Configuring VLAN Trunking on MT Router to Cisco C2924 Switch

I saw that some others had difficulty with VLANs as I did.
I thought I'd share how I configured the MT router for VLAN trunking to a Cisco switch.
These steps worked for me. The statements were pulled from my router.
I have a total of 4 VLANs now, but I show only two in this example.
I hope this helps others who are trying to use Cisco switches with MT routers.

Steps I used to configure VLAN trunking on a MT Router to a Cisco C2924 Switch
1.) Configure a port on the switch for trunking and connect that port to the MT router.
2.) Configure the VLAN database in the switch with all the VLANs that will be used.
3.) Add a bridge in the MT router.
4.) Add the VLANs that will be used on the switch to the bridge, except the native VLAN.
5.) Add the port going to the switch port that was configured for trunking to the bridge.
6.) Add an IP address to the bridge created above. It is used to communicate with the switch's native VLAN.
7.) Add an IP address to the VLANs. In this example, VLAN2.
8.) Now set the ports on the switch to access the VLANs you want them to communicate on.




Example configuration of a MT Router to a Cisco C2924 Switch.
The switch has VLAN1 and VLAN2, with VLAN1 being the native VLAN on the
switch. You would add additional VLANs the same way as VLAN2.

In this example VLAN 1 uses DHCP. Hosts on VLAN2 are servers with static addresses.


/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 name=Bridge_VLAN priority=0x8000 protocol-mode=none transmit-hold-count=6

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default comment=Internet disable-running-check=yes disabled=no full-duplex=no mac-address=00:0C:42:02:37:80 mtu=1500 name=F0/0 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default comment="VLAN Trunk to Cisco Switch - Port on Bridge_VLAN" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:0C:42:02:37:81 mtu=1500 name=F0/1 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes cable-settings=default comment="To DMZ" disable-running-check=yes disabled=no full-duplex=no mac-address=00:0C:42:02:37:82 mtu=1500 name=F0/2 speed=1Gbps
set 3 arp=enabled auto-negotiation=yes cable-settings=default comment="To a Computer" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:0C:42:02:37:83 mtu=1500 name=F0/3 speed=100Mbps

/interface vlan
add arp=enabled comment="" disabled=no interface=Bridge_VLAN mtu=1500 name=VLAN2 vlan-id=2

/ip pool
add name="LAN IP Pool" ranges=10.100.1.64/26

/ip dhcp-server
add address-pool="LAN IP Pool" always-broadcast=yes authoritative=after-2sec-delay bootp-support=static disabled=no interface=Bridge_VLAN lease-time=5m name="DHCP VLAN Bridge"

/interface bridge port
add bridge=Bridge_VLAN comment=RG disabled=no edge=auto external-fdb=auto horizon=none interface=F0/3 path-cost=10 point-to-point=auto priority=0x80
add bridge=Bridge_VLAN comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=F0/1 path-cost=10 point-to-point=auto priority=0x80

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip address
add address=10.100.1.1/24 broadcast=10.100.1.255 comment=LAN disabled=no interface=Bridge_VLAN network=10.100.1.0
add address=10.100.2.1/24 broadcast=10.100.2.255 comment=Server disabled=no interface=VLAN2 network=10.100.2.0

/ip dhcp-server network
add address=10.100.1.0/24 comment=LAN dhcp-option="Node Type M-node" dns-server=10.100.1.1 domain=mydomain gateway=10.100.1.1 netmask=24 wins-server=10.30.1.50

deleted…

I didn’t have a problem. I was sharing a solution.

LOL sorry…

You can add "HOWTO:" to the title or write an article on the wiki.

Max

Good idea. HOW TO: sounds good if I share something again. We'll see about an article. I have 5 VLANs going across the trunk, including access to the native VLAN on the switch. The key, I found, was to understand that the packets from the native VLAN of the switch do not have VLAN tags. I was trying to get VLAN1, the native VLAN, to communicate before I added any more. These steps are how I finally did it.

rgraham!

I just want to add some comments on your post.
This is the common mistake many users make :frowning:.
Adding the VLAN interfaces to a bridge: wrong!!!

Think of how a switch works:
if you put a VLAN tag (4 bytes extra) on an interface, it adds the tag to traffic leaving the interface, not to the bridge inside the switch.

So, this is the way it should be done:
Create VLAN interfaces on the physical interface connected to the Cisco interface which is in trunking mode (I don't like Cisco's naming; a trunk is bundled ports).
Then, if you want to have ports in the MT be "untagged" (Cisco: access mode), create a bridge for every VLAN that you put in the Cisco "trunk".
Put the VLAN interfaces of the physical port and the ports you want to be left untagged into the bridge.

Untagged traffic on the "trunk" port is the physical interface traffic, i.e. ether1.

Example of MT interfaces:

ether1 (this is the port connected to the Cisco “trunk” port)
ether1-vl100 (VLAN interface)
ether1-vl200
ether1-vl300

br-vl100 (Bridge for vlan ID 100)
ether1-vl100 (VLAN interface)
ether2 (physical interface untagged traffic)

br-vl200 (Bridge for vlan ID 200)
ether1-vl200 (VLAN interface)
ether3 (physical interface untagged traffic)

br-vl300 (Bridge for vlan ID 300)
ether1-vl300 (VLAN interface)
ether4 (physical interface untagged traffic)
wds-1-vl300 (VLAN interface on the wds-1 interface)
eoip-1 (Ethernet over IP interface in the same Layer2 network)

Summary:
create VLAN interfaces on physical interfaces or WDS interfaces.
create a bridge for each VLAN.
I hope this clarifies how to do VLANs and bridging in ROS.

I'm not a writer, so you need some references if you want to read more:
http://gentoo-wiki.com/HOWTO_setup_a_gentoo_bridge
http://www.pixelchaos.net/2008/07/16/vlan-bridging-in-xen
http://mum.mikrotik.com/presentations/2007_1/PL07_Roamingwire.pdf

Thanks,
Paul

First of all, I posted my configuration as a working example. I don't think Paul understood my goals and hence failed to understand the configuration I was trying to share. VLANs are configured on bridges in order to have multiple VLANs communicate across a single interface, as I'll explain.

I’ll begin by saying that I could not find any MikroTik documentation that described what I wanted to accomplish. I researched and read RFCs on 802.1Q, I studied Cisco documentation and I read the Mikrotik documents. What I will describe below was based on what I learned, what the ROS allowed me to configure, and several attempts until I finally figured it all out. It works perfectly to my design. I have multiple sites configured the same way and it makes perfect sense.

I may have failed to show and explain what I wanted to share with everyone the first time. I’ll try to do a better job of explaining how I have my router and switch configured for everyone’s learning pleasure. Names of interfaces and vlans have been changed from the configuration I tried to share before.

I have a 4-port NIC in my router. My routers all run Version 3.11 ROS. I have a Cisco 2924 switch. The 4-port NIC's and the switch's highest speed is 100 meg.

My design is to have all connectivity go through my switch and then go to the router. To accomplish this I needed multiple VLANs configured on the switch, and I needed the router to communicate with all the VLANs.

I also wanted to take full advantage of all 4 ports on the 4-port interface. I have bonded Cisco switch ports before for more throughput, so I thought bonding the 4 ports in the router to the switch and having an effectively 400 meg trunk between my router and my switch for all traffic would be the best utilization of all 4 interfaces.

I patched all 4 Ethernet ports in the router to the Cisco 2924 switch. I then configured those 4 ports in the switch to be in a port group. They all take on the same configuration for VLAN trunking using 802.1q encapsulation, speed, duplex, etc. See the statements below.

interface FastEthernet0/1
description => Port Group to MT Router <=
load-interval 30
duplex full
speed 100
timeout absolute 1 0
port group 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,99,1002-1005
switchport mode trunk
!
interface FastEthernet0/2
description => Port Group to MT Router <=
load-interval 30
duplex full
speed 100
timeout absolute 1 0
port group 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,99,1002-1005
switchport mode trunk
!
interface FastEthernet0/3
description => Port Group to MT Router <=
load-interval 30
duplex full
speed 100
timeout absolute 1 0
port group 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,99,1002-1005
switchport mode trunk
!
interface FastEthernet0/4
description => Port Group to MT Router <=
load-interval 30
duplex full
speed 100
timeout absolute 1 0
port group 1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,99,1002-1005
switchport mode trunk

I configured the ROS so all 4 Ethernet interfaces in the router are on a bonding interface. This completes the bonding of the four ports I configured in the switch as a port group. I now have an effectively 400 meg trunk between my router and my switch for all traffic. The 4 interfaces are labeled F0/0-B1, F0/1-B2, F0/2-B3, and F0/3-B4. I labeled my interfaces close to the way Cisco labels theirs, as I work mostly with Cisco equipment. See the configuration statements below.

/interface ethernet
set 0 arp=enabled auto-negotiation=no cable-settings=default comment="" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:0C:41:52:27:80 mtu=1500 name=F0/0-B1 speed=100Mbps
set 1 arp=enabled auto-negotiation=no cable-settings=default comment="" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:0C:41:52:27:81 mtu=1500 name=F0/1-B2 speed=100Mbps
set 2 arp=enabled auto-negotiation=no cable-settings=default comment="" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:0C:41:52:27:82 mtu=1500 name=F0/2-B3 speed=100Mbps
set 3 arp=enabled auto-negotiation=no cable-settings=default comment="" disable-running-check=yes disabled=no full-duplex=yes mac-address=00:0C:41:52:27:83 mtu=1500 name=F0/3-B4 speed=100Mbps


/interface bonding
add arp=enabled arp-interval=100ms comment="" disabled=no down-delay=500ms lacp-rate=30secs link-monitoring=mii-type1 mii-interval=100ms mode=balance-rr mtu=1500 name=F0/Bonded primary=none slaves=F0/0-B1,F0/1-B2,F0/2-B3,F0/3-B4 up-delay=500ms


This is the hard part to explain. Remember, my design was to have the router be able to communicate with multiple VLANs on the switch. When I tried to configure multiple VLANs to communicate across the bonded interface, I found that I could not create multiple VLANs on the bonded interface. You have to configure a bridge and then add the bonded interface to the bridge. You then create multiple VLANs on the bridge interface for all VLANs you want to communicate across the bonded trunk to the switch. See my ROS configuration statements below.


/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 name=F0/Bridge priority=0x8000 protocol-mode=none transmit-hold-count=6

/interface bridge port
add bridge=F0/Bridge comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=F0/Bonded path-cost=10 point-to-point=auto priority=0x80

/interface vlan
add arp=enabled comment="" disabled=no interface=F0/Bridge mtu=1500 name=VLAN2_Servers vlan-id=2
add arp=enabled comment="" disabled=no interface=F0/Bridge mtu=1500 name=VLAN3_DMZ vlan-id=3
add arp=enabled comment="" disabled=no interface=F0/Bridge mtu=1500 name=VLAN99_Internet vlan-id=99

I learned that the packets from the default VLAN, VLAN1 on the switch, do not have VLAN tags. So to communicate with the default VLAN, the bridge interface is configured with an IP address to communicate with that default VLAN, VLAN1, on the switch. To communicate with all the other VLANs, you configure IP addresses on the corresponding VLAN interfaces in ROS. See the ROS statements below.

/ip address
add address=10.100.1.1/24 broadcast=10.100.1.255 comment=LAN disabled=no interface=F0/Bridge network=10.100.1.0
add address=10.100.3.1/24 broadcast=10.100.3.255 comment=DMZ disabled=no interface=VLAN3_DMZ network=10.100.3.0
add address=10.100.2.1/24 broadcast=10.100.2.255 comment=Server disabled=no interface=VLAN2_Servers network=10.100.2.0

I get the IP addresses for VLAN99_Internet from my ISP.

/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=VLAN99_Internet use-peer-dns=yes


Now any of the other Cisco 2924 switch ports can be configured to access the VLANs configured as VLAN1 – Workgroup VLAN, VLAN2 – Servers VLAN, VLAN3 – DMZ VLAN, VLAN99 – Internet VLAN. I can easily add as many other VLANs to the ROS as I would need to communicate across the bonded trunk to the switch, up to 4095 total VLAN interfaces.

This completes how I configured ROS for multiple VLANs to a Cisco switch. The rest of the configuration would be as you would configure ROS firewall filters, NATs, DHCP, routing, etc., as if these were physical interfaces.
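The native-VLAN behaviour rgraham describes above, modelled as an added Python example (not code from this post, from RouterOS or from IOS): a trunk port tags frames for every VLAN except the native one, sends native-VLAN frames bare, and on receipt places any untagged frame into the native VLAN. The allowed-VLAN set mirrors the switch's `switchport trunk allowed vlan 1-3,99` line; the MAC addresses and payload in the demo are constructed.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1                # VLAN1 is the native VLAN on the Cisco side
ALLOWED_VLANS = {1, 2, 3, 99}  # mirrors "switchport trunk allowed vlan 1-3,99"


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) | src(6) | type(2) | payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) right after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid        # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def trunk_egress(frame, vid):
    """Frame as it leaves the trunk: native VLAN stays untagged, others get a tag.
    Returns None when the VLAN is not allowed on the trunk (pruned)."""
    if vid not in ALLOWED_VLANS:
        return None
    return frame if vid == NATIVE_VLAN else tag_frame(frame, vid)


def trunk_ingress(frame):
    """Classify a frame arriving on the trunk. Returns (vid, untagged_frame),
    or None if that VLAN is not allowed here. An untagged frame lands in the
    native VLAN, which is why the native VLAN should carry nothing you would
    not want an untagged sender to reach."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        vid, inner = NATIVE_VLAN, frame
    else:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid, inner = tci & 0x0FFF, frame[:12] + frame[16:]
    if vid not in ALLOWED_VLANS:
        return None
    return vid, inner


if __name__ == "__main__":
    # Constructed sample: broadcast frame from the router's trunk-port MAC (taken from the post).
    src = bytes.fromhex("000c42023781")
    frame = build_frame(b"\xff" * 6, src, 0x0806, b"\x00" * 28)  # ARP-sized payload
    tag_marker = struct.pack("!H", TPID_8021Q)
    for vid in (1, 2, 99, 50):
        wire = trunk_egress(frame, vid)
        if wire is None:
            print(f"VLAN {vid}: pruned, not allowed on the trunk")
            continue
        tagged = wire[12:14] == tag_marker
        print(f"VLAN {vid}: {len(wire)} bytes on the wire, tagged={tagged}, "
              f"classified as VLAN {trunk_ingress(wire)[0]} on receipt")
```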

rgraham!

First I want to say that I like your intention :slight_smile:
After you clarified your configuration and the purpose of the bonding, bridge and VLANs, I get the idea of what you are doing.

I think you are doing something wrong when you can't add the VLAN to the bonded interface.
I think you have to change the configuration on the switch side to get the bonding to work:

  • Add a bonded interface to Cisco (Port-channel)
  • Put the physical interfaces to the bonding interface (channel-group)
  • Put the VLAN id to the bonded port

I will write a complete How-to in the Wiki pages on doing VLANs and port trunking with Mikrotik and a couple of switch brands :slight_smile:

/Paul

Paul,

I don't know if what I did was all that wrong. It might be an extra interface that really isn't required. What I had worked.

What I thought I'd do is go back and try what you suggest. I moved my VLANs so they are now under the bonding interface. I also migrated all my other configurations that were for the bridge interface to the bonding interface. I eliminated the bridge interface. All still works fine.

I know I had tried this before and I couldn't configure multiple VLANs on the bonding interface then; that is why I went with creating a bridge. Did this get fixed in some version of the 3.x OS, I wonder?

I do like this better as it makes the configuration cleaner.

Look forward to seeing your documentation on Wiki pages, Paul.


Randy

Is there any way to make this work with bonded ports, say if I wanted to have a 4 gig trunk into my Cisco switch?

You can add VLAN tags to bonded (LAGG) ports.

Would like to see the How To on this if you have time. I have been working on testing dvd burning capabilities on different machines and this data would be very helpful for me as I move forward and progress the project. Thanks in advance for your help, as this community has been a great resource for my knowledge progression in technical aspects of my work.

To get this same setup to work with an HP ProCurve switch instead of a Cisco, the ROS bonded group needs to be in "balance-alb" mode.

My network guy and I looked over this earlier today in an effort to re-design my ESX environment. We ran into two issues. For the NIC teaming, port channels are required. However, you apparently can't port channel across core switches (we've got two Cisco 4506s linked together.) This poses a problem for redundancy, since 4 NICs go to core 1 and the other 4 go to core 2 (so 8 NIC ports for the VMs – plus two others for SC and VKernel.) The other problem is that the load-balance command you mentioned is a global command and would affect all of the ports, not just the ones that are port-channeled. When we tried to test this, Cisco did not recognize the command on that interface. So I assume maybe that you have your ESX boxes on their own switch?

We also looked at the native vlan options you discussed in your Vmotion and VLAN security article. However in our case, you can already route between our VLANs so hopping wouldn’t be an issue (or so I’m told.) He made the point that you’d have to be inside the building to even get to our private VLANs, at which point, we’d have a much bigger problem :slight_smile:

Thoughts and comments are more than welcome. As I mentioned, I'm in the process of redesigning 8 different sites so that they're all set up the same way.
Thanx

Of course you can’t etherchannel across multiple chassis - there’s a protocol involved that has to talk between all ports of a channel, so that can’t be spread across multiple chassis. Just like spanning tree is per chassis. You can, if you really need the redundancy, upgrade your core switches into a VSS configuration (will probably require new supervisors) where you slap the two chassis together as two bodies with one brain. They literally “merge brains” to the point that you configure both from the same supervisor. Pricey, but nice.

While the command that sets the etherchannel load-balance algorithm is global on IOS, of course it doesn't affect all ports; it only affects etherchanneled ports.

During typing all this I realized I have completely lost any idea how this relates to Mikrotik, though. Your questions might be better posted in a Cisco forum.

If I understand tagged and untagged traffic in Mikrotik correctly:

Traffic goes from R1 to R2:

  • R1: To tag, it's necessary to make a bridge with the VLAN (created on the WAN or trunk port) and the port where the traffic that we want to tag comes in. On the VLAN, create the IP address of the VLAN.
  • R2: To untag, you only need to create a VLAN on the receiving trunk port. On the VLAN, create the gateway addressing.

If we want to replace one of these switches with another Cisco, HP, etc., the connection should work.

Regards

Hi,

I am new to the Mikrotik router.

I have UniFi access points that I'm going to configure with 2 SSIDs: 1 for my internal users and 1 for the guest users.

I have a Mikrotik router. I'm planning to make that router only the DHCP server and a VLAN for my guests,
and I will connect this Mikrotik to one of the ports on my Cisco switch as a trunk.

The guest VLAN is VLAN 40
10.0.40.1/24

How am I going to configure my Mikrotik router as a DHCP server and VLAN for this VLAN ID 40, and DHCP for my guests, which is the 10.0.40.0 network?
And on my Cisco port to which the Mikrotik will be connected, what is the config of my Cisco port?


thanks



How do I forward the VLAN traffic from a Cisco switch to another Cisco switch using Mikrotik RB SXT 5 PTP wireless bridging?

As the SXT has just 1 x Eth and 1 x WLAN port, both in bridge mode, how can I achieve forwarding of all VLAN traffic on the network?