Vlan with Cisco

Hi,

I need config help.

I have configured VLAN and everything is working fine when I connect the AP (Unifi AP AC LR) to my router directly. The AP has 2 SSID one with VLAN tagging and other without one. The issue is that I have many other APs also. The switch I have is Cisco 3750. Now when I connect the APs to the switch, VLAN does not work. To be exact, the SSID with VLAN tagging does not get any IP and gets stuck at “obtaining IP address”.
For testing I made a VLAN on the switch and moved the connected ports to the configured VLAN. But still nothing; now both SSIDs, the one with VLAN and the one without, get stuck at obtaining IP address. Normally the one without VLAN works fine.

Please help; what should I do? I need to connect the other APs to the Cisco switch.

# apr/30/2023 23:20:56 by RouterOS 7.8
# software id = FL7L-RGXY
#
# model = RBD52G-5HacD2HnD
# serial number = C6140DA04443
#
# Two bridges: "Radius Bridge" (ether5 + both radios, VLAN-filtering on, two
# hotspots backed by RADIUS) and the default "bridge" (ether2-4). Secrets
# (RADIUS secret, wireless keys, hotspot user password) are not present in
# this export, so nothing below shows how they are set.
/interface bridge
# NOTE(review): ether-type=0x9100 is not the 802.1Q default (0x8100). The
# Cisco trunk in this thread uses "switchport trunk encapsulation dot1q",
# which tags with 0x8100. Confirm 0x9100 is intended; if the bridge does not
# recognise 0x8100 frames as tagged, the vlan-ids=21 entry in
# /interface bridge vlan below cannot match traffic from the trunk.
# ingress-filtering=no: frames are not dropped for VLANs the port is not a
# member of -- presumably deliberate while testing; verify.
add ether-type=0x9100 ingress-filtering=no name="Radius Bridge" \
    vlan-filtering=yes
add admin-mac=08:55:31:7E:46:D4 auto-mac=no comment=defconf name=bridge
/interface wireless
# Both radios carry the same SSID and are ports of "Radius Bridge" (see
# /interface bridge port). No security-profile is named here, so presumably
# the default profile applies -- its settings are not shown in this export.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=2452 installation=indoor mode=\
    ap-bridge ssid="Radius Testing" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=5635 \
    installation=indoor mode=ap-bridge ssid="Radius Testing" \
    wireless-protocol=802.11
/interface vlan
# Routed VLAN 21 interface on top of "Radius Bridge"; it carries
# 192.168.223.1/24, dhcp3 and the hs-vlan_21 hotspot defined below.
add interface="Radius Bridge" name=vlan_21 vlan-id=21
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# hsprof1: hotspot on the 172.19.0.0/22 side, RADIUS-authenticated; "trial"
# and mac-cookie logins are allowed, with a 4w2d cookie lifetime.
add hotspot-address=172.19.0.1 html-directory=flash/hotspot \
    http-cookie-lifetime=4w2d login-by=\
    cookie,http-chap,http-pap,trial,mac-cookie name=hsprof1 \
    radius-interim-update=1m use-radius=yes
/ip hotspot user profile
# Profile given to trial users of hsprof2: 7M/7M, 2 shared users, packets
# marked NormalUsers. No /ip firewall mangle section appears in this export,
# so nothing shown here consumes that mark.
add address-list="Normal Users" idle-timeout=12h incoming-packet-mark=\
    NormalUsers !keepalive-timeout mac-cookie-timeout=4w2d name=Residents \
    outgoing-packet-mark=NormalUsers rate-limit=7M/7M shared-users=2
/ip hotspot profile
# hsprof2: hotspot for vlan_21 (192.168.223.0/24); trial logins land in the
# Residents profile above.
add hotspot-address=192.168.223.1 html-directory=flash/hotspot login-by=\
    cookie,http-chap,http-pap,trial,mac-cookie name=hsprof2 \
    trial-user-profile=Residents use-radius=yes
/ip pool
# default-dhcp (192.168.88.x) and dhcp_pool2 (192.168.121.x) are not used by
# any dhcp-server below, and no /ip address exists for either subnet.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=172.19.0.10-172.19.3.254
add name=dhcp_pool2 ranges=192.168.121.2-192.168.121.254
add name=dhcp_pool3 ranges=192.168.222.2-192.168.222.254
add name=dhcp_pool4 ranges=192.168.223.2-192.168.223.254
/ip dhcp-server
# dhcp1 -> "Radius Bridge" (untagged side), dhcp2 -> default bridge,
# dhcp3 -> vlan_21. A client stuck at "obtaining IP address" on the tagged
# SSID is therefore not reaching dhcp3 through vlan_21.
add address-pool=dhcp_pool1 interface="Radius Bridge" lease-time=8h10m name=\
    dhcp1
add address-pool=dhcp_pool3 interface=bridge lease-time=8h10m name=dhcp2
add address-pool=dhcp_pool4 interface=vlan_21 lease-time=8h10m name=dhcp3
/ip hotspot
add address-pool=dhcp_pool1 addresses-per-mac=1 disabled=no idle-timeout=none \
