Problems with VLAN passthrough

Hi

I’m using a CRS518-16XS-2XQ and I just can’t get my setup to work right… I want classic switching, only L2.

This is my current setup on Huawei switch:
Incoming port is trunk with VLANs 10, 20 and 30.
Port with VLAN 10 is access.
Port with VLAN 20 is trunk.
Port with VLAN 30 is dot1q-tunnel

My Mikrotik:
On port sfp28-1 I’m getting VLAN 10, 20 and 30.
VLAN 10 needs to be passed to sfp28-11 which is access type port. Router with BGP.
VLAN 20 needs to be passed to sfp28-12 which is classic trunk port, connection to another switch.
VLAN 30 needs to be passed to sfp28-13 but like Q-in-Q. Behind it is a switch with VLAN 30, and it needs to have access to the underlying VLANs.

Thank you

To start things off, an export of the config would be helpful to see what is going on at the moment:

/export file=anynameyouwish (minus sensitive info)

This is all of my config except management port and address…Am I missing something?

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=sfp28-1
add bridge=bridge interface=sfp28-11 pvid=10
add bridge=bridge interface=sfp28-12
add bridge=bridge interface=sfp28-13
/interface bridge vlan
add bridge=bridge tagged=sfp28-1 untagged=sfp28-11 vlan-ids=10
add bridge=bridge tagged=sfp28-1,sfp28-12 vlan-ids=20
add bridge=bridge tagged=sfp28-1,sfp28-13 vlan-ids=30

If I set bridge type to 0x8100, then I can connect to router on VLAN 10 but my q-in-q isn’t working.
If I set it to 0x88a8 then I can’t ping but then my q-in-q is working…
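The setting toggled in the post above is a single bridge-wide ether-type, and it decides which incoming frames count as tagged. As an added example (not part of the original thread and not MikroTik code), this Python model classifies frames on ingress under each setting; it is a simplified model that matches only the outer tag's TPID, and the frames, MAC addresses and inner VLAN 100 are constructed.

```python
import struct

TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8

def vlan_tags(frame: bytes):
    """Return the (TPID, VID) tag stack that follows the two MAC addresses."""
    tags, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags

def classify(frame: bytes, bridge_ether_type: int, pvid: int,
             frame_types: str = "admit-all"):
    """Model of ingress on a VLAN-filtering bridge with ONE bridge-wide ether-type.

    Only an outer tag whose TPID equals bridge_ether_type counts as a VLAN tag;
    any other frame is handled as untagged and lands in the port's pvid.
    Returns (vlan_id, seen_as_tagged), or None when frame-types drops the frame.
    """
    tags = vlan_tags(frame)
    tagged = bool(tags) and tags[0][0] == bridge_ether_type
    if tagged and frame_types == "admit-only-untagged-and-priority-tagged":
        return None
    if not tagged and frame_types == "admit-only-vlan-tagged":
        return None
    return (tags[0][1] if tagged else pvid, tagged)

def build(tags, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed sample frame: placeholder MACs, then the given (TPID, VID) tags."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    return hdr + b"".join(struct.pack("!HH", t, v) for t, v in tags) + payload

# Constructed frames as they could arrive on the uplink (sfp28-1 in the thread)
vlan10 = build([(TPID_8021Q, 10)])                    # 802.1Q-tagged VLAN 10
vlan30 = build([(TPID_8021Q, 30)])                    # 802.1Q-tagged VLAN 30
qinq = build([(TPID_8021AD, 30), (TPID_8021Q, 100)])  # service tag 30, inner VLAN 100

if __name__ == "__main__":
    for et in (TPID_8021Q, TPID_8021AD):
        for name, f in (("vlan10", vlan10), ("vlan30", vlan30), ("qinq", qinq)):
            print(hex(et), name, classify(f, et, pvid=1))
```

In this model, with 0x88a8 the 0x8100-tagged VLAN 10 frame is classified by the port's pvid rather than by its own tag, so a `vlan-ids=10` table entry never applies to it.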

I hope you find some of this information useful. The description is not in English, but everything can be understood. There are instructions for Vlan config router, switch, etc. https://www.sys2u.online/XPERT_TOPIC142_how-to-config-MikroTik-UniFi-AP-set-multi-VLAN-multi-SSID--MikroTik.html

I haven't done Q-in-Q with Mikrotik (yet) but below should work for your first two VLANs (regular tagged and untagged):


# Create the bridge
/interface bridge add arp-timeout=4m frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes

# Add interfaces to bridge
/interface bridge port add bridge=bridge1 frame-types=admit-all interface=sfp28-1 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp28-11 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp28-12 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp28-13 pvid=10

# Define which vlans are tagged on which interfaces - note you don't have to define the untagged (pvid) interfaces since that will be added automatically by ROS
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp28-1 vlan-ids=20,30
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp28-12 vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp28-13 vlan-ids=30

That is, with the above I assume that (if I interpreted your first post correctly):

sfp28-1:
VLAN10: untagged
VLAN20: tagged
VLAN30: tagged

sfp28-11:
VLAN10: untagged

sfp28-12:
VLAN10: untagged
VLAN20: tagged

sfp28-13:
VLAN10: untagged
VLAN30: tagged

So if above works (as a start) you “just” need to figure out how the config will be when involving Q-in-Q :)

Also above is with current 7.15.2 stable (like autoadding pvid as untagged was added in ROS v7 or late in v6).

sfp28-1 is the connection to the main switch. There is no untagged traffic. All VLANs are going from and to that port.

In that case (again without Q-in-Q config since I have not much experience from that with Mikrotik) something like this:


# Create the bridge
/interface bridge add arp-timeout=4m frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes

# Add interfaces to bridge
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp28-1 pvid=1
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp28-11 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp28-12 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp28-13 pvid=10

# Define which vlans are tagged on which interfaces - note you don't have to define the untagged (pvid) interfaces since that will be added automatically by ROS
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp28-1 vlan-ids=10,20,30
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp28-12 vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp28-13 vlan-ids=30

Edit: pvid for sfp28-1 can of course be some unused vlan to isolate untagged traffic through vlanconfig as well. For example put pvid 1001 for int1 if untagged is unused (and 1024 for int24 if untagged is unused). The “admit-only-vlan-tagged” should however take care of that to only allow incoming tagged frames. The pvid can however be used for LLDP, STP and such so your mileage may vary regarding what to configure the pvid when you don't allow untagged traffic.

The main problem, I think, is that type is defined on bridge instead of port. I should be able to set Q-in-Q on port, not on bridge.

Maybe to better understand what you try to achieve a simple network diagram would be needed. Also, does VLAN 30 arrive at the Mikrotik as .1Q tunnel and which are/should be its inner VLANs?