One physical port/ multiple bridges

Hey guys,

I need your help concerning the configuration of multiple bridges with the same physical interface. Enclosed is a schema depicting what I want to achieve. From our L3 switch we have a trunk interface towards the Mikrotik router office which accommodates vlan 101 and 102. These vlans must be carried all the way up to the wifi equipment. Between our office router (hub) and the other mikrotik lte routers (spokes) we already successfully built the first Eoip/IPsec tunnel, and I was going to build the second one. All of the eoip/ipsec tunnels are going to be accommodated by only one physical interface (ether1). Between our office router and the provider of sim cards (he is going to allocate private ip addresses for each sim card) we build an IP-in-IP tunnel over the physical interface ether1 which is going to accommodate all the eoip/ipsec tunnels.
The problem is that I have managed to bridge the vlans from the first eoip/ipsec1 to the trunk interface (ether2) towards the layer3 switch but I don’t know how I can bridge the same vlans (101, 102) from eoip/ipsec2 to the same trunk interface (vlan 101 & 102) ether2 towards the switch. For sure we are going to have multiple eoip/ipsec that are foreseen to carry vlan 101 and 102 and should be bridged towards the switch via the same physical interface. What would be the solution to bridge the same vlans from multiple virtual interfaces (eoip tunnels) to the same physical interface?

Thank you in advance!

One physical port cannot be a member of multiple bridges. However, there are scenarios where you need forwarding between particular ports of the same bridge to be disabled while those same ports can forward to/from other ports of the same bridge.

So either you simply haven’t realized that a bridge can have more than just two ports, so it is enough to add the second EoIP interface to the same bridge, or, although you haven’t expressly stated that, for some reason you don’t want frames to be forwarded between the AP sites, only between the Cisco side and any of the AP sites.

If it is the latter case, this can be obtained using the split horizon functionality of the bridge.

Hoy

These are the same vlans, so all you need to do is add the n’th eoip as a new port to the bridge, and indicate which vlans (101 & 2) need to pass over it.
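The two answers above combined into one RouterOS configuration, as an added example that is not part of any post in the thread: a single bridge holding the trunk port and both EoIP tunnels, restricted to VLANs 101 and 102, with split horizon keeping the spoke sites from forwarding to each other. ether2 and the VLAN IDs come from the thread; the bridge name `br-trunk` and the tunnel names `eoip-spoke1`/`eoip-spoke2` are assumptions, and the `horizon` setting is only needed if that isolation is wanted.

```routeros
# Constructed example. br-trunk, eoip-spoke1 and eoip-spoke2 are hypothetical names;
# ether2 and VLANs 101/102 are taken from the thread.

/interface bridge
# Create the bridge with filtering off so the session is not cut while ports are added.
add name=br-trunk vlan-filtering=no

/interface bridge port
# Trunk towards the L3 switch: no horizon value, so it exchanges frames with every port.
add bridge=br-trunk interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Spoke tunnels share the same horizon value: the bridge never forwards a frame
# between two ports with an equal horizon, so spoke-to-spoke traffic is dropped
# while spoke-to-trunk traffic still passes.
add bridge=br-trunk interface=eoip-spoke1 horizon=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=br-trunk interface=eoip-spoke2 horizon=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# Only VLANs 101 and 102 are carried; every member port keeps the tag.
# Any other VID, and any untagged frame, is dropped on ingress.
add bridge=br-trunk vlan-ids=101,102 tagged=ether2,eoip-spoke1,eoip-spoke2

/interface bridge
# Turn filtering on last, once the VLAN table is complete.
set br-trunk vlan-filtering=yes
```

Each further spoke is one more `/interface bridge port` line with the same horizon value plus its name appended to the `tagged` list.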

Thank you very much Sindy and Sebastia for clarification.
To be honest I didn’t realize that a bridge can have multiple ports assigned to it. I was trying to use one physical port for multiple bridges.
The problem is fixed now.

Have a good day!

Hi Sindy,
Though I have understood the purpose of the bridge and how vlan works, I am still struggling with vlan and bridging stuff when they are configured together. For example, I saw somewhere that they put the same port in different bridges?
I tried to google but I couldn’t get a clear explanation. 1. Could you state if there is a general rule/advice on how bridge and vlan are implemented together? 2. What does it mean to have two vlans in the same bridge? 3. What is the purpose of putting vlans and ports in a bridge and then bridging this bridge with other ports?
And could you direct me to some sources, please?
Thank you so much

I wonder where. You cannot put the same port itself into more than a single bridge; what you can do is to attach several interface vlan (which are just pipes tagging frames in one direction and untagging them in another direction) to the same underlying interface (which must not be a member port of any bridge in such case) and then make these /interface vlan member ports of different bridges. This used to be the only way to work with VLANs in pre-6.40 versions - each vlan had its own bridge.


Unless you need very special arrangements, use the “single common bridge for all VLANs” approach, with vlan-filtering set to yes on the bridge. This way, it works the same as on hardware switches, where tagless ingress frames get tagged if the egress port’s pvid differs from the ingress port’s one, and tagged ingress frames whose VID matches the pvid of the egress port get untagged. In this case, all /interface vlan must be attached to the bridge itself. The bridge actually represents two elements - a “bridge” in the sense of a “switch emulated in software” and a “bridge port” in the sense of a virtual interface which is a member port of the emulated switch. This also explains why in /interface bridge vlan the bridge name is used twice, once to identify the “emulated switch” for which the row applies, and once to identify the “virtual port”.


That’s hard to answer because I don’t understand what you are actually asking. It is normal to have many VLANs on the same bridge in terms that frames tagged with various VIDs live on that bridge. It is also normal to make two /interface vlan member ports of the same bridge if their underlying interfaces are not the same.

I don’t get what you have in mind without a particular example. The normal purpose of tagging frames with VLAN IDs is to create multiple independent topologies on a common physical infrastructure. In the “single common bridge for all VLANs” setup, the /interface vlan are there only to provide access to the VLANs for tagless frames provided by upper layers of the network stack; in the “own bridge for each VLAN” setup, they are used to create independent topologies for the VLANs by means of those additional bridges.


http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
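The two layouts described in the reply above, side by side, as an added example that is not part of the original post: the older "own bridge for each VLAN" arrangement and the "single common bridge for all VLANs" arrangement with the bridge named twice in `/interface bridge vlan`. All bridge and interface names, the access ports ether3/ether4 and the 192.0.2.1/24 address are assumptions chosen for illustration.

```routeros
# Constructed example; all names and the address are hypothetical.
# Use one layout or the other, never both on the same router.

# Layout A: own bridge for each VLAN.
# ether2 is NOT a bridge port. Each /interface vlan on it tags in one direction
# and untags in the other, and is a member port of its own bridge.
/interface vlan
add name=ether2-v101 interface=ether2 vlan-id=101
add name=ether2-v102 interface=ether2 vlan-id=102
/interface bridge
add name=br-v101
add name=br-v102
/interface bridge port
add bridge=br-v101 interface=ether2-v101
add bridge=br-v102 interface=ether2-v102

# Layout B: single common bridge for all VLANs.
/interface bridge
add name=br-all vlan-filtering=no
/interface bridge port
# ether2 is the tagged trunk; ether3 and ether4 are access ports.
add bridge=br-all interface=ether2
add bridge=br-all interface=ether3 pvid=101
add bridge=br-all interface=ether4 pvid=102
/interface vlan
# Attached to the bridge itself, not to ether2: this is the router's own
# tagless access to VLAN 101.
add name=vlan101 interface=br-all vlan-id=101
/interface bridge vlan
# bridge=br-all selects the emulated switch; br-all in tagged= is its virtual
# port towards the router. VLAN 102 omits it, so the router has no L3 presence there.
add bridge=br-all vlan-ids=101 tagged=br-all,ether2 untagged=ether3
add bridge=br-all vlan-ids=102 tagged=ether2 untagged=ether4
/ip address
add address=192.0.2.1/24 interface=vlan101
/interface bridge
# Enable filtering last, once the VLAN table is complete.
set br-all vlan-filtering=yes
```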

@ursy Could you please post your working configuration for your scenario?