    interface="Radius Bridge" name=hotspot1 profile=hsprof1
add address-pool=dhcp_pool4 addresses-per-mac=1 disabled=no interface=vlan_21 \
    name=hs-vlan_21 profile=hsprof2
/interface bridge port
# No pvid is set on any port, so untagged traffic presumably uses the
# default PVID -- confirm it matches the native VLAN chosen on the Cisco.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
# ether5 is the uplink toward the AP / Cisco trunk; wlan1/wlan2 are the
# local radios. All three are tagged members of VLAN 21 below.
add bridge="Radius Bridge" comment=defconf ingress-filtering=no interface=\
    ether5
add bridge="Radius Bridge" comment=defconf ingress-filtering=no interface=\
    wlan1
add bridge="Radius Bridge" comment=defconf ingress-filtering=no interface=\
    wlan2
/ip neighbor discovery-settings
# The LAN list contains only "bridge" (see /interface list member), so
# neighbor discovery and MAC-server access are not offered on "Radius Bridge".
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# The only VLAN-table entry: VLAN 21 tagged on the CPU port ("Radius Bridge"),
# ether5 and both radios. Untagged/PVID membership is not listed explicitly.
add bridge="Radius Bridge" tagged="Radius Bridge,ether5,wlan1,wlan2" \
    vlan-ids=21
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# md5 is accepted as an OVPN auth digest alongside sha1. Whether the server
# is enabled is not shown in this export; if it is in use, drop md5.
set auth=sha1,md5
/ip address
add address=172.19.0.1/22 interface="Radius Bridge" network=172.19.0.0
add address=192.168.222.1/24 interface=bridge network=192.168.222.0
add address=192.168.223.1/24 interface=vlan_21 network=192.168.223.0
/ip dhcp-client
# WAN address is obtained by DHCP on ether1.
add comment=defconf interface=ether1
/ip dhcp-server lease
# Static leases on the hotspot side; 172.19.3.253 is also hotspot-bypassed
# in /ip hotspot ip-binding below.
add address=172.19.3.254 client-id=1:74:83:c2:90:de:b4 mac-address=\
    74:83:C2:90:DE:B4 server=dhcp1
add address=172.19.3.253 client-id=1:e0:63:da:b0:ad:eb mac-address=\
    E0:63:DA:B0:AD:EB server=dhcp1
/ip dhcp-server network
# 192.168.121.0/24 has no matching /ip address or dhcp-server (see /ip pool).
add address=172.19.0.0/22 dns-server=172.19.0.1 gateway=172.19.0.1
add address=192.168.121.0/24 dns-server=192.168.121.1 gateway=192.168.121.1
add address=192.168.222.0/24 dns-server=192.168.222.1 gateway=192.168.222.1
add address=192.168.223.0/24 dns-server=192.168.223.1 gateway=192.168.223.1
/ip dns
# The router resolves for clients (allow-remote-requests=yes). Because every
# filter rule below is disabled, nothing restricts which interface --
# including WAN/ether1 -- DNS requests may arrive on.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Every rule here, including the defconf input/forward protection, carries
# disabled=yes -- the filter table is effectively empty. The usual defconf
# "drop all not coming from LAN" input rule is not in this export either.
# Re-enable the input-chain rules (accept established/related, drop invalid)
# and add a WAN-input drop before exposing ether1 to the Internet.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# The defconf masquerade rule has no out-interface-list restriction here
# (defconf normally limits it to WAN), so it masquerades all forwarded
# traffic; the two per-network rules after it are redundant with it.
add action=masquerade chain=srcnat comment="defconf: masquerade"
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.19.0.0/22
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.223.0/24
/ip hotspot ip-binding
# This MAC/IP pair skips hotspot authentication entirely (type=bypassed);
# keep such entries few and reviewed.
add address=172.19.3.253 mac-address=E0:63:DA:B0:AD:EB to-address=\
    172.19.3.253 type=bypassed
/ip hotspot user
# Local hotspot user "admin"; no password appears in the export -- verify
# one is set (the export may simply be hiding sensitive values).
add name=admin
/ip service
# Only the API services are disabled here; www/ssh/telnet/ftp/winbox are
# not in the export and so are presumably at defaults -- review them, since
# the input filter above is disabled.
set api disabled=yes
set api-ssl disabled=yes
/radius
# RADIUS server 192.168.68.247 is not in any subnet configured on this
# router (presumably reached via ether1); the shared secret is not shown in
# the export. Hotspot logins fail closed after the 3s timeout.
add address=192.168.68.247 service=hotspot timeout=3s
/system identity
set name="Radius Testing"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I don’t follow your troubleshooting conclusions.

