Cannot reach switch's "management IP" from other VLAN, but can reach all clients.

Hello

I’ve probably missed something silly here.

I have a trunk from a Cisco switch to sfp-sfpplus24 in this MikroTik CRS326-24S+2Q+. In this setup and with clients connected to the cisco on vlan22 I can ping both a client (192.168.22.131) connected to the MikroTik and vlan22's IP set in the mikrotik, 192.168.22.5.

If a client in the cisco is connected to vlan11 I can NOT ping the 192.168.22.5 address for the MikroTik switch, but I can ping the clients on the MikroTik switch, for instance 192.168.22.131.

So, is it obvious what I have missed in this config blocking non vlan22 hosts on the cisco to reach the mikrotik vlan22 ip 192.168.22.5? Want to reach it for management purpose.

In summary:

  • Clients on vlan22 in cisco can reach mikrotik vlan22 IP, 192.168.22.5
  • Clients on vlan22 in cisco can reach mikrotik vlan22 clients
  • Clients on vlan11 in cisco can NOT reach mikrotik vlan22 IP, 192.168.22.5
  • Clients on vlan11 in cisco can reach mikrotik vlan22 clients


Config on the trunk port in Cisco:
interface Ethernet1/34
  description *** TRUNK to mikrotik ***
  switchport mode trunk
  switchport trunk allowed vlan 22
  speed 10000



export hide-sensitive
# dec/05/2023 19:50:23 by RouterOS 7.5
# software id = 4RZJ-MY29
#
# model = CRS326-24S+2Q+
/interface bridge
add admin-mac=18:FD:74:49:FB:1E auto-mac=no name=bridge pvid=22 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment="*** 1GbE client vlan22 ***"
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment="*** 10GbE client vlan22 ***" speed=10Gbps
set [ find default-name=sfp-sfpplus24 ] advertise=10000M-full auto-negotiation=no comment="*** trunk vlan22 ***" speed=10Gbps
/interface vlan
add interface=bridge name=vlan22 vlan-id=22
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 authentication-protocol=SHA1 encryption-protocol=AES name=mikrodicksucker security=authorized
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment="*** trunk to cisco - vlan22 ***" interface=sfp-sfpplus24 pvid=22
add bridge=bridge interface=sfp-sfpplus2 pvid=22
add bridge=bridge comment="*** client vlan22 ***" interface=sfp-sfpplus1 pvid=22
add bridge=bridge disabled=yes ingress-filtering=no interface=all multicast-router=disabled
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus24,bridge untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=22
/ip address
add address=192.168.22.5/24 interface=vlan22 network=192.168.22.0
/ip route
add disabled=no dst-address="" gateway=192.168.22.1 routing-table=main suppress-hw-offload=no

In default route setting, you have to set dst-address=0.0.0.0/0 (currently it’s set to empty string which is no good).

Also you have configured the bridge-to-CPU interface to be both tagged and untagged, and there is a mismatch between the bridge ports pvid= and bridge vlan untagged= settings - if you remove all of the untagged= entries these will be created dynamically from the pvid= settings.

Depending on how other devices handle traffic being unexpectedly tagged or untagged communication may not work.
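The three points above (a default route with an empty dst-address, an interface that is tagged in the bridge VLAN table while its pvid also makes it an untagged member, and static untagged= entries that do not line up with any port's pvid=) can be checked mechanically. The following script is an added example written for this thread, not MikroTik code and not part of any reply: it parses the relevant sections of a RouterOS `export` and reports those inconsistencies. THREAD_EXPORT is copied from the OP's export above; CONSISTENT_EXPORT is a constructed, hypothetical variant (trunk and CPU port tagged only, access ports carrying pvid=22 with no static untagged= list, a proper 0.0.0.0/0 route) included to show what the linter accepts. The assumption that an unset pvid defaults to 1 matches RouterOS behaviour.

```python
"""Added example: lint a RouterOS export for the bridge VLAN / route inconsistencies
discussed in this thread. Not MikroTik code; the checks are the reply's points
turned into rules. Sample inputs are embedded inline (see comments)."""
import shlex
from collections import defaultdict

# Copied from the OP's export above: only the sections the checks need.
THREAD_EXPORT = """\
/interface bridge
add admin-mac=18:FD:74:49:FB:1E auto-mac=no name=bridge pvid=22 vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment="*** trunk to cisco - vlan22 ***" interface=sfp-sfpplus24 pvid=22
add bridge=bridge interface=sfp-sfpplus2 pvid=22
add bridge=bridge comment="*** client vlan22 ***" interface=sfp-sfpplus1 pvid=22
add bridge=bridge disabled=yes ingress-filtering=no interface=all multicast-router=disabled
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus24,bridge untagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=22
/ip route
add disabled=no dst-address="" gateway=192.168.22.1 routing-table=main suppress-hw-offload=no
"""

# Constructed (hypothetical) consistent variant, not the thread's final config:
# trunk and CPU port tagged only, access ports carry just pvid=22 (untagged
# membership is then created dynamically), no static untagged= list, real default route.
CONSISTENT_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=sfp-sfpplus24
add bridge=bridge interface=sfp-sfpplus2 pvid=22
add bridge=bridge interface=sfp-sfpplus1 pvid=22
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus24,bridge vlan-ids=22
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.22.1 routing-table=main
"""


def parse_export(text):
    """Group every 'add ...' line under its '/section' as a {key: value} dict."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section and line.startswith("add "):
            entry = {}
            for token in shlex.split(line)[1:]:  # shlex strips the quotes, so "" becomes ''
                key, _, value = token.partition("=")
                entry[key] = value
            sections[section].append(entry)
    return sections


def _csv(value):
    return {item for item in value.split(",") if item}


def lint(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    sections = parse_export(text)
    findings = []

    # VLAN each enabled port (and the bridge's own CPU port) joins untagged via pvid.
    # RouterOS uses pvid=1 when none is set.
    pvid_of = {}
    for bridge in sections["/interface bridge"]:
        pvid_of[bridge.get("name", "bridge")] = bridge.get("pvid", "1")
    for port in sections["/interface bridge port"]:
        if port.get("disabled") == "yes" or port.get("interface") == "all":
            continue
        pvid_of[port["interface"]] = port.get("pvid", "1")

    for entry in sections["/interface bridge vlan"]:
        tagged, untagged = _csv(entry.get("tagged", "")), _csv(entry.get("untagged", ""))
        for vid in _csv(entry.get("vlan-ids", "")):
            for iface in sorted(tagged & untagged):
                findings.append(f"vlan {vid}: {iface} appears in both tagged= and untagged=")
            for iface in sorted(tagged):
                if pvid_of.get(iface) == vid:
                    findings.append(f"vlan {vid}: {iface} is tagged here but pvid={vid} also makes it an untagged member")
            for iface in sorted(untagged):
                if pvid_of.get(iface) != vid:
                    findings.append(f"vlan {vid}: {iface} is static untagged but no enabled bridge port has pvid={vid} for it")

    for route in sections["/ip route"]:
        if route.get("dst-address") == "" and route.get("disabled") != "yes":
            findings.append('ip route: dst-address="" is not a default route; use dst-address=0.0.0.0/0')

    return findings


if __name__ == "__main__":
    for name, cfg in (("thread export", THREAD_EXPORT), ("consistent export", CONSISTENT_EXPORT)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for finding in lint(cfg):
            print("  -", finding)
```

Run against the thread's export it reports four findings: the bridge (CPU port) and sfp-sfpplus24 are both tagged and, through pvid=22, untagged in VLAN 22; sfp-sfpplus3 is listed untagged without a matching port; and the empty dst-address. The constructed consistent variant produces none.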

Nice catch! That was it. :sunglasses: Thanks! :folded_hands: Oddly I cannot remove the first initial config line I had, it just refuses to remove it but might be me that’s over-tired.

Have this now and all seems to work properly, even though I assume that the first line should be removed (if I could)

/ip route
add disabled=no dst-address="" gateway=192.168.22.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.22.1 routing-table=main suppress-hw-offload=no

Thanks! I’ve removed the untagged= entries. :folded_hands:

Sorry to bother you about this, but I’m probably blind here. Can you point me more directly to these two? I don’t see it. I’m not used to mikrotik syntax so probably obvious and just me not seeing it.

  • you have configured the bridge-to-CPU interface to be both tagged and untagged


  • there is a mismatch between the bridge ports pvid=

The first line should be removed. Try this procedure (done via CLI):

  1. go into /ip/route
  2. execute command “print”
  3. note the index number of the offending route entry. Index number is the number in first column and very likely the offending entry will have index number equal to 0
  4. execute “remove <index>” where <index> is value, noted in previous step.

Yes, I’ve tried that. For some reason it’s not doing what, at least I’d, expect it to do.

[admin@sw001] > ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY       DISTANCE
0  As 0.0.0.0/0        192.168.22.1         1
  DAc 192.168.22.0/24  vlan22               0


[admin@sw001] > ip/route/export
/ip route
add disabled=no dst-address="" gateway=192.168.22.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.22.1 routing-table=main suppress-hw-offload=no


[admin@sw001] > ip/route/remove 
numbers: 0


[admin@sw001] > ip/route/print 
Flags: D - DYNAMIC; A - ACTIVE; c, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY  DISTANCE
DAc 192.168.22.0/24  vlan22          0


[admin@sw001] > ip/route/export 
/ip route
add disabled=no dst-address="" gateway=192.168.22.1 routing-table=main suppress-hw-offload=no
[admin@sw001] >

A Mikrotik bridge has two roles, see http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

For translating between Cisco and Mikrotik switch port terminology this may be useful http://forum.mikrotik.com/t/why-does-this-work-with-cisco-and-not-with-mikrotik/156721/3

Ah, the route is dynamic, so you can’t remove it. The question then is what does add it? My suspicion is on “detect internet”, check if it’s enabled and set its interface list to “none”.

Will look further into that. Not sure there’s a good way to trace what’s triggering something to be dynamic…? Don’t think it’s detect internet, looks to be no interfaces with it.

interface/detect-internet/print
    detect-interface-list: none
       lan-interface-list: none
       wan-interface-list: none
  internet-interface-list: none

You’re right, it doesn’t seem to be “detect internet”.

You may want to post (again) (complete) config of your CRS … we might be able to spot some other suspect of doing that …

Sometimes, after extensive configuration changes, things may go out of sync and actual running setup is not what config says it should be. Sometimes device reboot fixes things. Sometimes it is necessary to reset config (to factory default, I believe that with CRS that’s empty config) and to re-apply config (preferably by reapplying commands from exported text config, binary backup may contain the unwanted hidden config).

Thanks. :folded_hands: I did a config reset and redid it. Now I don’t see it in terminal but still a dynamic route in GUI. So seems to be a bit of a mismatch of what you see in gui and terminal. But it works, so I think I’m fine with it. Thanks again.

[admin@sw001] > export hide-sensitive 
# jan/02/1970 02:35:49 by RouterOS 7.5
# software id = 4RZJ-MY29
#
# model = CRS326-24S+2Q+
/interface bridge
add admin-mac=18:FD:74:49:FB:1E auto-mac=no comment=defconf name=bridge pvid=22 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=qsfpplus1-1 ] auto-negotiation=no disabled=yes speed=1Gbps
set [ find default-name=qsfpplus1-2 ] advertise=1000M-full disabled=yes
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment="*** 1GbE client vlan22 ***"
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment="*** 10GbE client vlan22 ***" speed=10Gbps
set [ find default-name=sfp-sfpplus24 ] advertise=10000M-full auto-negotiation=no comment="*** trunk vlan22 ***" speed=10Gbps
/interface vlan
add interface=bridge name=vlan22 vlan-id=22
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment="*** trunk vlan22 ***" interface=sfp-sfpplus24 pvid=22
add bridge=bridge interface=sfp-sfpplus2 pvid=22
add bridge=bridge comment="*** client vlan22 ***" interface=sfp-sfpplus1 pvid=22
add bridge=bridge disabled=yes ingress-filtering=no interface=all multicast-router=disabled
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus24,bridge vlan-ids=22
/ip address
add address=192.168.22.5/24 interface=vlan22 network=192.168.22.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.22.1 routing-table=main suppress-hw-offload=no
/system identity
set name=sw001
/system routerboard settings
set boot-os=router-os
[admin@sw001] >

I read the links suggested by @tdw. Not sure I’m wiser about those errors spotted in config though. But since it seems to work and be stable I’ll keep it as is.

Thanks again.

(oh yes… need to set that date)