QnQ help

hello!
We use a CCR2116 with ROS 7.15.3 and we accentrate there a bunch of VLAN from a carrier.

We use the VLAN in the old way, attached to the interfaces.
We have SFPPLUS3:
vlan tag 8000 (outer)
then we have VLAN 10 (inner), 11, 12 ,13 and so on, inner VLANS.
We then create a bridge and we bridge together only the inner VLANS 10,11,12,13 etc.
We also use the horizon setting to isolate them.
It works.

I would like to ask if exist a working bridge configuration (new way, the single bridge configuration) to have the inner VLANs all togheter but using the switch chip. to have them all hardware offloaded.
We user a /24 ip addressing cover all the vlan bridged together.

Is there a new kind of configuration other than the one here: https://help.mikrotik.com/docs/spaces/ROS/pages/88014957/VLAN#VLAN-Q-in-Q that we use today?


I have read the docs here at https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-VLANTunneling(QinQ)

but I was able to have a working example for our scenario.

https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table

check this out. Here you create L2 q-in-q, then just add /interface/vlan ontop of bridge (not bridge existing vlan interfaces as this is a described misconfiguration https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration#Layer2misconfiguration-BridgedVLANonphysicalinterfaces)

i hope in the near future we can do Hardware accelerated vlan filtering of QinQ with NNI and UNI interfaces on the same bridge, and of course also been able to integrate it in a L3 Hw offload setup

Hello.
I have read it but I really dont know how to do it.
tomorrow I will export my current configuration and please can you suggest me doing it in the new way ?
I am not able to make a working test. I really dont understand the way to do it.

Post the config and we’ll see

sfpplus 1 (WAN)
sfpplus2 towards provider


/interface vlan
add comment=MIR interface=sfp-sfpplus2 name=2492_service_COS0_100 vlan-id=
2492
add interface=sfp-sfpplus2 name=4029_service_COS0_100 vlan-id=4029
add interface=sfp-sfpplus2 name=4030_service_COS0_100 vlan-id=4030
add interface=sfp-sfpplus2 name=4031_service_COS0_100 vlan-id=4031
add interface=sfp-sfpplus2 name=4032_service_COS0_100 vlan-id=4032
add interface=sfp-sfpplus2 name=4033_service_COS0_100 vlan-id=4033
add interface=sfp-sfpplus2 name=4034_service_COS0_100 vlan-id=4034
add interface=sfp-sfpplus2 name=4035_service_COS0_100 vlan-id=4035
add interface=sfp-sfpplus2 name=4036_service_COS0_100 vlan-id=4036
add interface=sfp-sfpplus2 name=4037_service_COS0_100 vlan-id=4037
add interface=sfp-sfpplus2 name=4038_service_COS0_100 vlan-id=4038
add interface=sfp-sfpplus2 name=4039_service_COS0_100 vlan-id=4039
add interface=sfp-sfpplus2 name=4040_service_COS0_100 vlan-id=4040
add interface=sfp-sfpplus2 name=4041_service_COS0_100 vlan-id=4041
add interface=sfp-sfpplus2 name=4042_service_COS0_100 vlan-id=4042
add interface=sfp-sfpplus2 name=4043_service_COS0_100 vlan-id=4043
add interface=sfp-sfpplus2 name=4044_service_COS0_100 vlan-id=4044
add interface=sfp-sfpplus2 name=4045_service_COS0_100 vlan-id=4045
add interface=sfp-sfpplus2 name=4046_service_COS0_100 vlan-id=4046
add interface=sfp-sfpplus2 name=4047_service_COS0_100 vlan-id=4047
add interface=sfp-sfpplus2 name=4048_service_COS0_100 vlan-id=4048
add interface=sfp-sfpplus2 name=4049_service_COS0_100 vlan-id=4049
add interface=sfp-sfpplus2 name=4050_service_COS0_100 vlan-id=4050
add interface=sfp-sfpplus2 name=4051_service_COS0_100 vlan-id=4051
add interface=sfp-sfpplus2 name=4052_service_COS0_100 vlan-id=4052
add interface=sfp-sfpplus2 name=4053_service_COS0_100 vlan-id=4053
add interface=sfp-sfpplus2 name=4054_service_COS0_100 vlan-id=4054
add interface=sfp-sfpplus2 name=4055_service_COS0_100 vlan-id=4055
add interface=sfp-sfpplus2 name=4056_service_COS0_100 vlan-id=4056
add interface=sfp-sfpplus2 name=4057_service_COS0_100 vlan-id=4057
add interface=sfp-sfpplus2 name=4058_service_COS0_100 vlan-id=4058
add interface=sfp-sfpplus2 name=4059_service_COS0_100 vlan-id=4059
add interface=sfp-sfpplus2 name=4060_service_COS0_100 vlan-id=4060
add interface=sfp-sfpplus2 name=4061_service_COS0_100 vlan-id=4061
add interface=sfp-sfpplus2 name=4062_service_COS0_100 vlan-id=4062
add interface=sfp-sfpplus2 name=4063_service_COS0_100 vlan-id=4063
add interface=sfp-sfpplus2 name=4064_service_COS0_100 vlan-id=4064
add interface=sfp-sfpplus2 name=4065_service_COS0_100 vlan-id=4065
add interface=sfp-sfpplus2 name=4066_service_COS0_100 vlan-id=4066
add interface=sfp-sfpplus2 name=4067_service_COS0_100 vlan-id=4067
add interface=sfp-sfpplus2 name=4068_service_COS0_100 vlan-id=4068
add interface=sfp-sfpplus2 name=4069_service_COS0_100 vlan-id=4069
add interface=sfp-sfpplus2 name=4070_service_COS0_100 vlan-id=4070
add interface=sfp-sfpplus2 name=4071_service_COS0_100 vlan-id=4071
add interface=sfp-sfpplus2 name=4072_service_COS0_100 vlan-id=4072
add interface=sfp-sfpplus2 name=4073_service_COS0_100 vlan-id=4073
add interface=sfp-sfpplus2 name=4074_service_COS0_100 vlan-id=4074
add interface=sfp-sfpplus2 name=4075_service_COS0_100 vlan-id=4075
add interface=sfp-sfpplus2 name=4076_service_COS0_100 vlan-id=4076
add interface=sfp-sfpplus2 name=4077_service_COS0_100 vlan-id=4077
add interface=sfp-sfpplus2 name=4078_service_COS0_100 vlan-id=4078
add interface=sfp-sfpplus2 name=4079_service_COS0_100 vlan-id=4079
add interface=sfp-sfpplus2 name=4080_service_COS0_100 vlan-id=4080
add comment=“CUSTOMER 1” interface=2492_service_COS0_100 name=2492_cvlan_2
vlan-id=2
add comment=“CUSTOMER 2” interface=4029_service_COS0_100 name=4029_cvlan_2
vlan-id=2
add comment=“CUSTOMER 3” interface=4030_service_COS0_100 name=
4030_cvlan_2 vlan-id=2
add comment=“customer 4” interface=4031_service_COS0_100 name=4031_cvlan_2
vlan-id=2
add comment=“customer 5” interface=4032_service_COS0_100 name=
4032_cvlan_2 vlan-id=2
add comment=“customer 6” interface=4033_service_COS0_100 name=
4033_cvlan_2 vlan-id=2

