Community discussions

 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Mikrotik > Juniper VLAN trunk

Sun May 12, 2019 12:18 am

I'm trying to pass 2 separate tagged VLAN traffic from a RB2011 (Ports 2-5 as VLAN id 10 for 192.168.44.0/24, and Ports 6-10 as VLAN id 20 for 172.16.44.0/24) through ether1 as a "trunk" without NAT (NAT handled by the Juniper later), though I guess VTP isn't supported. I've established a VLAN 20 that includes Ports 6-10 (which were already on a separate bridge), how do I get that traffic to ether1 along with VLAN 10 traffic from Ports 2-5? Here's what I have:
Image
Which also means I'm not sure whether to configure the Juniper ge0/0/3.0 as a vlan trunk or access port, but that's probably a question for JunOS guys (leaning toward trunk), here's what I *think* I'll need on that end:
vlans {
        data44 {
            vlan-id 10;
        }
        voice44 {
            vlan-id 20;
        }
    }
ge-0/0/3 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ data44 voice44 ];
            }
        }
    }
} 
meanwhile I'm just trying to get the RB2011 to pass both VLAN 10 and 20 traffic to the Juniper over one Ethernet cable. Suggestions?
 
mkx
Forum Guru
Forum Guru
Posts: 2449
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik > Juniper VLAN trunk

Sun May 12, 2019 12:57 am

So basically you want to use RB2011 as access switch for the two VLANs?

There are two ways of configuring VLANs on RB devices, but RB2011 being a rather old device with good switch chips it should perform better if VLANs are configured in switch chip.
/interface ethernet switch port
# check if the numbers used in clauses below really correspond to ports referred in comments
set 0 vlan-mode=secure #ether1 is trunk port towards juniper
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure #ether2 is access port for VLAN10
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure #ether3 is access port for VLAN10
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure #ether4 is access port for VLAN10
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure #ether5 is access port for VLAN10
set 5 vlan-mode=secure #switch1-cpu is trunk towards RB's CPU
set 6 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure #ether6 is access port for VLAN20
set 7 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure #ether7 is access port for VLAN20
set 8 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure #ether8 is access port for VLAN20
set 9 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure #ether9 is access port for VLAN20
set 10 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure #ether10 is access port for VLAN20
set 12 vlan-mode=secure #switch2-cpu is trunk towards RB's CPU

/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 \
    vlan-id=10
add independent-learning=yes ports=switch1-cpu,ether1 switch=switch1 vlan-id=20
add independent-learning=yes ports=switch2-cpu,ether6,ether7,ether8,ether9,ether10 switch=switch2 \
    vlan-id=20
    
# and now connect both switch chips using a CPU bridge ... adding all ports to it.
# note that bridge does not do VLAN filtering, just passes frames left and right
# as a dumb switch would
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge port=ether1
add bridge=bridge port=ether2
add bridge=bridge port=ether3
add bridge=bridge port=ether4
add bridge=bridge port=ether5
add bridge=bridge port=ether6
add bridge=bridge port=ether7
add bridge=bridge port=ether8
add bridge=bridge port=ether9
add bridge=bridge port=ether10
If you need management access, add a /interface vlan add interface=bridge name=MGMT vlan-id=xx and configure IP on interface MGMT (set vlan-id to the VLAN you want to have management through ... if you decide to use a third one, be sure to configure it on appropriate physical interfaces).

When configuring VLANs on switch chip, beware that if you don't do things right and in the right sequence, you will loose access to the device and factory reset will be the only way out. So perhaps connect your computer to ether10 and don't change ether10 settings (which includes also switch port settings for 11 and 12). Change settings only after you get management access through one of other ports. Also use safe-mode, it'll revert settings which might cause loss of connectivity ...
BR,
Metod
 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Re: Mikrotik > Juniper VLAN trunk

Tue May 14, 2019 1:29 am

Thanks @mkx :)

I left ether2 unconfigured to use it as a management port in case something broke, and just configured 3-5 on the data VLAN (actually vlan-id 431) and 6-10 to phone VLAN (actually vlan-id 432)

I ran into a glitch trying to delete and add ports:
[admin@MikroTik] /interface bridge port> remove numbers=4
failure: can not remove dynamic port
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether6
failure: device already added as bridge port
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether7
failure: ether7 is already slave
So I logged into the WebUI and set master port=none on those ports, then added them to the right bridge like:
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether3
Here's my final code (in case it helps someone else):
[admin@MikroTik] /interface ethernet switch port> print
 #   NAME               SWITCH               VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   sfp1               switch1              disabled  leave-as-is               auto
 1   ether1             switch1              disabled  leave-as-is               auto
 2   ether2-master      switch1              disabled  leave-as-is               auto
 3   ether3             switch1              disabled  leave-as-is               auto
 4   ether4             switch1              disabled  leave-as-is               auto
 5   ether5             switch1              disabled  leave-as-is               auto
 6   ether6-master      switch2              disabled  leave-as-is                  0
 7   ether7             switch2              disabled  leave-as-is                  0
 8   ether8             switch2              disabled  leave-as-is                  0
 9   ether9             switch2              disabled  leave-as-is                  0
10   ether10            switch2              disabled  leave-as-is                  0
11   switch1-cpu        switch1              disabled  leave-as-is               auto
12   switch2-cpu        switch2              disabled  leave-as-is                  0
[admin@MikroTik] /interface ethernet switch port> set 1 vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 3 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 4 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 5 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 6 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 7 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 8 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 9 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> set 10 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
[admin@MikroTik] /interface ethernet switch port> print
Flags: I - invalid
 #   NAME                                     SWITCH                                    VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   sfp1                                     switch1                                   disabled  leave-as-is               auto
 1   ether1                                   switch1                                   secure    leave-as-is               auto
 2   ether2-master                            switch1                                   disabled  leave-as-is               auto
 3   ether3                                   switch1                                   secure    always-strip               431
 4   ether4                                   switch1                                   secure    always-strip               431
 5   ether5                                   switch1                                   secure    always-strip               431
 6   ether6-master                            switch2                                   secure    always-strip               432
 7   ether7                                   switch2                                   secure    always-strip               432
 8   ether8                                   switch2                                   secure    always-strip               432
 9   ether9                                   switch2                                   secure    always-strip               432
10   ether10                                  switch2                                   secure    always-strip               432
11   switch1-cpu                              switch1                                   disabled  leave-as-is               auto
12   switch2-cpu                              switch2                                   disabled  leave-as-is                  0
[admin@MikroTik] /interface ethernet switch vlan>
[admin@MikroTik] /interface ethernet switch vlan> add independent-learning=yes ports=switch1-cpu,ether1,ether3,ether4,ether5 switch=switch1 vlan-id=431
[admin@MikroTik] /interface ethernet switch vlan> add independent-learning=yes ports=switch1-cpu,ether1 switch=switch1 vlan-id=432
[admin@MikroTik] /interface ethernet switch vlan> add independent-learning=yes ports=switch2-cpu,ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=432
[admin@MikroTik] /interface ethernet switch vlan> /interface bridge
[admin@MikroTik] /interface bridge> print
Flags: X - disabled, R - running
 0  R ;;; defconf
      name="databridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled
      arp-timeout=auto mac-address=B8:69:F4:72:4B:B7 protocol-mode=rstp
      fast-forward=yes priority=0x8000 auto-mac=no admin-mac=B8:69:F4:72:4B:B7
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

 1  R name="mgmt" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled
      arp-timeout=auto mac-address=00:00:00:00:00:00 protocol-mode=rstp
      fast-forward=yes priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

 2  R name="phonebridge" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled
      arp-timeout=auto mac-address=00:00:00:00:00:00 protocol-mode=rstp
      fast-forward=yes priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
      max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] /interface bridge> add name=vlanbridge
[admin@MikroTik] /interface bridge> /interface bridge port
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether3
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether4
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether5
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether6
failure: device already added as bridge port
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether7
failure: ether7 is already slave
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether7
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether8
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether9
[admin@MikroTik] /interface bridge port> add bridge=vlanbridge interface=ether10
[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE                             BRIDGE                            PRIORITY  PATH-COST    HORIZON
 0    ;;; defconf
      ether2-master                         databridge                            0x80         10       none
 1 I  ;;; defconf
      ether6-master                         databridge                            0x80         10       none
 2 I  ;;; defconf
      sfp1                                  databridge                            0x80         10       none
 3 I  ;;; defconf
      wlan1                                 databridge                            0x80         10       none
 4 I  ether3                                vlanbridge                            0x80         10       none
 5 I  ether4                                vlanbridge                            0x80         10       none
 6 I  ether5                                vlanbridge                            0x80         10       none
 7 I  ether7                                vlanbridge                            0x80         10       none
 8 I  ether8                                vlanbridge                            0x80         10       none
 9 I  ether9                                vlanbridge                            0x80         10       none
10 I  ether10                               vlanbridge                            0x80         10       none
Now I guess I have to tie the wireless into my data bridge, is there anything different for that versus a copper interface like any other etherX? Meanwhile, I'm waiting for an answer from the Juniper guys on how to configure an interface on a VLAN trunk, will post back when I find that answer, in case someone else is trying to do that.
 
mkx
Forum Guru
Forum Guru
Posts: 2449
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik > Juniper VLAN trunk

Tue May 14, 2019 8:59 am

You're mentioning master ports. Which brings up a question: which version of RouterOS is your RB2011 running? Probably ancient and you should upgrade ROS to latest long-term (at least), which is 6.43.15 at this time. My configuration example was meant for recent ROS version ...

