EoIP bridge configured as a backup

cwachs · June 26, 2018, 3:46pm

We have two identical Mikrotik routers in two locations (A and B). Each router is on a fiber connection to the Internet and configured with a number of VLANs on the LAN side. On each Mikrotik, VLAN 5 is configured in the 10.10.8.0/21 subnet as our management VLAN (no DHCP on VLAN 5). There is a wireless transparent bridge in the network bridging VLAN 5 between location A and B on the LAN side. This works great. However, that wireless bridge is in the 70 GHz range and during heavy rains, it goes down. As a result, we loose all management access to the far (B) side router and devices connected to it. Our monitoring server is on the A side LAN and sends us tons of alerts since it thinks everything on the B side is down, when in reality, the management link is down but all devices are up and on line.

So, the solution (I think) is to build an EoIP tunnel between A and B and only put VLAN 5 on that link. In addition, I want that EoIP tunnel to be a secondary route for VLAN 5. Under normal conditions, all VLAN 5 traffic will pass over the wireless bridge between A and B. If the bridge goes down, VLAN 5 traffic should re-route to the EoIP bridge.

I am having great difficulty making this scenario work. Is there a better solution?

samsung172 · June 26, 2018, 6:16pm

I would split the managment net into 2 subnets, and route one side of the licensed link trough a VPN on side A. Its also possible to do with a eoip - but you need some kind of loop protection like rstp.

sindy · June 26, 2018, 7:35pm

There should be no difficulties at all but it needs careful configuration. The overall concept should be to use an EoIP tunnel inside some other VLAN than 5 on the optical link, set up a bridge called bridge-mgmt for the management subnet at each end and migrate the IP configuration to this bridge interface from the wireless interface you use now. The EoIP tunnel interface and the wireless interface will both be member ports of bridge-mgmt on both boxes, and on one of the boxes, /interface vlan vlan-id=5 will be another member port of bridge-mgmt and its tagged side (the interface parameter) will be on the trunk bridge or interface on the LAN side.

On bridge-mgmt at both boxes, an independent instance of RSTP will be running which will not interfere with eventual other instance running on the trunk bridge or interface.

As the fiber network between the sites seems not to be all yours, you probably want to encrypt the EoIP using IPsec.