Hi all,
I’ve been looking into segregating management traffic in my network, and have broadly taken the following steps:
- Set up a dedicated management bridge (bridge ports, bridge vlan)
- Set up a VLAN interface (interface vlan)
- Set up a VRF including the access ports and the VLAN interface with a suitable routing-mark
The full config is below:
# jan/04/2002 23:09:06 by RouterOS 6.46.4
# software id = HJ6N-2UT9
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxxx
/interface bridge
add frame-types=admit-only-vlan-tagged name=internal vlan-filtering=yes
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=mgt pvid=10 vlan-filtering=yes
/interface vlan
add interface=internal name=VLAN100 vlan-id=100
add interface=mgt name=VLAN200 vlan-id=200
/interface bridge port
add bridge=internal hw=no interface=ether3 pvid=100
add bridge=internal hw=no interface=ether4 pvid=100
add bridge=mgt ingress-filtering=yes interface=ether11 pvid=200
add bridge=mgt interface=ether12 pvid=200
/interface bridge settings
set allow-fast-path=no
/interface bridge vlan
add bridge=internal tagged=internal untagged=ether3,ether4 vlan-ids=100
add bridge=mgt tagged=mgt untagged=ether11,ether12 vlan-ids=200
/ip address
add address=192.168.68.1/24 interface=VLAN100 network=192.168.68.0
add address=192.168.69.1/24 interface=VLAN200 network=192.168.69.0
/ip route
add distance=1 routing-mark=mgt type=blackhole
/ip route vrf
add interfaces=ether11,ether12,VLAN200 routing-mark=mgt
/system routerboard settings
set boot-os=router-os
The configuration looks ok…
/interface bridge port
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 I ether3 internal no 100 0x80 10 10 none
1 I ether4 internal no 100 0x80 10 10 none
2 H ether11 mgt yes 200 0x80 10 10 none
3 I H ether12 mgt yes 200 0x80 10 10 none
/interface bridge vlan
/interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 internal 100 internal
1 mgt 200 mgt ether11
/ip route vrf
/ip route vrf print
Flags: X - disabled, I - inactive
0 routing-mark=mgt interfaces=ether11,ether12,VLAN200
/ip route
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A SB dst-address=0.0.0.0/0 type=blackhole distance=1 routing-mark=mgt
1 ADC dst-address=192.168.69.0/24 pref-src=192.168.69.1 gateway=VLAN200 gateway-status=VLAN200 reachable distance=0 scope=10 routing-mark=mgt
2 ADC dst-address=192.168.68.0/24 pref-src=192.168.68.1 gateway=VLAN100 gateway-status=VLAN100 reachable distance=0 scope=10
Issue:
The problem is that when I connect to a management access port I can ping both the VLAN200 (mgt) interface and the VLAN100 (main) interface; I’m not expecting to be able to hit the VLAN100 interface as that’s outside the mgt VRF.
I’m obviously not understanding something here.
Debug:
I’ve (separately) added ip firewall mangle log actions to try to debug the packet processing:
/ip firewall mangle
add action=log chain=input log-prefix=fm-input
add action=log chain=prerouting log-prefix=fm-prerouting
add action=log chain=output log-prefix=fm-output
add action=log chain=forward log-prefix=fm-forward
add action=log chain=postrouting log-prefix=fm-postrouting
with the following results:
ping -c 1 192.168.69.1 (from the connected device):
23:28:32 firewall,info fm-prerouting prerouting: in:VLAN200 out:(unknown 0), src-mac 64:4b:f0:2b:2b:6c, proto ICMP (type 8, code 0), 192.168.69.2->192.168.69.1, len 84
23:28:32 firewall,info fm-input input: in:VLAN200 out:(unknown 0), src-mac 64:4b:f0:2b:2b:6c, proto ICMP (type 8, code 0), 192.168.69.2->192.168.69.1, len 84
23:28:32 firewall,info fm-output output: in:(unknown 0) out:VLAN200, proto ICMP (type 0, code 0), 192.168.69.1->192.168.69.2, len 84
23:28:32 firewall,info fm-postrouting postrouting: in:(unknown 0) out:VLAN200, proto ICMP (type 0, code 0), 192.168.69.1->192.168.69.2, len 84
ping -c 1 192.168.68.1 (from the connected device):
23:28:37 firewall,info fm-prerouting prerouting: in:VLAN200 out:(unknown 0), src-mac 64:4b:f0:2b:2b:6c, proto ICMP (type 8, code 0), 192.168.69.2->192.168.68.1, len 84
23:28:37 firewall,info fm-input input: in:VLAN200 out:(unknown 0), src-mac 64:4b:f0:2b:2b:6c, proto ICMP (type 8, code 0), 192.168.69.2->192.168.68.1, len 84
23:28:37 firewall,info fm-output output: in:(unknown 0) out:VLAN200, proto ICMP (type 0, code 0), 192.168.68.1->192.168.69.2, len 84
23:28:37 firewall,info fm-postrouting postrouting: in:(unknown 0) out:VLAN200, proto ICMP (type 0, code 0), 192.168.68.1->192.168.69.2, len 84
Can anybody offer insights as to what I’m doing wrong (or have misunderstood here) or anything else I can do to try to debug the situation myself?
Thanks in advance
Paul
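As an added example (not part of Paul's post or of RouterOS itself), the following Python check parses the mangle log lines above and flags input-chain packets that arrived on an interface of one VRF but were addressed to an IP owned by another; the interface/prefix grouping is taken from the posted config, and the grouping into "mgt" and "main" is an assumption for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Interfaces and prefixes that belong to each VRF, taken from the posted config.
# The grouping into "mgt" and "main" is an assumption for this example.
VRFS = {
    "mgt":  {"interfaces": {"VLAN200", "ether11", "ether12"},
             "prefixes": [ip_network("192.168.69.0/24")]},
    "main": {"interfaces": {"VLAN100"},
             "prefixes": [ip_network("192.168.68.0/24")]},
}

# Matches the RouterOS firewall log format produced by the mangle log rules.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\(unknown \d+\)|\S+) out:(?P<out_if>\(unknown \d+\)|\S+), "
    r".*?(?P<src>\d{1,3}(?:\.\d{1,3}){3})->(?P<dst>\d{1,3}(?:\.\d{1,3}){3}), len (?P<len>\d+)$"
)

def vrf_of_interface(ifname):
    for name, vrf in VRFS.items():
        if ifname in vrf["interfaces"]:
            return name
    return None

def vrf_of_address(addr):
    for name, vrf in VRFS.items():
        if any(addr in p for p in vrf["prefixes"]):
            return name
    return None

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_cross_vrf(log_text):
    """Return input-chain packets that entered on one VRF's interface but
    target a router address that belongs to a different VRF."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["chain"] != "input":
            continue
        in_vrf = vrf_of_interface(rec["in_if"])
        dst_vrf = vrf_of_address(ip_address(rec["dst"]))
        if in_vrf and dst_vrf and in_vrf != dst_vrf:
            findings.append({"time": rec["time"], "in_if": rec["in_if"], "src": rec["src"],
                             "dst": rec["dst"], "in_vrf": in_vrf, "dst_vrf": dst_vrf})
    return findings

# Sample input: the two input-chain lines quoted in the post.
SAMPLE_LOG = """\
23:28:32 firewall,info fm-input input: in:VLAN200 out:(unknown 0), src-mac 64:4b:f0:2b:2b:6c, proto ICMP (type 8, code 0), 192.168.69.2->192.168.69.1, len 84
23:28:37 firewall,info fm-input input: in:VLAN200 out:(unknown 0), src-mac 64:4b:f0:2b:2b:6c, proto ICMP (type 8, code 0), 192.168.69.2->192.168.68.1, len 84
"""

if __name__ == "__main__":
    for f in find_cross_vrf(SAMPLE_LOG):
        print(f"{f['time']} {f['in_if']} ({f['in_vrf']}) -> {f['dst']} ({f['dst_vrf']}): crosses VRF boundary")
```

Run against a longer export of the fm-input log to list every flow that reaches a router address outside the VRF of the ingress interface; an empty result means the isolation holds for the traffic observed.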