richardallan
just joined
Topic Author
Posts: 1
Joined: Fri Jun 11, 2021 1:05 pm

Stacked VLAN bridges and interfaces

Mon Jun 14, 2021 12:41 pm

I am currently working on a project which requires a slightly unusual VLAN configuration for routing between multiple sites. I've worked with Mikrotik and various other network vendors for several years, but I've not had to deal with this particular configuration before so was looking for advice on configuring this on a Mikrotik CCR2004.

The CCR2004 will be hosted in a co-location facility. The initial setup, which will be built out later, is a single 10G-LR fibre to the WAN provider switch, connected to sfp-sfpplus1. Each site circuit leads aggregates at the WAN provider switch and is then trunked across the single 10G link to the CCR with a unique VLAN. There is also a dedicated internet breakout on the WAN provider switch which is the default VLAN and untagged. From each site circuit I have management traffic on a tagged VLAN unique to that site. The WAN provider uses 0x8100 ethertype tags as outer tags, which will stack onto the 0x8100 tags which I use for management addresses at each site.

What I'm trying to configure is the following:
sfp-sfpplus1 - Untagged traffic only - IP address A.A.A.A/29 - WAN provider provided public IP address routing to WAN provider default GW
bridge1 - WAN provider tagged traffic, no inner tag - IP address B.B.B.B/24 - Bridge all untagged traffic from sites, tagged by WAN provider, public IP as gateway for sites
bridge1.vlan10x - Tagged management traffic from sites, interface per site - IP address 10.100.10x.1/24 - Site management IP address, inner tag from site after outer stripped.

I've included a diagram of the site connections. I'm really looking for some clarity on the configuration of the bridge and VLAN filtering to ensure that only the relevant traffic actually hits each interface.

Many thanks,
Richard
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Stacked VLAN bridges and interfaces

Mon Jun 14, 2021 6:53 pm

One of the ways to achieve QinQ in ROS is to use multiple bridges in a layered manner. Probably that's not the only way ...

In your case you'd use one layer since you only have one interface carrying QinQ traffic. So what you can do is:
  1. create a number of VLAN interfaces, one per remote location. All anchored off the WAN interface (sfp-sfpplus1):
    /interface vlan
    add interface=sfp-sfpplus1 name=link1001 vlan-id=1001
    add interface=sfp-sfpplus1 name=link1002 vlan-id=1002
    add interface=sfp-sfpplus1 name=link1003 vlan-id=1003
    
  2. create a matching number of bridges. Add the corresponding link100x vlan interface to them as trunk port. E.g.:
    /interface bridge
    add name=bridge1001 vlan-filtering=yes
    /interface bridge port
    add bridge=bridge1001 interface=link1001 pvid=2001 # pvid puts untagged frames from link1001 into VLAN 2001 used below
    /interface bridge vlan
    add bridge=bridge1001 tagged=bridge1001,link1001 vlan-ids=101
    
    For the untagged traffic towards site 1001 you can either use bridge1001 directly (as untagged port) or you make link1001 an untagged member of some VLAN on bridge1001 and bridge1001 a tagged member of the same ... let's assume you want to do it like this, see the further config example ...
    /interface vlan
    add interface=bridge1001 name=mgmt101 vlan-id=101
    add interface=bridge1001 name=untagged1001 vlan-id=2001 # vlan-id can be chosen at will, just has to be unique in CCR
    /interface bridge vlan
    add bridge=bridge1001 tagged=bridge1001 untagged=link1001 vlan-ids=2001
    
    And in similar manner for other links towards remote locations.

    Keep in mind that a vlan interface (created under /interface vlan) always strips one layer of 802.1q headers off a packet received from the "anchor" interface (the one configured as the interface=xxx property) and passes the resulting packet on the other end (and the resulting packet may still have an 802.1q header if the original packet was a QinQ packet). Likewise it always adds a tag to a packet received from the "native" end (the one named by the name=yyyy property) even if the received packet already carried a VLAN header. The only "big problem" is how to create layers of VLAN-aware bridges to make mikrotik stack an additional 802.1q header.
  3. now configure IP addresses facing towards remote locations. E.g. if site 1001 will be using 10.01.0.0/24 for LAN and your CCR will have an IP address in that subnet, 10.1.0.1/24 ... and if management for site 1001 will have 192.168.1.0/24 with CCR's IP address 192.168.1.1, you would configure IP addresses as:
    /ip address
    add interface=untagged1001 address=10.1.0.1/24
    add interface=mgmt101 address=192.168.1.1/24
    
    And in similar manner for other links towards remote locations.
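Added example (not part of the thread, not RouterOS code): a Python model of the two-layer tag handling described in the reply above. It parses a frame's 0x8100 tag stack, names the CCR interface a frame arriving on sfp-sfpplus1 ends up on, and gives the tag stack a reply carries back out. The outer-to-management VID mapping (1001->101 etc.) and the MAC addresses are constructed for the example.

```python
import struct
TPID_8021Q = 0x8100
# Constructed mapping (not from the thread): WAN-provider outer VID -> site management VID.
# Outer VID selects link<vid>/bridge<vid>; inner VID selects mgmt<vid>; no inner tag -> untagged<vid>.
SITES = {1001: 101, 1002: 102, 1003: 103}

def vlan_stack(frame: bytes):
    """Peel every 0x8100 tag after the MAC header; return (vids outermost-first, ethertype, payload)."""
    off, vids = 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype != TPID_8021Q:
            return vids, etype, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)  # PCP(3) | DEI(1) | VID(12)
        off += 2
        vids.append(tci & 0x0FFF)

def frame_with_tags(vids, etype, payload,
                    dst=b"\x00\x0c\x42\x00\x00\x01", src=b"\x00\x0c\x42\x00\x00\x02"):
    """Build an Ethernet frame carrying the given tag stack (outermost first); MACs are constructed."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v) for v in vids)
    return dst + src + tags + struct.pack("!H", etype) + payload

def ingress_interface(frame: bytes) -> str:
    """Name the CCR L3 interface that receives a frame arriving on sfp-sfpplus1."""
    vids, _, _ = vlan_stack(frame)
    if not vids:
        return "sfp-sfpplus1"            # untagged: the /29 internet breakout on the physical port
    outer, inner = vids[0], vids[1:]
    if outer not in SITES:
        return "drop"                    # no link<outer> vlan interface claims this VID
    # link<outer> strips one 802.1Q header; bridge<outer> (vlan-filtering=yes) sees what is left.
    if not inner:
        return f"untagged{outer}"        # untagged on the bridge port -> pvid 2001 -> untagged<outer>
    if inner[0] == SITES[outer]:
        return f"mgmt{SITES[outer]}"     # mgmt<vid> strips the second header
    return "drop"                        # inner VID not in the /interface bridge vlan table

def egress_tags(interface: str) -> list:
    """Tag stack (outermost first) on the wire for a reply sent from the given L3 interface."""
    if interface == "sfp-sfpplus1":
        return []
    if interface.startswith("untagged"):
        return [int(interface[8:])]      # bridge sends 2001 untagged on link<outer>; link<outer> adds outer
    if interface.startswith("mgmt"):
        mgmt = int(interface[4:])
        outer = next(o for o, m in SITES.items() if m == mgmt)
        return [outer, mgmt]             # mgmt adds the inner tag, link<outer> stacks outer on top
    raise ValueError(f"unknown interface {interface}")
```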
