This question came up after attempts to make this config even 'better'. I put 'better' in quotes because the setup is working according to client spec, but it would be nice to get it done the way I like. So I hope to gain some valuable insights and suggestions from the forum.
Network is a multi-tenant, co-working space with various units. Each unit receives its own private /24 over Cat6 Ethernet, and dynamically assigned VLANs via Radius WPA-PEAP ensure that clients land in their own VLAN while using WiFi. The stack is made up of 1xCCR1009, 6xCRS326, 2xCRS112PoE, 8xwap ac & 1 Radius server, all running 6.42.1 RouterOS/Boot. The stack is not running (M)STP.
Management Vlan 666 lives on Bridge called 'Core' together with IP config plus DHCP. Bridge Core is also CapsMAN enabled, it contains the management vlan as slaveport that feeds the switches. All clients have their own bridge (405,406 etc) that connect to the respective CapsMAN vlan and the switch vlan.
The reason for this post is that I would like to extend the Bridge-VLAN based approach to also include the CCR1009. In the current situation there is a demarcation between the CCR and the rest of
My guess is that it is related to CPU access when enabling vlan-filtering. I have tried adding the bridge as a member of all the VLANs throughout the network. However, CPU access should not be necessary for the customer VLANs on the CRS326, since those only serve access ports to clients.
Thanks, Alex
CCR1009 (bridge vlan-filtering is disabled)
# CCR1009 router: one bridge per tenant (br405..br409) plus the 'Core' bridge.
# No vlan-filtering parameter is set on any bridge here; tenant separation
# relies on the per-VLAN interfaces defined further down being bridged pairwise.
# protocol-mode=none turns off (R)STP on every bridge, so nothing in this
# listing blocks a layer-2 loop.
# NOTE(review): confirm loop protection exists elsewhere in the stack.
/interface bridge
add fast-forward=no name=Core protocol-mode=none
add fast-forward=no name=br405 protocol-mode=none
add fast-forward=no name=br406 protocol-mode=none
add fast-forward=no name=br407 protocol-mode=none
add fast-forward=no name=br408 protocol-mode=none
add fast-forward=no name=br409 protocol-mode=none
# Each tenant bridge joins the switch-side VLAN interface (s1.vlanNNN) with the
# wireless-side VLAN interface (caps.vlanNNN).
# NOTE(review): the ports reference bridge=br405-cust1, but the bridge defined
# above is named br405 -- presumably shortened for the post; the names must
# match on the device.
/interface bridge port
add bridge=br405-cust1 interface=s1.vlan405
add bridge=br405-cust1 interface=caps.vlan405
# The next line is the poster's placeholder for the remaining tenants, not
# RouterOS syntax.
.. similar port config per customer ..
# Core carries the management VLAN 666 sub-interface of the switch uplink and
# the RADIUS server port.
# NOTE(review): with vlan-filtering off, tagged wireless-client frames (see the
# CAPsMAN datapath below) and untagged management traffic share this bridge;
# confirm that flooding of tagged frames towards ether6 and s1.core666 is
# acceptable for tenant isolation.
add bridge=Core interface=s1.core666
add bridge=Core interface=ether6 comment="Radius uplink"
/interface bridge settings
set allow-fast-path=no
# caps.vlanNNN: VLAN interfaces on top of Core, one per tenant VLAN ID.
# s1.*: VLAN interfaces on the sfp-sfpplus1 uplink (tenant VLANs plus
# management VLAN 666).
/interface vlan
add interface=Core name=caps.vlan405 vlan-id=405
add interface=Core name=caps.vlan406 vlan-id=406
add interface=Core name=caps.vlan407 vlan-id=407
add interface=Core name=caps.vlan408 vlan-id=408
add interface=Core name=caps.vlan409 vlan-id=409
add interface=sfp-sfpplus1 name=s1.core666 vlan-id=666
add interface=sfp-sfpplus1 name=s1.vlan405 vlan-id=405
add interface=sfp-sfpplus1 name=s1.vlan406 vlan-id=406
add interface=sfp-sfpplus1 name=s1.vlan407 vlan-id=407
add interface=sfp-sfpplus1 name=s1.vlan408 vlan-id=408
add interface=sfp-sfpplus1 name=s1.vlan409 vlan-id=409
# Wireless client traffic is attached to Core with a VLAN tag (use-tag).
# NOTE(review): no vlan-id is set on the datapath; presumably the tag comes
# from the RADIUS reply per client, as the post describes -- confirm what
# happens to a client for which RADIUS returns no VLAN.
/caps-man datapath
add bridge=Core name=RadiusDatapath vlan-mode=use-tag
# WPA2-Enterprise with AES-CCM; eap-methods=passthrough hands the EAP exchange
# to the RADIUS server.
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=Radius
# NOTE(review): the ssid value contains an unquoted space; on the console it
# would need quotes (ssid="VLAN WiFi") -- presumably lost when posting.
/caps-man configuration
add country=netherlands datapath=RadiusDatapath distance=indoors mode=ap multicast-helper=full name=RadiusConfig security=Radius ssid=VLAN WiFi
# Switch with bridge VLAN filtering enabled (the device is not named on the
# page; the port layout suggests one of the CRS326 units -- TODO confirm).
# protocol-mode=none: no (R)STP on this bridge.
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
# pvid assigns untagged ingress traffic to the tenant VLAN of each access port.
# The two SFP+ ports carry no pvid here and act as trunks (see the VLAN table).
# NOTE(review): neither frame-types nor ingress-filtering is set on the
# tenant-facing ports, so the RouterOS defaults apply. For tenant isolation
# consider frame-types=admit-only-untagged-and-priority-tagged together with
# ingress-filtering=yes on ether1-ether3, so that frames a tenant tags itself
# are dropped at ingress.
# NOTE(review): comment=Management access contains an unquoted space and would
# need quotes on the console.
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=405
add bridge=bridge1 interface=ether2 pvid=406
add bridge=bridge1 interface=ether3 pvid=407
add bridge=bridge1 interface=ether24 pvid=666 comment=Management access
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/interface bridge settings
set allow-fast-path=no
# VLAN table: tenant VLANs are tagged on both SFP+ trunks and untagged on one
# access port each. Only VLAN 666 lists bridge1 itself as a tagged member, so
# only the management VLAN reaches the switch CPU.
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1 vlan-ids=405
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether2 vlan-ids=406
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether3 vlan-ids=407
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether24 vlan-ids=666
# NOTE(review): s1.405-s1.407 sit on bridge1, but bridge1 is not a member of
# VLANs 405-407 in the table above, so with vlan-filtering=yes these interfaces
# presumably see no traffic; only s1.666 has a matching entry. If the switch
# needs no IP presence in tenant VLANs they can be removed, which also keeps
# the switch's own services out of tenant networks.
/interface vlan
add interface=bridge1 name=s1.405 vlan-id=405
add interface=bridge1 name=s1.406 vlan-id=406
add interface=bridge1 name=s1.407 vlan-id=407
add interface=bridge1 name=s1.666 vlan-id=666
# Switch feeding the access points (device not named on the page; presumably
# one of the CRS112 PoE units -- TODO confirm). VLAN filtering is enabled and
# (R)STP is off (protocol-mode=none).
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none vlan-filtering=yes
# AP ports are untagged members of management VLAN 666 (pvid=666).
# NOTE(review): anything plugged into ether1-ether4 in place of an AP lands
# untagged in the management VLAN; confirm these ports are physically
# protected or otherwise restricted.
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=666 comment=AP1
add bridge=bridge1 interface=ether2 pvid=666 comment=AP2
add bridge=bridge1 interface=ether3 pvid=666 comment=AP3
add bridge=bridge1 interface=ether4 pvid=666 comment=AP4
add bridge=bridge1 interface=sfp12 pvid=1
/interface bridge settings
set allow-fast-path=no
# Only VLAN 666 is defined; bridge1 is a tagged member, giving the CPU access
# to the management VLAN.
# NOTE(review): ether8 is listed as tagged but is not a bridge port above,
# while the bridged port sfp12 (pvid=1) appears in no VLAN entry. If sfp12 is
# the uplink, VLAN 666 would not pass over it with vlan-filtering=yes --
# presumably a mismatch introduced when preparing the post; verify on the
# device.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether8 untagged=ether1,ether2,ether3,ether4 vlan-ids=666
# Access point in CAP mode: looks for a CAPsMAN on ether1 and, with
# certificate=request, asks the manager for a certificate.
# NOTE(review): the command looks wrapped or truncated in the post; the tail
# "enable" / "wlan1,wlan2" presumably stood for enabled=yes and
# interfaces=wlan1,wlan2 -- confirm against the device export.
# NOTE(review): no caps-man-names, caps-man-certificate-common-names or
# lock-to-caps-man setting is shown, so as listed the CAP is not pinned to one
# manager; consider restricting it to the intended CAPsMAN.
/interface wireless cap
set certificate=request discovery-interfaces=ether1 enable
wlan1,wlan2