jasongt
just joined
Topic Author
Posts: 21
Joined: Sun Sep 18, 2005 5:24 am

Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Sat Aug 03, 2013 5:44 pm

I'm new to the switch settings and not seeing an example that fits exactly and wanting to make sure I set these up as efficiently as possible.

So I have a Cisco 2960 with a port setup as a trunk for VLAN 10 and VLAN 20 going to power inserter then to ether1 on the 951G. I need it to be a trunk so that it accepts and sends tagged VLAN 10 and 20.

VLAN 10 will be going to vap-10 and to ether2. All incoming traffic from ether2 and vap-10 will need to have VLAN 10 tag applied before passing to the trunk on ether1 and all traffic from the trunk on ether1 going to ether2 and vap-10 needs VLAN 10 tag removed. Not for sure if this is possible but I would like it so the people connected to vap-10 or ether2 not to see each other. On the Cisco 2960 it is port security that blocks port to port communication other than to the trunk. Ether2 will be going to network port in a guests room so more than likely this will not be active most of the time. (This is in a hotel is why I need this type of restriction and this is the guest VLAN.)

VLAN 20 will be going to wlan1 and ether3 this will also have an IP address for management of the 951G. I do not care if traffic is blocked or not between clients on this VLAN. Ether3 and wlan1 will need to do the same in regards to applying and removing the VLAN tag going and coming from the trunk on ether1. Not for sure if it makes any difference or not but ether3 will not be used 99% of the time it's just there in case need to plug in direct and access unit.

Normally I create a bridge on ether1 and create two VLAN interfaces attached to the bridge and that allows my trunking to take place on that port, but I am confusing myself by overthinking I'm sure on how to do this with switch in the 951G and wanting to have wire speed from ether1 to ether2 and ether3 but not sure how you get that over to the wireless correctly and efficiently.

Thanks for any help on this.
 
jasongt
just joined
Topic Author
Posts: 21
Joined: Sun Sep 18, 2005 5:24 am

Re: Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Sat Aug 03, 2013 11:33 pm

Here is what I have so far and it seems to function but I just want to make sure this is the correct/optimal way. And I am adding these units to go with an existing wireless setup that is all based on Cisco 1131AG APs so I've set the 951G's to just do B/G as I'm not for sure how bouncing between N and non N units would go. All existing APs are connected to the network with CAT6 so no WDS or repeaters and devices are iPhones, iPads, Androids, PCs and Macs so if there is anything needing setup on the Wireless to play nice with everything let me know as well. No security on the guest side and WPA2 on the InHouse.

/interface ethernet
set 0 name=1-Trunk
set 1 name=2-RmXXX
set 2 name=3-Service
/interface bridge
add l2mtu=1598 name=bridge-trunk
add l2mtu=1594 name=bridge-vlan10
add l2mtu=1594 name=bridge-vlan20
/interface vlan
add interface=bridge-trunk l2mtu=1594 name=vlan10-Guests vlan-id=10
add interface=bridge-trunk l2mtu=1594 name=vlan20-InHouse vlan-id=20
/interface wireless channels
add band=2ghz-b/g frequency=2417 list=wlan-ch-list-1 name=ch2 width=20
add band=2ghz-b/g frequency=2457 list=wlan-ch-list-1 name=ch10 width=20
add band=2ghz-b/g frequency=2437 list=wlan-ch-list-1 name=ch6 width=20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=XXXXXXXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods="" name=profile-guests \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    mode=dynamic-keys name=profile-IH supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=XXXXXXXXXX
/interface wireless
set 1 adaptive-noise-immunity=ap-and-client-mode antenna-gain=2 band=2ghz-b/g \
    bridge-mode=disabled country="united states" dfs-mode=radar-detect \
    disabled=no distance=indoors frequency=2457 frequency-mode=\
    regulatory-domain hw-protection-mode=rts-cts hw-retries=5 l2mtu=2290 \
    mac-address=xx:xx:xx:xx:xx:x0 max-station-count=30 mode=ap-bridge name=\
    vap-inhouse periodic-calibration=disabled radio-name=4F-AP4 \
    scan-list=wlan-ch-list-1 security-profile=profile-IH ssid=InHouse \
    wireless-protocol=802.11 wmm-support=enabled
add disabled=no l2mtu=2290 mac-address=xx:xx:xx:xx:xx:x1 master-interface=\
    vap-inhouse max-station-count=30 name=vap-guests security-profile=\
    profile-guests ssid=guests
/interface bridge filter
add action=drop chain=forward in-bridge=bridge-vlan10 out-bridge=bridge-vlan20
add action=drop chain=forward in-bridge=bridge-vlan20 out-bridge=bridge-vlan10
/interface bridge port
add bridge=bridge-trunk interface=1-Trunk
add bridge=bridge-vlan10 interface=vlan10-Guests
add bridge=bridge-vlan20 interface=vlan20-InHouse
add bridge=bridge-vlan20 interface=vap-inhouse
add bridge=bridge-vlan10 interface=vap-guests
add bridge=bridge-vlan10 interface=2-RmXXX
/interface bridge settings
set allow-fast-path=no
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=check
set 2 default-vlan-id=20 vlan-header=add-if-missing vlan-mode=check
/interface ethernet switch rule
add copy-to-cpu=yes ports=1-Trunk
/interface ethernet switch vlan
add independent-learning=no ports=1-Trunk,3-Service switch=switch1 vlan-id=20
add independent-learning=no ports=1-Trunk,2-RmXXX switch=switch1 vlan-id=10
/interface wireless access-list
add authentication=no forwarding=no interface=vap-guests
add interface=vap-inhouse
/interface wireless connect-list
add interface=vap-inhouse security-profile=profile-IH
add interface=vap-guests security-profile=profile-guests
/ip address
add address=192.168.20.121/24 interface=bridge-vlan20 network=192.168.20.0

Thanks
Jason
 
jasongt
just joined
Topic Author
Posts: 21
Joined: Sun Sep 18, 2005 5:24 am

Re: Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Tue Aug 06, 2013 3:45 am

Actually my config isn't working correctly. Can anyone help me to get this working or if it can't do it to tell me that as well so I can quit chasing my tail.

If any more info is needed please let me know.

Thanks
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Tue Aug 06, 2013 8:05 am

I would've done it differently.

Create two bridges, one for each VLAN.

ros code

/interface bridge
add name=br-vlan10
add name=br-vlan20

Create two vlan interfaces on your ether1 interface, for which ether1 becomes trunk and add that vlan interface to the correct bridge.

ros code

/interface vlan
add name=vlan10-Guests vlan-id=10 interface=ether1
add name=vlan20-InHouse vlan-id=20 interface=ether1

Then add the desired ports to the bridges.

ros code

/interface bridge port
add bridge=br-vlan10 interface=vlan10-Guests
add bridge=br-vlan10 interface=ether2
add bridge=br-vlan10 interface=vap10
add bridge=br-vlan20 interface=vlan20-InHouse
add bridge=br-vlan20 interface=ether3
add bridge=br-vlan20 interface=wlan1

You also should define two IP segments on both vlans. If DHCP is desired, add a separate DHCP server to both bridges.
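
The first post also asks that guests on ether2 and the guest SSID not see each other, which the layout above does not cover. The following is an added example, not part of either poster's configuration; it assumes the interface names used in the answer above (br-vlan10, ether2, vap10, vlan10-Guests), and the horizon value 1 is an arbitrary choice.

```routeros
# Added example: guest isolation on the VLAN 10 bridge.
# Assumed names (from the answer above): br-vlan10, ether2, vap10, vlan10-Guests.

# Bridge ports that share a horizon value never forward frames to each other.
# ether2 and vap10 get the same value; the uplink vlan10-Guests keeps the
# default (no horizon), so guests can still reach the trunk but not each other.
/interface bridge port
set [find bridge=br-vlan10 interface=ether2] horizon=1
set [find bridge=br-vlan10 interface=vap10] horizon=1

# Horizon only acts between bridge ports. Two stations on the same AP
# interface are forwarded inside the wireless driver, so disable
# client-to-client forwarding on the guest SSID as well.
/interface wireless
set vap10 default-forwarding=no

# Check the result: both guest ports should show horizon=1,
# and vlan10-Guests should show horizon=none.
/interface bridge port print where bridge=br-vlan10
```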
 
jasongt
just joined
Topic Author
Posts: 21
Joined: Sun Sep 18, 2005 5:24 am

Re: Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Thu Aug 08, 2013 4:14 pm

This isn't working, it's like the wireless doesn't pass traffic unless something is plugged into the rmxxx port or service port. Although it seems to pass vlan20 to the service but vlan10 gets an ip on the rmxxx but few seconds later it's gone and doesn't work after that.


I know x86 version is working with Cisco and several others by creating a bridge and assigning the Ethernet interface connected to the trunk port on the switch. Then create the vlan interfaces assigning them to the bridge. This works perfect on many x86 boxes and on older rb133's and I'm sure others but those I know 100%.

It also appears that the wireless is inactive it's in italics vs the standard font unless someone is connected, I can't recall if this is normal or not but I'm not thinking so. Also the way you said is not utilizing any of the switch wirespeed abilities although traffic passing through this will be mainly wireless and CPU should be more than enough to handle so that isn't a big deal I'm just wondering if the switch not setup is why it isn't working?

I'm to the point I think I have found a way to just hook ether1 as a trunk vlan10 and vlan20 and just have the two wireless ssid's and skip the ether2-5 setup if it would make this happen any easier as I found a spare cat6 on each floor although it comes with its own complications as well so any ideas on either is greatly appreciated.

Thanks
Jason
 
Rudios
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Thu Aug 08, 2013 7:19 pm

Maybe you should remove the vlan config on the switch part.
Also a possibility is that the mac address of the bridge is a problem. Maybe it can be solved by setting an admin mac manually. On the other hand, I have some sort of same config and if no ether is connected, wlan does work.
 
jasongt
just joined
Topic Author
Posts: 21
Joined: Sun Sep 18, 2005 5:24 am

Re: Need some help with RB951G-2Hnd VLAN/Switch/wlan setup

Thu Aug 08, 2013 9:47 pm

I have tried with the switch configured and left at default. Maybe you are on to something with the mac address, I did adjust the mac on the two ssid's to be different but not on the bridges or anything because I've not ever messed with them before but not dealt with this built in switch before either. It's like the traffic is only going one way which would be a tagging issue I would think as I have set the port up same as I always have and tried multiple switches and ports with the same results.

If only the trunk port is connected and no other ports in use and no one connected wireless is the name shown in italics? I think the primary is in italics and the vap is normal with no connections which seems wrong.