I've been scratching my head and pounding it on the desk in frustration for the past little while.
I have read the VLAN wiki entry numerous times and it hasn't (yet) led to a lightbulb moment!
I'm trying to split 2 sections of a network off from the rest with a couple of VLANs in a mixed Cisco/Mikrotik environment. Until earlier this week, the entire network was in 192.168.1.0/24 across 4 buildings. There are now a bunch of new VLANs and subnets configured.
Essentially, I would like there to be two networks (bottom left and right), 192.168.2.0/24 and 192.168.3.1/24 in VLANs 2 and 3 respectively able to connect through the intervening architecture and NAT on the RB1000 using real.world.ip.2 and real.world.ip.3 respectively. The NAT part I have figured out - the VLANs, not so much!
Eventually, I would like to enable OSPF so that the links between the RB750s can "fail over/back" between the ~54 megabit wireless link and the ~1.5mbps SDSL, so I would need the solution to support this (over the "triangle" between the 3 RB750s), including the ethernet link.
192.168.1.254 is the gateway for our network on the RB1000, which then connects to a real world IP address through the "Internet" interface, upstream from a real world IP address range (NAT x.x.x.1; subnets/VLANs will also be NATed). There is a connection to a local INX through the "INX" port; routes are exchanged via BGP in a private use ASN.
Starting at the RB1000 (our core router), there is a physical link from a physical port called "private", which links into Gi1/0/24 on the 3750 (core switch); this is configured as a trunk port on the Cisco, and the Mikrotik currently has VLANs 2, 3 and 111 configured on "private". The core Cisco 3750 switch has VLANs 2, 3 and 110-116 configured on it.
From the core switch, 4 Cisco 2960s are connected to a trunk port each (Gi1/0/13-16); we can ignore these.
More relevantly, there is then a trunk port (Gi1/0/17) from the 3750 into eth5 of the RB750 (A). On the 750A, I've added VLANs 2, 3, 114 and 116 to eth2, eth3 and eth5.
From 750A, eth2 connects to a RB433 and then through a wireless bridge to another RB433 to eth2 on a 750G.
From 750A, eth3 connects to an SDSL bridge and then to eth3 of RB750 (B).
Between 750G and 750(B), there is an ethernet link, forming a nice networking triangle. For now, I prevent loops by manually disabling eth3 of RB750(B), and enabling it if the wireless fails. (R)STP didn't work (too much flapping), and with a flat subnet structure up until now, I couldn't get OSPF to work.
The 2950s (A) and (B) have VLAN 2, 114, 116 and 3, 114, 116 configured on them; Port Gi1/0/24 is configured as a trunk, the rest will be client access ports.
VLAN 2 - 192.168.2.0/24
VLAN 3 - 192.168.3.0/24
VLAN 110 - Servers (192.168.110.0/24)
VLAN 111 - Data (192.168.111.0/24)
VLAN 112 - Wireless VLAN (not yet used; 192.168.112.0/24)
VLAN 113 - Guest Wireless VLAN (not yet used; 192.168.113.0/24)
VLAN 114 - Management VLAN (Ciscos configured with 192.168.114.0/24)
VLAN 115 - Voice VLAN (not yet used; 192.168.115.0/24)
VLAN 116 - Migration VLAN (carrying 192.168.1.0/24) - this will fall away in time.
All these are present on the core 3750;
110-116 are on the 4x48 port 2960s;
2,114,116 should be present on 2960A
3,114,116 should be present on 2960B
I have put interfaces on all the Mikrotiks with the various VLANs; the core Cisco 3750 also has VLANs 2 and 3 enabled.
I have added 192.168.2.1/24 to VLAN2 on RB1000
192.168.2.2/24 to port Gi1/0/17 on the 3750
192.168.2.3/24 to (interface) VLAN 2 on 750
192.168.2.4/24 to (interface) VLAN2 on 433 (A)
192.168.2.5/24 to (interface) VLAN2 on 433 (B)
192.168.2.252/24 to the trunk port Gi1/0/24 on the 2950(A)
192.168.2.254/24 to (interface) VLAN 2 on 750G
The main thing that is causing me major headaches is I can't for the life of me get pings to travel across the entire network within VLAN 2 (I have yet to start work on VLAN 3). Do I need to configure the VLANs (and a VLAN address) on each physical interface of all the Mikrotiks (I've tried this), or do I need to create some sort of bridge?
Or have I misunderstood VLANs entirely!?
Here's how my pings are going:
192.168.2.1 - nothing reachable
192.168.2.2 - can reach 192.168.2.3, not 192.168.2.1
192.168.2.3 - can reach 192.168.2.2
192.168.2.100 (DHCP client) - can reach 192.168.2.252, 192.168.2.254, nothing below .100.
192.168.2.252 - can reach .254, but not DHCP address (i.e. .2.100)
192.168.2.254 - can reach 192.168.2.252, nothing else
I'm currently accessing all the routerboards through their old 192.168.1.0/24 addresses.
750G is running a DHCP server on VLAN2 interface handing out 192.168.2.100-192.168.2.200 addresses. Machines there can successfully DHCP and can ping 192.168.2.252, .254 and each other (but .252 can't ping them!). DHCP leases specify 192.168.2.254 as gateway.
The RB1000 is running ROS 3.30; the RB750s and RB433s are all on ROS 5.4.
Gateways on this network are normally configured at the top of the subnet. (i.e. .254)
What am I doing wrong and how can I fix it?
Many, many thanks in advance.
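For reference, an added example (not from the original post) of how a VLAN is usually carried through a RouterOS 5.x router such as 750A: one VLAN sub-interface per physical port, those sub-interfaces bridged together so tagged frames pass through at layer 2, and the router's own address placed on the bridge rather than on a port. Interface names ether2/ether3/ether5 and the bridge name are assumed; 192.168.2.3/24 is the address the post gives 750A.

```routeros
# VLAN 2 sub-interfaces on the trunk towards the 3750 (ether5) and on the
# two onward links (ether2 = wireless, ether3 = SDSL). Names are assumed.
/interface vlan
add name=vlan2-ether5 vlan-id=2 interface=ether5
add name=vlan2-ether2 vlan-id=2 interface=ether2
add name=vlan2-ether3 vlan-id=2 interface=ether3

# One bridge per VLAN. STP is off because the post says it flapped, so only
# ONE of the two onward links may sit in the bridge at a time or the
# 750A/750G/750B triangle becomes a layer-2 loop (same constraint as the
# manual enable/disable of eth3 described in the post).
/interface bridge
add name=bridge-vlan2 protocol-mode=none

/interface bridge port
add bridge=bridge-vlan2 interface=vlan2-ether5
add bridge=bridge-vlan2 interface=vlan2-ether2
# Add vlan2-ether3 to the bridge only while vlan2-ether2 is out of it:
# add bridge=bridge-vlan2 interface=vlan2-ether3

# The router's own VLAN 2 address goes on the bridge, not on a member port.
/ip address
add address=192.168.2.3/24 interface=bridge-vlan2

# Checks: which MACs the bridge has learned and on which port, then a ping
# across the trunk to the 3750's VLAN 2 address from the post.
/interface bridge host print where bridge=bridge-vlan2
/ping 192.168.2.2 count=3
```

The same three steps (sub-interface, bridge, address on the bridge) are repeated per VLAN ID, so VLAN 3 gets its own vlan3-* sub-interfaces and its own bridge.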