inquiery
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Oct 27, 2014 3:49 pm

Remote access through VLAN on CRS317

Fri Aug 27, 2021 8:00 pm

Hi

I'm trying to figure out a detail for a VLAN scenario that is rendering me unable to access one of the switches.
In the diagram attached, I have a switch (named "Switch" in the diagram) and two CRS317 (named "CRS #1" and "CRS #2" in the diagram). I have a network in my office, where the PC in the diagram is connected and used to access the devices for configuration.
The CRS #2 is on a remote site, and then I created a VLAN for management.
On CRS #1, port 14 is configured with PVID 1000, and all used SFP ports are on a bridge (ether1 is not).
[user@CRS_#1] > /interface bridge port pr
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE            BRIDGE           HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H sfp-sfpplus1         bridge-uplink    yes    1     0x80         10                 10       none
 1   H sfp-sfpplus5         bridge-uplink    yes    1     0x80         10                 10       none
 2   H sfp-sfpplus6         bridge-uplink    yes    1     0x80         10                 10       none
 3   H sfp-sfpplus2         bridge-uplink    yes    1     0x80         10                 10       none
 4   H sfp-sfpplus15        bridge-uplink    yes    1     0x80         10                 10       none
 5   H sfp-sfpplus16        bridge-uplink    yes    1     0x80         10                 10       none
 6   H sfp-sfpplus14        bridge-uplink    yes 1000     0x80         10                 10       none
And the VLAN 1000 is configured as tagged on port 15 and untagged on 14:
 2   bridge=bridge-uplink vlan-ids=1000 tagged=sfp-sfpplus15 untagged=sfp-sfpplus14 
     current-tagged=sfp-sfpplus15 current-untagged=sfp-sfpplus14 
And on CRS #2, all ports are on a bridge (sfp and ethernet), with PVID 1000 on sfp ports 15, 16 and ether1.
[user@CRS_#2] > /interface bridge port pr
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE      BRIDGE         HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0   H ether1         bridge         yes 1000 0x         10         10       none
 1   H sfp-sfpplus1   bridge         yes    1 0x         10         10       none
 2   H sfp-sfpplus2   bridge         yes    1 0x         10         10       none
 3   H sfp-sfpplus3   bridge         yes    1 0x         10         10       none
 4   H sfp-sfpplus4   bridge         yes    1 0x         10         10       none
 5 I H sfp-sfpplus5   bridge         yes    1 0x         10         10       none
 6 I H sfp-sfpplus6   bridge         yes    1 0x         10         10       none
 7 I H sfp-sfpplus7   bridge         yes    1 0x         10         10       none
 8 I H sfp-sfpplus8   bridge         yes    1 0x         10         10       none
 9 I H sfp-sfpplus9   bridge         yes    1 0x         10         10       none
10 I H sfp-sfpplus10  bridge         yes    1 0x         10         10       none
11 I H sfp-sfpplus11  bridge         yes    1 0x         10         10       none
12 I H sfp-sfpplus12  bridge         yes    1 0x         10         10       none
13 I H sfp-sfpplus13  bridge         yes    1 0x         10         10       none
14 I H sfp-sfpplus14  bridge         yes    1 0x         10         10       none
15   H sfp-sfpplus15  bridge         yes 1000 0x         10         10       none
16   H sfp-sfpplus16  bridge         yes 1000 0x         10         10       none
And the VLAN 1000 is configured as tagged on sfp 1 and bridge, and untagged on ether1, sfp 15 and 16.
 2   bridge=bridge vlan-ids=3902 tagged=sfp-sfpplus1,bridge untagged=ether1,sfp-sfpplus16,sfp-sfpplus15 
     current-tagged=bridge,sfp-sfpplus1 current-untagged=ether1,sfp-sfpplus15,sfp-sfpplus16 
I have then created a VLAN interface, on bridge port, to give it an address to access it from my PC.
[user@CRS_#2] /interface vlan> pr det
Flags: X - disabled, R - running 
 0 R name="vlan1000" mtu=1500 l2mtu=1588 mac-address=CC:2D:E0:57:F2:08 arp=enabled arp-timeout=auto loop-protect=default 
     loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=1000 interface=bridge 
     use-service-tag=no 
From my PC I can ping CRS #1 (through its ether1, which is not on any bridge), and I can ping OLT 1, OLT 2 and OLT 3, but I can't ping CRS #2.

I'm trying to figure out the right way to do that, and I couldn't yet. From CRS #1 I can use MAC Telnet to access CRS #2 and configure it, but I can't yet ping it directly to access it via winbox.

Thanks to anyone who has the patience to read it through and try to help me.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Remote access through VLAN on CRS317

Sat Aug 28, 2021 10:45 pm

According to the code section written above for CRS2, you are using tagged 3902, though you told us just before that you are using 1000.

Also, I think it's recommended not to specify untagged ports; they will be dynamically added when you set the port PVID.
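A cross-check for the ID mismatch pointed out in the reply above, as an added example that is not part of any post in this thread: it parses `/interface bridge port print` rows and `/interface bridge vlan print` entries, then flags ports whose PVID differs from the VLAN they are listed as untagged in, and a VLAN interface whose ID has no entry with the bridge tagged. The function names are hypothetical, the sample input is abridged from the CRS #2 output posted above, and the second check assumes bridge VLAN filtering is enabled.

```python
import re

# Sample input abridged from the CRS #2 output in this thread (IDs as posted).
PORTS = """\
 0   H ether1         bridge         yes 1000 0x         10         10       none
 1   H sfp-sfpplus1   bridge         yes    1 0x         10         10       none
 5 I H sfp-sfpplus5   bridge         yes    1 0x         10         10       none
15   H sfp-sfpplus15  bridge         yes 1000 0x         10         10       none
16   H sfp-sfpplus16  bridge         yes 1000 0x         10         10       none
"""
VLANS = ("bridge=bridge vlan-ids=3902 tagged=sfp-sfpplus1,bridge "
         "untagged=ether1,sfp-sfpplus16,sfp-sfpplus15")
PORT_ROW = re.compile(r"^\s*\d+\s+(?:[XIDH]\s+)*(\S+)\s+(\S+)\s+(?:yes|no)\s+(\d+)\s")

def vids(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of ints."""
    return {v for part in spec.split(",") if part
            for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_ports(text):
    """Map interface -> PVID from '/interface bridge port print' rows."""
    rows = (PORT_ROW.match(line) for line in text.splitlines())
    return {m[1]: int(m[3]) for m in rows if m}

def parse_vlans(text):
    """Parse '/interface bridge vlan print' entries into dicts of sets."""
    entries = []
    for line in text.splitlines():
        kv = dict(re.findall(r"([\w-]+)=(\S*)", line))
        if "vlan-ids" in kv:
            members = lambda k: set(filter(None, kv.get(k, "").split(",")))
            entries.append({"bridge": kv.get("bridge"), "ids": vids(kv["vlan-ids"]),
                            "tagged": members("tagged"), "untagged": members("untagged")})
    return entries

def audit(ports, vlans, mgmt_vid, mgmt_bridge):
    """Return findings; ports absent from 'untagged' are not flagged, since
    RouterOS can add them dynamically from the port PVID."""
    findings = [f"{p}: untagged in VLAN {sorted(e['ids'])} but PVID is {ports[p]}"
                for e in vlans for p in sorted(e["untagged"])
                if p in ports and ports[p] not in e["ids"]]
    # Assumes VLAN filtering is on: the bridge must then be a tagged member
    # of the VLAN for a VLAN interface on the bridge to see its frames.
    if not any(e["bridge"] == mgmt_bridge and mgmt_vid in e["ids"]
               and mgmt_bridge in e["tagged"] for e in vlans):
        findings.append(f"vlan-id {mgmt_vid}: '{mgmt_bridge}' is not tagged in it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_ports(PORTS), parse_vlans(VLANS), 1000, "bridge")))
```

Run against the output as posted, it reports the three PVID 1000 ports that are untagged in VLAN 3902 and the VLAN interface on 1000 with no matching table entry; with one ID used throughout, it reports nothing.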
 
inquiery
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Oct 27, 2014 3:49 pm

Re: Remote access through VLAN on CRS317

Tue Aug 31, 2021 12:54 am

Sorry for that.

Actually, the VLAN I use is 3902, but after I exported the configs to create the topic, I thought "I will change the 3902 to 1000 for easier reading", and I forgot to change that one.

But in my configs, the ID is 3902 everywhere. I have already checked many times whether I wrote the wrong ID somewhere, and I didn't.

Anyway, for some reason, it is now working. I don't know why. I think it took some time to actually refresh the MACs on the right ports, since some MACs appeared in wrong interfaces before I finished the configuration.

I will take more time and see if I changed anything from the configs I posted here, but I don't think so. I think the configuration I have now is exactly the same as I posted here (considering that where I wrote VLAN 1000 it is actually 3902), and it is working.
