Vlan interface and bridging query

Hey All,

I have been looking at this for a while and can't seem to make it work.

version: v6.35rc48
model: RB1100AHx2

Trying to run ARP (and DHCP) on a vlan interface and also have it hand out addresses on the layer 2 bridge. If I have vlan 10 tagged traffic come in ARP / DHCP works as expected if I have the DHCP attached to the vlan interface. However ARP / DHCP does not work for the physical interface that I have also added to the bridge (ether5).

If I swap around the IP address to be attached to the bridge then I get the reverse situation: no ARP / DHCP for tagged traffic coming into the router, but working for the physical port.

We really need both situations to work if possible.

The config shown is for the first situation, i.e. IP address attached to the vlan interface.

[admin@MikroTik] > /interface bridge print 
Flags: X - disabled, R - running 
 0  R name="CCTV-bridge" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled mac-address=E4:8D:8C:1F:0A:4C protocol-mode=rstp 
      priority=0 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m 

 1  R name="lan-bridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled mac-address=E4:8D:8C:1F:0A:4B protocol-mode=rstp 
      priority=0 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m 

 2  R name="vlan-10-bridge" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled mac-address=E4:8D:8C:1F:0A:4B protocol-mode=rstp 
      priority=0 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m



[admin@MikroTik] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                                             BRIDGE                                             PRIORITY  PATH-COST    HORIZON
 0    ether2                                                lan-bridge                                             0x80         10       none
 1    ether3                                                lan-bridge                                             0x80         10       none
 2 I  ether4                                                lan-bridge                                             0x80         10       none
 3 I  ether7                                                lan-bridge                                             0x80         10       none
 4 I  ether8                                                lan-bridge                                             0x80         10       none
 5    ether9                                                lan-bridge                                             0x80         10       none
 6    ether10                                               lan-bridge                                             0x80         10       none
 7 I  ether11                                               CCTV-bridge                                            0x80         10       none
 8    ether12                                               CCTV-bridge                                            0x80         10       none
 9    ether2-vlan-10                                        vlan-10-bridge                                         0x80         10       none
10    vlan-10-int                                           vlan-10-bridge                                         0x80         10       none
11    ether9-vlan-10                                        vlan-10-bridge                                         0x80         10       none
12    ether10-vlan-10                                       vlan-10-bridge                                         0x80         10       none
13    ether5                                                vlan-10-bridge                                         0x80         10       none
14 I  ether6                                                vlan-10-bridge                                         0x80         10       none



[admin@MikroTik] > /interface vlan print 
Flags: X - disabled, R - running, S - slave 
 #    NAME                                                   MTU ARP        VLAN-ID INTERFACE                                                
 0 R  ether2-vlan-10                                        1500 enabled         10 ether2                                                   
 1 R  ether9-vlan-10                                        1500 enabled         10 ether9                                                   
 2 R  ether10-vlan-10                                       1500 enabled         10 ether10                                                  
 3 R  vlan-10-int                                           1500 enabled         10 vlan-10-bridge



[admin@MikroTik] > /interface print      
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  WAN                                 ether            1500  1598       9498 E4:8D:8C:1F:0A:42
 1  RS ether2                              ether            1500  1598       9498 E4:8D:8C:1F:0A:43
 2  RS ether3                              ether            1500  1598       9498 E4:8D:8C:1F:0A:44
 3   S ether4                              ether            1500  1598       9498 E4:8D:8C:1F:0A:45
 4  RS ether5                              ether            1500  1598       9498 E4:8D:8C:1F:0A:46
 5   S ether6                              ether            1500  1598       9498 E4:8D:8C:1F:0A:47
 6   S ether7                              ether            1500  1598       9498 E4:8D:8C:1F:0A:48
 7   S ether8                              ether            1500  1598       9498 E4:8D:8C:1F:0A:49
 8  RS ether9                              ether            1500  1598       9498 E4:8D:8C:1F:0A:4A
 9  RS ether10                             ether            1500  1598       9498 E4:8D:8C:1F:0A:4B
10   S ether11                             ether            1500  1600       9500 E4:8D:8C:1F:0A:4C
11  RS ether12                             ether            1500  1600       9116 E4:8D:8C:1F:0A:4D
12     ether13                             ether            1500  1600       9116 E4:8D:8C:1F:0A:4E
13  R  CCTV-bridge                         bridge           1500  1600            E4:8D:8C:1F:0A:4C
14  RS ether2-vlan-10                      vlan             1500  1594            E4:8D:8C:1F:0A:43
15  RS ether9-vlan-10                      vlan             1500  1594            E4:8D:8C:1F:0A:4A
16  RS ether10-vlan-10                     vlan             1500  1594            E4:8D:8C:1F:0A:4B
17  R  lan-bridge                          bridge           1500  1598            E4:8D:8C:1F:0A:4B
18  R  pppoe-wan                           pppoe-out        1480
19  R  vlan-10-bridge                      bridge           1500  1594            E4:8D:8C:1F:0A:4B
20  R  vlan-10-int                         vlan             1500  1590            E4:8D:8C:1F:0A:4B



[admin@MikroTik] > /ip dhcp-server print
Flags: X - disabled, I - invalid 
 #   NAME                           INTERFACE                         RELAY           ADDRESS-POOL                         LEASE-TIME ADD-ARP
 0   lan-dhcp                       lan-bridge                                        wifi-pool                            8h         yes    
 1   staff-dhcp                     vlan-10-int                                       staff-wifi-pool                      10m        yes



[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                            
 0   10.0.0.1/16        10.0.0.0        ether2                                                                                               
 1   192.168.1.1/24     192.168.1.0     CCTV-bridge                                                                                          
 2   192.168.10.1/24    192.168.10.0    vlan-10-int                                                                                          
 3 D xx.xx.xx.xx/32  10.20.22.121    pppoe-wan

When I torch on ether5, I see tagged traffic for ARP to destination 0.0.0.0. Makes me think a tag is not being dropped somewhere on egress.

Any help would be greatly appreciated.

Hi,

There looks to be an extra interface in there, vlan-10-int, which looks like it is not needed. Try disabling/removing it and assigning the IP address and DHCP server to the bridge, vlan-10-bridge, instead.

Thanks for the reply.

As I understand it, the vlan-10-int (vlan interface) is necessary to terminate tagged traffic and applies a tag onto the IP address 192.168.10.1.

Any other suggestions anyone please?

Basically, bridges just forward frames, and don’t care about vlan tags. So if there’s a way that a tagged frame reaches a bridge, then the bridge will forward it to the destination port(s) with the tag intact. If there’s an untagged frame, then that frame will be forwarded without any tag.

Now, vlan interfaces - think of them as having a “front” side and a “back” side.
The “front” side is whatever interface they’re configured as a sub-interface of.
The “back” side is usually the CPU, but if you add one as a bridge port (not a sub, but a port), then the back of the vlan interface is wired to the bridge.

The front of vlan interfaces transmits any frame that was received from the back side, but adds the vlan-id=XXXX tag to every frame that it transmits onto the media in front of it.
So if it’s a sub of ether4, then any traffic transmitted by it will egress ether4, and with tag XXXX added. Note that this is true even if the original frame was tagged. If a frame with tag WWWW is to be transmitted via a vlan interface, then it will come out double-tagged with XXXX as the outer tag, and WWWW as the inner tag.

The front side of vlan interfaces will listen for frames with the matching vlan-id=XXXX tags. The vlan interface will receive these frames, remove the tag, and transmit the remaining frame via the “back side.” If the “back” side of the interface is added to a bridge as a port, then that bridge will get the un-tagged frame.

So if you have a bridge “my-vlan” with three ports: ether1, ether2, and vlan10-ether3, this means that “my vlan” is untagged on ether1 and ether2, but tagged with whatever the vlan-id is set on vlan10-ether3 (ideally, it would be 10 in order to make sense here).
Note that you could later add another interface “vlan20-ether4” and connect that to ether4… so “my vlan” would be untagged on ether1 and ether2, tagged as 10 on ether3, and tagged as 20 on ether4.


If you have a set of interfaces that you want to act as trunks for all of the same vlans, then you can make a single bridge that connects those interfaces. In this case, if you want to participate in a particular vlan that exists on those interfaces, you’d make a vlan sub-interface of the bridge itself, and put IP addresses / DHCP / etc onto the vlan sub-interface.
If you then also want that vlan to appear un-tagged on some other interface, you’ll need an additional bridge which connects the vlan sub-interface and the physical interface. You would need to move the IP/DHCP/etc settings off of the vlan interface and onto the new bridge, but only for that one particular vlan.
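
The tagging rules described in the reply above, as a small Python model (an added example, not part of the original thread and not RouterOS code). Frames are represented as tuples of VLAN IDs, the port table is the reply's hypothetical "my-vlan" bridge with vlan10-ether3 and vlan20-ether4 attached, and all function names are made up for illustration.

```python
# Toy model (added illustration) of the front/back rules in the reply above.
# A frame is a tuple of VLAN IDs, outermost tag first; () means untagged.

def vlan_tx(vlan_id, frame):
    """Back -> front: the vlan interface pushes its tag, even onto a tagged frame."""
    return (vlan_id,) + tuple(frame)

def vlan_rx(vlan_id, frame):
    """Front -> back: accept only a matching outer tag and strip it; else None."""
    if frame and frame[0] == vlan_id:
        return tuple(frame[1:])
    return None

def to_bridge(port_vlan, wire_frame):
    """Frame arriving from the wire through a bridge port.
    port_vlan is None for a physical port, or the vlan-id of a vlan port."""
    return tuple(wire_frame) if port_vlan is None else vlan_rx(port_vlan, wire_frame)

def flood(ports, in_port, wire_frame):
    """Flood one frame through the bridge; return what each other wire carries."""
    inner = to_bridge(ports[in_port], wire_frame)
    if inner is None:  # the vlan port ignored a frame with the wrong tag
        return {}
    return {name: (inner if vid is None else vlan_tx(vid, inner))
            for name, vid in ports.items() if name != in_port}

# Constructed port table: wire name -> vlan-id of the vlan port on that wire,
# or None when the physical interface itself is the bridge port.
MY_VLAN = {"ether1": None, "ether2": None, "ether3": 10, "ether4": 20}

def demo():
    return {
        "untagged_in_ether1": flood(MY_VLAN, "ether1", ()),
        "tag10_in_ether3": flood(MY_VLAN, "ether3", (10,)),
        "tag30_in_ether1": flood(MY_VLAN, "ether1", (30,)),  # already tagged
        "tag20_in_ether3": flood(MY_VLAN, "ether3", (20,)),  # wrong tag
    }

if __name__ == "__main__":
    for case, wires in demo().items():
        print(case, wires)
```

The `tag30_in_ether1` case is the double-tagging situation from the reply: the bridge passes the existing tag through untouched and each vlan port adds its own tag outside it.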