I have a Mikrotik connected to a switch via a trunk and I can connect all the way back to the main router (Juniper SRX300) via this trunk via ethernet. I have one ethernet port on vlan 120 and another on vlan 121. The Juniper is the DHCP server. So far, so good.
What I want to do is associate a wireless SSID with vlan 120 and another SSID with vlan 121. How do I do this?
When I associated an ethernet port with a vlan, I did this:
```text
/interface bridge port add interface="vlan-120" bridge="br-vlan120" disabled=no
/interface bridge port add interface="ether4" bridge="br-vlan120" disabled=no
```
What is the equivalent command for a wifi interface?
If you configure the wireless interfaces directly, the command is the same:
```text
/interface bridge port
add interface=wlan1 bridge=vlan120
add interface=wlan2 bridge=vlan121
```
`wlan1` is a “physical” AP using one SSID, `wlan2` is a virtual AP using the same hardware as wlan2 but with a different SSID and MAC address.
If you configure the wireless interfaces using CAPsMAN, you define the bridge to be connected to in CAPsMAN configuration for the interface (directly or using the Datapath), and you do not need to use the commands above.
You can assign VLANs to a wireless interface or to access list items, and connected clients then work like they’re connected to an untagged access port with the given ID. So nothing changes for them, but if you bridge a physical (or virtual) wlan interface with another trunk port, it just works without any other config. If you have an AP that itself doesn’t need to be part of a VLAN, you don’t need to define anything related to VLANs anywhere else.
One last question please. I use VLAN1 as a management VLAN and all my switches and routers have an IP address in VLAN1 for that purpose. I have tried any one of a number of combinations here but can’t quite get to the solution; just not reachable from any of the other managed devices. Any suggestions?
Make sure your trunk port is a tagged member of your management VLAN.
Ideally, avoid the use of VLAN ID 1, which seems to correspond to the default VLAN ID of Mikrotik, therefore used for untagged traffic. Like some other devices, this common default VLAN ID either does not behave exactly like other VLAN IDs or behaves differently with other manufacturers’ devices, in my limited experience.
If in doubt, experiment with another VLAN ID or if still having issues post the result of
You haven’t provided enough information so people have to guess.
A diagram usually makes things much clearer, but: your 'tik is connected to the SRX using a cable. On that cable, there are VLANs 101 and 102 tagged, that’s for sure because it works. The question is whether VLAN 1 comes from the SRX (and is expected there) tagged or tagless. Depending on that we have to choose the proper configuration at 'tik side.
Each of those connections is a VLAN trunk. I use VLAN1 as the management VLAN for all switches in this network (there are many others in the network, but this is good for this discussion). I can get to the Dell and the Cisco over that VLAN using the IP addresses assigned to them. I want to include the Mikrotik in this management VLAN.
On the Mikrotik, I created an interface called vlan1 with a vlan id of 1. VLAN 1 is added to the trunk connecting the Mikrotik to the Cisco just like the other VLANs.
I gave the interface named vlan1 an IP address in the same subnet as the other devices that are connected in the VLAN. However, I am not getting connectivity to the Mikrotik. I’m sure there’s a way to do this, but I’m going about it incorrectly. A little guidance would be appreciated.
So you confirm that VLAN 1 goes out tagged from the Cisco? Because Cisco loves to have VLAN 1 as the “native VLAN” on the trunk, meaning that it gets untagged on egress.
> On the Mikrotik, I created an interface called vlan1 with a vlan id of 1. VLAN 1 is added to the trunk connecting the Mikrotik to the Cisco just like the other VLANs.
>
> I gave the interface named vlan1 an IP address in the same subnet as the other devices that are connected in the VLAN. However, I am not getting connectivity to the Mikrotik. I'm sure there's a way to do this, but I'm going about it incorrectly. A little guidance would be appreciated.
This was what both @squeeze and I are trying to provide :slight_smile:
There are actually just a few possibilities:
1. VLAN 1 packets come tagless from the Cisco. If this is the case, you should attach the IP address you've currently attached to interface `vlan-1` directly to interface `ether1`. Because the other possibility (`pvid=1` causing trouble) would be relevant if `ether1` would be a member port of some bridge which is not the case.
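
The tagged-versus-tagless distinction discussed above, as an added Python example (not code from the thread or from MikroTik): it parses the 802.1Q tag of constructed sample frames and models which interface of a non-bridged port receives each one, showing why an address on `vlan1` never sees frames that arrive untagged on the native VLAN. The interface name `vlan-121`, the MAC address and all function names are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(vid=None):
    """Constructed sample frame: broadcast ARP, optionally 802.1Q-tagged."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # made-up locally administered MAC
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return dst + src + tag + struct.pack("!H", 0x0806) + bytes(28)

def vlan_tag(frame):
    """Return the VLAN ID carried in the frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VID; the top 4 are PCP/DEI

def receiving_interface(frame, port, vlan_ifaces):
    """Simplified model of a port that is not in a bridge: a tagged frame is
    handed to the VLAN interface with the matching ID, an untagged frame to
    the port itself. Returns None when no interface matches (frame ignored)."""
    vid = vlan_tag(frame)
    return port if vid is None else vlan_ifaces.get(vid)

# Interface names from the thread; "vlan-121" is assumed by analogy.
VLAN_IFACES = {1: "vlan1", 120: "vlan-120", 121: "vlan-121"}

def demo():
    cases = {
        "native VLAN 1, sent tagless": build_frame(),
        "VLAN 1, sent tagged": build_frame(1),
        "VLAN 120, sent tagged": build_frame(120),
    }
    return {name: receiving_interface(f, "ether1", VLAN_IFACES)
            for name, f in cases.items()}

if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name:30} -> {iface}")
```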
With your explanation regarding Cisco stripping the tag on native VLAN1, what squeeze said now makes sense.
I tried turning on/off vlan dot1q tag native on the Cisco, also without any help. I then tried adding the IP address directly to ether1 but that did not help either. Perhaps I should look at using a different VLAN for management as squeeze suggested.