TimW
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 4:33 pm

Management VLAN on bridged CCR

Sat Mar 05, 2016 4:53 pm

Hi Everyone,

We are new to MikroTik hardware and recently bought a CCR-1009-8g-1s-1s+.
Great device in terms of performance we tested for the price; however, we have one issue,
which is the management VLAN in the datacenter.

I will explain a bit more about our situation so you will understand our issue.

We want to use the CCR for filtering purposes only, so we only created a bridge
on this device and enabled some firewall rules to block SMTP.

The bridge contains the interfaces "sfp-sfpplus1" to the datacenter router and "bond1", which is an 802.11ad bonding
between ether3 and ether4 to our switch.

When the bridge is created without any VLANs in RouterOS itself everything should work as expected.
We can use the 10G fiber uplink and bonding to our switch without any issues.
We have two VLANs in the datacenter which are assigned to us. VLAN205 and VLAN206.

The problem: How do we assign an IP which is in VLAN206 as management IP
in bridge mode so we can remotely manage the device?

Thanks in advance,

Tim
 
ruwi000
just joined
Posts: 13
Joined: Fri Apr 24, 2015 5:39 pm

Re: Management VLAN on bridged CCR

Mon Mar 07, 2016 6:22 pm

Would something like this work? (The interfaces are just an example.) You add the VLAN interface to the bridge and put an IP on it.

First create the bridge:
/interface bridge
add name=test
/interface bridge port
add bridge=test interface=ether1
add bridge=test interface=ether2

Then add the vlan to the bridge:
/interface vlan
add interface=test name=vlan206 vlan-id=206

Add an IP to the vlan:
/ip address
add address=1.1.1.1/24 interface=vlan206 network=1.1.1.0

PS: interfaces 1,2,3,4 are behind the internal switch that is uplinked to the CPU on a 1G interface. For performance it is better to bond with interfaces 5,6,7,8 that have direct 1G links to the CPU.
 
TimW
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 4:33 pm

Re: Management VLAN on bridged CCR

Mon Mar 07, 2016 9:30 pm

> Would something like this work? (the interfaces are just as example) you add the vlan interface to the bridge and put an IP on it.
>
> First create the bridge:
> /interface bridge
> add name=test
> /interface bridge port
> add bridge=test interface=ether1
> add bridge=test interface=ether2
>
> Then add the vlan to the bridge:
> /interface vlan
> add interface=test name=vlan206 vlan-id=206
>
> Add an IP to the vlan:
> /ip address
> add address=1.1.1.1/24 interface=vlan206 network=1.1.1.0
>
> PS: interfaces 1,2,3,4 are behind the internal switch that is uplinked to the CPU on a 1G interface. For performance it is better to bond with interfaces 5,6,7,8 that have direct 1G links to the CPU.

Thanks for your response. I did add a VLAN to the bridge before, but this dropped all traffic on the network itself, so I had to remove the VLANs afterwards. I also couldn't create two bridges with the same sfp-sfpplus1 uplink, so this didn't work. The only thing I need is to set an IP as management IP which is on VLAN206. So I don't want to route the whole VLAN. On our EdgeSwitch there is a simple option called "Management VLAN ID" but I can't find this on the MikroTik Router.

Since the datacenter is about 80km away I can't test the setup you made right now and have an idea it will not work because it's similar to the things I tried.
Thanks for the recommendation on the bonding interfaces, will fix that asap and hope to fix this issue as well, router is kinda useless right now :(
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Management VLAN on bridged CCR

Mon Mar 07, 2016 10:03 pm

Using a single bridge with a VLAN interface attached is definitely the correct way to do this. I'm not sure what broke in your configuration - could there be input chain firewall rules that suddenly blocked your access? If you move the IP address to another interface, then certainly any rules which referenced the old interface won't match anymore....

It should DEFINITELY not break anything to simply create the interface without associating any IP addresses, dhcp client/server configurations / firewall rules with it. It's just going to sit there and do nothing but transmit and receive neighbor discovery messages by default.

If you want two bridges, then what you have to do is put a vlan interface on each physical interface (or bonding interface in your case) that should have the VLAN available to it, and then add the vlan interfaces to the bridge, and put the IP address for each vlan onto the bridge interface.

I'd recommend the first method - and if you're worried about an 80km drive, you could use safe mode - click the safe mode button, and all changes will be temporary until you un-click the safe mode button. If you get kicked out of the router due to a problem with your configuration changes, then when the session times out, the router will automatically revert to the state it was in when you first enabled safe mode. Read the wiki/docs for more information, as this might be helpful for you if you're worried about configuration problems isolating the router from you.
 
TimW
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 4:33 pm

Re: Management VLAN on bridged CCR

Mon Mar 07, 2016 11:41 pm

> using a single bridge with a VLAN interface attached is definitely the correct way to do this. I'm not sure what broke in your configuration - could there be input chain firewall rules that suddenly blocked your access? If you move the IP address to another interface, then certainly any rules which referenced the old interface won't match anymore....
>
> It should DEFINITELY not break anything to simply create the interface without associating any IP addresses, dhcp client/server configurations / firewall rules with it. It's just going to sit there and do nothing but transmit and receive neighbor discovery messages by default.
>
> If you want two bridges, then what you have to do is put a vlan interface on each physical interface (or bonding interface in your case) that should have the VLAN available to it, and then add the vlan interfaces to the bridge, and put the IP address for each vlan onto the bridge interface.
>
> I'd recommend the first method - and if you're worried about an 80km drive, you could use safe mode - click the safe mode button, and all changes will be temporary until you un-click the safe mode button. If you get kicked out of the router due to a problem with your configuration changes, then when the session times out, the router will automatically revert to the state it was in when you first enabled safe mode. Read the wiki/docs for more information, as this might be helpful for you if you're worried about configuration problems isolating the router from you.

Well, I only need to configure a VLAN for the management IP only since I'm blind now remotely and can't use an IP in VLAN206 as management IP like I said before. That's why I can't ssh/winbox/http to the Router itself. I have to make the drive soon, but I really want to know what's going on before I go there again. I can't find the management IP option on the system itself when I access it locally via MAC in Winbox. Only on the quick setup page and I want a clean config..

The only thing that I need asap is setting an IP from VLAN206 (which is assigned to us from the core cisco router) on the MikroTik Router for remote management.
I think those are two short commands, but I can't find them in the documentation (only in the switch documentation)..
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Management VLAN on bridged CCR

Tue Mar 08, 2016 12:51 am

Honestly, there's no such thing as a "management interface" or "management address" in MikroTik. Any interface address is as good as another as far as a MikroTik's concerned.

If your box is a bridge, connecting two interfaces (sfpplus-1 and bond1) then this bridge will pass tagged and untagged frames alike between these two interfaces. If you create a VLAN interface:
/interface vlan add name=mgmt vlan-id=206 interface=bridge1

and then put an IP address on it:
/ip address add interface=mgmt address=a.b.c.d/m

and set a default GW route (assuming .1 is the gateway for the management VLAN):
/ip route add dst=0.0.0.0/0 gateway=a.b.c.1

- of course this assumes that the bonding group / 10Gbit interfaces are connected to devices that are using this link as a trunk. If they're only passing un-tagged traffic through the CCR, then you can't do it this way, but it will actually be easy to make a management interface - just pick any other ethernet interface, put the management IP there instead of on the bridge, and connect that interface to some switch where you're connecting the management interfaces of the rest of your gear at the facility. Set the default GW as per above, regardless of which interface mechanism you choose.

And don't worry about the CCR trying to forward traffic from the transparent firewall bridge to the management interface - as long as you don't have an IP address on the bridge interface.
 
TimW
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 4:33 pm

Re: Management VLAN on bridged CCR

Tue Mar 08, 2016 1:59 pm

> Honestly, there's no such thing as a "management interface" or "management address" in Mikrotik. Any interface address is as good as another as far as a Mikrotik's concerned.
>
> If your box is a bridge, connecting two interfaces (sfpplus-1 and bond1) then this bridge will pass tagged and untagged frames alike between these two interfaces. If you create a VLAN interface:
> /interface vlan add name=mgmt vlan-id=206 interface=bridge1
>
> and then put an IP address on it:
> /ip address add interface=mgmt address=a.b.c.d/m
>
> and set a default GW route:
> /ip route add dst=0.0.0.0/0 gateway=a.b.c.1 (assuming .1 is the gateway for the management VLAN)
>
> - of course this assumes that the bonding group / 10Gbit interfaces are connected to devices that are using this link as a trunk. If they're only passing un-tagged traffic through the CCR, then you can't do it this way, but it will actually be easy to make a management interface - just pick any other ethernet interface, put the management IP there instead of on the bridge, and connect that interface to some switch where you're connecting the management interfaces of the rest of your gear at the facility. Set the default GW as per above, regardless of which interface mechanism you choose.
>
> And don't worry about the CCR trying to forward traffic from the transparent firewall bridge to the management interface - as long as you don't have an IP address on the bridge interface.

I think I forgot to set the default gateway! That is probably the problem, but would this matter if I have two VLANs with different gateways, or should I only set the gateway for the VLAN I would like to use for management?

Also if my management IP will be 10.80.82.90 should I use
/ip address add interface=mgmt address=10.80.82.90/27
or
/ip address add interface=mgmt address=10.80.82.90/32

Since I found different methods in the wikis.

Thanks in advance for your help. If the gateway command is not an issue, I will visit the datacenter asap and will let you know if this worked.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Management VLAN on bridged CCR

Tue Mar 08, 2016 4:27 pm

> if I have two VLANs with different gateways, or should I only set the gateway for the VLAN I would like to use for management?
>
> Also if my management IP will be 10.80.82.90 should I use
> /ip address add interface=mgmt address=10.80.82.90/27
> or
> /ip address add interface=mgmt address=10.80.82.90/32
>
> Since I found different methods in the wiki's.
>
> Thanks in advance for your help, If the gateway command is not an issue I will visit the datacenter asap and will let you know if this worked.

Use the actual netmask of the network the device is participating in - use /27.
Since the router is acting as a transparent bridge on the main vlan, it's not participating in IP, so no routes are needed (nor would they be able to affect) on the other vlan(s) in the router.
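
Added example, not part of the original thread: a short Python check of the /27 versus /32 question above, showing what each prefix implies for the management subnet and whether a default gateway would be directly reachable. The gateway 10.80.82.65 is a constructed placeholder (the thread never states the real gateway), and the function names are hypothetical.

```python
import ipaddress

def subnet_facts(address_cidr):
    """Network, broadcast and usable host range implied by address/prefix."""
    net = ipaddress.ip_interface(address_cidr).network
    if net.num_addresses > 2:
        first, last = net.network_address + 1, net.broadcast_address - 1
    else:  # /31 and /32 have no separate network/broadcast addresses
        first, last = net.network_address, net.broadcast_address
    return {
        "network": str(net),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
    }

def gateway_problems(address_cidr, gateway):
    """Return reasons why `gateway` cannot serve as next hop for this address."""
    iface = ipaddress.ip_interface(address_cidr)
    net, gw = iface.network, ipaddress.ip_address(gateway)
    problems = []
    if gw == iface.ip:
        problems.append("gateway is the device's own address")
    if gw not in net:
        # With /32 the subnet holds only the device itself, so no
        # gateway address can ever be on-link.
        problems.append(f"gateway {gw} is outside {net}: not directly reachable")
    elif net.num_addresses > 2 and gw in (net.network_address,
                                          net.broadcast_address):
        problems.append("gateway is the network or broadcast address")
    return problems

if __name__ == "__main__":
    GATEWAY = "10.80.82.65"  # constructed placeholder, not from the thread
    for candidate in ("10.80.82.90/27", "10.80.82.90/32"):
        print(candidate, subnet_facts(candidate))
        print("  problems:", gateway_problems(candidate, GATEWAY) or "none")
```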
 
TimW
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 4:33 pm

Re: Management VLAN on bridged CCR

Tue Mar 08, 2016 5:00 pm

> > if I have two VLANs with different gateways, or should I only set the gateway for the VLAN I would like to use for management?
> >
> > Also if my management IP will be 10.80.82.90 should I use
> > /ip address add interface=mgmt address=10.80.82.90/27
> > or
> > /ip address add interface=mgmt address=10.80.82.90/32
> >
> > Since I found different methods in the wiki's.
> >
> > Thanks in advance for your help, If the gateway command is not an issue I will visit the datacenter asap and will let you know if this worked.
>
> Use the actual netmask of the network the device is participating in - use /27
> Since the router is acting as a transparent bridge on the main vlan, it's not participating in IP, so no routes are needed (nor would they be able to affect) on the other vlan(s) in the router.

Thanks! I will test this later this week and will reply back with my findings!
 
TimW
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 4:33 pm

Re: Management VLAN on bridged CCR

Sun Mar 13, 2016 9:49 pm

Unfortunately no success.. The router won't use 10.80.82.90 as its management IP..
I even tried putting that IP on ether7 and connecting ether7 directly to a port on the switch (untagged)
but that didn't work either. Also when I connect with Winbox via MAC the IP shows up as 0.0.0.0
