Page 1 of 1

VLANs - mixed Cisco/Mikrotik

Posted: Fri Jul 29, 2011 7:32 pm
by Discus
Hi there,

I've been scratching my head and pounding it on the desk in frustration for the past little while.
I have read the VLAN wiki entry numerous times and it hasn't (yet) lead to a lightbulb moment!

I'm trying to split 2 sections of a network off from the rest with a couple of VLANs in a mixed Cisco/Mikrotik environment. Until earlier this week, the entire network was in 192.168.1.0/24 across 4 buildings. There are now a bunch of new VLANs and subnets configured.

Image

Essentially, I would like there to be two networks (bottom left and right), 192.168.2.0/24 and 192.168.3.1/24 in VLANs 2 and 3 respectively able to connect through the intervening architecture and NAT on the RB1000 using real.world.ip.2 and real.world.ip.3 respectively. The NAT part I have figured out - the VLANs, not so much!

Eventually, I would like to enable OSPF so that the links between the RB750s can "fail over/back" between the ~54 megabit wireless link and the ~1.5mbps SDSL, so I would need the solution to support this (over the "triangle" between the 3 RB750s), including the ethernet link.

Network description:
192.168.1.254 is the gateway for our network on the RB1000, which then connects to a real world IP address through "Internet" interface upstream from a real world IP address range (NAT x.x.x.1; subnets/VLAN will also be NATd ). There is a connection to a local INX through "INX" port; routes are exchanged via BGP in a private use ASN.
Starting at the RB 1000 (our core router), there is a physical link from a physical port called "private", which links into Gi1/0/24 on the 3750 (core switch); this is configured as a trunk port on the Cisco, and the mikrotik currently has VLAN 2,3 and 111 configured on "private". The core cisco 3750 switch has VLANs 2,3 110-116 configured on it.
From the core switch, 4 Cisco 2960s are connected to a trunk port each (Gi1/0/13-16); we can ignore these.
More relevantly, there is then a trunk port (Gi1/0/17) from the 3750 into eth5 of the RB750 (A). On the 750A, I've added VLAN 2,3,114,116 to eth2,3&5.
From 750A, eth2 connects to a RB433 and then through a wireless bridge to another RB433 to eth2 on a 750G.
From 750A, eth 3 connects to an SDSL bridge and then to eth3 of RB750(B).
Between 750G and 750(B), there is an ethernet link, forming a nice networking triangle. For now, I prevent loops by manually disabling eth3 of RB750(B), and enabling it if the wireless fails. (R)STP didn't work (too much flapping), and with a flat subnet structure up until now, I couldn't get OSPF to work.
The 2950s (A) and (B) have VLAN 2, 114, 116 and 3, 114, 116 configured on them; Port Gi1/0/24 is configured as a trunk, the rest will be client access ports.

VLAN descriptions:
VLAN 2 - 192.168.2.0/24
VLAN 3 - 192.168.3.0/24
VLAN 110 - Servers (192.168.110.0/24)
VLAN 111 - Data (192.168.111.0/24)
VLAN 112 - Wireless VLAN (not yet used; 192.168.112.0/24)
VLAN 113 - Guest Wireless VLAN (not yet used; 192.168.113.0/24)
VLAN 114 - Management VLAN (Ciscos configured with 192.168.114.0/24)
VLAN 115 - Voice VLAN (not yet used; 192.168.115.0/24)
VLAN 116 - Migration VLAN (carrying 192.168.1.0/24) - this will fall away in time.
All these are present on the core 3750;
110-116 are on the 4x48 port 2960s;
2,114,116 should be present on 2960A
3,114,116 should be present on 2960B

I have put interfaces on all the mikrotiks with the various VLANs; the core cisco 3750 also has VLAN 2 and 3 enabled.
I have added 192.168.2.1/24 to VLAN2 on RB1000
192.168.2.2/24 to port Gi1/0/17 on the 3750
192.168.2.3/24 to (interface) VLAN 2 on 750
192.168.2.4/24 to (interface) VLAN2 on 433 (A)
192.168.2.5/24 to (interface) VLAN2 on 433 (B)
192.168.2.252/24 to the trunk port Gi1/0/24 on the 2950(A)
192.168.2.254/24 to (interface) VLAN 2 on 750G

Problems:
The main thing that is causing me major headaches is I can't for the life of me get pings to travel across the entire network within VLAN 2 (I have yet to start work on VLAN 3). Do I need to configure the VLANs (and a VLAN address) on each physical interface of all the Mikrotiks (I've tried this), or do I need to create some sort of bridge?
Or have I misunderstood VLANs entirely!?

Here's how my pings are going:
192.168.2.1 - nothing reachable
192.168.2.2 - can reach 192.168.2.3, not 192.168.2.1
192.168.2.3 - can reach 192.168.2.2
192.168.2.100 (DHCP client) - can reach 192.168.2.252, 192.168.2.254, nothing below .100.
192.168.2.252 - can reach .254, but not DHCP address (i.e. .2.100)
192.168.2.254 - can reach 192.168.2.252, nothing else

I'm currently accessing all the routerboards through their old 192.168.1.0/24 addresses.

750G is running a DHCP server on VLAN2 interface handing out 192.168.2.100-192.168.2.200 addresses. Machines there can successfully DHCP and can ping 192.168.2.252, .254 and each other (but .252 can't ping them!). DHCP leases specify 192.168.2.254 as gateway.

