networkfudge
Trainer
Topic Author
Posts: 136
Joined: Mon May 20, 2013 2:47 pm

trunks from mikrotik to switches

Fri May 23, 2014 9:23 am

vlans and trunking from mikrotik to switches

My organisation has 5 vlans:

management traffic vlanid=3,
cctv traffic vlanid=4,
voip traffic vlanid=5,
office traffic vlanid=6
and hotspot traffic vlanid=7

I want to replace the current router (openwrt) with a mikrotik RB2011iL-RM.

I'm trying to replicate the setup I have on openwrt but my trunk ports (ether 1-5) refuse to communicate with the organisation's switches (switches work fine when connected to openwrt trunk ports).

# jan/02/1970 08:09:27 by RouterOS 6.12
# software id = QJDL-LB2R
#
/interface bridge
add l2mtu=1594 mtu=1504 name=3-MANAGEMENT
add l2mtu=1594 mtu=1504 name=4-CCTV
add l2mtu=1594 mtu=1504 name=5-VOIP
add l2mtu=1594 mtu=1504 name=6-OFFICE
add l2mtu=1594 mtu=1504 name=7-HOTSPOT
/interface ethernet
set [ find default-name=ether8 ] name=ether8-WAN1
set [ find default-name=ether9 ] name=ether9-WAN2
/interface vlan
add interface=ether1 l2mtu=1594 name=v3p1 vlan-id=3
add interface=ether2 l2mtu=1594 name=v3p2 vlan-id=3
add interface=ether3 l2mtu=1594 name=v3p3 vlan-id=3
add interface=ether4 l2mtu=1594 name=v3p4 vlan-id=3
add interface=ether5 l2mtu=1594 name=v3p5 vlan-id=3
add interface=ether6 l2mtu=1594 name=v3p6 vlan-id=3
add interface=ether1 l2mtu=1594 name=v4p1 vlan-id=4
add interface=ether2 l2mtu=1594 name=v4p2 vlan-id=4
add interface=ether3 l2mtu=1594 name=v4p3 vlan-id=4
add interface=ether4 l2mtu=1594 name=v4p4 vlan-id=4
add interface=ether5 l2mtu=1594 name=v4p5 vlan-id=4
add interface=ether1 l2mtu=1594 name=v5p1 vlan-id=5
add interface=ether2 l2mtu=1594 name=v5p2 vlan-id=5
add interface=ether3 l2mtu=1594 name=v5p3 vlan-id=5
add interface=ether4 l2mtu=1594 name=v5p4 vlan-id=5
add interface=ether5 l2mtu=1594 name=v5p5 vlan-id=5
add interface=ether1 l2mtu=1594 name=v6p1 vlan-id=6
add interface=ether2 l2mtu=1594 name=v6p2 vlan-id=6
add interface=ether3 l2mtu=1594 name=v6p3 vlan-id=6
add interface=ether4 l2mtu=1594 name=v6p4 vlan-id=6
add interface=ether5 l2mtu=1594 name=v6p5 vlan-id=6
add interface=ether7 l2mtu=1594 name=v6p7 vlan-id=6
add interface=ether1 l2mtu=1594 name=v7p1 vlan-id=7
add interface=ether2 l2mtu=1594 name=v7p2 vlan-id=7
add interface=ether3 l2mtu=1594 name=v7p3 vlan-id=7
add interface=ether4 l2mtu=1594 name=v7p4 vlan-id=7
add interface=ether5 l2mtu=1594 name=v7p5 vlan-id=7
/interface ethernet switch port
set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 5 default-vlan-id=3 vlan-header=always-strip vlan-mode=fallback
set 6 default-vlan-id=6 vlan-header=always-strip vlan-mode=fallback
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool-3-management ranges=10.20.30.2-10.20.30.254
add name=dhcp_pool-4-cctv ranges=10.20.40.2-10.20.40.254
add name=dhcp_pool-5-voip ranges=10.20.50.2-10.20.50.254
add name=dhcp_pool-6-office ranges=10.20.60.2-10.20.60.254
add name=dhcp_pool-7-hotspot ranges=10.20.70.2-10.20.71.254
/ip dhcp-server
add address-pool=dhcp_pool-3-management disabled=no interface=3-MANAGEMENT \
    name=dhcp-3-management
add address-pool=dhcp_pool-4-cctv disabled=no interface=4-CCTV name=\
    dhcp-4-ccctv
add address-pool=dhcp_pool-5-voip disabled=no interface=5-VOIP name=\
    dhcp-5-voip
add address-pool=dhcp_pool-6-office disabled=no interface=6-OFFICE name=\
    dhcp-6-office
add address-pool=dhcp_pool-7-hotspot disabled=no interface=7-HOTSPOT name=\
    dhcp-7-hotspot
/interface bridge port
add bridge=3-MANAGEMENT interface=v3p1
add bridge=3-MANAGEMENT interface=v3p2
add bridge=3-MANAGEMENT interface=v3p3
add bridge=3-MANAGEMENT interface=v3p4
add bridge=3-MANAGEMENT interface=v3p5
add bridge=3-MANAGEMENT interface=v3p6
add bridge=4-CCTV interface=v4p1
add bridge=4-CCTV interface=v4p2
add bridge=4-CCTV interface=v4p3
add bridge=4-CCTV interface=v4p4
add bridge=4-CCTV interface=v4p5
add bridge=5-VOIP interface=v5p1
add bridge=5-VOIP interface=v5p2
add bridge=5-VOIP interface=v5p3
add bridge=5-VOIP interface=v5p4
add bridge=5-VOIP interface=v5p5
add bridge=6-OFFICE interface=v6p1
add bridge=6-OFFICE interface=v6p2
add bridge=6-OFFICE interface=v6p3
add bridge=6-OFFICE interface=v6p4
add bridge=6-OFFICE interface=v6p5
add bridge=6-OFFICE interface=v6p7
add bridge=7-HOTSPOT interface=v7p1
add bridge=7-HOTSPOT interface=v7p2
add bridge=7-HOTSPOT interface=v7p3
add bridge=7-HOTSPOT interface=v7p4
add bridge=7-HOTSPOT interface=v7p5
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=\
    switch1 vlan-id=3
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=\
    switch1 vlan-id=4
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=\
    switch1 vlan-id=5
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=\
    switch1 vlan-id=6
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=\
    switch1 vlan-id=7
add ports=ether6 switch=switch2 vlan-id=3
add ports=ether7 switch=switch2 vlan-id=6
/ip address
add address=10.20.30.1/24 interface=3-MANAGEMENT network=10.20.30.0
add address=10.20.40.1/24 interface=4-CCTV network=10.20.40.0
add address=10.20.50.1/24 interface=5-VOIP network=10.20.50.0
add address=10.20.60.1/24 interface=6-OFFICE network=10.20.60.0
add address=10.20.70.1/23 interface=7-HOTSPOT network=10.20.70.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether8-WAN1
add default-route-distance=0 dhcp-options=hostname,clientid interface=\
    ether9-WAN2
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=10.20.30.1 gateway=10.20.30.1
add address=10.20.40.0/24 dns-server=10.20.40.1 gateway=10.20.40.1
add address=10.20.50.0/24 dns-server=10.20.50.1 gateway=10.20.50.1
add address=10.20.60.0/24 dns-server=10.20.60.1 gateway=10.20.60.1
add address=10.20.70.0/23 dns-server=10.20.70.1 gateway=10.20.70.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN1
add action=masquerade chain=srcnat out-interface=ether9-WAN2


I can't pass any traffic whatsoever from the router to a switch.

I'm using routeros 6.12
 
ZPrime
newbie
Posts: 25
Joined: Wed May 07, 2014 3:14 am

Re: trunks from mikrotik to switches

Fri May 23, 2014 11:12 am

OK, I'm not exactly sure what you're trying to do there but it seems very wrong.

Do you have multiple physical ports plugged from the switch into the router?

What is the switch? Your best option is going to be to do a bond interface, and then run the VLANs on top of that. LACP mode (802.3ad) is "safest" but not all switches can do it, but everything should work with a generic bond if you set the bonding mode correctly. This will let all of the VLANs share the bandwidth on all 5 ports.

ros code

[admin@RTR1] > /interface bond print
Flags: X - disabled, R - running 
 0  R ;;; LACP eth1+2, ae6 on Junipers
      name="bond1" mtu=1500 mac-address=D4:CA:6D:E1:CE:9A arp=enabled slaves=ether1,ether2 mode=802.3ad primary=none link-monitoring=mii 
      arp-interval=100ms arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=30secs transmit-hash-policy=layer-2-and-3

You then set up VLAN interfaces that sit on that bond interface, and can work with them as you like. There's no need to do anything with bridge groups, and if you have those ports in a bridge you'll want to remove that.

http://wiki.mikrotik.com/wiki/Manual:Interface/Bonding
 
networkfudge
Trainer
Topic Author
Posts: 136
Joined: Mon May 20, 2013 2:47 pm

Re: trunks from mikrotik to switches

Fri May 23, 2014 6:22 pm

> OK, I'm not exactly sure what you're trying to do there but it seems very wrong.
>
> Do you have multiple physical ports plugged from the switch into the router?
>
> What is the switch? Your best option is going to be to do a bond interface, and then run the VLANs on top of that. LACP mode (802.3ad) is "safest" but not all switches can do it, but everything should work with a generic bond if you set the bonding mode correctly. This will let all of the VLANs share the bandwidth on all 5 ports.

I need five trunk ports because I have five switches that the router connects to, not because I need an aggregate link to a single switch.

All five switches need to handle a combination of vlan traffic, that's why all vlans should be passed to all switches.

And before you ask, the reason why the switches are not daisy-chained is because they are not physically close to each other apart from one, then one is on a different floor, two reside in adjacent buildings and two are connected via wireless bridge (ubnt nanobridge).

Anyway I REMOVED the following from the switch port config:

ros code

set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure

and everything seems to be working. I tested by plugging something into a port on one of the switches (with say untagged vlan6) and it's now getting 10.20.60.x address via the router's dhcp interface.
 
ZPrime
newbie
Posts: 25
Joined: Wed May 07, 2014 3:14 am

Re: trunks from mikrotik to switches

Fri May 23, 2014 10:55 pm

> > OK, I'm not exactly sure what you're trying to do there but it seems very wrong.
> >
> > Do you have multiple physical ports plugged from the switch into the router?
> >
> > What is the switch? Your best option is going to be to do a bond interface, and then run the VLANs on top of that. LACP mode (802.3ad) is "safest" but not all switches can do it, but everything should work with a generic bond if you set the bonding mode correctly. This will let all of the VLANs share the bandwidth on all 5 ports.
>
> I need five trunk ports because I have five switches that the router connects to, not because I need an aggregate link to a single switch.
>
> All five switches need to handle a combination of vlan traffic, that's why all vlans should be passed to all switches.
>
> And before you ask, the reason why the switches are not daisy-chained is because they are not physically close to each other apart from one, then one is on a different floor, two reside in adjacent buildings and two are connected via wireless bridge (ubnt nanobridge).
>
> Anyway I REMOVED the following from the switch port config:
>
> ros code
>
> set 0 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
> set 1 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
> set 2 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
> set 3 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
> set 4 default-vlan-id=3 vlan-header=add-if-missing vlan-mode=secure
>
> and everything seems to be working. I tested by plugging something into a port on one of the switches (with say untagged vlan6) and it's now getting 10.20.60.x address via the router's dhcp interface.

That part about having 5 separate switches would've been helpful in the initial post. ;)
 
networkfudge
Trainer
Topic Author
Posts: 136
Joined: Mon May 20, 2013 2:47 pm

Re: trunks from mikrotik to switches

Sat May 24, 2014 12:40 am

Well fair enough I suppose although I did say "the organization's switches" :)
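
An added example, not part of the thread and not MikroTik tooling: a Python check that cross-references the three tables the export in the first post relies on (`/interface vlan`, `/interface bridge port`, `/interface ethernet switch vlan`) and lists the port/VLAN pairs on which they disagree, which is a quick way to confirm what each trunk is actually configured to carry. The function names `parse_export` and `audit_trunks` and the reduced sample export are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the export above, with deliberate mismatches.
SAMPLE_EXPORT = r"""
/interface vlan
add interface=ether1 l2mtu=1594 name=v3p1 vlan-id=3
add interface=ether1 l2mtu=1594 name=v6p1 vlan-id=6
add interface=ether2 l2mtu=1594 name=v6p2 vlan-id=6
/interface bridge port
add bridge=3-MANAGEMENT interface=v3p1
add bridge=6-OFFICE interface=v6p1
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2 switch=\
    switch1 vlan-id=3
"""

def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for an export-style dump."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a backslash
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif current and line and not line.startswith("#"):
            sections[current].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit_trunks(text):
    """Cross-check VLAN interfaces against bridge ports and the switch VLAN table."""
    s = parse_export(text)
    vlan_ifs = {v["name"]: (v["interface"], int(v["vlan-id"])) for v in s["/interface vlan"]}
    bridged = {p["interface"] for p in s["/interface bridge port"]}
    table = defaultdict(set)  # vlan-id -> ports listed in the switch VLAN table
    for e in s["/interface ethernet switch vlan"]:
        table[int(e["vlan-id"])].update(e["ports"].split(","))
    findings = []
    for name, (port, vid) in sorted(vlan_ifs.items()):
        if name not in bridged:
            findings.append(f"{name}: not a member of any bridge")
        if port not in table[vid]:
            findings.append(f"{name}: {port} not in switch VLAN table for vlan-id={vid}")
    for vid, ports in sorted(table.items()):
        findings += [f"{port}: switch VLAN table lists vlan-id={vid}, no VLAN interface"
                     for port in sorted(ports) if (port, vid) not in vlan_ifs.values()]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_trunks(SAMPLE_EXPORT)))
```

Run against a full export, an empty result means every tagged VLAN on every port has a matching bridge membership and switch VLAN table entry.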