Does MikroTik RouterOS 6.47 support 2 Trunks on the same physical Router (CCR1009 and/or RB4011)?


I am attempting to setup a BASIC router with 2 Trunk ports to two different bridges.

TOPOLOGY
                 Interface E2 ----- Trunk1----Bridge1  port 2---------Vlan 10 ----PC1
                                                                            port 3---------Vlan 20 ----PC2
Router
                 Interface E3 ----- Trunk2----Bridge2  port 2----------Vlan 10 ----PC3
                                                                            port 3----------Vlan 20 ----PC4

PROBLEM: I cannot assign Vlan10 to 2 different interfaces. If I give the second Vlan10 a different name I can assign to E3 but traffic fails.
Anyone know if this is possible or I have run up against another limitation of RouterOS? Packet sniffer shows ICMP traffic is

AND YES I have read the wiki docs and most other publicly available docs and still reading them. The docs show daisy chaining devices and of course daisy chaining your devices creates a serious single point of failure - Yikeeeeesssss

I am really hoping there were some real MikroTik experts out there just waiting for a real challenge !!!!!

What I see:
Packet Captured on Bridge1 E2 Tx
PC1 ICMP packets are egressing Bridge1 E2 with .1q tag as VLAN ID 10. This is correct!

Packet captured on Bridge1 E2 Rx
Return Packets from the Router1 on E2 - Destination host unreachable from 192.168.0.1
Router VLan30 ARPs (broadcast) for 192.168.0.33 MAC address

From PC1, successful pings to VLan10 192.168.0.1, vlan20 192.168.0.17 and Vlan30 192.168.0.33.

Router1 Config
/interface bridge add name=BR-A vlan-filtering=yes

/interface vlan
add interface=E2 name=E2-VL10 vlan-id=10
add interface=E3 name=E3-VL10 vlan-id=10
add interface=E2 name=E2-VL20 vlan-id=20
add interface=E3 name=E3-VL20 vlan-id=20
add interface=E2 name=MGT-E2-VL30 vlan-id=30
add interface=E3 name=MGT-E3-VL30 vlan-id=30

/interface bridge port
add bridge=BR-A interface=E2
add bridge=BR-A interface=E3

/interface bridge vlan
add bridge=BR-A tagged=E2,E3 vlan-ids=10
add bridge=BR-A tagged=E2,E3 vlan-ids=20
add bridge=BR-A tagged=E2,E3 untagged=BR-A vlan-ids=30

/ip address
add address=192.168.0.1/28 interface=E2-VL10 network=192.168.0.0
add address=192.168.0.17/28 interface=E2-VL20 network=192.168.0.16
add address=192.168.0.33/28 interface=MGT_E2-VL30 network=192.168.0.32

add address=192.168.0.14/28 interface=E2-VL10 network=192.168.0.0
add address=192.168.0.17/28 interface=E2-VL20 network=192.168.0.16
add address=192.168.0.33/28 interface=MGT_E2-VL30 network=192.168.0.32

/system identity set name=Router1


Thank you
Frank

Sorry man, but it's a mess. Your "ascii-art" drawing is not in accord with your configuration export.

First, it is correct that at L2 (bridging, switching, L2 forwarding - various names for the same thing), VLAN 10 on one bridge is isolated from VLAN 10 on another bridge. That's no limitation, that's how it should work. Your "ascii-art" drawing suggests there are two distinct bridges; your configuration export doesn't.

Second, you can either attach /interface vlan directly to an Ethernet interface, or you can make that Ethernet interface a member port of a bridge. Not both. If an Ethernet interface is a member port of a bridge, L2 forwarding of frames tagged with VLAN 10 between such interfaces is possible even without any /interface vlan. You only need to create an /interface vlan with vlan-id=10 if you want the router itself to have access into VLAN 10. And if so, the interface parameter of the /interface vlan row must be set to the bridge, not to any of the Ethernet ports grouped into that bridge. So in your export, it would be

/interface vlan
add interface=BR-A name=BR-A-VL10 vlan-id=10
add interface=BR-A name=BR-A-VL20 vlan-id=20
add interface=BR-A name=MGT-BR-A-VL30 vlan-id=30

If you want the same VLAN to be tagged at some ports of a bridge and tagless on other ones, you must use vlan-filtering=yes and specify the tagged list for each vlan-ids list under /interface bridge vlan, as your export properly shows; if you don't need to tag frames on ingress and untag them on egress, vlan-filtering may be left at no.

