UBNT and Mikrotik VLAN solution

Hi.
My boss wants to start using VLANs on one of our networks - so I have been thrown into the deep end here a bit.
I think my biggest problem is that I don’t seem to quite grasp how VLAN tagging works (if anyone has a link to a free video that would be great).

I have successfully setup-by-YouTube the UBNT Edgeswitch and the 7 VLANs are working fine. Now I need to push the VLANs through to the outside buildings which are connected by a Mikrotik Nstream network.

The setup is basically as follows (attached as file):

Edgeswitch —> RB1 (SXT) —> RB2 (433 - Highsite) —> RB3 (LHG) —> UniFi AP (VLAN3)
                                                —> RB4 (LHG) —> UniFi AP (VLAN4)
                                                —> RB5 (LHG) —> UniFi AP (VLAN5)

The port on the Edgeswitch is set up in VLAN6 as a U Trunk port with VLANs 3, 4, and 5 as T.
WLAN and Eth1 on RB1 and RB2 are bridged, so they should pass the VLAN info through???
If I then on the LHGs add the WLAN to VLAN6 U and then the ETH1 to VLAN4 T I don’t get any traffic.

Clearly I am not doing this right. Can someone perhaps point me in the right direction?

Find out how far they get from SW1. Use Tools->Torch on RB1 and look for tagged packets coming from SW1 (they’ll have a number in VLAN column). You’ll need to make sure that SW1 is sending some. I don’t know what exactly you configured, but if you have some device connected to SW1 in given VLAN, there should be some broadcast traffic. If you don’t do VLAN filtering on RB, tagged packets will pass to other bridged interfaces. So look for them on interface connected to RB2, then on RB on interface from RB1, etc…

VLAN tagging inserts four bytes between the MAC addresses at the very beginning of an Ethernet frame and the rest of that frame, the first two bytes inserted are an Ethertype code indicating that the other two bytes contain 12 bits of VLAN ID, 3 bits of CoS (priority) marker and one bit whose purpose I don’t remember.

On “access” ports, frames coming from the wire are marked with a tag carrying the ID of the VLAN to which the port belongs; in the opposite direction, the tag is removed from frames bearing a tag with the access port’s VLAN ID. Frames tagged with any other VLAN ID are not forwarded to the wire.

On “trunk” ports, only tagged frames are let in and out without modification (tagging or untagging).

“Hybrid” ports are a combination of the two above - one VLAN ID, called the “default” one or pvid, is handled like on an access port, all the other ones are handled like on a trunk port.

VLAN ID 0 is reserved for cases where the frame doesn’t belong to any VLAN but you need the tag to transport the CoS bits. VLAN ID 1 is handled various ways by various vendors so better avoid using it.

End of video.


That sounds like it is a hybrid port on which VLANs 3 to 6 are permitted, and out of these four, VLAN 6 is the default one, i.e. is handled like on an access port.


This is true if both member ports of the bridge are Ethernet ones. Standard wireless frames do not support VLAN tags because their structure is different than that of the wired Ethernet frames, and use of nstreme or nv2 doesn’t seem to change anything about that. So to transport VLANs over a wireless link, you need to use this setup which makes the Mikrotiks use a proprietary wireless frame structure. The key is to set wireless interface mode to bridge at one end of the link and to station-bridge on the other; in your case, RB2 will be in bridge mode (AP) and RB1, RB3, RB4, RB5 in station-bridge.
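
The tag layout and the access/trunk/hybrid port rules described above, as an added Python example that is not part of the original posts. The function names, the constructed sample frame and the model of the Edgeswitch uplink port (VLAN 6 untagged, VLANs 3, 4 and 5 tagged) are assumptions for illustration; the sixteenth tag bit is named here as the Drop Eligible Indicator (formerly CFI) per IEEE 802.1Q.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that a 2-byte tag (TCI) follows

def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the two 6-byte MAC addresses."""
    if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("field out of range")
    tci = (pcp << 13) | (dei << 12) | vid  # 3 bits CoS, 1 bit DEI, 12 bits VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp, dei, frame_without_tag); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, frame[:12] + frame[16:]

def ingress(frame, pvid, tagged_vids):
    """Frame arriving from the wire: (vlan, untagged_frame), or None if dropped."""
    vid, _, _, inner = parse_tag(frame)
    if vid is None or vid == 0:  # untagged or priority-only tag: use the port's pvid
        return (pvid, inner) if pvid is not None else None
    return (vid, inner) if vid in tagged_vids else None

def egress(vid, inner, pvid, tagged_vids):
    """Frame leaving to the wire: untagged for pvid, tagged for trunk VLANs, else None."""
    if vid == pvid:
        return inner
    if vid in tagged_vids:
        return add_tag(inner, vid)
    return None

# Constructed sample (not captured traffic): broadcast frame, ARP EtherType, zeroed payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)
# Assumed model of the hybrid uplink port from the thread; an access port would be
# pvid=N with tagged_vids=set(), a pure trunk pvid=None with only tagged_vids.
UPLINK = dict(pvid=6, tagged_vids={3, 4, 5})
```

Comparing bytes 12 to 16 of a frame seen in Torch or a packet capture against the output of `add_tag` shows at which hop along the link the tag disappears.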

Don’t create any VLANs etc. on your Mikrotik equipment!
Just bridge the WLAN and ETH ports of all of them.

^^^ This.

Let the UBNT kit do the tagging and untagging and leave the MikroTik kit in the middle effectively as “dumb” for bridging.

On my home setup I have VLANs attached to my main LAN bridge on the main router, all other kit is “dumb” switched and my UniFi APs do VLAN tagging on wifi entering via various SSIDs. Works perfectly.