This is the related configuration:
For CCR2004:
Code: Select all
/interface bridge
add name=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes vlan-filtering=yes
/interface vlan
add interface=bridge name=default vlan-id=1
add interface=bridge name=inet vlan-id=14
add interface=bridge name=mgt vlan-id=11
/interface bonding
add name=bonding28-1-2 slaves=sfp28-1,sfp28-2
/interface list
add name="STP Filter"
/interface bridge filter
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF in-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 path-cost=30 trusted=yes
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp28-1 trusted=yes
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp28-2 trusted=yes
add bridge=bridge edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus4 point-to-point=yes pvid=14 restricted-role=yes restricted-tcn=yes
add bridge=bridge edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus5 point-to-point=yes pvid=14 restricted-role=yes restricted-tcn=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bonding28-1-2 trusted=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=1
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=11
add bridge=bridge tagged=bridge,ether1,sfp28-1,sfp28-2,bonding28-1-2 vlan-ids=14
/interface list member
add interface=sfp-sfpplus4 list="STP Filter"
add interface=sfp-sfpplus5 list="STP Filter"
/ip address
add address=192.168.0.1/24 interface=voip network=192.168.0.0
add address=192.168.1.52/28 interface=mtc network=192.168.1.48
/ip firewall filter
add action=drop chain=input connection-state=invalid,untracked
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=voip
add action=drop chain=input
add action=drop chain=forward connection-state=invalid,untracked
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward
and for CRS326:
Code: Select all
/interface bridge
add name=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes vlan-filtering=yes
/interface vlan
add interface=bridge name=default vlan-id=1
add interface=bridge name=inet vlan-id=14
add interface=bridge name=mngt vlan-id=11
/interface list
add name="STP Filter"
/interface bridge filter
add action=drop chain=output dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF in-interface-list="STP Filter"
add action=drop chain=forward dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF out-interface-list="STP Filter"
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 trusted=yes
add bridge=bridge edge=yes frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus18 point-to-point=yes pvid=14 restricted-role=yes restricted-tcn=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus24 trusted=yes
/interface bridge vlan
add bridge=bridge tagged="bridge,ether1,sfp-sfpplus24" vlan-ids=1
add bridge=bridge tagged="bridge,ether1,sfp-sfpplus24" vlan-ids=11
add bridge=bridge tagged="bridge,sfp-sfpplus24" vlan-ids=14
/interface list member
add interface=sfp-sfpplus18 list="STP Filter"
/ip address
add address=192.168.0.87/24 interface=voip network=192.168.0.0
add address=192.168.1.50/28 interface=mtc network=192.168.1.48
/ip firewall filter
add action=drop chain=input connection-state=invalid,untracked
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=voip
add action=drop chain=input
add action=drop chain=forward connection-state=invalid,untracked
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward
Both mikrotiks does ping to providers gw 192.168.1.49.
While pinging the providers cable is inserted in CCR2004 port sfp-sfpplus4. For this case CCR2004 can ping provider's GW, but CRS326 can not ping provider's GW.
When the providers cable is connected to CRS326 port sfp-sfpplus18, both mikrotiks can ping the provider's GW.
The question is: Why when provider's cable is connected to CCR2004 the other mikrotik can not ping provider's GW? There is no problem with provider. Provider does not block by mac or something, only does not accept BPDU and STP packets.
Both mikrotiks are updated to latest RouterOS v.6.