An /interface vlan is just a stupid pipe that tags frames in one direction and untags them in the reverse direction. The tagged end of it must be attached to some underlying interface, the tagless end becomes an interface itself and you can attach e.g. IP configuration to it. So you can attach two /interface vlan with the same vlan-id to two distinct Ethernet ports, but if you want frames tagged with that VLAN-ID to make it from one of these interfaces to the other one, you must create a dedicated bridge for that VLAN and make both these /interface vlan member ports of that dedicated bridge (using /interface bridge port rows). That is the old way of doing things in RouterOS before vlan-filtering has been implemented.

Third, your apparent intention was to attach two distinct IP addresses from the same subnet to /interface vlan attached to two different Ethernet interfaces. Attaching addresses from the same subnet to unrelated interfaces only makes sense in some very specific scenarios. Plus you've actually attached both to E2-VLxx which I guess was a typo.

If the above hasn't shed enough light, draw by hand what is your actual intended topology and post a photo of the drawing.

 
 
Update:
The router in this setup is configured for Intervlan-routing and as such

I see when you create a VLan, you must assign:

• a Name

• VLAN ID # and

• Interface

When you create an IP address for this VLan, you have to use the VLAN name not the interface because the interface is performing as a L2 bridge interface (Trunk).
I see the RouterOS does not complain if you assign the same IP address/mask to a different VLan name.

EXAMPLE
192.168.0.1/28    E2-VL10
192.168.0.1/28    E3-VL10
192.168.0.17/28  E2-VL20
192.168.0.17/28  E3-VL20
192.168.0.33/28  MGT-E2-VL30
192.168.0.33/28  MGT-E3-VL30

Problem solved. This is not normal but this crap works

EDITed this post the following morning Aug 26, 2021:
Even though my configuration above appeared to function correctly (traffic was flowing end-to-end), traffic did finally stop flowing. The PC ping run overnight and by the next morning it had failed. Rebooting all devices did not fix the failure and traffic did not flow end-to-end. I could only reach the Router gateway for Vlan10 and that was it. Sindy provides the Router configuration that does work. I rebooted all devices to ensure this wasn't another RouterOS "slow to notice a configuration change" failure
Thanks
Frank

EXAMPLE
192.168.0.1/28    E2-VL10
192.168.0.1/28    E3-VL10
192.168.0.17/28  E2-VL20
192.168.0.17/28  E3-VL20
192.168.0.33/28  MGT-E2-VL30
192.168.0.33/28  MGT-E3-VL30

Problem solved. This is not normal but this crap works

Nope. The crap above doesn't work - it only appears to work, and it will eject a small baseball stick and bash your head when you'll expect it least.

Hi Sindy,

Sorry this fourms app doesn't allow much flexibility in diagrams. I did my best.

Yes my 1 ROUTER has 2 Trunked interfaces E2 and E3 physically connected to 2 different physical bridges. (All physical infrastructure RouterOS devices, The 2 physical bridges are RB4100 and Router is CCR1009) I didn't provide the bridge configurations as bridge 1 worked and bridge 2 had the same config except for the IP and name.

Thanks for taking the time to write that long explanation. I came back from lunch and thought I would just try some off the wall stuff and hey it worked.

Thanks again
Frank

 
  

I'll run through the sniffer traces and see what I have but at this point I have connectivity from end-to-end!!
Thanks
Frank

What you need to do is read this excellent reference.
viewtopic.php?f=23&t=143620

and dont be shy about posting your config
/export hide-sensitive file=anynameyouwish

 
 
The configuration I posted does work. It may not be the most elegant way to setup this topology up but it does provide the end-to-end connectivity needed for my 1 router TRUNKING to multiple physical bridges WITHOUT daisy chaining devices. If there is a better way that is more correct to some hidden standard - reply back with the correct configuration and we will all rejoice!!!!!!
 
Thanks
Frank

OK, sorry, so bridge1 and bridge2 are not bridges on the router but external devices acting as bridges. Nevertheless, read my short post or the long one suggested by @anav. I can't see how PC1 can talk to PC3 with your weird configuration - if it does, it's due to some unexpected side effect.

I actually did post the correct configuration in my first post.

Hey Sindy,

Ahh I missed that.
What you are saying is to give the VLAN multiple names separated by ",".