Even if you don't upgrade ... there's no reason for using separate bridges. In this use case bridge is acting dumb switch and member ports do the VLAN filtering. As long as ports have correct VLAN settings, data nd VoIP won't get mixed where it shouldn't.

If you'll upgrade config and merge all ports to single bridge, adding wireless is painless:
/interface wireless
set [ find name=wlan1 ] vlan-mode=use-tag vlan-id=431
/interface bridge port
add bridge=bridge interface=wlan1
the above assumes wireless interface was not renamed.
BR,
Metod
 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Re: Mikrotik > Juniper VLAN trunk

Wed May 15, 2019 1:06 am

I upgraded to 6.43.15, so hopefully that makes things better. I also added the wlan1 (not renamed) to the bridge, but it still doesn't seem to hit the upstream gateway on the Juniper, am I missing anything in this config?
/interface bridge
add admin-mac=B8:69:F4:72:4B:A7 auto-mac=no comment=defconf name=bridge
add admin-mac=B8:69:F4:72:4B:A7 auto-mac=no comment=defconf name=databridge
add name=mgmt
add name=phonebridge
add name=vlanbridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-724BC0 vlan-id=431 vlan-mode=use-tag wireless-protocol=802.11
/interface ethernet switch port
set 1 vlan-mode=secure
set 3 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether3,ether4,ether5 \
    switch=switch1 vlan-id=431
add independent-learning=yes ports=switch1-cpu,ether1 switch=switch1 vlan-id=\
    432
add ports=switch2-cpu,ether6-master,ether7,ether8,ether9,ether10 switch=\
    switch2 vlan-id=432
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=databridge list=discover
add interface=mgmt list=discover
add interface=phonebridge list=discover
add interface=vlanbridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
So am I missing firewall rules, or is my routing still screwed up?
 
sindy
Forum Guru
Forum Guru
Posts: 3466
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik > Juniper VLAN trunk

Wed May 15, 2019 11:39 am

Routing has nothing to do with bridging/switching inside a VLAN between interface wlan and ether1. However, you forgot to make ether1 a member port of bridge bridge, so the CPU doesn't forward frames from ether1 to the wireless interface wlan1 and vice versa.

L2 forwarding only works within each switch chip; between the two switch chips and between any of them and the wireless part, the CPU has to forward the packets. And packets coming from an ethernet port of the switch to the CPU port bear a proprietary tag identifying the source port in addition to the standard VLAN tag, so the CPU recognizes the ingress port and only lets the corresponding bridge (or /interface vlan, or /interface bonding, or the IP stack if some IP configuration is attached directly to the interface) handle the frame. So as ether1 is not a member of any bridge, the only part of the software which handles frames from there is the /ip dhcp-client attached to ether1 directly, but that one ignores vlan-tagged packets.

So to make the DHCP client listen to VLAN 431 (as it hopefully comes tagged from the Juniper), you have to create an /interface vlan name=wan-vlan vlan-id=431 interface=bridge (not interface=ether1), attach the DHCP client to interface=wan-vlan instead of ether1, and make ether1 a member port of the bridge. By making ether1 a member port of interface bridge, you'll also open the L2 path between ether1 and wlan1 via bridge for other frames, including those tagged with VLAN 432. This is true while vlan-filtering=no on bridge; with vlan-filtering=yes, you would have to do more steps (basically, replicate the /interface ethernet switch port and /interface ethernet switch vlan also into /interface bridge port and /interface bridge vlan).


Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Re: Mikrotik > Juniper VLAN trunk

Wed May 15, 2019 8:32 pm

Thanks @sindy :)

Okay, I did:
/interface bridge port add bridge=bridge interface=ether1
and now if I statically configure a laptop on port 3 with 192.168.43.3/24 it can ping the Juniper 192.168.43.1 gateway! Yay! That means the VLAN encapsulation must be working.

As for DHCP, wouldn't a laptop plugged in like mine is in port 3 just pass the lease request straight through to the Juniper without any further configuration, so once I get my DHCP server on the Juniper listening on vlan 431 it would just serve up an address somewhere in the 192.168.43.0/24? Or do I really need to do anything else on the Mikrotik still (besides disabling DHCP server on Ports 3-5 and 6-10)? I still want to leave the default DHCP of 192.168.88.1/24 on Port 2 for device management, but I want all wireless clients and wired clients to get their DHCP lease from the Juniper.
 
sindy
Forum Guru
Forum Guru
Posts: 3466
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik > Juniper VLAN trunk

