gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Trunk/VLAN on PTP Wireless bridge with CISCO

Sat Oct 02, 2021 6:47 am

Hi,
I have two MK SXT Wireless connected to link 2 offices.
I have 2 CISCO switches at each site that they are connected to. Somehow I cannot get the Trunk and VLAN to work based on my configs.
I want to pass 2 vlans via the wireless link.
I have set up trunk on both my CISCO, and created sub interfaces for vlan 50 and vlan 310.
It's not working. See image of what I want to achieve.
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sat Oct 02, 2021 9:42 am

The picture is clear, but the configuration exports from both SXTs are missing. See my automatic signature for a hint.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sun Oct 03, 2021 10:59 am

Hi sindy,

Here are my simple config on both sites.
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sun Oct 03, 2021 2:02 pm

First, RouterOS can transport VLAN-tagged frames via a wireless link without any additional encapsulation, but I hazily remember this capability became available as late as with the vlan-filtering capability of bridges in ROS 6.41 (and it is not clearly described in either the wireless manual page or the bridge manual page). So the first thing to do is to upgrade both SXTs to the latest long-term release (in 6.30.2, the same upgrade channel is called bugfix), which is 6.47.10 as of writing this.

Also, even once your wireless link starts natively supporting VLANs, there are a number of mistakes in your current configuration:

/interface bridge
add name=bridge1 mtu=1500 protocol-mode=none
add name=bridge_Vlan50
add name=bridge_vlan310

/interface bridge port
add bridge=bridge_Vlan50 interface=ether1-local
add bridge=bridge_Vlan50 interface=wlan1-gateway
add bridge=bridge_vlan310 interface=vlan310

/ip address
add address=172.16.11.36/16 interface=wlan1-gateway network=172.16.0.0
add address=10.10.5.3/27 interface=ether1-local network=10.10.5.0

/interface vlan
add interface=ether1-local l2mtu=1594 name=vlan310 vlan-id=310


What you've actually done here:
  • Frames are forwarded between wlan1-gateway and ether1-local via a bridge named bridge_Vlan50. As you say you've created a subinterface for VLAN 50 at the Cisco, but the SXTs' own IP addresses are attached directly to wlan1-gateway and ether1-local, these addresses will not be accessible via the VLAN 50 subinterface on the Cisco but via the carrier interface itself, i.e. using tagless frames.
  • In addition, you've attached an /interface vlan with vlan-id=310 to ether1-local and made that /interface vlan a member port of bridge_vlan310, but this bridge has no other member port. In current ROS versions, the same interface cannot be a member port of a bridge and at the same time be a carrier interface for an /interface vlan. Even if this worked in 6.30.2, you'd get frames from Cisco's VLAN 310 subinterface on the bridge_vlan310, but they wouldn't get any further from that bridge.
So to get a configuration suggestion, improve the drawing to express whether the management of the SXTs should remain accessible via tagless frames or whether it should be accessible via VLAN 50. Explain why you need two IP addresses, each from another subnet, on the SXT.

How logistically complex is it for you to upgrade each SXT locally? I mean, upgrading directly from 6.30.2 to 6.47.10 may cause some issues in configuration conversion, rendering the device inaccessible. So if I were to upgrade remotely, I'd definitely remove any configuration related to VLAN 310 before upgrading, and I'd still upgrade first to 6.38.7, then to 6.43.16, and then to 6.47.10, upgrading the more remote device first in each step, in order to minimize the risk that I'll have to drive to the remote site and/or climb to the mast/roof.
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sun Oct 03, 2021 2:54 pm

This is a standalone manual page explaining that setup. Please also note that they use mode=bridge at one device and mode=station-bridge at the other one, whilst you've got mode=bridge on both devices. Also here, maybe it works that way in 6.30.2, but it is unlikely to work in current RouterOS versions.
 
anav
Forum Guru
Posts: 8753
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sun Oct 03, 2021 3:15 pm

Nice link.......
This line......
All devices (R1, R2, AP and ST) needs a VLAN interface created in order to be able to access the device through the specific VLAN ID. For AP and ST create the VLAN interface on top of the bridge interface and assign an IP address to it:
Basically makes the case that all smart devices in the network should have an IP address on the management vlan.

What I would do, not sure if required or not but............
The management vlan should be an interface list member of a list created and called manage
Put winbox macserver interface as manage
Put an IP route to the gateway of the management vlan
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sun Oct 03, 2021 3:19 pm

Well, of course it is no copy-paste job, hence my question regarding the roles of the management addresses and via which VLAN they should be accessible. I don't think there is a reason why the SXTs should be accessible from all (both here) VLANs they forward at L2.
 
anav
Forum Guru
Posts: 8753
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Sun Oct 03, 2021 4:05 pm

My comments were for the link provided, not on the advice provided. Just wanted to add a bit of helpful details.
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Tue Oct 05, 2021 11:44 am

I managed to upgrade my 2 SXT to 6.48.

I have created one bridge and added all my vlans, also associated all vlan to the bridge, including wlan also.

But when I configure switchport mode trunk on my CISCO switch I get error. VLAN mismatch errors.

See configs and screenshot attached.
 
anav
Forum Guru
Posts: 8753
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Tue Oct 05, 2021 6:22 pm

Well, the concept I am struggling with is having the wifi link carry more than one vlan. I am only used to wlan to users.......
If the wlan to wlan link can be viewed as a wifi trunk port then that is clearer!!

Assumptions made
vlan 50 is management vlan
vlan 10 is data vlan

# model = SXT 5HPnD
# serial number = 46B702F560DC
/interface bridge
# only one bridge
add fast-forward=no name=bridge_Trunk
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \
country=no_country_set disabled=no frequency=5300 frequency-mode=\
manual-txpower mode=bridge name=wlan1-gateway ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
ether1-local
/interface vlan
# trunk port
add interface=bridge_Trunk name=vlan10 vlan-id=10
# trunk port
add interface=bridge_Trunk name=vlan50 vlan-id=50

/interface list
add name=manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge_Trunk hw=no interface=ether1-local ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge_Trunk interface=wlan1-gateway ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridge_Trunk tagged=bridge_Trunk,ether1-local,wlan1-gateway vlan-ids=10,50

/interface list member
add interface=vlan50 list=manage
/ip address
add address=10.10.5.5/27 interface=vlan50 network=10.10.5.0

/ip dns
set allow-remote-requests=yes servers=172.16.10.94,8.8.8.8
/ip dns static
add address=10.10.5.2 name=router
/ip route
add distance=1 gateway=10.10.5.1
/ip service
set api disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Indian/Mauritius
/system identity
set name=MK_SCAA_STORE
/system leds
set 0 interface=wlan1-gateway
add interface=ether1-local leds=user-led type=interface-activity
/system ntp client
set primary-ntp=10.10.14.2
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=manage
/tool romon port
add

The OTHER SXT would be nearly identical except needs different IP address on vlan50 subnet.
Last edited by anav on Wed Oct 06, 2021 3:14 pm, edited 1 time in total.
 
tdw
Forum Guru
Posts: 1020
Joined: Sat May 05, 2018 11:55 am

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Tue Oct 05, 2021 7:26 pm

Certainly multiple bridges with spanning tree enabled (the default) easily fall foul of several misconfiguration scenarios, as described at https://wiki.mikrotik.com/wiki/Manual:L ... figuration. Also, if the Cisco is using PVST+, it is incompatible with RSTP.

For point-to-point links it is often best to disable spanning tree completely on the radios - some of the 'slow protocol' ethernet addresses normally blocked by regular bridges are then forwarded, making the connection more like a very long ethernet cable; see the protocol-mode description in https://wiki.mikrotik.com/wiki/Manual:I ... Properties
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Tue Oct 05, 2021 9:36 pm

"I have created one bridge and added all my vlans, also associated all vlan to the bridge, Including wlan also."
Unfortunately, from the last config export it seems you've totally misunderstood how the bridging configuration works in Mikrotik. I can suggest you the correct configuration, but I need answers to the questions I've asked in my second post:

"to get a configuration suggestion, improve the drawing to express whether the management of the SXTs should remain accessible via tagless frames or whether it should be accessible via VLAN 50. Explain why you need two IP addresses, each from another subnet, on the SXT."

The fact that PVST+ and RSTP are incompatible is important in the sense that if you need the SXTs to stay manageable, they must be part of the spanning tree, so that the PVST+ would not stop forwarding on that link for the VLAN used for management of the SXTs. If there is no other network path between the Ciscos than via this link, this cannot happen and you can disable STP on the SXTs completely. If there is a second path, the only way to make it work properly is to replace PVST+ by MSTP on all the Cisco switches and use MSTP on the SXTs.
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 8:10 am

Hi, this is a more detailed photo.
Please disregard the other IP address 172.16.x.x, it has been removed.

Right now the configs are as follows: the 10.10.5.0 addresses are for management only, and they are on the interfaces vlan 50 on both routers. It is not the issue.

Issue is I cannot get the trunk working from CISCO to Mikrotik. I get vlan mismatch each time.
My ether1 on both MK have vlan 10, 50, 310 as its sub interface.
And ether1, wlan1, vlan 10, 50, 310 are all members of bridge_trunk.

See photos below.
 
anav
Forum Guru
Posts: 8753
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 1:52 pm

No, they are not.
Your config is hosed, did you not see the example provided??
At least read this article.
viewtopic.php?t=143620

You assigned the vlans to ether1 and not the bridge...........
Furthermore, vlans are NOT bridge ports........
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 1:54 pm

The VLANs are assigned to the bridge in PORTS
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 1:56 pm

How a trunk port is made in Mikrotik then... The interface directly connected to CISCO (which is ether1) will create a trunk
 
CZFan
Forum Guru
Posts: 2065
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 2:28 pm

"The VLANs are assigned to the bridge in PORTS"
"How a trunk port is made in Mikrotik then... The interface directly connected to CISCO (which is ether1) will create a trunk"
Clearly you have not read the link from @sindy!!! Your config is based on the "old Mikrotik Vlan" method and not as per article, not the forum's place to do work for you.
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Posts: 7907
Joined: Mon Dec 04, 2017 9:19 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 2:54 pm

"Right now the configs are as follows: the 10.10.5.0 addresses are for management only, and they are on the interfaces vlan 50 on both routers. It is not the issue."
I understand this is not the issue, but to get rid of the actual issue, the configuration of the SXTs has to be changed. And since an SXT only has a single Ethernet port, it is important not to lose access to the SXTs, as the reset button is hard to reach on them and it's not even a button but just contact pads. So if you've got a USB to serial converter and easy access to both devices, you can take a risk, otherwise you have to be very careful.
"My ether1 on both MK have vlan 10, 50, 310 as its sub interface.
And ether1, wlan1, vlan 10, 50, 310 are all members of bridge_trunk."
In the Cisco way of thinking, think about each SXT as about a separate switch interconnected with a separate router, except that their interconnection cable is a virtual one. So no VLAN subinterfaces to be used at ether1 or wlan1, these are switchports, not router ports. And then there is another switchport, named the same as the bridge (switch), and to it an interface of the router is connected, unfortunately also named the same as the bridge (switch). See this post for more details.

Whilst VLAN 50, which you intend to use for management access to the SXTs, has to be in trunk mode (tagged) at ether1 (and, for simplicity, also on wlan1) because that's how it is configured at the Cisco boxes, there are two ways how to handle it between the router part of the SXT and the bridge part of it:
  1. you can keep VLAN 50 as a trunk (tagged) one on the router-facing port of the bridge, and attach a subinterface to the switch-facing port of the router. In this case, the native VLAN will stay 1 on that port,
  2. you can set VLAN 50 as a native VLAN on the router-facing port of the bridge, and attach the IP configuration to the switch-facing interface of the router (i.e. no subinterface).
The above works with vlan-filtering set to yes on the bridge; with vlan-filtering=no, the switch acts as a dumb one, unable to tag/untag frames, just blindly forwarding them verbatim. But in this mode, it seems that the tagged frames are not accepted by the wireless interfaces.

So one possible target configuration of the bridges, VLANs and IP addresses at both SXTs is:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes

/interface vlan
add name=bridge.50 interface=bridge vlan-id=50

/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=ether1,wlan1
add bridge=bridge vlan-ids=50 tagged=bridge,ether1,wlan1
add bridge=bridge vlan-ids=310 tagged=ether1,wlan1

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1

/ip address
add address=10.10.5.4/27 interface=bridge.50


But to reach this target state, you need to do some intermediate steps if you cannot connect to both SXTs using a serial console.

Even if you can reach both devices via ethernet, i.e. you don't need to reach the "remote" one via the wireless link, you have to be careful - at first place, attach addresses from different subnets to bridge itself (to manage the SXTs from a PC connected directly to the SXT's ethernet port) and to the VLAN "subinterface" (to manage SXTs from a PC connected to an access port to VLAN 50 on some Cisco). Addresses from same subnet on different interfaces will cause trouble.

So unless you'll configure using a USB serial cable, describe which SXT will be "local" and which will be "remote" (or whether you have them in the same room so far so both are "local"), to get the proper sequence of configuration steps.
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
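
A small linter for the mistakes named in this thread, added here as an illustration; it is not part of the post above and not MikroTik code. The function names and finding names are made up for this example, and it assumes a plain `/export` text with comma-separated `vlan-ids` (no ranges).

```python
import re
import shlex
from collections import defaultdict

def parse_export(text):
    """Group the 'add' lines of a RouterOS export by menu path."""
    menus, menu = defaultdict(list), None
    joined = re.sub(r"\\\n\s*", "", text)  # exports wrap long lines with a backslash
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus[menu].append(dict(pairs))
    return menus

def lint(text):
    """Return sorted (finding, object) pairs for the mistakes named in the thread."""
    m = parse_export(text)
    bridges = {b["name"]: b for b in m["/interface bridge"]}
    ports = {p["interface"]: p["bridge"] for p in m["/interface bridge port"]}
    table, found = m["/interface bridge vlan"], set()
    for v in m["/interface vlan"]:
        name, carrier = v["name"], v["interface"]
        if carrier in ports:    # carrier is a switchport, not a router port
            found.add(("vlan-on-bridge-port", name))
        if name in ports:       # a VLAN interface is not a bridge port
            found.add(("vlan-as-bridge-port", name))
        if carrier in bridges:  # CPU access needs the bridge itself tagged
            tagged = {i for e in table if e["bridge"] == carrier and v["vlan-id"]
                      in e["vlan-ids"].split(",") for i in e.get("tagged", "").split(",")}
            if carrier not in tagged:
                found.add(("bridge-not-tagged", name))
    for e in table:             # the VLAN table has no effect without filtering
        if bridges.get(e["bridge"], {}).get("vlan-filtering") != "yes":
            found.add(("vlan-filtering-off", e["bridge"]))
    return sorted(found)

# Target configuration from the post above (bridge, VLAN and port parts).
GOOD = """/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add name=bridge.50 interface=bridge vlan-id=50
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=ether1,wlan1
add bridge=bridge vlan-ids=50 tagged=bridge,ether1,wlan1
add bridge=bridge vlan-ids=310 tagged=ether1,wlan1
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1"""
# Excerpt of the original configuration quoted earlier in the thread.
BROKEN = """/interface bridge
add name=bridge_Vlan50
add name=bridge_vlan310
/interface bridge port
add bridge=bridge_Vlan50 interface=ether1-local
add bridge=bridge_Vlan50 interface=wlan1-gateway
add bridge=bridge_vlan310 interface=vlan310
/interface vlan
add interface=ether1-local l2mtu=1594 name=vlan310 vlan-id=310"""
```

`lint(GOOD)` returns an empty list, while `lint(BROKEN)` reports `vlan310` both as a VLAN interface on a bridge port and as a VLAN interface used as a bridge port.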
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Wed Oct 06, 2021 3:06 pm

Thanks sindy.. your explanation is clear... I will do the configs in this manner.
 
gmonty
just joined
Topic Author
Posts: 18
Joined: Mon Aug 23, 2021 3:20 pm

Re: Trunk/VLAN on PTP Wireless bridge with CISCO

Mon Oct 11, 2021 10:53 am

Hi sindy.

Applied the config in this manner and vlan traffic is now passing through.

So much for this new way of configuring vlans on MK, coming from a Cisco world.
:) :) Thanks a lot