RouterOS Versions:
The RB 1000 is running ROS 3.30; the RB750s and RB433s are all on ROS 5.4.

Gateways on this network are normally configured at the top of the subnet. (i.e. .254)

So....
What am I doing wrong and how can I fix it?
Many, many thanks in advance. :)

Re: VLANs - mixed Cisco/Mikrotik

Posted: Fri Jul 29, 2011 8:11 pm
by fewi
VLANs are inherently a layer 2 technology, which means bridging. While RouterOS is outstanding at bridging when it comes to wireless I'm confused as to why you're using all those RB750Gs. Those are routers, with a bit of switching thrown in via the switch chips - but compared to even the most basic managed switches they are lacking a lot of functionality. Routers shouldn't be used as bridges, they should be used as routers. That means they should be layer 3 gateways for broadcast domains (a router's purpose is to connect broadcast domains). VLANs -ARE- broadcast domains. So trying to get one VLAN to span across multiple routers fundamentally doesn't make any sense - that's something you use switches sometimes wireless bridges for.

However, you could just redesign your network to not have end to end VLANs for VLAN 2 and VLAN 3. From your diagram I see absolutely no need whatsoever for 192.168.2.0/24 (VLAN 2) to be available on anything other than eth5 on the "RB 750G" router, or for 192.168.3.0/24 (VLAN 3) to be available on anything other than eth5 on the "RB 750 (B)" router. All other links between routers should be /30s - routed links, in other words. The RB750 routers become the layer 3 gateways for the two VLANs, and traffic back to the core is routed. Establish an OSPF area between all the involved routers and they'll figure out how to get to each other automatically, including link failover, multiple active paths (if you want them), preferred paths, etc. This has many other advantages, such as you being able to control traffic via normal IP firewalls close to the packet source, and broadcast packets not propagating throughout the entire network. You may want to read up on "hierarchical networks". While you are definitely going down the right path by converting your network from one large layer 2 topology to something more segmented, you're just trying to go to multiple overlaid layer 2 topologies that all co-exist on the same physical paths. This approach is better than one large topology, but doesn't fix most of the major drawbacks. It would be much more beneficial to instead go to multiple connected layer 3 topologies - in your case you actually wouldn't really have to use VLANs 2 and 3 at all - they'd just be layer 3 networks on a routed port on the RouterBOARDs.

Re-reading my post before hitting the submit button I now think it's fairly dense and confusing, I hope it makes sense in some fashion. You are trying to build a moderately complex network, so it's kind of hard to cover it all in a few paragraphs.

Re: VLANs - mixed Cisco/Mikrotik

Posted: Fri Jul 29, 2011 8:30 pm
by fewi
Bored in a meeting. Here a quickie scribble of how I'd implement that network, keeping all the hardware you show exactly in its place. OSPF between all the routers, with either ECMP between the SDSL and WLAN paths, or one of them preferred due to more available bandwidth with the other only used for failover. Static gateways pointing to the "RB 750(A)" router on the WLAN bridges and the SDSL bridges (those static routes wouldn't be used at all for routing customer traffic, only for administrative traffic - on the WLAN bridges, for example, the WLAN and copper interfaces are bridged, with the IP assigned to the bridge. Same for the SDSL bridges. Those links are layer 2 between the RB750s.

This doesn't account for your VLAN 116. But that VLAN is not needed after migration, so I'd rather implement everything at once rather than migrate slowly. It also doesn't account for your VLAN 114 - which isn't needed, either. You don't need an end to end management VLAN. You could make the links between the 2960s at the bottom and their RB750 uplink trunks, and carry two VLANs - one for users, one for management. But they would be local only between the switch and its immediate uplink. Alternatively you just give the switch an IP on the immediate client network and protect it from being accessed by sources from the client VLAN. Two VLANs is much cleaner, but would have made the drawing rather muddy.

Re: VLANs - mixed Cisco/Mikrotik

Posted: Sat Jul 30, 2011 2:31 pm
by Discus
fewi - Many, many thanks for your invaluable advice!

I figured out why a lot of the inter-router VLAN traffic was broken. Some idiot forgot to allow VLAN 2 on the trunk between the 3750 and the core RB1000... Oops...!

Anyway, your proposed network makes a lot more sense, so I'm going that route!

I'm currently modifying my network to take into account your suggestions - I'll let you know how it goes as soon as I'm done! :)

Thanks++++ :D

Re: VLANs - mixed Cisco/Mikrotik

Posted: Tue Aug 02, 2011 6:21 pm
by martini
use transparent bridge on all rb750 and rb433, and configure STP (rstp) on routers and switches (for backup), its much simply than use many vlans in your schema.

Re: VLANs - mixed Cisco/Mikrotik

Posted: Tue Aug 02, 2011 7:03 pm
by blake
use transparent bridge on all rb750 and rb433, and configure STP (rstp) on routers and switches (for backup), its much simply than use many vlans in your schema.
[sarcasm] Right! Because separating traffic at layer 2 is such a bad idea. [/sarcasm]

Re: VLANs - mixed Cisco/Mikrotik

Posted: Sun Aug 07, 2011 9:37 am
by martini
use transparent bridge on all rb750 and rb433, and configure STP (rstp) on routers and switches (for backup), its much simply than use many vlans in your schema.
[sarcasm] Right! Because separating traffic at layer 2 is such a bad idea. [/sarcasm]
)) and you dont know how to setup Vlan , gvrp, vtp .. thru transparent bridge on RB ??? :lol: