Configuring VLANs with DHCP Server and Cisco switch Uplink

Hi,

I’m having a hard time trying to configure VLAN tagging in a Mikrotik router. The same has 5 interfaces which I’ll describe below:

Interface 1 and Interface 2 → ISPs

Interface 3 → Uplink to a Cisco core switch with VLAN 1 in access mode, no trunking

Interface 4 → Uplink to a Cisco core switch with VLAN 2 in access mode, no trunking (DHCP enabled here, also configured on Mikrotik)

Interface 5 → Uplink to a Cisco core switch with VLAN 3 in access mode, no trunking (DHCP enabled here, also configured on Mikrotik)

So, what I wanted to do is use one interface for all my LAN traffic, so I thought about using VLANs. First of all, on my Cisco switch I configured this:

interface GigabitEthernet1/0/5
description uplinkToMikrotikiface5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3
switchport mode trunk
!

As far as I’m concerned there is nothing weird there.

So in Mikrotik I created a VLAN interface tagging VLAN 3 and mapped that to Interface 5. This didn’t work, so after some research I discovered that I have to use bridges instead of mapping to the interface, so I created a bridge, a port for this bridge to the VLAN, and a port for this bridge to the interface. This didn’t work either. Honestly, I’m not so sure whether using bridges is a good approach, but it’s all I found online. At some point the configuration went well, but the DHCP server was refusing to accept the configuration; if I configure the DHCP server to use the VLAN interface, it just greys it out.

Any ideas?

It looks like you have created your trunk on your switch port; I presume you have also created your untagged VLANs on the switch for your access ports?

On the Mikrotik side, you’ll need to use bridging in one way or another. The newest way, which requires ROS 6.4.1 or newer, is Bridge VLAN filtering, which is detailed here in the wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

I recently posted in the forum an example I was working on and it can be found here: http://forum.mikrotik.com/t/bridge-vlan-filtering-help/123202/1

Without knowing your full config you should consider something like this:-


/interface bridge
add name=bridge1 vlan-filtering=no
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/ip pool
add name=dhcp_vlan10 ranges=192.168.10.100-192.168.10.200
add name=dhcp_vlan20 ranges=192.168.20.100-192.168.20.200
add name=dhcp_vlan30 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=dhcp_vlan10 disabled=no interface=vlan10 name=dhcp-vlan10
add address-pool=dhcp_vlan20 disabled=no interface=vlan20 name=dhcp-vlan20
add address-pool=dhcp_vlan30 disabled=no interface=vlan30 name=dhcp-vlan30
/interface bridge port
add bridge=bridge1 interface=ether5
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether5,bridge1 vlan-ids=20
add bridge=bridge1 tagged=ether5,bridge1 vlan-ids=30
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan

Then when all done, enable VLAN filtering on the bridge:-


/interface bridge
set bridge1 vlan-filtering=yes

I would, however, recommend not using VLAN1; go with something like VLAN10, 20, 30 etc. as per the example. The above code will also block inter-VLAN traffic. If you want this, remove the following sections:-


/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan

If you’re running ROS pre 6.4.1, you’ll need to use the alternative method as seen here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN#Layer2_VLAN_examples. I can help with examples of this if needed.
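An added example (not part of the original post or of any MikroTik tooling): a small Python check that reads a RouterOS export shaped like the configuration above and flags an `/ip address` entry whose `network=` does not match its address, a VLAN interface on a bridge with no `/interface bridge vlan` entry tagging the bridge itself, and a bridge left with `vlan-filtering` off. The sample export and the function names are constructed for illustration, and only comma-separated `vlan-ids` are handled, not ranges.

```python
import ipaddress
import re

# Constructed sample export (not from the post): vlan30 carries a wrong
# network= value and has no bridge VLAN table entry.
SAMPLE = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan30 vlan-id=30
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 vlan-ids=10
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.10.0
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # a menu path such as "/ip address"
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            menus[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def audit(text):
    """Return a list of human-readable findings for the three checks."""
    m, findings = parse_export(text), []
    for a in m.get("/ip address", []):    # network= must match address=
        net = ipaddress.ip_interface(a["address"]).network.network_address
        if "network" in a and a["network"] != str(net):
            findings.append(f"{a['interface']}: network={a['network']} should be {net}")
    bridges = {b["name"]: b for b in m.get("/interface bridge", [])}
    tagged = set()                        # (bridge, vlan-id) where the bridge tags itself
    for e in m.get("/interface bridge vlan", []):
        if e["bridge"] in e.get("tagged", "").split(","):
            tagged.update((e["bridge"], vid) for vid in e["vlan-ids"].split(","))
    for v in m.get("/interface vlan", []):
        if v["interface"] in bridges and (v["interface"], v["vlan-id"]) not in tagged:
            findings.append(f"{v['name']}: VLAN {v['vlan-id']} not tagged on {v['interface']}")
    for name, b in bridges.items():       # filtering is off unless set to yes
        if b.get("vlan-filtering", "no") != "yes":
            findings.append(f"{name}: vlan-filtering is not enabled")
    return findings
```

Calling `audit()` on the text of an `/export` gives an empty list when all three checks pass.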

You don’t need bridges, the concept is called router on a stick, google it.

Just create the VLANs you want on the Mikrotik, assign them to the uplink interface, assign DHCP to the VLAN interfaces, connect your switch after you have configured it, and you are done.

Router on a stick is exactly what I need thanks! I’ve never heard about that before. I’ll follow this post and let you know: https://wiki.mikrotik.com/wiki/SwOS/Router-On-A-Stick

Thanks!