RB2011 VLAN Tagged and Untagged, 2 Access Ports and 1 Trunk on the Same Router.

Good morning everyone,

Nice to be in this great community.

I am stuck in a situation where I have a RouterBoard RB2011uias-rm and I need to create a simple (in my opinion) VLAN configuration. The current setup is the following:

RB2011 currently has 2 running interfaces: ETH1 for the LAN and ETH5 for connecting to a different network, which I’ll explain right away.

The Current Setup is the following:

RB2011
==> ETH1 ==> Physically Connected to an Unmanaged 16-port 3Com Switch where several PCs are connected
==> ETH2 ==> WAN1
==> ETH3 ==> WAN2
==> ETH5 ==> Physically Connected to a Cisco 2950 Switch in Port 24 Tagged as VLAN40
==> BRIDGE1 ==> ETH1,ETH5
==> IP 192.168.40.254/24
==> DHCP Server Enabled and running over Bridge1 192.168.40.0/24 POOL 192.168.40.100-150

Note: No VLAN configuration has been made on the Mikrotik, just a bridge of ETH1 and ETH5 on which all local services (DHCP etc.) are running.

Cisco 2950 Switch
==> ETH1 Cisco 880 series Router (WAN)
==> IP 192.168.100.254/24
==> DHCP Server Enabled and Running Over VLAN 100 192.168.100.0/24 POOL 192.168.100.100-192.168.100.150
==> ETH2-ETH16 ==> Tagged as VLAN100
==> On these interfaces PCs are connected which use network services (DHCP etc.) from the Cisco Network.
==> ETH17-ETH24 ==> Tagged as VLAN40
==> On these interfaces PCs are connected which use network services (DHCP etc.) from the Mikrotik Network.

The Above setup is working flawlessly.

So far so good. We have two different companies (same GROUP, recently merged) but with different IT teams. The first one runs on a totally unmanaged network (Mikrotik side) while the other one is fully managed with Cisco devices. For the record, I currently have no access to the Cisco network, so I can’t provide any more info.

Now, as stated before, this is the current setup. What I need to achieve now is to be able to run VLAN100 over a Mikrotik interface, let’s say ETH4.

My first idea was to set up ETH5 as a VLAN trunk which will have two tagged interfaces (call them VLAN40-ETH5 and VLAN100-ETH5) running over ETH5, and add a second VLAN interface (call it VLAN40-ETH1) running over ETH1. But then where should I put the DHCP server to run on? VLAN40-ETH1 or VLAN40-ETH5? (problem 1)

My second idea was to set up a tagged VLAN interface on ETH5 (call it VLAN40) and then create a bridge (call it Bridge1) that will have 2 ports, ETH1 and VLAN40, and then run DHCP services over Bridge1. Tried it. Doesn’t work. (problem 2)

My third idea was to set up a tagged VLAN interface on ETH1 (call it VLAN40-ETH1) and a tagged VLAN interface on ETH5 (call it VLAN40-ETH5) and then create a bridge (call it Bridge1) which will run DHCP services. Tried it. Doesn’t work. (problem 3)

Then I realised that I was making a mistake because I can’t tag the ETH1 interface, since it is connected to an unmanaged switch. So what I needed to do is what any other switch could do: keep it as a member of VLAN40 but remove the tag from the outgoing packets. So after a lot of reading I found out that I could do that on the switch chip, where I could set the specific interface to always strip VLAN tags. And this worked! Well, almost. As I said before, I need to run DHCP services on both interface ETH1 and ETH5 tagged as VLAN40. So I need to create a bridge (call it Bridge1) with two interfaces, ETH1 (with the tag stripped on it) and VLAN40-ETH5, and run services over Bridge1. Still doesn’t work. (problem 4)

So guys, I am out of options now. Can you please assist, because I’ve spent nights and days on this problem and my time has already run out.

Don’t know if this will be of any help, but to keep it simple, consider this: say that you need to create a VLAN trunk over an interface (call it ETH5) which will contain two VLAN IDs, 40 and 100, and then add VLAN40 to ETH1 where you will plug in a PC and VLAN100 to ETH4 where you will plug in another PC, and run different DHCP services over these two different VLANs and send the services over the trunk too. How would you accomplish that?

Thank you in advance.

Kostas.

Anyone please?

After reading your problem description I must say you were very close to making it work.

Here is the configuration to achieve it:

  1. Add the necessary VLAN interfaces on the ethernet ports where tagged packets are planned

/interface vlan
add interface=ether5 name=eth5-vlan40 vlan-id=40
add interface=ether5 name=eth5-vlan100 vlan-id=100

  2. Add bridges for every VLAN

/interface bridge
add name=bridge-vlan40
add name=bridge-vlan100

  3. Add the VLAN interfaces to their corresponding bridges, together with the ethernet interfaces where untagged traffic is necessary

/interface bridge port
add bridge=bridge-vlan40 interface=eth5-vlan40
add bridge=bridge-vlan40 interface=ether1

add bridge=bridge-vlan100 interface=eth5-vlan100
add bridge=bridge-vlan100 interface=ether4

  4. Add IP addresses with DHCP servers to the bridges

In the end you should set switch chip VLAN settings to default values to avoid any configuration conflicts.

Dear Becs,

First of all, I’d like to thank you very much for your response.

Today I set up a lab here in my office to test the whole configuration with two Mikrotiks and one Cisco 2940 that I have available. And it worked! Well, sort of. It worked only when I plugged Mikrotik directly to Mikrotik. When I installed the Cisco switch, which has two interfaces, one set as a trunk and one running only one specific VLAN, the configuration didn’t work. It’s like somehow the Cisco is corrupting the whole process. The weird thing is that when I plug the cables into the first Mikrotik, which runs the DHCP server, an IP seems to be leased to the MAC address of the opposite Mikrotik, while the DHCP client status on the opposite Mikrotik shows "searching" instead of "bound" and no IP address is assigned.
Weird, huh? Currently I am trying different configurations on the Cisco switch, like VTP and STP, but I’m still hitting the wall here.

Any thoughts would be much appreciated.

Thank you

Kostas.

Check the logs on the switch to see what’s happening. There shouldn’t be any problem with this configuration since it’s straightforward. By looking at the logs it’ll be easier to check what’s happening to it.

VTP is only for sending information related to VLANs between Cisco switches, so it shouldn’t interfere with this; spanning tree might, however, if there’s a loop, but on this configuration it shouldn’t.

Did you create the vlans on the switch?
Are the vlans allowed on the trunk interface?
Is the switch’s trunk interface set to 802.1q encapsulation?
Is the switch port administratively set to trunk, with no DTP?

Per-VLAN spanning tree could mess with this kind of implementation, but only if you have a Cisco switch connected to an untagged port on the Mikrotik (in access mode) which is bridged to a tagged port connected to another Cisco switch in trunk mode.

Dear shaoranrch

Thank you for your response.

It finally worked. I reset the Cisco switch to its defaults and started all over. The problem was that I was connecting the second Mikrotik to a static access port, where I should have created an 802.1q trunk allowing only the specific VLAN that I needed. Although I think I did change that before, sometime during the tests before I reset the switch, I must also have had a bit of a faulty config, because I remember one time an error occurred in the console of the switch stating something about the spanning tree and it blocked me out. So you are probably right regarding the spanning tree. So, to share my solution with everyone in case someone ever faces the same problem, here it is:

Mikrotik RB1:

Create VLAN40 and relative bridge with ports VLAN40 and ETHER1
/interface vlan add interface=ether5 name=vlan40 vlan-id=40
/interface bridge add name=br-vlan40
/interface bridge port add interface=ether1 bridge=br-vlan40
/interface bridge port add interface=vlan40 bridge=br-vlan40

Create VLAN100 and relative bridge with ports VLAN100 and ETHER2
/interface vlan add interface=ether5 name=vlan100 vlan-id=100
/interface bridge add name=br-vlan100
/interface bridge port add interface=ether2 bridge=br-vlan100
/interface bridge port add interface=vlan100 bridge=br-vlan100

Add required services for each bridge

VLAN40
/ip address add address=192.168.40.254/24 comment="VLAN40-ip" interface=br-vlan40 network=192.168.40.0
/ip pool add name=dhcp-pool-vlan40 ranges=192.168.40.100-192.168.40.150
// address-pool must name the pool created above (dhcp-pool-vlan40), otherwise the server has nothing to lease from
/ip dhcp-server add address-pool=dhcp-pool-vlan40 always-broadcast=yes disabled=no interface=br-vlan40 name=dhcp_vlan40
/ip dhcp-server network add address=192.168.40.0/24 comment="dhcp-network-vlan40" dns-server=192.168.40.254 gateway=192.168.40.254 netmask=24

VLAN100
// This is just to verify services from the second rb are working. You could just add a pc to the Ether2 port and check that vlan100 services are working.

/ip dhcp-client add interface=br-vlan100 add-default-route=no


Cisco switch Configuration
// Not really familiar with IOS, so if anyone can assist translating the below to IOS commands, be my guest.

Add a cable from the Mikrotik RB1 Ether5 to a port on the Cisco switch (let's say eth5), set the port up as an 802.1q trunk and add allowed VLANs 40,100 only.
Add another cable from a port on the Cisco switch (let's say eth4), set the port up as an 802.1q trunk, add allowed VLANs 40,100 only, and connect that cable to Mikrotik RB2 on port Ether5.

==============================================================================

Mikrotik RB2:

Create VLAN40 and relative bridge with ports VLAN40 and ETHER1
/interface vlan add interface=ether5 name=vlan40 vlan-id=40
/interface bridge add name=br-vlan40
/interface bridge port add interface=ether1 bridge=br-vlan40
/interface bridge port add interface=vlan40 bridge=br-vlan40

Create VLAN100 and relative bridge with ports VLAN100 and ETHER2
/interface vlan add interface=ether5 name=vlan100 vlan-id=100
/interface bridge add name=br-vlan100
/interface bridge port add interface=ether2 bridge=br-vlan100
/interface bridge port add interface=vlan100 bridge=br-vlan100

Add required services for each bridge

VLAN100
/ip address add address=192.168.100.254/24 comment="VLAN100-ip" interface=br-vlan100 network=192.168.100.0
/ip pool add name=dhcp-pool-vlan100 ranges=192.168.100.100-192.168.100.150
// address-pool must name the pool created above (dhcp-pool-vlan100), otherwise the server has nothing to lease from
/ip dhcp-server add address-pool=dhcp-pool-vlan100 always-broadcast=yes disabled=no interface=br-vlan100 name=dhcp_vlan100
/ip dhcp-server network add address=192.168.100.0/24 comment="dhcp-network-vlan100" dns-server=192.168.100.254 gateway=192.168.100.254 netmask=24

VLAN40
// This is just to verify services from the first rb are working. You could just add a pc to the Ether1 port and check that vlan40 services are working.

/ip dhcp-client add interface=br-vlan40 add-default-route=no


After all of the above is set, we can also configure other ports on the Cisco in static access mode, allowing only VLAN100 or VLAN40, and enjoy the services deployed over the specified VLAN. We can do the same on the Mikrotik side just by adding another port of the Mikrotik to the relative bridge.

Hope this helps someone else overcome any related issues too.

Becs and Shaoranrch
Thank you once again for the valuable help you gave me.


Kostas.
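As an added example (not from the thread or from MikroTik), a Python script that renders the per-VLAN bridge layout used above from a small plan and sanity-checks it first: VLAN IDs unique on the trunk, no port untagged in two bridges, the trunk not reused as an untagged port, and each DHCP pool inside its bridge's subnet. The pool name is generated once and reused, which rules out the address-pool / pool-name mismatch that is easy to make when typing these commands by hand; the port and address values mirror the thread, while the plan structure and function names are mine.

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed plan mirroring the thread: trunk ether5, VLAN 40 untagged on ether1, VLAN 100 on ether2.
PLAN = {
    "trunk": "ether5",
    "vlans": [
        {"id": 40, "access_ports": ["ether1"], "address": "192.168.40.254/24",
         "pool": ("192.168.40.100", "192.168.40.150")},
        {"id": 100, "access_ports": ["ether2"], "address": "192.168.100.254/24",
         "pool": ("192.168.100.100", "192.168.100.150")},
    ],
}

def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_ids, seen_ports = [], set(), {}
    for v in plan["vlans"]:
        vid = v["id"]
        if vid in seen_ids:
            problems.append(f"vlan {vid}: duplicate id on trunk {plan['trunk']}")
        seen_ids.add(vid)
        for port in v["access_ports"]:
            if port == plan["trunk"]:
                problems.append(f"vlan {vid}: {port} is the trunk, cannot be untagged too")
            if port in seen_ports:  # one untagged VLAN per port, or the bridges leak into each other
                problems.append(f"{port}: already untagged in vlan {seen_ports[port]}")
            seen_ports[port] = vid
        net = IPv4Interface(v["address"]).network
        lo, hi = (IPv4Address(a) for a in v["pool"])
        if not (lo in net and hi in net and lo <= hi):
            problems.append(f"vlan {vid}: pool {lo}-{hi} not inside {net}")
    return problems

def render(plan):
    """Emit RouterOS commands, one bridge per VLAN; the pool name is built once and reused."""
    out = []
    for v in plan["vlans"]:
        vid, trunk = v["id"], plan["trunk"]
        vif, br, pool = f"vlan{vid}", f"br-vlan{vid}", f"dhcp-pool-vlan{vid}"
        ip = IPv4Interface(v["address"])
        out += [f"/interface vlan add interface={trunk} name={vif} vlan-id={vid}",
                f"/interface bridge add name={br}",
                f"/interface bridge port add interface={vif} bridge={br}"]
        out += [f"/interface bridge port add interface={p} bridge={br}" for p in v["access_ports"]]
        out += [f"/ip address add address={ip} interface={br}",
                f"/ip pool add name={pool} ranges={v['pool'][0]}-{v['pool'][1]}",
                f"/ip dhcp-server add address-pool={pool} interface={br} name=dhcp_vlan{vid} disabled=no",
                f"/ip dhcp-server network add address={ip.network} gateway={ip.ip} dns-server={ip.ip}"]
    return out
```

Run `validate(PLAN)` before pasting the output of `render(PLAN)` into the router; a non-empty list means the plan needs fixing first.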

Good to know it’s working now, regarding this:

==============================================================================
Cisco switch Configuration
// Not really familiar with IOS, so if anyone can assist translating the below to IOS commands, be my guest.

Add a cable from the Mikrotik RB1 Ether5 to a port on the Cisco switch (let’s say eth5), set the port up as an 802.1q trunk and add allowed VLANs 40,100 only.
Add another cable from a port on the Cisco switch (let’s say eth4), set the port up as an 802.1q trunk, add allowed VLANs 40,100 only, and connect that cable to Mikrotik RB2 on port Ether5.

==============================================================================

would be something like this:

interface ether5
 switchport trunk encapsulation dot1q (read below *)
 switchport mode trunk
 switchport trunk allowed vlan 40,100 
interface ether4
 switchport trunk encapsulation dot1q (read below*)
 switchport mode trunk
 switchport trunk allowed vlan 40,100

#when using the commands don’t add the things between ()

  • This is added because on older switches that accept ISL you need to tell it to use 802.1q encapsulation in order for it to become a trunk port. If the command fails, just don’t use it (that means the switch doesn’t support ISL).

The other thing I’d like to point out to you is the following:

If, for instance, you now want to connect a Cisco switch (let’s say to routerA, ether10, which is inside Bridge-VLAN100), and you don’t feel the necessity of using VLANs here because the Cisco switch will only be used for VLAN100, so you decide to put this port in access mode, you’ll have a problem.

The reason is the Cisco add-on to spanning tree called “Per VLAN”. Mikrotik doesn’t understand PV-RSTP+ frames, which are always sent tagged (and in a proprietary format), so it’ll flood them (exactly as it’s supposed to, because of the transparent bridging principles). This will be the scenario:

Switch A (the current one) will send tagged (100) PV-RSTP+ frames to the Mikrotik; the router won’t understand them and it’ll flood them.
Switch B (the new one) will receive an untagged PV-RSTP+ frame on a port that’s not supposed to get them, so it’ll block the port. You’ll notice this in the logs, something like: PORT ERRDISABLED STP PORT-INCONSISTENCY

The solution here is either to filter BPDUs on SWITCH B on the port directly connected to Mikrotik, or set the switch port as trunk and tag frames on mikrotik going towards it.

Hope this helps you in case you happen to need this particular configuration.
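To make the tag-stripping failure described above concrete, here is an added Python example (not from the thread or from either vendor) that decodes 802.1Q frames, models what a transparent bridge hands to a tagged versus an untagged egress port, and audits a constructed capture for PVST+ BPDUs that arrive with their tag gone. The PVST+ multicast MAC 01:00:0c:cc:cc:cd and SNAP PID 0x010b are Cisco's real values; the source MAC and the zero-filled BPDU body are placeholders I constructed.

```python
import struct

PVST_BPDU_DST = bytes.fromhex("01000ccccccd")  # Cisco PVST+ BPDU multicast MAC
TPID_8021Q = 0x8100

def parse_frame(frame):
    """Decode dst/src MAC and one 802.1Q tag if present; vlan=None means untagged."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "rest": frame[16:]}
    return {"dst": dst, "src": src, "vlan": None, "rest": frame[12:]}

def bridge_egress(frame, port_tagged):
    """What a transparent bridge hands to an egress port: unchanged on a tagged
    port (a vlan interface), tag stripped on an untagged ethernet port."""
    p = parse_frame(frame)
    if p["vlan"] is None or port_tagged:
        return frame
    return p["dst"] + p["src"] + p["rest"]

def audit_capture(frames):
    """Flag PVST+ BPDUs seen untagged on a link: the sign that a bridge upstream
    stripped the VLAN tag, which is the port-inconsistency trigger the post describes."""
    findings = []
    for n, f in enumerate(frames):
        p = parse_frame(f)
        if p["dst"] == PVST_BPDU_DST and p["vlan"] is None:
            findings.append(f"frame {n}: PVST+ BPDU from {p['src'].hex(':')} arrived untagged")
    return findings

def make_pvst_bpdu(vlan, src="00:11:22:33:44:55"):
    """Constructed sample: 802.1Q-tagged PVST+ BPDU shell (LLC/SNAP, Cisco OUI
    00:00:0c, PID 0x010b). The BPDU body is zero-filled; only the headers matter here."""
    llc_snap = bytes.fromhex("aaaa03" "00000c") + struct.pack("!H", 0x010B)
    body = bytes(35)
    return (PVST_BPDU_DST + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
            + struct.pack("!H", len(llc_snap) + len(body)) + llc_snap + body)

def demo():
    """Switch A emits a VLAN 100 PVST+ BPDU; the bridge floods it out both an
    untagged ethernet port (the access-mode scenario) and a tagged vlan interface."""
    bpdu = make_pvst_bpdu(100)
    return audit_capture([bridge_egress(bpdu, port_tagged=False),
                          bridge_egress(bpdu, port_tagged=True)])
```

Only the copy that left through the untagged port is reported; the copy sent via the vlan interface keeps its tag, which is the second remedy the post suggests.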

I recently had a very similar problem to yours, and I haven’t solved it yet. I will explain my problem, and if someone can help me I will be thankful. My problem is that I have a Huawei router with 13 public IP addresses; the router is configured by my ISP, and they tell me that about 11 ports are configured as trunk ports and assigned to VLAN 300 and VLAN 400. VLAN 300 is for my DMZ (public addresses) and VLAN 400 is for some private VPN favor. The idea is to set 3 of the 13 public IP addresses on my Mikrotik router via fiber cable with 3 LAN IP addresses. The problem is that when I try to ping the Huawei router from my Mikrotik it does not respond, and that tells me that I’m wrong with the Mikrotik config. To begin with, I need to set 1 interface into VLAN 300 and configure it as a trunk (as far as I know) and set one of my public IP addresses, and I should be able to access the internet.
What I configured, and it didn’t work:
On the interface tab I created name=vlan300, id 300, interface ether1.
Then I created bridge1 and assigned the ether1 interface and vlan300.
Then I set an IP address on that VLAN, set one of my IP addresses, and created route, NAT, firewall, DNS and everything else.
The result is that I can’t ping the Huawei router. What am I doing wrong? Please help.

Not 100% sure I understood correctly, but from what I read you do not want to use the switch chip in this case.

I use several VLANs and all have to be assigned to an ethernet port (or SFP), and then you create a port (bridge) from the VLAN to the bridge.

This is a working VLAN config from my 3011. I have modified it for you.

/interface vlan
add interface=ether1 name=VLAN300 vlan-id=300

/interface bridge
add name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=VLAN300

/ip address
add address=x.x.x.x/x comment="Insert_Comment_Here" interface=bridge1 network=x.x.x.x