You said it was working when you connect the UAP-AC-LR to the MikroTik Router, but the tagged vlan no longer works when you introduce the Cisco 3750.

Why do you think the problem is on the MikroTik side instead of the Cisco side?

What do you get on the Cisco 3750 when you use the (non-config mode) show vlan command ?

How To Configure VLANs On the Catalyst Switches Cisco docs

Configuring VLANs on Cisco Switches Ed Harmoush

Hint, you need to create “trunk” ports on the C3750 that allow both the untagged vlan (aka “Native vlan”) and vlan21. These trunk ports need to be connected to each UAP and to ether5 of your MikroTik.

See Ed’s article. He also has other useful vlan info. See his vlans-index.

I didn't say that the problem is exactly with MikroTik; I just needed help.

Why do you think the problem is on the MikroTik side instead of the Cisco side?

You gave the hint

Hint, you need to create “trunk” ports on the C3750 that allow both the untagged vlan

For that I want to say, “THANK YOU BROTHER” :slight_smile:

I know I need to learn; thank you for pointing me in the right direction. I am going to do that and will contact you again if I need help. Please don't get upset with my questions :slight_smile:

Please ignore my ignorance and help me.

I have configured a port, i.e. Port 2, as a trunk. What I did was:

#interface gigabitEthernet0/2
! Trunk toward the MikroTik ether5. VLAN 21 must already exist in the VLAN
! database ("show vlan brief" should list it) or the trunk carries VLAN 1 only.
#switchport trunk encapsulation dot1q
#switchport mode trunk
! Native (untagged) VLAN 1 carries the untagged SSID; the thread notes that
! using VLAN 1 for data is discouraged -- pick a dedicated native VLAN.
#switchport trunk native vlan 1
! Allowed list pruned to the two VLANs in use. A "mode trunk" port still
! sends DTP frames; add "switchport nonegotiate" to turn DTP off, as the
! thread recommends.
#switchport trunk allowed vlan 1,21

This port is connected to the MikroTik.

Now the AP is connected to port 24

#interface gigabitEthernet0/24
! AP-facing port, configured identically to gigabitEthernet0/2: native VLAN 1
! for the untagged SSID, VLAN 21 tagged for the other SSID.
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk native vlan 1
! Same DTP caveat as on gigabitEthernet0/2: "switchport nonegotiate" disables
! trunk negotiation on this manually configured trunk.
#switchport trunk allowed vlan 1,21

I haven't checked it, as I am not on site; I did the settings remotely. I will ask someone to check tomorrow. But please tell me if these are correct.

Is that all that is needed?

P.S. Do I need to create vlan21 on the Cisco?

Use the non-config mode command: show vlan br

It needs to show the vlans you are using. If they don’t show up, you skipped Creating the VLAN in the VLAN Database

If it shows both 1 and 21, then it should work.

But notice how many ports are members of vlan 1 (default). Maybe that’s fine in your case, but the default is that every port is a member of vlan 1.

Note that best practice is to not use vlan 1 for your data. So best practice is to define another vlan as the native vlan used by the UAP. (The UAP may think it is vlan 1, but the switch will consider it to be something else).

One more note about vlans on Cisco. I am not a big fan of DTP (auto negotiation of trunking mode). If you search for DTP hacking you will see why.

Most of your ports on the switch will normally be access ports, and you should explicitly set them to access mode. For the others, you should explicitly set the mode to trunk, and it is best to limit (“prune”) the allowed vlans to what is really needed. Best practice is to disable unused ports in a production environment.

See Dynamic Trunking Protocol which discusses it and how to disable it.

This isn’t covered in Ed’s article, and it is a time saver when configuring many ports on the switch with the same command. He does mention it in the comments section as a response to a user’s question, and has a link to another of his articles that does use it here.

Here is the Cisco reference: Interface Range Specification

I am going to have the switch with me and will do the settings. At the moment I have replaced it with my beloved MikroTik switch and it is working fine. But I don't have more MikroTik switches, so I have to do the Cisco thing. I will contact you once I have done what you have told me to do.

Many thanks for this.

But why are you asking about how to configure Cisco switches on a MikroTik forum? There are better places to find information about how to configure the Cisco switches.

Since Cisco is the “defacto” standard, there is much more info available on the Web than there is for MikroTik.

I would be less surprised to see someone coming from Cisco with a config that works on the Cisco and asking how to achieve it with a MikroTik switch, than what you have done.

Really, you should be able to find what you need on the web in the multiple Cisco VLAN configuration tutorials available. What you are looking for is a trunk with a native vlan. The native vlan is the untagged vlan on the trunk link.

You should also be able to find the reasons that vlan 1 is best to avoid for your data.

Brother, to be honest, I was totally blank and needed advice. I didn't think of anywhere else besides this forum. I needed someone to guide me in the right direction, which you did, and I am thankful for that.