.... AND I see in the Winbox, IP, Addresses,+, New Addresses tab, both names (separated by a ,) appears as a single line item and a single address can be assigned to both VLAN names in 1 statement.


.......but wait........ I have 2 physical interfaces on Router 1 - how can I make both E2 and E3 Trunk interfaces to carry the same VLans???

Is this where Interface List come into play???

Thanks
Frank

See attachment, Microsoft Paint format

The tagged end of it must be attached to some underlying interface, the tagless end becomes an interface itself and you can attach e.g. IP configuration to it. So you can attach two /interface vlan with the same vlan-id to two distinct Ethernet ports, but if you want frames tagged with that VLAN-ID to make it from one of these interfaces to the other one, you must create a dedicated bridge for that VLAN and make both these /interface vlan member ports of that dedicated bridge (using /interface bridge port rows). That is the old way of doing things in RouterOS before vlan-filtering has been implemented.

 
 
Is it possible to write this differently - I am struggling with what you are trying to say. Is it also possible to leave the old way out as we are using the up to date RouterOS 6.47. And YES we are using vlan-filtering on all bridges. Screen shots would be welcomed as-well!!!

Thanks again
Frank

Forget about interface list for now, it is not related. I gave you a link to the post with drawings how L2 forwarding/bridging/switching is linked to L3 routing etc. yesterday.

The basic configuration to have two trunk ports bridged together on a router, handling VLANs 10, 20, and 30 in particular, is as follows:

/interface bridge
add name=BR-A vlan-filtering=yes

/interface bridge port
add bridge=BR-A interface=ether2
add bridge=BR-A interface=ether3

/interface bridge vlan
add bridge=BR-A vlan-ids=10 tagged=ether2,ether3
add bridge=BR-A vlan-ids=20 tagged=ether2,ether3
add bridge=BR-A vlan-ids=30 tagged=ether2,ether3

With this configuration, devices in each VLAN can talk to all the other devices in the same VLAN, but there is no way they could reach devices in any other VLAN than their own one.

Now if you want the router itself to have access to the VLANs, in order that it could route the traffic among devices in different VLANs, you must add BR-A to the tagged lists in /interface bridge vlan, so they will look as follows:

/interface bridge vlan
add bridge=BR-A vlan-ids=10 tagged=BR-A,ether2,ether3
add bridge=BR-A vlan-ids=20 tagged=BR-A,ether2,ether3
add bridge=BR-A vlan-ids=30 tagged=BR-A,ether2,ether3

Next, you create the /interface vlan (their names may be different):

/interface vlan
add name=BR-A.10 interface=BR-A vlan-id=10
add name=BR-A.20 interface=BR-A vlan-id=20
add name=BR-A.30 interface=BR-A vlan-id=30

Finally, add IP addresses to the VLAN interfaces:

/ip address
add interface=BR-A.10 address=192.168.10.1/24
add interface=BR-A.20 address=192.168.20.1/24
add interface=BR-A.30 address=192.168.30.1/24

As you attach an IP address to an interface, a route to the associated subnet is dynamically added to the routing table.

Regarding screenshots - sorry, not my way of doing things. The text gives you much more information per pixel than a screenshot.

Regarding re-wording the description of /interface vlan... the most important feature of a VLAN is that it is virtual, i.e. there is no physical separation between the VLANs. The fact that a particular frame belongs to a particular VLAN is expressed by a 12-bit field in the header of that frame - the VID field in the VLAN tag. An access port to a particular VLAN adds the VLAN tag bearing the ID of that VLAN to the frames as it receives them from the wire, and strips the tag from the frames it sends out to the wire; a trunk port expects the frames to come already tagged from the wire, and does not remove the tag as it sends frames out.

Inside the router, the /interface vlan do the same - you can imagine each of them as a virtual access port to one VLAN on the bridge.

HI Sindy,

THANK YOU!!

Your latest Router configuration - All is good and operational now. I think I now understand how the vBRIDGE functions within RouterOS 6.47+, I see it as just another interface. (I'm gonna name it ether11).

BTW, I just edited my previous post indicating my crazy configuration did eventually fail just as you predicted. LOL. I knew that configuration was weird but much of this product is strange to me. I'm a 20+ year Cisco and Juniper guy. Nice thing with Cisco and Juniper, these folks publish updated doc with every new OS release.
Thank you again and I'm sure I'll have more questions.

Do you mind if I use this example to publish a how to doc? I'll provide you credit for your help!!!!

Frank