shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

VLAN Issue

Sat Oct 02, 2021 7:05 pm

I'm in the middle of swapping out all the switches at work and I'm having an issue I do not understand. My main CRS326-24S+2Q+ is able to access all VLAN gateways. But any switch connected to it is not able to access any VLAN gateway but my management gateway. If I don't add a route I get "no route to host", which makes sense. But if I add a route to one of the gateway IPs I get timeout or host unreachable responses. The gateway IPs are all hosted on a Meraki MX95 and by default it allows routing between all VLANs. The VLANs I am testing have not been blocked from my management VLAN.

Here is the config for my main CRS326-24S+2Q+
# oct/02/2021 11:00:08 by RouterOS 6.47.10
# software id =
#
# model = CRS326-24S+2Q+
# serial number =
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full
set [ find default-name=sfp-sfpplus2 ] advertise=1000M-full auto-negotiation=\
no
set [ find default-name=sfp-sfpplus3 ] advertise=1000M-full auto-negotiation=\
no
set [ find default-name=sfp-sfpplus24 ] advertise=1000M-full \
auto-negotiation=no
/interface bridge
add admin-mac=2C:C8:1B:CD:D0:57 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface bonding
add mode=802.3ad name=CRS326-24S+2Q+RM-1 slaves=qsfpplus1-1,qsfpplus2-1
add mode=802.3ad name=CRS328-24P-4S+RM-1 slaves=sfp-sfpplus7,sfp-sfpplus8
add mode=802.3ad name=CRS328-24P-4S+RM-2 slaves=sfp-sfpplus9,sfp-sfpplus10
add mode=802.3ad name=CRS328-24P-4S+RM-3 slaves=sfp-sfpplus11,sfp-sfpplus12
add mode=802.3ad name=CRS328-24P-4S+RM-4 slaves=sfp-sfpplus13,sfp-sfpplus14
add mode=802.3ad name=CRS328-24P-4S+RM-5 slaves=sfp-sfpplus15,sfp-sfpplus16
add mode=802.3ad name=CRS328-24P-4S+RM-6 slaves=sfp-sfpplus17,sfp-sfpplus18
add mode=802.3ad name=CRS328-24P-4S+RM-7 slaves=sfp-sfpplus19,sfp-sfpplus20
add mode=802.3ad name=CRS328-24P-4S+RM-8 slaves=sfp-sfpplus21,sfp-sfpplus22
add mode=802.3ad name=CRS328-24P-4S+RM-9 slaves=sfp-sfpplus23,sfp-sfpplus24
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=\
sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=yes interface=\
sfp-sfpplus2
add bridge=bridge comment=defconf ingress-filtering=yes interface=\
sfp-sfpplus3
add bridge=bridge comment=defconf ingress-filtering=yes interface=\
sfp-sfpplus4
add bridge=bridge interface=CRS326-24S+2Q+RM-1
add bridge=bridge interface=CRS328-24P-4S+RM-9
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-8
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-7
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-6
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-5
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-4
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-3
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-2
add bridge=bridge ingress-filtering=yes interface=CRS328-24P-4S+RM-1
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge comment=Workstation tagged=bridge vlan-ids=22
add bridge=bridge comment=Static tagged=bridge vlan-ids=23
add bridge=bridge comment=Lab tagged=bridge vlan-ids=24
add bridge=bridge comment=Wifi tagged=bridge vlan-ids=26
add bridge=bridge comment=Avaya tagged=bridge vlan-ids=27
add bridge=bridge comment=Storage tagged=bridge vlan-ids=200
add bridge=bridge comment=DMZ tagged=bridge vlan-ids=10
add bridge=bridge comment="Guest Wifi" tagged=bridge vlan-ids=100
add bridge=bridge comment=Registration tagged=bridge vlan-ids=102
add bridge=bridge comment=Isolation tagged=bridge vlan-ids=103
add bridge=bridge comment=Serenade tagged=bridge vlan-ids=206
add bridge=bridge comment=VoIP vlan-ids=20
add bridge=bridge comment=Management untagged=bridge vlan-ids=1
/ip address
add address=192.168.250.20/24 interface=bridge network=192.168.250.0
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
add address=192.168.23.253/24 interface=bridge network=192.168.23.0
/ip dhcp-client
add disabled=no interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=CRS326-24S+2Q+RM-1
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
And the config for my CRS326-24S+2Q+ that is our production top of rack switch
# sep/25/2021 18:36:15 by RouterOS 6.47.10
# software id =
#
# model = CRS326-24S+2Q+
# serial number =
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus7 ] advertise=1000M-full auto-negotiation=\
no
set [ find default-name=sfp-sfpplus8 ] advertise=1000M-full auto-negotiation=\
no
set [ find default-name=sfp-sfpplus9 ] advertise=1000M-full auto-negotiation=\
no
set [ find default-name=sfp-sfpplus10 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus11 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus12 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus13 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus14 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus15 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus16 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus17 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus18 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus19 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus20 ] advertise=1000M-full \
auto-negotiation=no
set [ find default-name=sfp-sfpplus24 ] advertise=100M-full auto-negotiation=\
no
/interface bridge
add admin-mac=2C:C8:1B:CD:D0:1D auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface bonding
add mode=802.3ad name=CRS326-24S+2Q+RM-1 slaves=qsfpplus1-1,qsfpplus2-1 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=prodbackup slaves=sfp-sfpplus15,sfp-sfpplus16 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=prodbackup-storage slaves=sfp-sfpplus17,sfp-sfpplus18 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=unimaxdc3 slaves=sfp-sfpplus19,sfp-sfpplus20 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=unimaxeng slaves=sfp-sfpplus7,sfp-sfpplus8 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=unimaxeng-storage slaves=sfp-sfpplus9,sfp-sfpplus10 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=wsbackup slaves=sfp-sfpplus11,sfp-sfpplus12 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=wsbackup-storage slaves=sfp-sfpplus13,sfp-sfpplus14 \
transmit-hash-policy=layer-2-and-3
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge comment=defconf interface=sfp-sfpplus21
add bridge=bridge comment=defconf interface=sfp-sfpplus22
add bridge=bridge comment=defconf interface=sfp-sfpplus23
add bridge=bridge comment=defconf interface=sfp-sfpplus24
add bridge=bridge interface=CRS326-24S+2Q+RM-1
add bridge=bridge interface=unimaxeng
add bridge=bridge interface=unimaxeng-storage
add bridge=bridge interface=wsbackup
add bridge=bridge interface=wsbackup-storage
add bridge=bridge interface=prodbackup
add bridge=bridge interface=prodbackup-storage
add bridge=bridge comment=esxcorpa interface=sfp-sfpplus1
add bridge=bridge comment=esxcorpa interface=sfp-sfpplus2
add bridge=bridge comment=esxcorpb interface=sfp-sfpplus3
add bridge=bridge comment=esxcorpb interface=sfp-sfpplus4
add bridge=bridge comment=esxcorpc interface=sfp-sfpplus5
add bridge=bridge comment=esxcorpc interface=sfp-sfpplus6
add bridge=bridge interface=unimaxdc3 pvid=23
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge comment=Workstation tagged=bridge vlan-ids=22
add bridge=bridge comment=Lab tagged=bridge vlan-ids=24
add bridge=bridge comment=Wifi tagged=bridge vlan-ids=26
add bridge=bridge comment=Avaya tagged=bridge vlan-ids=27
add bridge=bridge comment=Storage tagged=bridge vlan-ids=200
add bridge=bridge comment=DMZ tagged=bridge vlan-ids=10
add bridge=bridge comment="Guest Wifi" tagged=bridge vlan-ids=100
add bridge=bridge comment=Registration tagged=bridge vlan-ids=102
add bridge=bridge comment=Isolation tagged=bridge vlan-ids=103
add bridge=bridge comment=Static tagged=bridge vlan-ids=23
add bridge=bridge comment=Serenade tagged=bridge vlan-ids=206
add bridge=bridge comment=VoIP vlan-ids=20
add bridge=bridge comment=Management untagged=bridge vlan-ids=1
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp-sfpplus13 list=LAN
add interface=sfp-sfpplus14 list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface=sfp-sfpplus16 list=LAN
add interface=sfp-sfpplus17 list=LAN
add interface=sfp-sfpplus18 list=LAN
add interface=sfp-sfpplus19 list=LAN
add interface=sfp-sfpplus20 list=LAN
add interface=sfp-sfpplus21 list=LAN
add interface=sfp-sfpplus22 list=LAN
add interface=sfp-sfpplus23 list=LAN
add interface=sfp-sfpplus24 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
/ip address
add address=192.168.250.21/24 interface=bridge network=192.168.250.0
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
/ip route
add distance=1 dst-address=192.168.23.0/24 gateway=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=CRS326-24S+2Q+RM-2
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Anyone notice any simple thing I'm missing?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN Issue

Sat Oct 02, 2021 7:12 pm

Can you show a network diagram of the network topology along with the VIDs?
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: VLAN Issue

Sat Oct 02, 2021 7:23 pm

Here is a very basic diagram with only the CRS326-24S+2Q+s shown. Once I figure out the issue with CRS326-24S+2Q+-2 I should be able to easily apply the solution to the CRS328-24P-4S+s I'm deploying. The link between the CRS326-24S+2Q+s is an 802.3ad bond on the QSFP+ ports.
basic network.png
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: VLAN Issue

Sat Oct 02, 2021 7:42 pm

> my main CRS326-24S+2Q+ is able to access all VLAN gateways.

Are you sure about that? The /interface bridge vlan and /ip address configuration is likely wrong.

Under /interface bridge vlan you should specify tagged membership for all the interfaces which you are expecting switched VLAN traffic to pass through. In this context bridge is an intrinsic switch port connecting the bridge to services on the Mikrotik - you only need to include it for VLANs which you wish to access on the Mikrotik itself, not those which are merely being switched by the Mikrotik, see viewtopic.php?f=2&t=173692.

For any bridge VLANs with tagged=bridgename you also require an /interface vlan to which an IP address can be added for access to/from resources on the Mikrotik itself.

With parallel connections with differing VLANs between devices, the default RSTP on the Mikrotik will block one of the links. If you do not have the same VLAN on both you can disable spanning tree; otherwise it requires MSTP configuring.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN Issue

Sat Oct 02, 2021 7:47 pm

As I can see, you use an untagged VLAN for your Management access...
Generally you don't need to add the bridge as a Tagged port for every VLAN unless that is your Router or you want to create Management access for that VLAN...
Finally, I can see no other VLAN added as tagged for any VID so that it can pass the Trunk port of your switch...

Take a look here Using RouterOS to VLAN your network
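
The check that the two replies above describe, as an added example that is not part of the original thread or of RouterOS: a small Python audit of a RouterOS export that flags VLANs no switched port is a member of, and VLANs tagged on the bridge with no matching /interface vlan. The export excerpt is constructed in the style of the posted config, the names `parse_export` and `audit` and the finding labels are hypothetical, and comma-separated `vlan-ids` are assumed (ranges are not expanded).

```python
import re
import shlex
# Constructed excerpt in the style of the export posted above (not the full config).
SAMPLE = r"""
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=CRS326-24S+2Q+RM-1
add bridge=bridge ingress-filtering=yes interface=\
sfp-sfpplus1
add bridge=bridge interface=unimaxdc3 pvid=23
/interface bridge vlan
add bridge=bridge comment=Workstation tagged=bridge vlan-ids=22
add bridge=bridge comment=Static tagged=bridge vlan-ids=23
add bridge=bridge comment="Guest Wifi" tagged=bridge,CRS326-24S+2Q+RM-1 vlan-ids=100
add bridge=bridge comment=VoIP vlan-ids=20
add bridge=bridge comment=Management untagged=bridge vlan-ids=1
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
"""

def parse_export(text):  # -> {section: [{key: value}, ...]} for every 'add' line
    text = re.sub(r"\\\n\s*", "", text)  # rejoin '\' continuation lines
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            sections.setdefault(current, []).append(dict(pairs))
    return sections

def audit(text):
    """Return sorted (vlan_id, finding) tuples for the two mistakes discussed above."""
    cfg, findings = parse_export(text), []
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    pvids = {p["interface"]: p.get("pvid", "1") for p in cfg.get("/interface bridge port", [])}
    vlan_ifs = {v["vlan-id"] for v in cfg.get("/interface vlan", [])}
    for row in cfg.get("/interface bridge vlan", []):
        tagged = set(row.get("tagged", "").split(","))
        listed = (tagged | set(row.get("untagged", "").split(","))) - {""}
        for vid in row["vlan-ids"].split(","):
            # Ports whose pvid equals the VLAN become untagged members dynamically.
            carried = (listed - bridges) | {p for p, pv in pvids.items() if pv == vid}
            if not carried:  # only the bridge itself (or nothing) is a member
                findings.append((int(vid), "no-switched-port"))
            if tagged & bridges and vid not in vlan_ifs:  # nowhere to put an IP address
                findings.append((int(vid), "no-vlan-interface"))
    return sorted(findings)
```

On the constructed excerpt VLAN 1 produces no finding, because every port with the default pvid is a member of it, which matches the symptom that only the management gateway was reachable.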
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: VLAN Issue

Mon Oct 04, 2021 9:33 pm

Once I added the ports & bonds as tagged items for the VLANs it worked. The only other weird thing I'm seeing is that with LACP enabled for links between switches I tend to get connection glitches in things like vSphere remote consoles. Known issue or probably a misconfig on my part?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN Issue

Wed Oct 06, 2021 10:05 pm

Well, I do use LACP along with VLANs on a couple of CRS3xxx switches with no problems...
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: VLAN Issue

Wed Oct 06, 2021 11:37 pm

> Well, I do use LACP along with VLANs on a couple of CRS3xxx switches with no problems...

Then I probably have something else wrong. Wouldn't be the first time, won't be the last.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Issue

Thu Oct 07, 2021 3:17 am

> > Well, I do use LACP along with VLANs on a couple of CRS3xxx switches with no problems...
>
> Then I probably have something else wrong. Wouldn't be the first time, won't be the last.

That officially makes you an MT configurer LOL
