Lotar
just joined
Topic Author
Posts: 14
Joined: Fri Jun 15, 2012 2:10 pm

RSTP, multiple Vlans with cisco switches

Tue Aug 04, 2015 1:55 pm

Hi there,

Let me start by saying, I come from a Cisco background, and RouterOS's way of treating vlans/trunk/access ports is a little new to me.

I've been setting up a network for a client of mine and I have run into some problems. My intent is to set up a "simple" network consisting of a main Mikrotik router, 2 Cisco switches, and 3 Mikrotik wifi routers as access points.

The network is setup with 3 vlans. Vlan 10 for general access (pcs, printers, etc), vlan 20 for guests (with access to each other and internet), and vlan 100 for management only.

On the main router, I have assigned 2 physical ports (eth2 and eth3) as trunk links (one to each Cisco sw), so when a link goes down, the gateway for each vlan is still accessible. Each trunk physical port has 3 vlan interfaces "under" it. The vlan interfaces have been bound in 3 separate bridge interfaces. Each bridge interface has an ip address assigned to it (which serves as a gateway for that specific vlan). Each bridge interface has a dhcp server on it. I have added some access ports to the bridges (general access vlan and management vlan).

The cisco switches have int vlan 100 set for management purposes and default gateway set as the ip address of vlan 100's bridge on the main router. Each sw has a trunk port to the router, another to the other sw, and another to the access point (router as access point)

On the access points, eth1 is connected to a switch as a trunk port. There is a virtual ap created for the guest wifi. "Under" the physical trunk port (eth1) there are 3 vlan interfaces set. Each ap has a bridge for its non-trunk ports and the wlan1 interface, set as access ports to vlan 10. Another bridge is for the virtual ap (for guests) and vlan 20. There is a management ip set on the vlan 100 interface. There is also a default route to the main router's bridge for vlan 100.

Here is the diagram:
net diagram.jpg
My network is working but I have some problems:

1) First of all, the management interfaces on the APs work sporadically. When I ping them from the main router, about 50% of the packets are lost. The users (on vlan 10 and 20) connected to that ap experience normal internet access (no drops).

A traceroute of AP1 from the main router shows the other APs responding from time to time (weird)

[multipoint@EDGE] /tool> traceroute 192.168.100.10
# ADDRESS LOSS SENT LAST AVG BEST WORST
1 192.168.100.10 0% 42 0.3ms 0.3 0.2 0.5
192.168.100.11
192.168.100.12
-- [Q quit|D dump|C-z pause]


And a ping looks like this

[multipoint@EDGE] > ping 192.168.100.10
SEQ HOST SIZE TTL TIME STATUS
0 192.168.100.12 84 64 0ms redirect host
0 192.168.100.10 56 64 1ms
1 192.168.100.12 84 64 0ms redirect host
1 192.168.100.11 84 64 0ms redirect host
2 192.168.100.11 84 64 0ms redirect host
3 192.168.100.11 84 64 0ms redirect host
4 192.168.100.11 84 64 0ms redirect host
5 192.168.100.12 84 64 0ms redirect host
6 192.168.100.12 84 64 0ms redirect host
7 192.168.100.11 84 64 0ms redirect host
8 192.168.100.11 84 64 0ms redirect host
9 192.168.100.10 timeout
10 192.168.100.10 56 64 0ms
sent=11 received=2 packet-loss=81% min-rtt=0ms avg-rtt=0ms max-rtt=1ms


It appears the packet is bouncing around most of the time.
This makes connecting via winbox very problematic (the ap gets disconnected a lot).

2) The root bridge election process is not going as expected. I have set the main router to have a bridge priority of hex 2000 (8192) on every vlan bridge. On vlan 1 (which is the native vlan of the Cisco SWs) the root bridge is the main router. But on the other vlans, one of the SWs is the bridge. Is there a way to force the router to be the root bridge for every vlan? Or how can I convince the Cisco SWs to elect the routerboard as root bridge for each vlan?

(configs in next post)
 
Lotar
just joined
Topic Author
Posts: 14
Joined: Fri Jun 15, 2012 2:10 pm

Re: RSTP, multiple Vlans with cisco switches

Tue Aug 04, 2015 2:03 pm

main router config:

[multipoint@EDGE] > /export
# aug/04/2015 13:56:52 by RouterOS 6.30.2
# software id = 1HNL-A3Z5
#
/interface bridge
add name=bridge_vlan10 priority=0x2000
add name=bridge_vlan20 priority=0x2000
add name=bridge_vlan100 priority=0x2000
/interface ethernet
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] poe-out=off
/interface vlan
add interface=ether2 l2mtu=1594 name=vlan10_etf2 vlan-id=10
add interface=ether3 l2mtu=1594 name=vlan10_etf3 vlan-id=10
add interface=ether2 l2mtu=1594 name=vlan20_etf2 vlan-id=20
add interface=ether3 l2mtu=1594 name=vlan20_etf3 vlan-id=20
add interface=ether2 l2mtu=1594 name=vlan100_etf2 vlan-id=100
add interface=ether3 l2mtu=1594 name=vlan100_etf3 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool4 ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool5 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool1 ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool2 ranges=192.168.100.100-192.168.100.254
add name=dhcp_pool6 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool7 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge_vlan100 name=dhcp1
add address-pool=dhcp_pool6 disabled=no interface=bridge_vlan10 name=dhcp2
add address-pool=dhcp_pool7 disabled=no interface=bridge_vlan20 name=dhcp3
/interface bridge port
add bridge=bridge_vlan10 interface=vlan10_etf2
add bridge=bridge_vlan10 interface=vlan10_etf3
add bridge=bridge_vlan20 interface=vlan20_etf2
add bridge=bridge_vlan20 interface=vlan20_etf3
add bridge=bridge_vlan100 interface=vlan100_etf2
add bridge=bridge_vlan100 interface=vlan100_etf3
add bridge=bridge_vlan10 interface=ether6
add bridge=bridge_vlan100 interface=ether10
/ip address
add address=x.x.x.x/30 comment=WAN interface=ether1 network=x.x.x.x
add address=192.168.100.1/24 interface=bridge_vlan100 network=192.168.100.0
add address=192.168.1.1/24 interface=bridge_vlan10 network=192.168.1.0
add address=192.168.20.1/24 interface=bridge_vlan20 network=192.168.20.0
/ip dhcp-server network
add address=192.168.1.0/24 comment="dhcp settings vlan 10 (main)" dns-server=\
192.168.100.1 gateway=192.168.1.1 netmask=24
add address=192.168.20.0/24 comment="dhcp settings vlan 20 (guest)" dns-server=\
192.168.100.1 gateway=192.168.20.1 netmask=24
add address=192.168.100.0/24 comment="dhcp settings vlan 100 (maintenance)" \
dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=x.x.x.x,x.x.x.x

/ip route
add comment="default route" distance=1 gateway=x.x.x.x

/system identity
set name=EDGE
/system ntp client
set enabled=yes primary-ntp=x.x.x.x server-dns-names=xxxxxxxxx
 
Lotar
just joined
Topic Author
Posts: 14
Joined: Fri Jun 15, 2012 2:10 pm

Re: RSTP, multiple Vlans with cisco switches

Tue Aug 04, 2015 2:04 pm

cisco sw1: (2 is setup the same)

Current configuration : 3577 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW_2
!
enable secret 5 xxxxxxxxxxxxx
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/13
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/15
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/17
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/19
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/21
switchport mode trunk
!
interface FastEthernet0/22
switchport mode trunk
!
interface FastEthernet0/23
switchport mode trunk
!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 192.168.100.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.100.1
ip http server
!
line con 0
line vty 0 4
password xxxxx
login
line vty 5 15
password xxxxx
login
!
!
end
 
Lotar
just joined
Topic Author
Posts: 14
Joined: Fri Jun 15, 2012 2:10 pm

Re: RSTP, multiple Vlans with cisco switches

Tue Aug 04, 2015 2:09 pm

One of the APs:

[multipoint@AP1] > /export
# aug/04/2015 11:05:26 by RouterOS 6.30.2
# software id = 5581-ZRNW
#
/interface bridge
add mtu=1500 name=Bridge-Guest-Wifi
add mtu=1500 name=Bridge-vlan10
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:A9:DE:F8
set [ find default-name=ether2 ] mac-address=4C:5E:0C:A9:DE:F9 name=\
ether2-master-local
set [ find default-name=ether3 ] mac-address=4C:5E:0C:A9:DE:FA master-port=\
ether2-master-local
set [ find default-name=ether4 ] mac-address=4C:5E:0C:A9:DE:FB master-port=\
ether2-master-local
set [ find default-name=ether5 ] mac-address=4C:5E:0C:A9:DE:FC master-port=\
ether2-master-local
/interface vlan
add interface=ether1 l2mtu=1594 name=vlan10 vlan-id=10
add interface=ether1 l2mtu=1594 name=vlan20 vlan-id=20
add interface=ether1 l2mtu=1594 name=vlan100 vlan-id=100
/interface wireless security-profiles

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no frequency=2427 l2mtu=1600 mode=ap-bridge security-profile=\
wifi_nromal ssid=xxxxxxx tx-power=15 tx-power-mode=all-rates-fixed
add comment="wifi guest" disabled=no l2mtu=1600 mac-address=4E:5E:0C:A9:DE:FB \
master-interface=wlan1 name=wlan-guest security-profile=xxxxxx=\
xxxxx wds-cost-range=0 wds-default-cost=0
/interface wireless manual-tx-power-table
set wlan-guest comment="wifi guest"
/ip neighbor discovery
set wlan-guest comment="wifi guest"
/interface wireless nstreme
set *C comment="wifi guest"
/interface bridge port
add bridge=Bridge-vlan10 interface=vlan10
add bridge=Bridge-vlan10 interface=ether2-master-local
add bridge=Bridge-vlan10 interface=wlan1
add bridge=Bridge-Guest-Wifi interface=wlan-guest
add bridge=Bridge-Guest-Wifi interface=vlan20
/ip address
add address=192.168.100.10/24 comment="adresa management" interface=vlan100 \
network=192.168.100.0
/ip dhcp-relay
add dhcp-server=192.168.10.1 disabled=no interface=Bridge-vlan10 name=\
relay_vlan10
add dhcp-server=192.168.20.1 disabled=no interface=Bridge-Guest-Wifi name=\
relay_vlan20
/ip dns
set servers=8.8.8.8
/ip firewall filter

/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-autodetect=no
/system identity
set name=AP1

[multipoint@AP1] >
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: RSTP, multiple Vlans with cisco switches

Tue Aug 04, 2015 4:55 pm

As far as I know, Mikrotik devices are only compatible with CST, which is the IEEE standard for spanning-tree over vlans; this means 1 single instance of spanning tree for all the vlans available when trunks are in use. The STP (RSTP) information when CST is being used is sent over the native vlan, which by default on Cisco's switches is VLAN1, this is why you see the behaviour you're expecting here but not on the other VLANs.

The main problem here is that Cisco's implementation of STP and RSTP doesn't exactly follow the standard (802.1D nor 802.1w); they have a proprietary extension added to the protocols called "per-vlan" which you can't turn off. Over a trunk interface every VLAN sends its own BPDUs using the standard BPDU frame + extra information that's not part of the standard (contrary to CST, where this BPDU is only sent on the native VLAN and using the frame defined by the standard without anything extra), hence Mikrotik devices don't understand it and follow the typical transparent-bridging procedure (they flood the frame).

The IEEE standard for a per-vlan spanning-tree is called MST, which so far is not supported on Mikrotik devices. But you could use it on Cisco switches, since the standard also states that "when in presence of a CST device, MST emulates CST behaviour". The MST implementation on Cisco devices is as the standard implies; it doesn't have anything proprietary added to it.

I haven't really looked at your CFGs but I'm quite sure the problem that you comment on over VLAN100 is related to STP (for the reasons stated above). Have you taken a look at the switches' logs?
Rafael Carvallo
Telecommunications Engineer

Need consultation?
Need a hotspot with facebook integration?
Send a PM!

We speak Spanish and serve the Latin American market; visit our website:
http://www.tuproximosalto.com
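The encapsulation difference described in the reply above (a standard BPDU on the IEEE group address versus a Cisco PVST+ BPDU carried in a SNAP frame with a per-VLAN trailer) can be checked directly on captured frames. The following is an added example, not code from the thread or from either vendor: it builds two constructed sample frames (made-up MAC addresses), classifies each one, and reports what a CST-only bridge would do with it. It assumes the PVST+ layout as seen in packet captures (destination 01:00:0C:CC:CC:CD, SNAP OUI 00:00:0C with PID 0x010B, an 802.1Q tag on non-native VLANs, and a trailing originating-VLAN TLV); frames that do not match either layout are reported as not-bpdu.

```python
"""Tell IEEE (CST) BPDUs apart from Cisco PVST+ (SSTP) BPDUs.

Added example, not code from the thread. The frames below are constructed
inline (MAC addresses are made up) so the script runs offline.
"""
import struct

IEEE_STP_MAC = bytes.fromhex("0180c2000000")   # 802.1D/802.1w BPDU group address
PVST_MAC = bytes.fromhex("01000ccccccd")       # Cisco PVST+ (SSTP) group address
IEEE_LLC = b"\x42\x42\x03"                     # LLC header of a standard BPDU
SNAP_LLC = b"\xaa\xaa\x03"                     # LLC header of a SNAP frame
CISCO_OUI, PVST_PID = b"\x00\x00\x0c", 0x010B  # SNAP OUI/PID used by PVST+


def _bpdu_body(version, prio, mac):
    """Config (version 0) or RST (version 2) BPDU body; root == own bridge."""
    btype = 0x02 if version == 2 else 0x00
    body = struct.pack("!HBBB", 0, version, btype, 0)     # proto, ver, type, flags
    body += struct.pack("!H6sI", prio, mac, 0)            # root ID, root path cost
    body += struct.pack("!H6s", prio, mac)                # bridge ID
    body += struct.pack("!HHHHH", 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)  # port, timers
    if version == 2:
        body += b"\x00"                                   # version 1 length
    return body


def ieee_rstp_frame(src_mac, prio):
    """Untagged IEEE RSTP BPDU, the only kind a CST-only bridge emits or reads."""
    payload = IEEE_LLC + _bpdu_body(2, prio, src_mac)
    return IEEE_STP_MAC + src_mac + struct.pack("!H", len(payload)) + payload


def pvst_frame(src_mac, prio, vlan):
    """802.1Q-tagged PVST+ BPDU for one VLAN, as a Cisco trunk port sends it."""
    tlv = struct.pack("!HHH", 0x0000, 2, vlan)            # originating-VLAN (PVID) TLV
    payload = (SNAP_LLC + CISCO_OUI + struct.pack("!H", PVST_PID)
               + _bpdu_body(2, prio, src_mac) + tlv)
    return (PVST_MAC + src_mac + struct.pack("!HH", 0x8100, vlan)
            + struct.pack("!H", len(payload)) + payload)


def classify_bpdu(frame):
    """Return flavour, VLAN, root bridge ID and what a CST-only bridge does with it."""
    dst, off, tag_vlan = frame[:6], 12, None
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:                               # 802.1Q tag present
        tag_vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype > 1500:                                  # Ethernet II, never a BPDU
        return {"flavour": "not-bpdu"}
    off += 2                                              # skip the 802.3 length field
    llc, off = frame[off:off + 3], off + 3
    if dst == IEEE_STP_MAC and llc == IEEE_LLC:
        flavour = "ieee"
    elif (dst == PVST_MAC and llc == SNAP_LLC and frame[off:off + 3] == CISCO_OUI
          and struct.unpack_from("!H", frame, off + 3)[0] == PVST_PID):
        flavour, off = "pvst+", off + 5
    else:
        return {"flavour": "not-bpdu"}
    proto, version, btype = struct.unpack_from("!HBB", frame, off)
    if proto != 0 or btype not in (0x00, 0x02):
        return {"flavour": flavour, "version": version, "type": btype}  # e.g. a TCN
    root_prio, root_mac = struct.unpack_from("!H6s", frame, off + 5)
    pvid = None
    if flavour == "pvst+":                                # trailer follows the body
        body_len = 36 if btype == 0x02 else 35
        ttype, tlen, value = struct.unpack_from("!HHH", frame, off + body_len)
        if (ttype, tlen) == (0x0000, 2):
            pvid = value
    return {
        "flavour": flavour,
        "version": "rstp" if version == 2 else "stp",
        "tag_vlan": tag_vlan,
        "pvid": pvid,
        "root_priority": root_prio & 0xF000,   # configurable part (multiple of 4096)
        "root_sysid_ext": root_prio & 0x0FFF,  # VLAN id when extend system-id is on
        "root_mac": root_mac.hex(":"),
        # A CST-only bridge consumes only frames sent to the IEEE group address;
        # a PVST+ frame is just an unknown multicast to it and is flooded out.
        "cst_action": "process" if flavour == "ieee" else "flood",
    }


# Constructed sample: a RouterOS bridge at priority 0x2000 and a Cisco switch
# at the default 32768 + VLAN id (extend system-id), each announcing itself as root.
ROUTER_MAC = bytes.fromhex("4c5e0c000001")   # made-up address
SWITCH_MAC = bytes.fromhex("00d0ba000002")   # made-up address
SAMPLE_FRAMES = [
    ieee_rstp_frame(ROUTER_MAC, 0x2000),
    pvst_frame(SWITCH_MAC, 32768 + 10, 10),
    pvst_frame(SWITCH_MAC, 32768 + 100, 100),
]


def classify_all(frames=SAMPLE_FRAMES):
    return [classify_bpdu(f) for f in frames]


if __name__ == "__main__":
    for result in classify_all():
        print(result)
```

Run as-is it prints one record per sample frame: the untagged IEEE frame carries priority 8192 and is processed, while the VLAN 10 and VLAN 100 PVST+ frames carry 32768 with the VLAN id in the system-ID extension and are flooded. That is the mechanism behind the election result in the opening post: the 8192 priority only ever competes on the native VLAN, where the Cisco side also sends standard IEEE BPDUs.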
 
Lotar
just joined
Topic Author
Posts: 14
Joined: Fri Jun 15, 2012 2:10 pm

Re: RSTP, multiple Vlans with cisco switches

Thu Aug 13, 2015 4:49 pm

Thank you for the response shaoranrch.

After some tweaking, I ended up going for a single cable to one of the Cisco SW (typical Router on a stick setup).
So no more PVST+ related loops and problems for me. And no more redundancy (the second SW is connected only to the first SW)

From what I read about RouterOS, there is no option for backup interfaces (like in IOS "#backup interface fa0/1") except bonding, right? If I use bonding, then both interfaces should be connected to a single Cisco switch (where channel-protocol lacp is configured on 2 ports). So if that SW fails, no more redundancy for the network. In a Cisco environment, except for VSS, you can't connect a LACP channel across different physical switches (I may be wrong on this...)

Maybe some script to check if ether2 is up, and if not, then enable ether3?

Another thing I did is to set 3 static routes to each AP, forcing the preferred source as the management vlan gateway (distance 1). Before that, I had some minor packet loss. I don't know how that helps (because there is a dynamic connected active route with distance 0 to that subnet already in the routing table).
Edge_setup2.jpg
I would love to see MST on RouterOS.
 
Cha0s
Forum Guru
Posts: 1069
Joined: Tue Oct 11, 2005 4:53 pm

Re: RSTP, multiple Vlans with cisco switches

Thu Aug 13, 2015 5:06 pm

From what I read about RouterOS, there is no option for backup interfaces (like in IOS "#backup interface fa0/1") except bonding, right? If I use bonding, then both interfaces should be connected to a single Cisco switch (where channel-protocol lacp is configured on 2 ports). So if that SW fails, no more redundancy for the network. In a Cisco environment, except for VSS, you can't connect a LACP channel across different physical switches (I may be wrong on this...)
You could use bonding with active/backup mode (not LACP).

This way you will have redundancy in case the 'primary' switch fails.

AFAIK this does not require any special configuration on the part of the switches.

Of course if you do need the extra bandwidth with LACP you could use stackable switches and do LACP bonding on 1 port on each switch (I use this feature quite a lot and I find it awesome :D).
Maybe the ALB mode of bonding could also work on both switches without being stackable or without LACP (I haven't tried it in a while so I don't recall the exact mode of operation of ALB)
