
 
CZFan

QinQ VLAN's Help needed

Sun Jun 10, 2018 8:28 pm

I am treading in waters I have not been in before, and it is a semi-live network, so I need to get my ducks in a row. Below is what I need:

Cust 1 ---- C-Vlan 10 -----
                            \
Cust 2 ---- C-Vlan 20 -------\--- CCR1036 -- S-Vlan 50 ---- Co Loc for ISP's
                            /
Cust 3 ---- C-Vlan 30 ---- /

Customers come in on their relevant VLANs to the CCR1036, which then encapsulates the C-VLANs into one service VLAN towards the colocation, where the S-VLAN is stripped again and the traffic is routed to the relevant ISP based on the original VLANs.

I have read somewhere on the Wiki that only "initial" support for this is available on bridges from 6.43RC14, I think it was (can't find it now). I have some concerns about running Release Candidate versions in production.

Is the above possible at the moment without running an RC version? If so, can you provide some guidance on how I can achieve this?

Thanking you in advance
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy

Re: QinQ VLAN's Help needed  [SOLVED]

Sun Jun 10, 2018 9:34 pm

So you want it like this, right?
Ethernet II, Src: Routerbo_78:5a:37 (64:d1:54:78:4a:37), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
IEEE 802.1ad, ID: 50
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = DEI: 0
    .... 0000 0011 0010 = ID: 50
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 10
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0000 1010 = ID: 10
    Type: ARP (0x0806)
Address Resolution Protocol (request)
I haven't tried yet, but from what the wiki says, the "initial support of QinQ" is relevant to using vlan-filtering on frames with 802.1ad tags on a bridge, so unless you need a bridge hosting several s-vlans, you don't need that feature. So if you want to avoid rc in production and you have enough CPU for adding the s-tag using /interface vlan, it is possible to do it the following way:
                 bridge-x
ether1---tag(c10)===|
ether2---tag(c20)===|---s-vlan50===ether4
ether3---tag(c30)===|
(--- ... tagless side, === ... tagged side)
i.e.
/interface vlan
add interface=ether4 name=s-vlan50 use-service-tag=yes vlan-id=50

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan50
add bridge=bridge-x interface=ether1 pvid=10
add bridge=bridge-x interface=ether2 pvid=20
add bridge=bridge-x interface=ether3 pvid=30

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,s-vlan50 untagged=ether1 vlan-ids=10
add bridge=bridge-x tagged=bridge-x,s-vlan50 untagged=ether2 vlan-ids=20
add bridge=bridge-x tagged=bridge-x,s-vlan50 untagged=ether3 vlan-ids=30
I haven't tested it completely, so be careful.

Of course if the CCR already gets c10,c20,c30 tagged in a single trunk, all you need is
      bridge-x
ether1===|---s-vlan50===ether4
so all shrinks down to just
/interface vlan
add interface=ether4 name=s-vlan50 use-service-tag=yes vlan-id=50

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan50
add bridge=bridge-x interface=ether1

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan50 vlan-ids=10,20,30
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
paulct

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:04 am

QinQ is fine for this. However, we have only used CCRs for this. We have not tried it on the CRS platforms.
BUT, what happens when you need more than one S-tag?

e.g. C-tag 10, 20, 30 to S-tag 100
and
C-tag 11, 21, 31 to S-tag 101

Then you need selective Q-in-Q if it needs to be done on the same uplink interface.
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:26 am

This can be obtained using vlan-filtering on the bridge hosting the c-vlans and two s-vlan interfaces:
/interface vlan
add interface=ether4 name=s-vlan-100 use-service-tag=yes vlan-id=100
add interface=ether4 name=s-vlan-101 use-service-tag=yes vlan-id=101

/interface bridge
add name=bridge-x vlan-filtering=yes

/interface bridge port
add bridge=bridge-x interface=s-vlan-100
add bridge=bridge-x interface=s-vlan-101
add bridge=bridge-x interface=ether1

/interface bridge vlan
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan-100 vlan-ids=10,20,30
add bridge=bridge-x tagged=bridge-x,ether1,s-vlan-101 vlan-ids=11,21,31
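To make the tag stacking concrete, here is an added example (not code from the thread or from RouterOS) that builds the frame sindy dissected with Wireshark in the first answer and models what the vlan-filtering bridge with one /interface vlan port per S-VLAN does with a C-tagged frame, using the two-S-VLAN table from the answer just above. The ARP body and the IP addresses in it are constructed sample data; the outer TPID parameter covers both the use-service-tag=yes (0x88a8) and use-service-tag=no (0x8100) cases discussed later in the thread.

```python
"""QinQ frame construction and dissection (added example, not from the thread).

Builds in code the frame sindy captured with Wireshark (outer 802.1ad S-tag 50,
inner 802.1Q C-tag 10, ARP request) and models what the vlan-filtering bridge
with one /interface vlan port per S-VLAN does to a C-tagged frame, using the
two-S-VLAN table from sindy's second answer. The ARP body and IP addresses
are constructed sample data.
"""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q: C-tag, or the outer tag when use-service-tag=no ("Q-in-Q")
ETH_P_8021AD = 0x88A8  # 802.1ad: S-tag produced by use-service-tag=yes ("Q-in-ad")
ETH_P_ARP = 0x0806

# MACs from the dissection quoted in the thread; the IPs further down are constructed.
SRC_MAC = bytes.fromhex("64d154784a37")
BCAST_MAC = b"\xff" * 6


def push_tag(frame: bytes, vid: int, tpid: int = ETH_P_8021Q, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert one VLAN tag after the MAC pair, which is what the tagged side of
    /interface vlan does to every frame leaving its tagless side."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> tuple:
    """Strip the outermost tag; returns (tpid, vid, remaining frame)."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
        raise ValueError("frame is untagged")
    return tpid, tci & 0x0FFF, frame[:12] + frame[16:]


def dissect(frame: bytes) -> dict:
    """Walk the tag stack outer-to-inner, the way Wireshark's summary shows it."""
    tags, off = [], 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": tpid, "payload": frame[off + 2:]}


def build_arp_request() -> bytes:
    """Untagged broadcast ARP request (constructed sample: 10.0.0.1 asking for 10.0.0.2)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      SRC_MAC, bytes([10, 0, 0, 1]), b"\x00" * 6, bytes([10, 0, 0, 2]))
    return BCAST_MAC + SRC_MAC + struct.pack("!H", ETH_P_ARP) + arp


def build_dissected_frame(outer_tpid: int = ETH_P_8021AD) -> bytes:
    """The frame from the capture: C-tag 10 first (bridge side), then S-tag 50 on the
    way out via s-vlan50. outer_tpid=ETH_P_8021Q gives the use-service-tag=no variant."""
    return push_tag(push_tag(build_arp_request(), 10), 50, outer_tpid)


# /interface bridge vlan table from sindy's two-S-VLAN answer: the C-VIDs each
# s-vlan port is tagged for. A C-VID listed in neither entry is dropped by
# vlan-filtering, exactly as an unlisted VID is on a real bridge.
S_VLAN_TABLE = {100: {10, 20, 30}, 101: {11, 21, 31}}


def trunk_egress(c_tagged: bytes, table=S_VLAN_TABLE, s_tpid: int = ETH_P_8021AD):
    """bridge -> s-vlan-N port -> ether4: forward to the one s-vlan port whose bridge
    vlan entry includes this C-VID and push its S-tag; None means the frame is dropped."""
    try:
        tpid, c_vid, _ = pop_tag(c_tagged)
    except ValueError:
        return None                      # untagged: no bridge vlan entry matches
    if tpid != ETH_P_8021Q:
        return None                      # already S-tagged: not a C-VLAN frame
    for s_vid, c_vids in table.items():
        if c_vid in c_vids:
            return push_tag(c_tagged, s_vid, s_tpid)
    return None


def trunk_ingress(s_tagged: bytes, table=S_VLAN_TABLE):
    """ether4 -> s-vlan-N port -> bridge: the s-vlan interface pops the S-tag, then
    vlan-filtering admits the frame only if that port is tagged for its C-VID."""
    try:
        _, s_vid, inner = pop_tag(s_tagged)
        _, c_vid, _ = pop_tag(inner)
    except ValueError:
        return None                      # fewer than two tags: dropped
    if c_vid not in table.get(s_vid, ()):
        return None                      # e.g. C-VID 11 arriving inside S-VID 100
    return inner


if __name__ == "__main__":
    for tag in dissect(build_dissected_frame())["tags"]:
        print(f"TPID 0x{tag['tpid']:04x} VID {tag['vid']} PCP {tag['pcp']} DEI {tag['dei']}")
```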
 
paulct

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:33 am

Strange - this is from Mikrotik support 3 weeks ago.

"At the beginning it is planned to have one s-tag for all c-tags on port.
Selective tagging might be possible later using Switch Chip ACL rules or by another implementation."
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 10:46 am

Strange - this is from Mikrotik support 3 weeks ago.
"At the beginning it is planned to have one s-tag for all c-tags on port.
Selective tagging might be possible later using Switch Chip ACL rules or by another implementation."
Yes, on port. But my suggestion uses two different ports, on one of them only the c-vlans 10,20,30 are permitted by the vlan-filtering rule, and on the other one only the c-vlans 11,21,31.
 
paulct

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 11:00 am

But my suggestion uses two different ports, on one of them only the c-vlans 10,20,30 are permitted by the vlan-filtering rule, and on the other one only the c-vlans 11,21,31.
OK, which is not ideal in all cases, unless ALL your switches can do this.

e.g. Switch A (some other brand or such - managed switch but no Q-in-Q) - one uplink to switch B (MikroTik) - and then to switch C (MikroTik) - handover point.
So on switch B you won't be able to say C-tag 10-30 goes to S-tag 100 and C-tag 40-100 goes to S-tag 120.

But either way - nice to know Mikrotik supports it and maybe one day can do the above.
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 12:17 pm

Sorry, I didn't get your point here. How would MikroTik's "more native" support of this "selective tagging", compared to the setup I've suggested, change the fact that the other vendor's equipment cannot do it? And, to extend my mental horizon, what would be the application scenario?

The usual application scenario is that the ISP provides L2 WAN service to several unrelated customers and uses s-vlans to isolate the traffic of these customers, which comes as trunks of c-vlans, from one another. In such an arrangement there is little use for c-vlan to s-vlan mapping inside the ISP's network; the traffic is normally s-tagged on the border switch, port-based.

Already @CZFan's application scenario is quite far from typical, as he
  1. uses c-vlans to isolate his customers from one another instead of s-vlans (but that's exactly what saves him from the need to use rc which would be needed to support vlan-filtering of s-vlans), and
  2. hands over the result already s-tagged to his carrier ISP while the usual approach is that the carrier ISP s-tags the traffic on their own equipment.
Your scenario is even more unusual, as you take several c-vlans and want to map groups of them to different s-vlans, and on top of that you seem to want to change that mapping on intermediate equipment.

Can you give a practical example where this would be purposeful?
 
paulct

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 12:43 pm

It's great that MikroTik supports it, but there are scenarios where selective Q-in-Q in certain networks is needed. Not MikroTik's fault, as I do realise it is an unusual setup.

e.g. say you have 100 buildings and use a different brand of switch. Why? Well, maybe until very recently MikroTik had no multi-port (> 24 port) SFP switches or 48-port Ethernet switches. One would not want to replace them all, and they do not support Q-in-Q. One would simply tag the various ports and then install one "master" MikroTik switch which can do selective Q-in-Q.

Why would you want to do this? Maybe to enable open access on your own network.
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 11, 2018 9:52 pm

Thank you sindy, all
 
CZFan

Re: QinQ VLAN's Help needed

Sun Jun 17, 2018 8:35 pm

If I may throw in another curve ball: I am new to the "nuts & bolts" of VLANs, so please bear with me.

Have an MT CCR with ether1 as a routed port (stand-alone, not part of a bridge / switch group).
Attach VLAN 10 to ether1, and attach VLANs 20, 30 & 40 to VLAN 10, creating QinQ.

ether2 to ether-n in a bridge.
Configure the bridge for vlan-filtering=yes.
In Bridge VLAN, ether2 to ether5 & bridge tagged for vlan-ids=20,30,40.

Trying to get frames coming in tagged on ether2 - 5 with VLAN ID either 20, 30 or 40; the tag must stay on the frame and go out via the relevant VLAN 20, 30 or 40, tunnelled into VLAN 10 out on ether1?

Hope it makes sense
 
sindy

Re: QinQ VLAN's Help needed

Sun Jun 17, 2018 8:48 pm

Drawings are better, but I assume you want ether1 to carry the QinQ frames where VID 10 is the outer one (service-vlan, or S-vlan, ethertype 0x88a8) and VID 20,30,40 are the inner ones (customer-vlan, C-vlan, ethertype 0x8100). If so, the method suggested above is still valid, just modify the picture (and configuration) from
      bridge-x
ether1===|---s-vlan50===ether4
to
     bridge-vlan
ether2===|
ether3===|---s-vlan10===ether1
ether4===|
ether5===|
 
CZFan

Re: QinQ VLAN's Help needed

Sun Jun 17, 2018 10:16 pm

@sindy, thank you very much. Apologies, I was in a rush, but you are 100% correct, drawings will make it clearer, so below is a drawing and explanation, also explaining how I see it, so please correct me if I am wrong.

VLANs coming into the CCR are already tagged for 20, 30 & 40.
The CCR is configured:
- ether1 is a stand-alone router port, not part of any switch group / bridge, used for routing to the WAN.
--- on ether1 I have VLAN 10 attached to ether1 and VLANs 20, 30, 40 attached to VLAN 10 (QinQ tunnelling)
- ether2 - ether4 configured as part of a bridge
--- under /bridge vlan, I have selected the bridge, with vlan-ids=20,30,40, tagged=bridge,ether2,ether3,ether4 and untagged=none

So if my understanding is correct, packets/frames will come into the CCR already tagged by the CPE devices with the relevant ISP VLAN ID; as they come into the bridge via ether2, 3 & 4 they will remain tagged, go out of the bridge still tagged, will then be encapsulated with VLAN 10, go across the WAN link, get to the Co-Loc, where VLAN 10 gets stripped and, based on the VLAN tag remaining, will be routed to the relevant ISP.

I am of the understanding that if I do the above, it remains 802.1Q (ethertype 0x8100); should I enable "use service tag", it will become 802.1ad (ethertype 0x88a8). Is my understanding correct?
If so, will it work on 802.1Q?
(attachment: QinQ VLAN.JPG)
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 12:05 am

I have not tried an actual QinQ, only "Qinad", but I don't see why it should not work with the outer tag being a Q one (0x8100, use-service-tag=no).
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 7:57 pm

I can't get the above working; anyone that can offer help, please.
 
chechito

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:18 pm

I have not tried an actual QinQ, only "Qinad", but I don't see why it should not work with the outer tag being a Q one (0x8100, use-service-tag=no).
Yes, in some cases Q-in-Q works, in other cases you have to do Q-in-ad.
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:21 pm

I have not tried an actual QinQ, only "Qinad", but I don't see why it should not work with the outer tag being a Q one (0x8100, use-service-tag=no).
Yes, in some cases Q-in-Q works, in other cases you have to do Q-in-ad.

I will try that in lab quickly, thx
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:25 pm

Just to be clear what I am trying to achieve: I want tagged VLANs coming into a bridge, which must then go out of a routed interface still tagged; the routed interface is not part of the bridge. Is that possible?
 
chechito

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 8:50 pm

Just to be clear what I am trying to achieve, I want tagged vlans coming into a bridge, that must then go out of a routed interface still tagged, the routed interface is not part of the bridge, is that possible?
I think one way to do it is:

ether going to the colocation with vlan and vlan-in-vlan interfaces

ether going in the other direction with vlan interfaces

make a bridge for each tagged vlan and add the corresponding ports to that bridge, for example:

bridge-20: ports: vlan20 ether1, vlan20 ether2, vlan20 ether3

in that way for each vlan
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 9:03 pm

Just to be clear what I am trying to achieve, I want tagged vlans coming into a bridge, that must then go out of a routed interface still tagged, the routed interface is not part of the bridge, is that possible?
Now wait a bit. So you want that a packet comes in via VLAN 20 on interface A, gets routed (i.e. not bridged) to VLAN20 on interface B? So the IP subnet living in VLAN 20 on interface A is a different one than the IP subnet living in VLAN 20 on interface B (let's leave QinQ aside for the moment)?
 
peson

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 9:50 pm

Are the customers behind the same physical interface?
What's on the other end of the CCR, a MikroTik, Cisco...?
The CCR only acts as an L2 bridge for the customers' VLANs and S-VLANs them upstream?
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 9:57 pm

@chechito, thx, but I tried that; then I can get to VLAN 20 on the far-side router, but no devices behind it.

Here are exports of what I have done so far in my lab, maybe it will make more sense:

Router1:
# jan/02/1970 00:44:46 by RouterOS 6.42.3

#
# model = RouterBOARD 931-2nD

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=bridge-vlan20 vlan-id=20
add interface=ether1 name=vlan10 use-service-tag=yes vlan-id=10
add interface=vlan10 name=vlan10-vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20
/ip address
add address=10.0.0.1/24 interface=bridge1 network=10.0.0.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.20.1/24 interface=bridge-vlan20 network=10.10.20.0
/system routerboard settings
set silent-boot=no
Router2:
# jan/02/1970 00:45:18 by RouterOS 6.42.3

#
# model = 951Ui-2HnD

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=bridge-vlan20 vlan-id=20
add interface=ether1 name=vlan10 use-service-tag=yes vlan-id=10
add interface=vlan10 name=vlan10-vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20
/ip address
add address=10.0.0.2/24 interface=bridge1 network=10.0.0.0
add address=10.10.10.2/24 interface=vlan10 network=10.10.10.0
add address=10.10.20.2/24 interface=bridge-vlan20 network=10.10.20.0
/system routerboard settings
set silent-boot=no
 
peson

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:30 pm

Those configs won't work for you.
Please, try to explain the whole chain of what you're trying to achieve.
Review my questions above.
Is it something like this:
Cust2 -- untagged -- CCR:ether2 -- some core -- tagged 20@ISP router
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:46 pm

@peson, did you read my post, viewtopic.php?f=2&t=135504&p=669035#p668784
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:49 pm

@CZfan, can you respond to post #20?
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:58 pm

@CZfan, can you respond to post #20?
@sindy, my answer to that was post 22, with the lab config. I just tried with untagged, as I do not have equipment to provide tagged data.

In a nutshell, from the CPE it comes tagged with VLAN 20 to the CCR (bridge), then out with VLAN 20 still tagged, gets tunnelled into VLAN 10 and out of ether1 to the other side. ether1 is not part of the bridge, but a standalone port on the CCR.

Make sense?
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 10:59 pm

@sindy, apologies, I accidentally accepted your last post as solved; I meant to click on the quotation marks to quote your post.
 
peson

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:05 pm

Sorry, I wasn't logged in the first time, so I couldn't see the drawing.
So it's an L2 configuration you need.
Is the Co-Loc an MT or some other equipment?
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:08 pm

@peson, sorry, I can't answer for the equipment on the other side. I asked on numerous occasions but still did not get an answer; I have a meeting with the colocation engineers in the morning at 10:00.
 
peson

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:13 pm

@peson, sorry, I can't answer for the equipment on the other side. I asked on numerous occasions but still did not get an answer; I have a meeting with the colocation engineers in the morning at 10:00.
But they request you to have an S-VLAN 10 carrying the customers inside with C-VLANs 20, 30 and 40?
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:16 pm

@peson, correct, it is a deployment / project that I got involved in late; I asked for info and got very little, i.e. network design, etc.
 
peson

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:21 pm

@peson, correct, it is a deployment / project that I got involved in late; I asked for info and got very little, i.e. network design, etc.
Do you need to interfere with the customers' VLANs on layer 3, or is it only L2 tunnelling you need?
Any queuing or shaping involved?
 
sindy

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:26 pm

@sindy, my answer to that was post 22, with the lab config. I just tried with untagged, as I do not have equipment to provide tagged data.
In a nutshell, from the CPE it comes tagged with VLAN 20 to the CCR (bridge), then out with VLAN 20 still tagged, gets tunnelled into VLAN 10 and out of ether1 to the other side. ether1 is not part of the bridge, but a standalone port on the CCR.
Make sense?
I must be missing some point. I don't understand what "routed interface" means, that's the first point.

When talking about QinQ (or "Qinad"), we normally stay in the L2 domain, no routing is related.

In one of my first posts, there is a Wireshark dissection of a frame created using the configuration I've suggested - the tagless side of a local /interface vlan has an IP configuration attached to it, the tagged side of that /interface vlan uses bridge-x as its carrier interface and has use-service-tag set to no, so it adds 802.1Q tags to the frames coming to its tagless side before forwarding them to the bridge. Then, the tagless side of another /interface vlan is made a member port of bridge-x, that /interface vlan uses ether1 as the carrier interface at its tagged side and has use-service-tag set to yes, so it takes already 802.1Q tagged frames from bridge-x and adds 802.1ad tags to them before sending them out via ether1.

I've dissected an ARP packet because I did not configure a second 'Tik the same way, so I could not generate any other than ARP traffic (I've pinged an address in the same subnet to which the IP address attached to the first /interface vlan belongs, so the router generated an ARP packet to determine that address, and that's the packet I've sniffed and dissected).

Neither of your configuration exports matches this, plus you have attached IP configuration to the /interface vlan with pvid=10.

So no, for me the configuration export in post #22 did not clarify your intention, and was not an answer to my question in post #20.

If the intention is to take frames already tagged with 802.1Q tag with VIDs 20,30,40 and just tag them one more time with VID 10 (no matter whether with an 802.1Q or 802.1ad tag) before sending them towards the colocation, my configurations from post #2 do exactly that; if the intention is different, describe how the frame should look when it comes in to the CCR from the left side and how the frame should look like when it goes out to the right side, and whether you expect it to be routed inside the CCR.
 
CZFan

Re: QinQ VLAN's Help needed

Mon Jun 18, 2018 11:48 pm

@sindy, what I mean by "routed interface":

Take any MT router, let's say a hAP ac lite; usually you will configure ether2 - 5 as members of a bridge, then ether1 will be your WAN port.
Now imagine you have a VoIP phone and your SIP provider is connected to your ISP, but on VLAN 20, and your ISP requires you to send that VLAN 20 across your WAN port tunnelled into VLAN 10.
So you configure on the VoIP phone itself that it must use VLAN 20, so the phone's traffic will come into your bridge on your hAP ac lite tagged with VLAN 20, must then be encapsulated / tunnelled into VLAN 10 and out on the WAN port to your ISP.
At your ISP, the ISP will then decapsulate / strip VLAN 10, which will leave only VLAN 20 on the packet. The ISP sees, ahhh, VLAN 20 belongs to SIP Provider 1, send the packet to them.
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 12:18 am

What you describe is still a mere bridging with QinQ and has nothing to do with routing, so my suggestion from post #2 should work.

Falling asleep, let's see what those guys tell you tomorrow at ten.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
CZFan
Forum Guru
Topic Author
Posts: 1219
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 12:28 am

What you describe is still a mere bridging with QinQ and has nothing to do with routing, so my suggestion from post #2 should work.

Falling asleep, let's see what those guys tell you tomorrow at ten.
Thx sindy, yes, will revert back tomorrow, also falling asleep here
MTCNA, MTCTCE, MTCRE & MTCINE
 
peson
Trainer
Posts: 177
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 4:52 am

This might be helpful:
/interface bridge
add name=br-QinQ vlan-filtering=yes
/interface vlan
add interface=ether1 name=vl10-QinQ use-service-tag=yes vlan-id=10
/interface bridge port
add bridge=br-QinQ interface=vl10-QinQ
add bridge=br-QinQ interface=ether2
add bridge=br-QinQ interface=ether3
add bridge=br-QinQ interface=ether4
/interface bridge vlan
add bridge=br-QinQ tagged=vl10-QinQ,ether2,ether3,ether4 vlan-ids=20,30,40
Use horizon values if you need to block traffic between customers.
If you need L3 termination in the CCR you have to add the vlan interfaces (/interface vlan add...)and the bridge itself in tagged vlan list.
 
CZFan
Forum Guru
Topic Author
Posts: 1219
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Tue Jun 19, 2018 8:11 pm

@sindy, @peson, thx for your feedback so far.

Info received after meeting today, the other side is apparently a Cisco ASR1002,

Today we have cut over to an additional / new layer 2 fibre link, so all is currently working via that link. I have been told the older / existing link is also supposed to be a layer 2 link, so I am not sure why they originally configured ether1 as a "routed / WAN" interface. From my understanding, with the info supplied now, it should be a lot easier, as I can configure the CCR as a switch, i.e. bridge all ports; then the vlan issue becomes a bit simpler.

I will test in my lab tonight and take from there
MTCNA, MTCTCE, MTCRE & MTCINE
 
CZFan
Forum Guru
Topic Author
Posts: 1219
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 2:42 pm

@sindy, thank you, your solution in post #2 worked. The reason I could not get it to work was that I used my youngest son's laptop on the other end of my lab setup. Seems the OS on that laptop is broken and I am unable to ping it, not even directly from the router it is connected to, hence I thought QinQ tunneling was not working when I tried to ping it from my laptop via the QinQ setup.
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 3:33 pm

It may not even be broken, many embedded firewalls do not respond to pings by default in "unknown" networks. I was quite confident it did work as my test has confirmed it, so I was expecting some misconfiguration rather than a mistake of the concept.

But this @peson's remark is worth considering given the application case you've described:
Use horizon values if you need to block traffic between customers.
I mean, if the c-vlans are used to connect customers' networks to different VoIP providers which possibly use their own private address spaces to avoid NAT-related problems, it makes sense to permit only traffic between the VoIP provider's access point and the customers but not from one customer to another.


Off topic, two weeks ago I've obtained a pair of glasses after all and it does make a difference :-)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
CZFan
Forum Guru
Topic Author
Posts: 1219
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 5:44 pm

Yes, I should give credit where due, thank you @peson, will definitely implement "horizon" config.

@sindy, I have disabled firewall on his laptop, still could not ping it. Many games and crap on that laptop...

off topic, whose name did I spell wrong this time... :-)
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 6:12 pm

Off topic, no victims this time, I've just used this topic to deliver the update because it is yours and solved :-)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
CZFan
Forum Guru
Topic Author
Posts: 1219
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 7:14 pm

off topic, FYI, I am at the stage already where I have 2 pairs of glasses, one for every day use and another for reading, it definitely helps, but unfortunately not in all scenarios :-(

@peson, I read up a bit more on the horizon (I just wonder why these things are not covered in training / certification classes) and yes, will definitely use it.
MTCNA, MTCTCE, MTCRE & MTCINE
 
peson
Trainer
Posts: 177
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 9:39 pm

Split horizon is covered in the MTCINE training (https://mikrotik.com/pdf/MTCINE_Outline.pdf).
I teach it in the MTCNA classes I give as well, since it's a very useful feature when configuring port isolation, which is commonly used in ISPs' networks.

Off topic:
I still have only one pair of glasses, but I need to take them off when reading ;-)
 
CZFan
Forum Guru
Topic Author
Posts: 1219
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: QinQ VLAN's Help needed

Wed Jun 20, 2018 9:51 pm

Split horizon is covered in the MTCINE training (https://mikrotik.com/pdf/MTCINE_Outline.pdf).
I teach it in the MTCNA classes I give as well, since it's a very useful feature when configuring port isolation, which is commonly used in ISPs' networks.

Off topic:
I still have only one pair of glasses, but I need to take them off when reading ;-)
Aaahhhh, that's good to know. If all works out well, I will be attending MTCINE at the end of July 2018. Sounds like an awesome course looking at the outline, very excited.
MTCNA, MTCTCE, MTCRE & MTCINE
 
deepmedia
just joined
Posts: 15
Joined: Sat Dec 29, 2018 4:19 pm

Re: QinQ VLAN's Help needed

Fri Apr 12, 2019 1:16 pm

Hi there,

I'm looking for a QinQ / 802.1ad solution as well. Currently I'm running 2 x CRS317 with a metro vlan provider in between them. There are several vlans on both sides that need to be connected together by the s-vlan. I'm running the vlan-aware bridge configuration on both CRS'es. Some of the vlans are entering the device tagged and some untagged. The complex part is ether4. I thought it would be a good idea to create separate bridges, but ether4 can't be attached to both bridges at the same time. See also attached image.
802.1ad-example.png
Anyone got a configuration suggestion / example?
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Fri Apr 12, 2019 9:41 pm

I'm afraid none of the currently available Mikrotik products can fulfil your requirement completely in hardware without using crude hacks, at least because you need to add/remove two tags on the path between ether2 and ether4, whilst all the bridge implementations cannot add more than one tag on ingress and remove more than one tag on egress. So if you need to make use of the 10 Gbit/s bandwidth of the uplink, you may have to stack two CRS317, unless the partitioning of the switch chip and VLAN filtering is so good that you can connect together two ports of the same switch belonging to different partitions without creating a forwarding loop (you need per-VLAN forwarding tables in the switch chip as a minimum, plus you probably need that no VLAN ID is used for both a C-VLAN and an S-VLAN as the switch chip likely only uses the VID as an index to the table, not the tag type).

The topology would be the following:

              S-bridge                     C-bridge A
                  ║                             ║
                  ║                             ║---access---
                  ║---access---~~~~~====trunk===║   PVID 10
      hybrid      ║  PVID=100        VID 10,20  ║
===VIDs 100,999===║                             ║===trunk====
     PVID=999     ║                             ║   VID 20
                  ║
                  ║                        C-bridge B
                  ║                             ║
                  ║---access---~~~~~====trunk===║===trunk====
                  ║  PVID=999          VID 30   ║   VID 30
C-bridge B is only necessary to prevent ingress of frames tagged with any other VID than 30 as S-bridge only cares about S-tags.

If you don't need the full 10 Gbit/s speed (actually even just 1 Gbit/s may be too much to expect), you can implement a similar topology using software bridges and see whether the CPU will cope with the traffic or not. In this case, instead of cables between ports, you would use /interface vlan:

/interface vlan
add name=vcable-a interface=s-bridge vlan-id=100 use-service-tag=yes
add name=vcable-b interface=s-bridge vlan-id=999 use-service-tag=yes


and make the tagless sides of these /interface vlan member ports of c-bridge-a and c-bridge-b respectively:

/interface bridge port
add bridge=c-bridge-a interface=vcable-a
add bridge=c-bridge-b interface=vcable-b
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
peson
Trainer
Posts: 177
Joined: Tue Jul 20, 2004 10:33 am
Location: Sweden

Re: QinQ VLAN's Help needed

Sat Apr 13, 2019 12:17 am

Hi there,

I'm looking for a QinQ / 802.1ad solution as well. Currently I'm running 2 x CRS317 with a metro vlan provider in between them. There are several vlans on both sides that need to be connected together by the s-vlan. I'm running the vlan-aware bridge configuration on both CRS'es. Some of the vlans are entering the device tagged and some untagged. The complex part is ether4. I thought it would be a good idea to create separate bridges, but ether4 can't be attached to both bridges at the same time. See also attached image.

802.1ad-example.png

Anyone got a configuration suggestion / example?
Haven't looked into this in Mikrotik, but is tag stacking per port usable?
https://wiki.mikrotik.com/wiki/Manual:B ... g_Stacking
/Paul
 
sindy
Forum Guru
Posts: 3284
Joined: Mon Dec 04, 2017 9:19 pm

Re: QinQ VLAN's Help needed

Sat Apr 13, 2019 3:24 pm

is tag stacking per port usable?
I understand the description in the manual you refer to in such a way that tag-stacking=yes only makes the /interface bridge port handling ignore the already existing tags on the ingress frames even if the topmost ethertype of the ingress frame matches the ether-type of the bridge and always act as an access port, i.e. add another tag in front of the existing one on ingress. But still it is just a single tag to be added on ingress and removed on egress, not two. Whereas in his post above, @deepmedia asks for adding a C-tag 10 to tagless frames received at ether2 and then adding also an S-tag 100 before sending them out ether4, so two ingress crossings of bridge (or switch) border are required.

So a single bridge approach could only work if you could add two tags in a single ingress handling step, but the switch chip of the CRS317 doesn't provide such (rarely required) functionality in hardware, so even if it was implemented to the bridge, the throughput would still be limited by the CPU power and by the bandwidth of the internal connection between the switch part of the chip and the CPU's packet interface.

I suspect from the feature overview on the respective manual page that the switch chips used in CRS1xx/2xx can add both a C-tag and an S-tag in a single ingress step, but 1) I don't have a possibility to test this practically and 2) these devices have just up to two 10 Gbit/s ports so the bandwidth limitation might still affect @deepmedia's use case.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
deepmedia
just joined
Posts: 15
Joined: Sat Dec 29, 2018 4:19 pm

Re: QinQ VLAN's Help needed

Tue Apr 16, 2019 2:27 am

Also on advice of MT support I decided to go with CVID tag stacking instead of c-vlan within s-vlan.

I built the following config:
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes

/interface vlan
add interface=sfp-sfpplus1 name=vlan-gs-ser vlan-id=309
add interface=bridge name=vlan-mgmt vlan-id=20

/interface bridge port
add bridge=bridge ingress-filtering=yes interface=vlan-gs-ser tag-stacking=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge comment=transport-gs-ser tagged=bridge,sfp-sfpplus1,vlan-gs-ser vlan-ids=309
add bridge=bridge comment=mgmt tagged=bridge,vlan-gs-ser,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,trunk-ccr2-crs2 vlan-ids=20
Without the tag-stacking option on the vlan-gs-ser port everything seems to work fine, but as soon as I enable tag stacking it breaks. Anyone got an idea?