I have pasted only a part, since the list is very long.


/interface bridge
add name=BRIDGE_provider port-cost-mode=short protocol-mode=none


/interface bridge port
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
2492_cvlan_2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4079_cvlan_2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4080_cvlan_2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4076_cvlan_3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4078_cvlan_3 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4080_cvlan_7 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4078_cvlan_2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4077_cvlan_2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4080_cvlan_5 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4073_cvlan_4 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4080_cvlan_8 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4074_cvlan_2 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4080_cvlan_12 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4080_cvlan_6 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4078_cvlan_5 internal-path-cost=10 path-cost=10
add bridge=BRIDGE_provider horizon=1 ingress-filtering=no interface=
4076_cvlan_5 internal-path-cost=10 path-cost=10

So we put in the bridge only the inner vlans.

Then we have the ip on the provider port to 100.64.0.254/24 (for example) and we use the bridge as virtual interface.
I know that it is not the best way to do it so I ask your suggestions

Looking at your config, to make it according to docs, this looks like it’s something to be done from scratch almost:

1. Remove all VLANs from /interface bridge port
2. Add all physical ports to /interface bridge port and add appropriate PVID, check Tag stacking=yes where appropriate. Setup bridge horizon.
3. In /interface bridge vlan add 2-4094 entry and add bridge as Tagged, also add trunk ports here. Enable VLAN filtering on bridge.
4. In /interface vlan move all vlans from physical ports to bridge itself. Use service-tag check where appropriate.

However, according to https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading HW offloading would be disabled per port, when bridge horizon is setup. So you may consider another type of port isolation.

Thank you for your reply.
I have a phisical port towards the carrier that is giving me the VLANs.
So the PVID could be anything.

I will try to add all the VLANs, but wich one? The OUTER vlans, or the inner?
I could avoid the isolation, it is not necessary.

The issue will be… how to have a single bridge where all the vlans converge into?

So, can you specify, you receive tagged 802.1Q traffic from sfpplus2 right? This would be trunk port with customer tags.
Then you apply additional tag and then push traffic to sfpplus1 with Q-in-Q?
Maybe a network diagram of desired setup would help more, if I got you wrong.

Yes
I receive from the sfpplus2 some q-q

A VLAN (the first list of vlans in the configuration) attached to the interfaces.
then I add a second VLAN (inner vlan) , attached to the first vlan (attached to the interfaces)
then i bridge together only the inner vlans!

According to your description, here’s what I think

/interface bridge
add name=bridge vlan-filtering=yes ether-type=0x88a8

/interface bridge port
add interface=sfpplus2 bridge=bridge pvid=100 tag-stacking=yes
add interface=sfpplus1 bridge=bridge

/interface bridge vlan
add bridge=bridge tagged=sfpplus1 untagged=sfpplus2 vlan-ids=100
#all bridge config with ether-type=0x88a8 only care about the service tags, not the ones coming from sfpplus2

/interface vlan
add name=outer_100 interface=bridge vlan-id=100 use-service-tag=yes #this is your outer vlan

#not sure tho if this should be on a bridge or on the outer vlan as both examples exist, but think in this config the latter one is appropriate
add name=inner_4000 interface=bridge vlan-id=4000
add name=inner_4001 interface=outer_100 vlan-id=4001

So here you receive 40xx vlans (which are inner) from sfp2, then you append outer tag 100 and this traffic passes to sfp1 with two tags

hello
unfortunately it doesnt work, I tried but doesnt work.

I will try to explicate here again, because the setup is very simple on the paper but not so simple on the reality.
My objective is to migrate the old-style vlans on the interface, on the new configuration on a single bridge. I currently use the single bridge configuration everywhere but NOT where I have qnq since I am not able to have it working.

I receive from the provider port a QNQ
Outer VLAN and INNER vlan.
I configure the outer VLAN on the phisical port, and the inner VLAN on the VLAN I have just created on the port (the configuration is in the post above).
Then I create a bridge where I put inside all the INNER vlans. I assign a 100.64.0.254/24 and I can communicate with all the inner vlan.
I would like to understand if it is even possibile to to the same configuration but on the single bridge way so I can also use the l3-hw routing in the near future.