We are starting to use MikroTik routers in one of our racks, but I’m a Cisco guy and I’m struggling to do something like the image below.
Long story short: I need to use two VLANs, 10 and 20, to separate two different companies’ workloads. That’s easy, and I can do it (I hope so!). But I need to create a VLAN interface (ports ether1 and ether2), tag VLAN 3207 and use the IP represented on the image as x.x.x.x/28 as the default route (Internet) for both VLANs (10, 20).
I’ve decided to simplify things, removing the second VLAN. So, the new diagram is on the image. The ether1 is the uplink to our co-location network and ports ether2 through ether10 are our servers’ VLAN. For our uplink to work we need to tag VLAN 3207 on ether1 (and have a VLAN interface on VLAN 3207).
My full configuration, so far, is below. My problem now is that I can’t get an IP address (but I still need to check the uplink configuration in the real world at my co-location datacenter).
If ether1 should have only tagged VLAN 3207, then it shouldn’t have pvid=200, keep default 1. You can also set ingress-filtering=yes frame-types=admit-only-vlan-tagged.
10.0.200.1/24 should be on vlan200 and not on bridge1. Same goes for DHCP server.
When you add interface as bridge port, router no longer sees it as individual interface. You don’t need all those ports in “VLAN” interface list.
Tip: Until you’re sure what you’re doing, don’t configure all ports at once. Keep one aside and use it for configuring. You can add it to bridge later. If you mess up the bridge, you won’t be locked out.
Presenting info in such a stilted manner is not conducive to feedback.
Sob likes torture and thus manages well.
In future please post full config.
/export file=anynamyouwish (minus router serial number and any public WANIP info)
(that’s because you’ve set bridge interface to be tagged only in bridge setup frame-types=admit-only-vlan-tagged - the first actual configuration command in config export posted).
Also henceforth use vlan200 interface in any of config, e.g.
/interface list member
add interface=vlan200 list=VLAN
And with this configuration every port on bridge1 (all ports) will be a trunk interface, right? My trunk interface is just ether1 (should be ether2 too in a port-channel, but I’m leaving this problem for another moment).
says bridge interface is tagged. Period. And that’s true for any VLAN, untagged frames are blocked on ingress on this interface. Bolded property setting annihilates any PVID setting on bridge interface (default setting is PVID=1, explicit setting wouldn’t matter either in this case). For egress it’s possible to set bridge interface to be untagged member of multiple VLANs, but net effect will still be no bi-directional traffic of untagged frames through bridge interface.
See this article to find out about different bridge personalities.
The quoted config stanza is not about bridge - the switch like entity -, it’s about bridge interface. And doesn’t affect the rest of bridge ports in any way.
(2) REMOVE VLAN3207 from the bridge. Remove ether1 from the interface bridge ports, remove vlan3207 from interface bridge vlans. Assuming this vlan is required due to your ISP providing its service on this vlan ???
If anything it should be applied to the ether1 interface NOT the bridge when defining it.
(3) To be on the safe side:
/interface list member
add interface=vlan3207 list=WAN
add interface=ether1 list=WAN
add interface=bridge1 list=VLAN
Sorry Mkx, I misunderstood Sob’s comment about this command: set ingress-filtering=yes frame-types=admit-only-vlan-tagged and put it in a wrong place. Now I understood your point. Thanks!!!
Anav, you’re right. My ISP delivers my connection through VLAN 3207, so I need a trunk connection and a VLAN interface on 3207.
If it were a Cisco, it could be something like this:
vlan 3207
 name INTERNET
!
interface GigabitEthernet1/0/1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 3207
 channel-group 1 mode active
 no shut
!
interface GigabitEthernet1/0/2
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 3207
 channel-group 1 mode active
 no shut
!
interface port-channel 1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 3207
!
interface Vlan3207
 ip address x.x.x.117 255.255.255.240
!
ip route 0.0.0.0 0.0.0.0 x.x.x.113
Tomorrow I’m going to do the adjustments that you sent and let you know the result.
here the command line should be: add bridge=bridge1 interface=ether2 pvid=200 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged, right?
Well, I don’t understand your use of vlan3207, but if Sob says it’s okay, then I will assume it is.
I use a VLAN for my ISP and do not do what you have done.
If it was me, I would recommend:
a. remove vlan3207 from bridge1 add interface=bridge1 name=vlan3207 vlan-id=3207
b. All you need to do is define the vlan like so. add interface=ether1 name=vlan3207 vlan-id=3207 DONE!!
c. There should be no need to manually create the IP address for the ISP connection… and should be removed.
add address=...117/28 interface=vlan3207 network=...112
UNLESS, for some reason, your ISP tells you to apply IP address yourself but I doubt it.
Normally this is dynamically created!
We’re deploying our first rack in this datacenter, so I don’t know/understand their structure yet.
But, in my understanding, the datacenter’s router (default gateway) where my rack is connected is somewhere behind some layer 2 switches and my connection with this router is through VLAN 3207. So I need a VLAN interface in this same VLAN and a trunk connection with the layer 2 switch next to my rack (I’m using ether1 for this). Does that make any sense?
What @anav tries to say is: if you only intend to use VLAN 3207 on single port (ether1) and you only intend to use ether1 to carry said VLAN, then there’s no need to involve bridge for that VLAN. Because performance wise nothing can be done by switch chip alone (even if bridge was offloaded to switch chip which is not on RB3011), everything will pass CPU anyway. It’s actually the opposite: with your current config WAN traffic has to be dealt with by bridge code, if ether1 was treated separately bridge would not have to pass WAN traffic.
From a configuration readability standpoint, treating ether1 completely separately would be better because it would clearly show ether1 and vlan3207 as being special (i.e. WAN interface).
Since the vlan is coming from on high, you have two options.
Set IP DHCP Client to the vlan for the connection or manually set it as you have in IP addresses.
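The layout the replies converge on, consolidated as an added RouterOS example (written for this page, not posted by anyone in the thread): VLAN 3207 sits directly on ether1 outside the bridge, server ports are untagged members of VLAN 200, and the LAN address lives on vlan200. Assumptions: 192.0.2.117/28 and 192.0.2.113 are constructed stand-ins for the x.x.x.117/28 and x.x.x.113 in the thread, and ether10 is the port kept out of the bridge for management.

```routeros
# Added example, not from the thread. Addresses in 192.0.2.0/24 are constructed
# placeholders; ether10 stays out of the bridge as a rescue/management port.

# WAN: tagged VLAN 3207 directly on ether1. ether1 is NOT a bridge port,
# so WAN traffic never passes through the bridge code.
/interface vlan
add interface=ether1 name=vlan3207 vlan-id=3207

# LAN bridge. VLAN filtering is enabled in the last step, once the port and
# VLAN tables are complete, so a mistake does not lock you out.
/interface bridge
add name=bridge1 vlan-filtering=no

# Server ports: access ports in VLAN 200 that drop tagged frames on ingress.
# Repeat for ether4 through ether9.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=200 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=200 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# The bridge interface (CPU port) is a tagged member of VLAN 200 so that
# the vlan200 interface below can reach the servers.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=200

/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200

# L3 addressing goes on the VLAN interfaces, never on bridge1 itself.
# If the provider hands out the address dynamically, use
# "/ip dhcp-client add interface=vlan3207" instead of the static WAN lines.
/ip address
add address=10.0.200.1/24 interface=vlan200
add address=192.0.2.117/28 interface=vlan3207
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.113

# Interface lists reference the VLAN interfaces, not the member ports.
/interface list
add name=WAN
add name=VLAN
/interface list member
add interface=vlan3207 list=WAN
add interface=vlan200 list=VLAN

# Final step: bridge interface accepts only tagged frames, filtering on.
/interface bridge
set bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes vlan-filtering=yes
```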