Split horizon and new 'dynamic' interfaces

Just want to make sure I am not missing anything here… SUP is open at Mikrotik…

Since they changed the software to dynamically add interfaces to bridges (which I can understand for CRS devices), this is causing problems on CCR devices.

I can no longer add a VLAN interface to a bridge, and for example, apply any of the port settings (uni/multicast floods, split horizon, trusted or not, etc). Basically you can’t do anything in /bridge/port for that dynamic port that has been assigned dynamically.

A simple use case:

  • From a CRS, I have 24 ports, each tagged with a PVID.
  • The CRS has a VLAN Trunk, passing all 24 VLANS to a CCR
  • I wish to flatten the 24 VLANS, and apply a split horizon on the 24 VLANs on the CCR.
    • Simple Layer 3 / DHCP service provided;
    • Ports should not be able to communicate to each other via the L2 domain – hence Split Horizon is required
    • I can’t add the ports to the bridge manually with a split horizon, as the ports are now added dynamically to the bridge

Thanks,

Chris.

Writing “I can no longer add a VLAN interface to a bridge” hints at a configuration which is way out of the usual (I won’t say wrong, although that’s on my mind). So you may want to post the configuration you’ve got for us to see what exactly your setup is …

Also: what exactly do you mean by “I wish to flatten the 24 VLANS” … do you want to make all of them a single IP subnet? If that’s so, I’m asking why bother with separating devices into different L2 domains if you don’t want to segregate devices? If segregation is on the agenda, what’s wrong with routing traffic between subnets?

Fine. Forget about VLANs, forget about DHCP, forget about flattening VLANs, etc.

I can’t do Unicast/MultiCast/Broadcast control on a CCR. I can’t do STP settings on a CCR. I can’t do BPDU Guard on a CCR. All because I can’t add the port to a bridge because it is dynamically added.

Short sighted responses… It’s really pointless.

Just a simple example - of where this is required. You can’t do this anymore now with VLANs as you can’t control the VLAN port in the bridge.

Clients are isolated in separate PVIDs on switches, then (unneeded, but required) encapsulated in VXLAN, then ‘flattened’ on the Hotspot.

#
/interface bridge
add admin-mac=1A:A4:A3:5C:5B:36 auto-mac=no name=Hotspot protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no

/interface vxlan
add dont-fragment=enabled local-address=10.144.0.2 mac-address=32:56:DB:5E:50:53 mtu=5120 name="VXLAN1101 :: SW0-AAA-00000001" vni=1
add dont-fragment=enabled local-address=10.144.0.2 mac-address=8A:DC:D0:12:03:4F mtu=5120 name="VXLAN1102 :: SW0-AAA-00000002" vni=2
add dont-fragment=enabled local-address=10.144.0.2 mac-address=E6:E4:C6:EA:1C:D7 mtu=5120 name="VXLAN1103 :: SW0-AAA-00000003" vni=3
add dont-fragment=enabled local-address=10.144.0.2 mac-address=D2:80:AC:FE:64:DD mtu=5120 name="VXLAN1104 :: SW0-AAA-00000004" vni=4
add dont-fragment=enabled local-address=10.144.0.2 mac-address=2A:A0:50:B2:A6:B4 mtu=5120 name="VXLAN1105 :: SW0-AAA-00000005" vni=5
add dont-fragment=enabled local-address=10.144.0.2 mac-address=72:62:E5:5D:50:BA mtu=5120 name="VXLAN1106 :: SW0-AAA-00000006" vni=6
add dont-fragment=enabled local-address=10.144.0.2 mac-address=9A:AD:74:CC:EE:D6 mtu=5120 name="VXLAN1107 :: SW0-AAA-00000007" vni=7

/ip hotspot profile
add hotspot-address=100.64.0.1 name=hsprof1

/ip pool
add name="Hotspot Pool" ranges=100.64.0.2-100.64.15.254

/ip dhcp-server
add address-pool="Hotspot Pool" bootp-support=none interface=Hotspot name="Hotspot Network"

/ip hotspot
add address-pool="Hotspot Pool" disabled=no interface=Hotspot name=hotspot1 profile=hsprof1

/interface bridge port
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1101 :: SW0-AAA-00000001"
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1102 :: SW0-AAA-00000002"
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1103 :: SW0-AAA-00000003"
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1104 :: SW0-AAA-00000004"
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1105 :: SW0-AAA-00000005"
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1106 :: SW0-AAA-00000006"
add bridge=Hotspot frame-types=admit-only-untagged-and-priority-tagged horizon=20 interface="VXLAN1107 :: SW0-AAA-00000007"

/interface vxlan vteps
add interface="VXLAN1101 :: SW0-AAA-00000001" remote-ip=10.240.0.21
add interface="VXLAN1102 :: SW0-AAA-00000002" remote-ip=10.240.0.21
add interface="VXLAN1103 :: SW0-AAA-00000003" remote-ip=10.240.0.21
add interface="VXLAN1104 :: SW0-AAA-00000004" remote-ip=10.240.0.21
add interface="VXLAN1105 :: SW0-AAA-00000005" remote-ip=10.240.0.21
add interface="VXLAN1106 :: SW0-AAA-00000006" remote-ip=10.240.0.21
add interface="VXLAN1107 :: SW0-AAA-00000007" remote-ip=10.240.0.21

/ip address
add address=10.144.0.34/27 interface=ether1 network=10.144.0.32
add address=10.144.0.2 interface=Loopback network=10.144.0.2
add address=100.64.0.1/20 interface=Hotspot network=100.64.0.0

/ip dhcp-server network
add address=100.64.0.0/20 dns-server=8.8.8.8,1.1.1.1 gateway=100.64.0.1 netmask=20
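
An added example, not part of the original post or of any MikroTik tooling: a small Python audit that reads a RouterOS export like the one above and reports which ports of a bridge can still exchange L2 frames (bridge ports only stay isolated from each other when they share the same horizon value). It assumes a single-line `add` syntax without backslash continuations, and that dynamically added ports do not appear as `add` lines in the export; the sample export is constructed.

```python
import shlex
from itertools import combinations

# Constructed sample in the style of the export above. The third port
# deliberately has no horizon, and the fourth VXLAN has no static port entry.
SAMPLE_EXPORT = '''
/interface vxlan
add name="VXLAN1101 :: SW0-AAA-00000001" vni=1
add name="VXLAN1102 :: SW0-AAA-00000002" vni=2
add name="VXLAN1103 :: SW0-AAA-00000003" vni=3
add name="VXLAN1104 :: SW0-AAA-00000004" vni=4
/interface bridge port
add bridge=Hotspot horizon=20 interface="VXLAN1101 :: SW0-AAA-00000001"
add bridge=Hotspot horizon=20 interface="VXLAN1102 :: SW0-AAA-00000002"
add bridge=Hotspot interface="VXLAN1103 :: SW0-AAA-00000003"
'''

def parse_export(text):
    """Return {section path: [{key: value}, ...]} for every 'add' line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            # shlex keeps quoted names containing spaces in one token
            tokens = shlex.split(line[4:])
            sections[current].append(
                dict(tok.split("=", 1) for tok in tokens if "=" in tok))
    return sections

def audit_split_horizon(text, bridge):
    """Return (leaks, unmanaged) for `bridge`.

    leaks: port pairs that are not isolated (horizon unset or different).
    unmanaged: VXLAN interfaces with no static bridge-port entry, so no
    horizon value for them is recorded in the export at all.
    """
    sec = parse_export(text)
    ports = {p["interface"]: p.get("horizon", "none")
             for p in sec.get("/interface bridge port", [])
             if p.get("bridge") == bridge}
    leaks = [(a, b) for a, b in combinations(sorted(ports), 2)
             if ports[a] == "none" or ports[a] != ports[b]]
    unmanaged = sorted(v["name"] for v in sec.get("/interface vxlan", [])
                       if v["name"] not in ports)
    return leaks, unmanaged
```

Run against the export posted above with `bridge="Hotspot"`, both lists come back empty because all seven VXLAN ports are statically added with `horizon=20`.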