Capsman and Cisco switch

Hello,

My setup is the following: RB4011 -> Cisco Catalyst WS-C2960S-24PS-L -> cAP ax.

I have set up Capsman and all the wifi configuration with VLAN. If I connect the cAP directly to the bridge ports on the RB4011 then the wifi user gets his IP served from DHCP. The problem is that if I connect the cAP to the Cisco switch then the IP is never served to the wifi user; the cAP is seen from Capsman and the wifi user is seen on the Winbox Wifi/Registration tab, but it can't get an IP address. In the log from the RB4011 it is just noted that one client has connected to the wifi, but there is no other info about getting an IP address. Cisco's ports are all configured in trunk mode for VLAN 1-4093 and VLAN is working fine through the switch because I have some wired VLAN hosts.

What am I missing here?

Well, it seems from the limited info you have provided, that the issue is with the way the Cisco device is configured, because it works correctly when the switch is not involved.

But it is impossible for anyone to tell you why it doesn't work, because you haven't given us any information about how the RB4011 or the Cisco switch is configured other than "and vlan is working fine through switch because I have some wired vlan hosts."

How to Report Bugs Effectively

RB4011 has the LAN side configured as a bridge with VLAN filtering enabled; Cisco is also configured as a bridge on all ports with trunk mode enabled for VLANs. Both are connected with an Ethernet cable.

Maybe someone else has better psychic powers than I do. I give up. I am not going to play 20 questions.

https://www.co.kerr.tx.us/it/howtoreport.html

https://web.archive.org/web/20240115025942/https://forum.mikrotik.com/viewtopic.php?p=908118

Here is RB4011 export with relevant parts

RB4011.rsc (7.5 KB)

If you can't put in the effort to describe your problem, you are very unlikely to get any help here. I am not going to waste any more time on this, until you provide information about what worked (including how it was connected, which vlans work, and which don't work). Were you connected to the same port that the cisco was connected to?

And you give no information about the Cisco switch, which is a key piece, since it is the thing that for some reason is filtering information between the RB4011 and the cAP ax. Evidence: you stated it works correctly when the cAP ax is connected directly to the (unspecified) port on the RB4011.

What is the native vlan configured on the Cisco's trunk port you are connected to?

You obviously haven't read any of the links I posted (with the possible exception of the one from anav). Because you didn't heed any of the advice.

We are just users like you, and we don't get paid to waste our time trying to answer vague questions.

Provide a network diagram of how things are connected, even a photo of a hand drawn sketch. Include the port, the subnets, etc. Tell us what worked (show us output) when connected directly to the RB4011 that didn't work when the cisco was in between.

And from the cisco, the output of the current startup config (and remove any user info). Make sure you have copied the running config to the startup config.

en
wr mem
show startup-config

Then click on the </> icon in the editing ribbon and paste in the config. And sanitize before you press reply.

We need to know what port the cap ax was connected to on the RB4011 when it worked, and if you then reused that port to connect to the cisco. And then what port on the cisco was the RB4011 connected to? (this is why the config of the cisco switch is needed, we don't have any idea how it is configured).

From How to Report Bugs Effectively

Writing clearly is essential in a bug report. If the programmer can't tell what you meant, you might as well not have said anything.

I get bug reports from all around the world. Many of them are from non-native English speakers, and a lot of those apologise for their poor English. In general, the bug reports with apologies for their poor English are actually very clear and useful. All the most unclear reports come from native English speakers who assume that I will understand them even if they don't make any effort to be clear or precise.

  • Be specific. If you can do the same thing two different ways, state which one you used. "I selected Load" might mean "I clicked on Load" or "I pressed Alt-L". Say which you did. Sometimes it matters.
  • Be verbose. Give more information rather than less. If you say too much, the programmer can ignore some of it. If you say too little, they have to come back and ask more questions. One bug report I received was a single sentence; every time I asked for more information, the reporter would reply with another single sentence. It took me several weeks to get a useful amount of information, because it turned up one short sentence at a time.
  • Be careful of pronouns. Don't use words like "it", or references like "the window", when it's unclear what they mean. Consider this: "I started FooApp. It put up a warning window. I tried to close it and it crashed." It isn't clear what the user tried to close. Did they try to close the warning window, or the whole of FooApp? It makes a difference. Instead, you could say "I started FooApp, which put up a warning window. I tried to close the warning window, and FooApp crashed." This is longer and more repetitive, but also clearer and less easy to misunderstand.
  • Read what you wrote. Read the report back to yourself, and see if you think it's clear. If you have listed a sequence of actions which should produce the failure, try following them yourself, to see if you missed a step.

Summary

  • The first aim of a bug report is to let the programmer see the failure with their own eyes. If you can't be with them to make it fail in front of them, give them detailed instructions so that they can make it fail for themselves.
  • In case the first aim doesn't succeed, and the programmer can't see it failing themselves, the second aim of a bug report is to describe what went wrong. Describe everything in detail. State what you saw, and also state what you expected to see. Write down the error messages, especially if they have numbers in.
  • When your computer does something unexpected, freeze. Do nothing until you're calm, and don't do anything that you think might be dangerous.
  • By all means try to diagnose the fault yourself if you think you can, but if you do, you should still report the symptoms as well.
  • Be ready to provide extra information if the programmer needs it. If they didn't need it, they wouldn't be asking for it. They aren't being deliberately awkward. Have version numbers at your fingertips, because they will probably be needed.
  • Write clearly. Say what you mean, and make sure it can't be misinterpreted.
  • Above all, be precise. Programmers like precision.

Ok Buckeye.

Let's state the facts then, to be clear:

  • RB4011 is the main router, WAN port ether1 connected to a cable modem,
  • RB4011 is the only DHCP server,
  • RB4011 LAN bridge contains eth ports 2-8 and the sfp port, VLAN filtering enabled,
  • RB4011 and Cisco native vlan=1,
  • Cisco switch connected from its port 25 to the RB's LAN bridge port sfp,
  • Currently I have Cisco APs with VLANs (100, 200, 10) connected to the Cisco switch and they are working without any problems; IP is being served to the clients.

Working scenario:

  • cAP ax connected to ANY of the LAN bridge ports (except sfp of course) on the RB4011 - IP is served to the wifi clients on all VLANs

Not working scenario:

  • cAP ax connected to the switch port 16 (tried also other eth ports except 23 which is occupied) - IP is not served on any VLAN to the clients

Here are the relevant settings from the Cisco:

spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending

interface FastEthernet0
 description MGMT
 ip address 192.168.99.2 255.255.255.0
!
interface GigabitEthernet3/0/1
 description Pungi uplink
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/2
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/3
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/4
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/5
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/6
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/7
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/8
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/9
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/10
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/11
 description Netgear-dnevna
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/12
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/13
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/14
 description AP Garage
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/15
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/16
 description Netgear-P-6k
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/17
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/18
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/19
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/20
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/21
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/22
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/23
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet3/0/24
 description Alexa-P-11
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/25
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/26
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/27
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/28
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.0.11 255.255.255.0
!
ip default-gateway 192.168.0.1

I hope it is clearer now what my issue is.

My working config:


interface GigabitEthernet0/9
 description RBR-232
 switchport trunk allowed vlan 10-250
 switchport mode trunk


/snip

interface Vlan1
 no ip address
 shutdown
!
!
interface Vlan99
 ip address dhcp


Nothing more is needed to make it work.
Do not use Vlan1 in any config; it is not needed or safe, and can cause problems.
See the link below or search why.

https://cordero.me/vlan-1-and-why-you-should-not-use-it/

Read this:

That rule is not only applicable for Cisco.

Rules 1 and 2.

Once you use Vlan, avoid vlan 1.
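The two posts above boil down to a checklist: do not carry VLAN 1 on trunks, do not leave the native VLAN at its default, restrict the allowed-VLAN range to what is actually needed, and keep the Vlan1 SVI unaddressed and shut down. The following config linter is an added example, not part of this thread or any MikroTik or Cisco tool; it parses IOS-style running-config text into interface stanzas and reports those findings. The function and variable names are my own, and the two embedded configs are constructed from the excerpts posted in the thread (the all-trunk 1-4093 config and the 10-250 "working" config):

```python
"""Lint a Cisco IOS-style running-config for the VLAN 1 / trunk pitfalls.
Added example; names and embedded configs are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    lines: list[str] = field(default_factory=list)


def parse_interfaces(config: str) -> list[Interface]:
    """Split a running-config into 'interface X' stanzas.

    IOS indents stanza lines with one space; a '!' or any unindented
    top-level command ends the current stanza."""
    interfaces: list[Interface] = []
    current: Interface | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
    return interfaces


def expand_vlan_list(spec: str) -> set[int]:
    """'1-4093', '10-250,300' or 'all' -> set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    ids: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            ids.update(range(lo, hi + 1))
        elif part:
            ids.add(int(part))
    return ids


def lint(config: str) -> dict[str, list[str]]:
    """Return {interface name: [finding, ...]}; an empty dict means clean."""
    findings: dict[str, list[str]] = {}
    for itf in parse_interfaces(config):
        notes: list[str] = []
        lines = itf.lines
        if itf.name.lower() == "vlan1":
            addressed = any(l.startswith("ip address") for l in lines)
            if addressed and "shutdown" not in lines:
                notes.append("Vlan1 SVI is addressed and up; move management to another VLAN")
        elif "switchport mode trunk" in lines:
            allowed = next((l.split("allowed vlan", 1)[1] for l in lines
                            if l.startswith("switchport trunk allowed vlan")), "all")
            # IOS default native VLAN is 1 when no 'native vlan' line is present
            native = next((int(l.rsplit(None, 1)[1]) for l in lines
                           if l.startswith("switchport trunk native vlan")), 1)
            vids = expand_vlan_list(allowed)
            if len(vids) > 1000:
                notes.append(f"trunk allows {len(vids)} VLANs; restrict to those in use")
            if 1 in vids and native == 1:
                notes.append("VLAN 1 is allowed and is the default native VLAN: "
                             "untagged frames are switched into VLAN 1")
            elif 1 in vids:
                notes.append("VLAN 1 is carried tagged on this trunk")
        if notes:
            findings[itf.name] = notes
    return findings


# Constructed from the thread's posted config (all ports trunk 1-4093, Vlan1 addressed).
THREAD_CONFIG = """interface GigabitEthernet3/0/16
 description Netgear-P-6k
 switchport trunk allowed vlan 1-4093
 switchport mode trunk
!
interface GigabitEthernet3/0/23
 switchport access vlan 100
 switchport mode access
!
interface Vlan1
 ip address 192.168.0.11 255.255.255.0
!
ip default-gateway 192.168.0.1
"""

# Constructed from the "working config" post (trunk 10-250, Vlan1 shut down).
WORKING_CONFIG = """interface GigabitEthernet0/9
 description RBR-232
 switchport trunk allowed vlan 10-250
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address dhcp
"""

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("working", WORKING_CONFIG)):
        print(f"== {label} ==")
        for name, notes in lint(cfg).items():
            for n in notes:
                print(f"{name}: {n}")
```

Run it as-is and the thread config produces findings on GigabitEthernet3/0/16 and Vlan1 while the access port and the whole "working" config come back clean. To point it at a real switch, paste the sanitized `show startup-config` output into a file and pass its contents to `lint()`.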

If you plug a non-vlan aware pc into a trunk port on the switch, does it get an ip address via dhcp from the LESSTUP_LAN pool (192.168.0.50-192.168.0.254) ?

Yes, it gets the IP from the LESSTUP_LAN pool.

It's 5:45 AM here and I need to get to bed. There should be others that can help, now that you have provided a bit more info.

If the cisco is really using vlan 1 for the native vlan, then a pc should get an ip address from the ip subnet associated with the base bridge interface.

If it doesn't then the cisco may be tagging vlan 1, and that won't work if the cap ax needs to communicate over the untagged vlan. I know nothing about capsman or wireless config on MikroTik, I have no MikroTik routers with wifi (only RB760iGS and RB5009), and use Ubiquiti Unifi APs at home.

So I don't know if the Capsman needs to communicate with untagged traffic or not.

If what @atomant said is correct, that the Cisco APs are working and their wifi clients are getting ip addresses from the RB4011, then it seems there is a working connection between the RB4011 and the Cisco 2960 via the sfp. So there must be something that the cap ax is using that the cisco APs are not.

But we haven't seen the cap ax config, all we have been told is that the cap ax works when it is connected to one of the RB4011 bridge-ports (that all appear to be configured as trunks, with pvid 1).

So what the cause of the incompatibility is, I don't know.

While it is best practice to avoid using vlan 1, I don't think that using vlan 1 is what is causing the problem, unless the cisco is tagging vlan 1, and we were told it is not.

Having all ports configured as trunks is more of an issue in my opinion, (but we know nothing about how this switch is being used).

It's been a while since I have used Cisco switches, about 5 years, and then they were not using latest IOS version. So take anything I say about Cisco config with a grain of salt.

Just saw your latest message after I posted.

Are you 100% sure you were connecting to the cap ax when it was connected to the RB4011?

Just trying to understand why the switch would be changing anything.

You may want to configure a span port on the c2960 and capture some traffic on port 15 and port 16 (or whatever the cap ax is connected to), and compare it to traffic from one of the Cisco APs connected to one of the other c2960 ports that are configured the same, but working.

good night...
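The SPAN-port suggestion above, together with the earlier question of whether the switch is tagging VLAN 1 instead of sending it untagged, comes down to one thing you can read off a capture: for each frame, is there an 802.1Q tag, what VID does it carry, and is DHCP present on that VLAN? The parser below is an added example, not from this thread or from any MikroTik or Cisco tool. It decodes raw Ethernet frames (tag present or not, priority-tag VID 0 treated as untagged for membership) and totals frames and DHCP frames per VLAN; `build_frame` constructs minimal test frames so it runs offline, and in practice you would feed it the frame bytes from the SPAN capture. All function names are mine:

```python
"""Classify captured Ethernet frames by 802.1Q tag and count DHCP per VLAN.
Added example; frames are constructed inline so it runs without a capture."""
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100   # TPID of a customer VLAN tag
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}


def parse_frame(frame: bytes) -> dict:
    """Return vlan (None when untagged), priority_tagged, ethertype and dhcp flags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan, prio_tagged = 14, None, False
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF            # low 12 bits of the TCI
        if vid == 0:
            prio_tagged = True        # priority tag only: no VLAN membership
        else:
            vlan = vid
        offset = 18
    dhcp = False
    if ethertype == ETH_P_IP and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4
        proto = frame[offset + 9]
        l4 = offset + ihl
        if proto == IPPROTO_UDP and len(frame) >= l4 + 8:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            dhcp = sport in DHCP_PORTS and dport in DHCP_PORTS
    return {"vlan": vlan, "priority_tagged": prio_tagged,
            "ethertype": ethertype, "dhcp": dhcp}


def summarize(frames) -> dict:
    """Per-VLAN frame and DHCP counts; key 'untagged' collects frames with no VID."""
    stats = defaultdict(lambda: {"frames": 0, "dhcp": 0})
    for f in frames:
        info = parse_frame(f)
        key = "untagged" if info["vlan"] is None else info["vlan"]
        stats[key]["frames"] += 1
        stats[key]["dhcp"] += int(info["dhcp"])
    return dict(stats)


def build_frame(vlan, dhcp: bool = True) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame, 802.1Q-tagged when vlan is not None."""
    dst = b"\xff" * 6
    src = b"\x02\x00\x00\x00\x00\x01"          # locally administered test MAC
    sport, dport = (68, 67) if dhcp else (12345, 53)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    if vlan is None:
        return dst + src + struct.pack("!H", ETH_P_IP) + ip
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_IP) + ip


# Constructed sample "capture": a DHCP discover untagged, one tagged in VLAN 1,
# one tagged in VLAN 100, and plain DNS traffic in VLAN 100.
SAMPLE_CAPTURE = [
    build_frame(None),
    build_frame(1),
    build_frame(100),
    build_frame(100, dhcp=False),
]

if __name__ == "__main__":
    for vlan, s in sorted(summarize(SAMPLE_CAPTURE).items(), key=lambda kv: str(kv[0])):
        print(f"vlan={vlan}: frames={s['frames']} dhcp={s['dhcp']}")
```

Comparing the summary for the cAP ax port against the one for a working Cisco AP port shows directly whether the difference is tagged-versus-untagged VLAN 1 or simply a VLAN on which DHCP never appears.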

cAP ax is configured in cap mode so no additional configuration other than one received from the Capsman.

Yes I have connected to the cAP ax when it was connected directly to RB because I have created different SSID for cAP ax for testing purposes.

I have now tried to use only native vlan1 for datapath and it is working, users get the IP address from native vlan pool. So if I use native vlan 1 it works but if I use other vlans then the users won’t get IP address. This is really strange.

MikroTik does not implement this Cisco proprietary protocol; as it is not compatible with standard spanning tree, I would suggest RSTP.

It needs the bridge datapath to be set up. That is not handled automatically via CAPsMAN. See this example from the help.

There are only these options:

mst Multiple spanning tree mode
pvst Per-Vlan spanning tree mode (default)
rapid-pvst Per-Vlan rapid spanning tree mode

This doesn't make sense. The whole point of using Capsman is that you do all the configuration centrally. Imagine you have, let's say, 100 cAPs and you need to configure each one. If that is the case then Capsman has lost its purpose.

Ok, I have found the problem. It was in the Cisco configuration. I did a factory reset and then recreated a new configuration with all the VLANs, and voilà, it works.

Thank you all for your help.