Wed May 15, 2019 9:59 pm

if I statically configure a laptop on port 3 with 192.168.43.3/24 it can ping the Juniper 192.168.43.1 gateway! Yay! That means the VLAN encapsulation must be working.
It must be working at least in the laptop->Juniper direction in terms that a tagless frame sent by the laptop gets tagged with VID 431 on its way to Juniper; it may not be working in terms that if a frame from Juniper makes it to the laptop, it may not get untagged on the way and the Windows driver will accept it anyway (they usually silently strip the VLAN tag and happily process the frame).

wouldn't a laptop plugged in like mine is in port 3 just pass the lease request straight through to the Juniper without any further configuration, so once I get my DHCP server on the Juniper listening on vlan 431 it would just serve up an address somewhere in the 192.168.43.0/24?
Correct, it should work like this. But I have no idea whether the Juniper DHCP server doesn't need to be specifically told to listen on trunk ports or something alike. And as you use hardware forwarding, the only way to see how it really looks at the wire between the Juniper and ether1 is to insert another bridge device between the two and sniff on it. Or you may try to create another bridge on the 2011, temporarily make ether9 and ether10 its /interface bridge port with hw=no (and set them to defaults in /interface ethernet switch port section), connect ether1 to ether9 and ether10 to Juniper, and run /tool sniffer interface=ether9 with some dhcp client connected to one of ether3 .. ether5 to see whether the DHCPDISCOVER packets are tagged with VID 431 or not. But if all the port LEDs start blinking like mad, it means that there is an L2 loop because something leaks somewhere, and so you'll have to use an external device for sniffing.

Or do I really need to do anything else on the Mikrotik still (besides disabling DHCP server on Ports 3-5 and 6-10)? I still want to leave the default DHCP of 192.168.88.1/24 on Port 2 for device management, but I want all wireless clients and wired clients to get their DHCP lease from the Juniper.
To keep the IP subnet 192.168.88.0/24 with DHCP server of Mikrotik on ether2, just remove the ether2 from the bridge and attach the IP address and DHCP server directly to ether2 rather than the bridge. So to do that, connect your PC to ether2, log in, open an ssh connection or a terminal window in WebFig or Winbox, press Ctrl-X (save mode), copy-paste the following line into that window and press [Enter]:
/interface bridge port disable [find interface=ether2-master];/ip address set [find interface=bridge] interface=ether2-master;/ip dhcp-server set [find interface=bridge] interface=ether2-master

If you don't lose the connection after doing this, you can press Ctrl-X again and the management access will be completely independent from the bridge.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Re: Mikrotik > Juniper VLAN trunk

Mon May 20, 2019 9:11 pm

I think I spoke too soon, my second VLAN on Ports 6-10 doesn't seem to be passing traffic to the Juniper, though VLAN on ports 3-5 is working fine (receives DHCP lease and is routing to Internet across trunk to Juniper and out). Here's what I have related to my second VLAN 432:
/interface ethernet switch port
set 1 vlan-mode=secure
set 3 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=431 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=432 vlan-header=always-strip vlan-mode=secure
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether1
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether3,ether4,ether5 \
    switch=switch1 vlan-id=431
add independent-learning=yes ports=switch1-cpu,ether1 switch=switch1 vlan-id=\
    432
add ports=switch2-cpu,ether6-master,ether7,ether8,ether9,ether10 switch=\
    switch2 vlan-id=432
Is there some way to know if switch2-cpu really is passing traffic through to switch1-cpu so there's the possibility of ports6-10 sending traffic? Is it worth setting up port 5 on VLAN 432 and seeing if the switch1-switch2 traffic is being blocked somehow?
 
mkx
Forum Guru
Forum Guru
Posts: 2449
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik > Juniper VLAN trunk

Mon May 20, 2019 9:52 pm

Please post output of /interface bridge export ...
BR,
Metod
 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Re: Mikrotik > Juniper VLAN trunk

Mon May 20, 2019 9:57 pm

/interface bridge export
# model = 2011UiAS-2HnD r2
/interface bridge
add admin-mac=B8:69:F4:72:1C:47 auto-mac=no comment=defconf name=\
    bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
 
silverstr8p
newbie
Topic Author
Posts: 38
Joined: Wed Nov 13, 2013 3:47 am

Re: Mikrotik > Juniper VLAN trunk

Wed May 22, 2019 2:38 am

I grabbed an HP ProCurve switch and had it configured to do the same thing as I'm trying to accomplish in about 10 minutes, so I think I'm going that direction rather than the pain involved in making a Mikrotik behave. The ProCurve doesn't have a wireless AP, but I could just hang one off it I guess. I just can't seem to make MT boxes not be glitchy or painful or have weird workarounds, though if someone knows how to make the second VLAN work I'd be willing to give it another shot.

Who is online

Users browsing this forum: No registered users and 52 guests