Greetings, and pardon my being a novice at configuring network devices (my first rodeo). I’m trying to make the above two switches play nice. I’ve got them connected via SFP (Cisco G0/1 to Mikrotik sfp1). The Cisco is our existing access switch and I’m adding the Mikrotik to support more devices. The office data network communicates on VLAN 31 on the .31 subnet.
On the Cisco:
1.) I made sure the Cisco will service unsupported transceivers (the SFP link wouldn’t light up until I did so)
2.) On the Cisco I gave switchport access to vlan 31 over the G0/1 trunk.
3.) I think that’s all I have to do?
On the Mikrotik (using WinBox):
1.) I made all access ports on the Mikrotik (save port 1) slave to the SFP port
2.) Under the interfaces section I created a vlan with an ID of 31 (to match Cisco) and named it the same
3.) Under the switch section I created the same vlan with ID of 31
4.) I created an Eg.Tagging entry and pointed it to vlan 31
5.) I created an “In.VLAN Tran” and “Eg.VLAN Tran” entry with “New Customer VID” set to 31 & “Customer VID” set to 0
6.) Under the IP > Addresses section I added: 192.168.31.1/24 on network 192.168.31.0 using the vlan 31 interface
7.) I’m plugged into port 2 on the switch
I can see lights blinking and traffic activity on port 2, the SFP port, and on the VLAN I created, but I get no internet and I can’t ping anything on the Cisco switch.
I’ve read a number of tutorials on how to set up VLANs on a Mikrotik, but I seem to be hitting a wall. Any help would be greatly appreciated!
Interestingly I can’t even ping my Mikrotik when I’m on a port that is slave to the sfp1. I can ping when I’m slave to ether1 (master port).
I wanted a clean slate so I did a factory reset and I noticed I can see the Cisco as a neighbor and vice versa from the Cisco to the Mikrotik. Of course ping fails because the Cisco is connected via a trunk port looking for tagged traffic, but it’s encouraging that they are at least visible to each other… You would think “if I created a VLAN and tagged the outbound traffic with an ID that the Cisco was looking for, that would do the trick” but that’s what I’ve been failing at thus far…
Every time I set “Ingress.VLAN.Translation” new-customer-vid to 31 (an ID that the Cisco should accept) on the port I’m currently using, it boots me out of Winbox and I can’t even find the switch to connect again. I have to plug into a different port to get back on. Thing is, that’s what most tutorials are telling me to do… I’m not sure where the disconnect is…
Please halp
I might also mention… I’m trying to use this as a layer2 device, I don’t want or need it to do any routing. I just want it to communicate to my current network via the sfp trunk port on the proper VLAN… Is this possible? Two straight days later I’m beginning to wonder.
The management connection to the CPU is lost if you configure the port from which you are connected, because ingress VLAN translation rules work only when combined with egress-vlan tagging entries.
Here are the steps that should be done if you want to start configuring this setup from scratch.
Reset configuration on CRS125 with no defaults.
Configure ports for switching.
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1
...
So I gave it a shot and it did cause a mild heart attack in the office.
After configuring the settings above (I chose Option 1 in regard to VLAN filtering, not the global option) I connected two PCs, one for management on port 3 and the other on port 2 which is on vlan31. Neither PC was receiving a recognizable IP from our domain, so I set the Mikrotik to get an IP automatically and set the “local network” IP to a .31 address that didn’t look like it was being used on our network and rebooted it (and one of the PCs).
This killed our Cisco VOIP system and slight panic ensued. I yanked the SFP connection and things slowly came back to life. In looking at the Catalyst switch log I noticed the following entries:
%GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port Gi0/1
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
%LINK-3-UPDOWN: Interface FastEthernet0/27, changed state to down
%SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa0/27, operational port trust state is now untrusted.
So now I’m afraid to plug the Mikrotik back in before resetting it…
Yesterday, I had to execute the following commands on the Catalyst in order to get any light activity on the SFP:
service internal
no errdisable detect cause gbic-invalid
service unsupported-transceiver
Is there something else I need to do to correct the GBIC Security Cryptography to keep the Mikrotik from labeling network traffic as untrusted? I will note that we do have a 131 vlan that contains VOIP traffic, is this conflict because the Mikrotik doesn’t have that VLAN set up yet?
Again, sorry for my inexperience with this sort of thing.
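The four Catalyst log lines quoted in the post above follow the IOS `%FACILITY-SEVERITY-MNEMONIC` header format. As an added example (not part of the original thread), this Python code splits them into fields and groups them by the interface each one names; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# The four Catalyst log lines quoted in the post above.
LOG_LINES = [
    "%GBIC_SECURITY_CRYPT-4-ID_MISMATCH: Identification check failed for GBIC in port Gi0/1",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "%LINK-3-UPDOWN: Interface FastEthernet0/27, changed state to down",
    "%SWITCH_QOS_TB-5-TRUST_DEVICE_LOST: cisco-phone no longer detected on port Fa0/27, "
    "operational port trust state is now untrusted.",
]

# Standard syslog severity names, indexed by the digit in the message header.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug"]

HEADER = re.compile(r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mne>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Long and short interface names as they appear in these messages.
IFACE = re.compile(r"\b(GigabitEthernet|FastEthernet|Gi|Fa)(\d+(?:/\d+)*)\b")
SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "Gi": "Gi", "Fa": "Fa"}


def parse_line(line):
    """Split one IOS message into facility, severity, mnemonic and interface."""
    m = HEADER.match(line.strip())
    if m is None:
        return None  # not a %FACILITY-SEVERITY-MNEMONIC message
    iface = IFACE.search(m["text"])
    return {
        "facility": m["fac"],
        "severity": SEVERITY[int(m["sev"])],
        "mnemonic": m["mne"],
        # Normalize GigabitEthernet0/1 and Gi0/1 to the same key.
        "interface": SHORT[iface[1]] + iface[2] if iface else None,
    }


def events_by_interface(lines):
    """Group parsed messages by the interface they refer to."""
    grouped = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            label = f'{event["facility"]}/{event["mnemonic"]} ({event["severity"]})'
            grouped[event["interface"]].append(label)
    return dict(grouped)


if __name__ == "__main__":
    print(events_by_interface(LOG_LINES))
```

Run against the quoted lines, the transceiver warning and the line-protocol change group under Gi0/1, while the link-down and trust-lost messages both name Fa0/27.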
Are there any others out there who have successfully connected a VLAN via SFP trunk between a Mikrotik CRS and a Cisco Catalyst device? How did you do it?
I’ve been having trouble at it and might have to settle with configuring it as a passive switch via a standard access port. If anyone can have a look at my post and recognize the problem I’m having, further advice would be great!