VLAN for traffic over SFP on CCR1036

Hi there,


I’ve got the following problem:
We have an optic fibre connection to connect to the internet, which worked until now. Now we need to interlink two other sites in the country via the same optic fibre link. Our provider wants us to use VLANs to differentiate traffic streams on the link. All local traffic should have access to all vlans. At this moment I’m just trying to send the internet traffic on this link over vlan, I kind of want this to work first before I add the other vlans.

So this is my config (I took out non-relevant info):

/interface bridge
add name=bridge1

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590
set [ find default-name=ether2 ] l2mtu=1590
(…)
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no l2mtu=1590 name=sfp-plus1 speed=1Gbps

/interface vlan
add interface=sfp-plus1 l2mtu=1586 name=vlan-DSNIS use-service-tag=yes vlan-id=637

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8

/ip address
add address=41.79.225.30/30 comment=WAN interface=sfp-plus1 network=41.79.225.28
add address=192.168.1.1/22 comment=LAN interface=bridge1 network=192.168.0.0
add address=41.79.225.30/30 disabled=yes interface=vlan-DSNIS network=41.79.225.28

I would think that just disabling the address on the sfp1 interface and enabling the one at the vlan-interface would be sufficient, but it is not. No connectivity at all if I do that.

Any thoughts?

Anyone?

The ip should be set on the VLAN interface.

I’m not sure what you are trying to do, does your provider send tagged traffic already?

Yes, our ISP is providing both an internet link and national interconnection links, all on the same SFP-interface.

Their routing is based on vlan id, so we need to tag traffic to national links with the vlan id provided by them, while using another provided tag for internet traffic. Just moving the address from the physical interface to the vlan interface doesn’t work.

They should have provided you another IP for the “rest of traffic” vlan, haven’t they?

They did, actually - it’s the vlan-DSNIS which is already in the config. The address is at the moment on the physical interface, but I want to move it to the vlan-DSNIS interface to prepare for the other vlans. Only, when activating the address on the vlan-interface and disabling on the physical interface, there’s no traffic possible anymore on the link.

So basically I’m only trying to get the internet-vlan to work, I can’t test the other vlans yet.

No physical interface should have any ip on it but the management one if you wish. All VLANs should “hang” from the physical interface, each vlan interface should have its proper IP assigned. There isn’t anything else to do.

Check your firewall/nat to make sure rules are using vlan devices, and especially masquerading is being done on the vlan device (not the ether device).

Guess when you refer to “disabling” in

Only, when activating the address on the vlan-interface and disabling on the physical interface

you mean disabling the IP address?
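
The checks suggested in the replies above (address on the VLAN interface, masquerading on the VLAN device rather than the physical port) can be run mechanically against an export. This is an added example, not part of the original thread: a small Python audit over a constructed export that reuses the config posted above, plus an assumed masquerade rule, since the thread does not show the firewall section.

```python
import shlex

# Constructed sample in RouterOS export style: the thread's VLAN and address
# lines plus an ASSUMED masquerade rule (the firewall section is not in the thread).
SAMPLE_EXPORT = """\
/interface vlan
add interface=sfp-plus1 l2mtu=1586 name=vlan-DSNIS use-service-tag=yes vlan-id=637
/ip address
add address=41.79.225.30/30 comment=WAN interface=sfp-plus1 network=41.79.225.28
add address=192.168.1.1/22 comment=LAN interface=bridge1 network=192.168.0.0
add address=41.79.225.30/30 disabled=yes interface=vlan-DSNIS network=41.79.225.28
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-plus1
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(dict(pairs))
    return sections

def audit(text):
    """List findings where layer-3 config still points at a VLAN's parent port."""
    cfg = parse_export(text)
    vlans = {v["name"]: v["interface"] for v in cfg.get("/interface vlan", [])}
    parents = set(vlans.values())
    findings = []
    for a in cfg.get("/ip address", []):
        active = a.get("disabled", "no") != "yes"
        if active and a["interface"] in parents:
            findings.append(f"address {a['address']} is active on parent {a['interface']}")
        if not active and a["interface"] in vlans:
            findings.append(f"address {a['address']} on {a['interface']} is disabled")
    for r in cfg.get("/ip firewall nat", []):
        if r.get("action") == "masquerade" and r.get("out-interface") in parents:
            findings.append(f"masquerade uses out-interface={r['out-interface']}, not a VLAN")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

The parser only reads single-line `add` entries, so an export with backslash-continued lines would need joining first.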