Unable to have a very simple VLAN between two CCR2116 working

Dear all,

I am quite embarrassed to ask such a simple question on a forum, but since it is not working and I have been bashing my head on a wall for more than two weeks of tests, I have exhausted all possible options to understand why such a very simple and straightforward scenario is not working. Just a quick note: I come from the Cisco world and have a CCNA and some 10+ years of experience with them, so it’s not that I started playing with networking just some days ago, but I have zero experience with Mikrotiks.

I would really appreciate your help on this as probably I’m missing something very obvious related to the Mikrotik world but I really cannot find it even going through Mikrotik’s wiki.

Consider this scenario:

VLAN900 10.1.1.1 [rtr1] <----- sfp-sfpplus4 -----> [rtr2] VLAN900 10.1.1.2

Embarrassingly simple right? No, rtr1 cannot ping rtr2 and rtr2 cannot ping rtr1. Both of them can ping self.

[exion@rtr2] > ping 10.1.1.1
SEQ HOST SIZE TTL TIME STATUS
0 10.1.1.1 timeout
1 10.1.1.1 timeout
2 10.1.1.1 timeout
3 10.1.1.2 84 64 101ms570us host unreachable
sent=4 received=0 packet-loss=100%

[exion@rtr1] > ping 10.1.1.2
SEQ HOST SIZE TTL TIME STATUS
0 10.1.1.2 timeout
1 10.1.1.2 timeout
2 10.1.1.2 timeout
3 10.1.1.1 84 64 125ms320us host unreachable
sent=4 received=0 packet-loss=100%

Here below is the relevant configuration:


rtr1:
/interface vlan
add interface=bridge1 name=vlan900 vlan-id=900

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 hw=no interface=sfp-sfpplus4 pvid=99

/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus4 untagged=vlan900 vlan-ids=900

/ip address
add address=10.1.1.1/24 interface=vlan900 network=10.1.1.0



rtr2:
/interface vlan
add interface=bridge1 name=vlan900 vlan-id=900

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 hw=no interface=sfp-sfpplus4 pvid=99

/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus4 untagged=vlan900 vlan-ids=900

/ip address
add address=10.1.1.2/24 interface=vlan900 network=10.1.1.0

Here’s corrected config …

About different bridge personalities: http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

And you should never add a vlan interface as an untagged port back to the bridge upon which this interface is anchored. This creates a kind of a loop.

Thanks!

This solved my issue, it seems it is implicit that a VLAN interface is added as an untagged interface to a bridge… maybe it should be documented somewhere in the Mikrotik wiki?

VLANs on bridge in ROS are handled somehow differently than with other vendors. You may want to go through this tutorial: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

vlan interfaces (created in /interface/vlan) are kind of pipes with two ends: one is tagged and is “anchored” to the interface named in the “create” command. The other is untagged and has to be used explicitly, e.g. as the interface through which ROS interacts with that VLAN (just like you did when you set the IP address). The “pipe” filters ingress frames on the tagged end, only allowing frames tagged with the appropriate VLAN ID. Frames which are allowed to pass are then stripped of (outer) 802.1Q frames and get pushed out (as untagged) through the untagged end. In the opposite direction the untagged end accepts a frame, adds an 802.1Q header with the VLAN ID set to the appropriate value, and pushes the tagged frame out through the tagged end.

So conceptually, vlan interfaces are not bridge ports (neither tagged nor untagged). If used as in your case, they are anchored off the switch-facing interface of the router (it is confusing that all bridge personalities are named equally).
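The rule from the replies above (a vlan interface must not be listed as a member of the bridge it is anchored on) can be checked mechanically against an export. The following is an added example, not part of the original thread or any MikroTik tooling; the function names are hypothetical, the sample is rtr1's configuration from the first post, and it assumes the export has one `add` per line as posted.

```python
import re

# Constructed sample: the rtr1 configuration from the first post, as export text.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge1 name=vlan900 vlan-id=900
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 hw=no interface=sfp-sfpplus4 pvid=99
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus4 untagged=vlan900 vlan-ids=900
"""

def parse_export(text):
    """Return {section path: [dict of key=value pairs, one per 'add' line]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def find_looped_vlan_members(text):
    """Flag bridge VLAN entries listing a vlan interface anchored on that same bridge."""
    sections = parse_export(text)
    # vlan interface name -> interface it is anchored to
    anchors = {v["name"]: v["interface"]
               for v in sections.get("/interface vlan", [])
               if "name" in v and "interface" in v}
    findings = []
    for entry in sections.get("/interface bridge vlan", []):
        for role in ("tagged", "untagged"):
            for member in filter(None, entry.get(role, "").split(",")):
                if anchors.get(member) == entry.get("bridge"):
                    findings.append((entry["bridge"], entry.get("vlan-ids"), role, member))
    return findings

if __name__ == "__main__":
    for bridge, vids, role, member in find_looped_vlan_members(SAMPLE_EXPORT):
        print(f"{bridge} vlan-ids={vids}: {member} is listed as {role} member "
              f"but is a vlan interface anchored on {bridge}")
```

Run against the posted rtr1 configuration, it reports `vlan900` as an untagged member of `bridge1` for VLAN 900.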