192.168.40.40 mac-address=0c:7d:c4:18:42:00 server=dhcp-server-interne
add address=192.168.40.41 mac-address=0c:7d:c4:d7:28:00 server=dhcp-server-interne
add address=192.168.50.50 mac-address=0c:7d:c4:da:84:00 server=dhcp-server-direction
add address=192.168.50.51 mac-address=0c:7d:c4:b2:70:00 server=dhcp-server-direction

Thank you in advance for your help

Best regards

I don’t see the need for that bridge in the CCR1036 in this scenario. The need for a bridge would depend on the further uplink of VLAN40 and VLAN50. If the VLANs have their endpoint in the CCR1036 then there is no need for a bridge. You would use a bridge if you needed VLAN filtering at L2 in the CCR1036 to lead the VLAN40/50 to other ports, tagged or untagged. I see none of these requirements in this scenario.

As @bpw already mentioned, if your use scenario (with regards to CCR) is exactly as shown in network topology, then it would be slightly more resource-efficient to go without bridge.

However, if you do choose bridge solution, then config you showed is missing quite a few important settings, such as setting of vlan-filtering=yes on bridge-trunk and all settings under /interface bridge vlan. In addition, VLAN-aware variant of xSTP is MSTP. The config which goes under /interface bridge should look something like this:


/interface bridge 
add name=bridge-trunk protocol-mode=mstp vlan-filtering=yes
/interface bridge port
add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=40
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=50

You could merge the two /interface bridge vlan commands into one (setting vlan-ids=40,50), but for readability reasons I showed it as two lines. If there was another port in the game (which would actually be the reason to go with bridge setup in the first place) and that port would not carry the same VLANs as ether5, then you’d have to use separate config lines anyway. I don’t think there’s any difference between using single- or multi-line config performance-wise.
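The gaps listed in the reply above can be checked mechanically before a bridge config is applied. This is an added example, not code from any poster in this thread: `parse_export` and `audit` are hypothetical helper names, the parser only handles the menu-line-then-`add` layout used in these posts, and it assumes every bridge port is a tagged-only trunk, as ether5 is here.

```python
import re

def parse_export(text):
    """Map each RouterOS menu path to the property dicts of its 'add' lines."""
    menus, path = {}, ""
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(.*?)\badd\s+(.*)", line)
        if line.startswith("/") and not m:  # menu line, e.g. "/ interface bridge"
            path = " ".join(line.lstrip("/ ").split())
        elif m:  # "port add ..." is relative to the current menu
            menu = f"{path} {m.group(1)}".strip()
            menus.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", m.group(2))))
    return menus

def audit(text):
    """List the gaps the reply points out for VLAN interfaces on a bridge."""
    cfg = parse_export(text)
    bridges = {b["name"]: b for b in cfg.get("interface bridge", [])}
    findings = [f"{n}: vlan-filtering=yes not set"
                for n, b in bridges.items() if b.get("vlan-filtering") != "yes"]
    for p in cfg.get("interface bridge port", []):  # assumed: every port is a trunk
        if (p.get("frame-types"), p.get("ingress-filtering")) != ("admit-only-vlan-tagged", "yes"):
            findings.append(f"{p['interface']}: trunk port not limited to filtered tagged frames")
    for v in cfg.get("interface vlan", []):
        br = v["interface"]  # only VLAN interfaces that sit on a bridge need a table entry
        if br in bridges and not any(
                e["bridge"] == br and br in e["tagged"].split(",")
                and v["vlan-id"] in e["vlan-ids"].split(",")
                for e in cfg.get("interface bridge vlan", [])):
            findings.append(f"{v['name']}: no bridge vlan entry tags {br} for VLAN {v['vlan-id']}")
    return findings

# Configs copied from the posts above (addressing and DHCP lines omitted).
VLAN_IFS = """/interface vlan
add vlan-id=40 name=VLAN-40-INTERNE interface=bridge-trunk
add vlan-id=50 name=VLAN-50-DIRECTION interface=bridge-trunk
"""
ORIGINAL = """/ interface bridge
add name=bridge-trunk protocol-mode=rstp
port add interface=ether5 bridge=bridge-trunk
""" + VLAN_IFS
CORRECTED = """/interface bridge
add name=bridge-trunk protocol-mode=mstp vlan-filtering=yes
/interface bridge port
add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=40
add bridge=bridge-trunk tagged=bridge-trunk,ether5 vlan-ids=50
""" + VLAN_IFS
if __name__ == "__main__": print("\n".join(audit(ORIGINAL)) or "no findings")
```

Run against the first bridge config it reports four findings (filtering off, an unrestricted port, and two VLAN interfaces with no table entry); the corrected config returns none.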

Hello,

Thank you very much @bpwl & @mkx for your great answers.

I need to show you the network topology so that you have the big picture of our network.

As you can see in this picture, we have another dedicated switch, a UBIQUITI US-16-XG, for VMware ESXi servers with 3 VLANs:

  • VLAN 40
  • VLAN 50
  • VLAN 17

mikrotik-HP-Ubiquiti.pdf (110 KB)
VLAN 17 is created only on the dedicated switch UBIQUITI US-16-XG because it is a separate VLAN for the VMware Management VMkernel adapter.

Thanks for your advice: I added it to my new config below:

/ interface bridge 
add name=bridge-trunk protocol-mode=mstp vlan-filtering=yes
port add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
port add bridge=bridge-trunk frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether6

/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5,ether6 vlan-ids=40
add bridge=bridge-trunk tagged=bridge-trunk,ether5,ether6 vlan-ids=50
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=17

/interface vlan 
add vlan-id=40 name=VLAN-40-INTERNE interface=bridge-trunk disabled=no
add vlan-id=50 name=VLAN-50-DIRECTION interface=bridge-trunk disabled=no
add vlan-id=17 name=VLAN-17-SRV interface=bridge-trunk disabled=no


/ ip address
add interface=VLAN-40-INTERNE address=192.168.40.254/24
add interface=VLAN-50-DIRECTION address=192.168.50.254/24
add interface=VLAN-17-SRV address=172.17.0.254/24


/ ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
add address=192.168.50.0/24 gateway=192.168.50.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10
add address=172.17.0.0/24 gateway=172.17.0.254 domain=foi.local dns-server=172.17.10.110,172.17.10.111,172.17.10.10


/ ip dhcp-server
add interface=VLAN-40-INTERNE name=dhcp-server-interne address-pool=static-only  lease-time=90d disabled=no
add interface=VLAN-50-DIRECTION name=dhcp-server-direction address-pool=static-only lease-time=90d disabled=no
add interface=VLAN-17-SRV name=dhcp-server-srv address-pool=static-only lease-time=90d disabled=no

/ ip dhcp-server lease
add address=192.168.40.40 mac-address=0c:7d:c4:3c:c7:00 server=dhcp-server-interne
add address=192.168.40.41 mac-address=0c:7d:c4:09:e1:00 server=dhcp-server-interne
add address=192.168.50.50 mac-address=0c:7d:c4:f7:a3:00 server=dhcp-server-direction
add address=192.168.50.51 mac-address=0c:7d:c4:55:f3:00 server=dhcp-server-direction
add address=172.17.0.17 mac-address=0c:7d:c4:54:7d:00 server=dhcp-server-srv

Could you please tell me if this configuration is correct?

Thank you in advance for your help

Best regards

I don't see any errors but I would be tempted (but not necessary) to combine the two lines into one line.

/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether5,ether6 vlan-ids=40,50
add bridge=bridge-trunk tagged=bridge-trunk,ether6 vlan-ids=17