Hi Folks,

Can router OS do what I need.
Lets say I have ingress tagged traffic on ether1 from 5 different vlans, lets say the vlan-ids are 1,2,3,4,5
I want any frames tagged with 1,2,3,4 or 5 re-tagged as 6 and these will egress on ether2.
Traffic coming back into the network doesn't need to be retagged.
This is all L2.
Currently I do this using a switch with several loopback cables and want to find a better way to do it.
We have a CCR1036-8G-2S+

Thanks,
Chris.

It's called assymetric vlans. AFAIK ROS not support it.

Will "Use Service Tag" not work here, i.e. you have C-Vlans 1,2,3,4&5, with S-Vlan 6

Or maybe QinQ, have Vlan 6 attached to ether2, with Vlan's 1-5 attached to vlan 6?

Thanks for replies, I was thinking of QinQ but have never really used it.

I'll give you more information about the topology.
It's a docsis cable network to which Schools are connected. The CMTS I am using is limited to allowing 1 modem on a vlan so each school is on it's own vlan. The protocol is PPPoE.
When each frame leaves our network it has to be single tagged with vlan-id 6. I'm doing this by using a switch with loopback cables so each school takes up 2 ports on my switch. It's the only way currently I can untag and retag the frames.

When the frames leave our network they need to be single tagged 6. They will come back to the network as 6 and the downstream switch will look after switching the frames back to the correct School modem.
Can you point me to some q in q examples?

Chris.

What happens to the Vlan's once it gets to the other side of Vlan 6? If they split out again according to their Vlan's, then you can look intgo Service Tag / QinQ.

If the Vlan's comes from the schools, and Vlan 6 is just your uplink Vlan, won't it be better to terminate Vlan's 1 - 5 on your device, and then route out to upstream provider with Vlan 6?

Is the PPPoE server the CMTS itself or is the PPPoE server at the other end of the VLAN 6 "uplink"?

Given that you say you currently use an external switch for the task, it seems to me that what you actually need is to link each MAC address with a proper VLAN ID on the trunk towards the CMTS and use VLAN ID 6 for all of them on the (single-VLAN) trunk towards the PPPoE server.

So assuming that ether1 looks towards the CMTS which translates the VLAN ID to the modem line and doesn't care about the modem's MAC address and ether2 looks towards the PPPoE server, my configuration would be:

ascii art code

                     bridge-X
                        |
           -T.vlan1.U---|
          /             |
         / -T.vlan2.U---|
        / /             |
ether1 ---- T.vlan3.U---|---U.vlan6.T---ether2
        \ \             |
         \ -T.vlan4.U---|
          \             |
           -T.vlan5.U---|

In RouterOS code, it would be

Hi Sindy,

Thanks for the config snippit. The PPPoE server is at the end of VLAN6 outside our network. These come back into the network on VLAN6 as well. The CMTS is just acting as a bridge and sends all the tagged traffic from the schools routers to a dedicated interface to a switch. The traffic leaves this switch as single tagged 6.
The modem macs are transparent. The modems are a bridge.
I'll test your config in lab today.

Chris.

Sindy, that's a perfect solution, thank you so much!

The CMTS is just acting as a bridge

The way you describe it, its bridge operation is not perfect as there is the limitation of number of modems per VLAN, a normal bridge would not need this. So I assume that each VLAN is translated into a carrier channel but it is just my wild guess and I simply take as a matter of fact that you need to twist the idea of VLANs this odd way.

The modem macs are transparent. The modems are a bridge.

The fact that the PPPoE clients are not the modems themselves but some devices behind them doesn't change anything about the principle of handling the VLAN tagging/untagging. What it does change seriously is the approach to security.

If the modems act as bridges, you may want to prevent the L2 networks at the Ethernet side of the modems from seeing each other. The consequence of joining all the L2 segments (previously VLANs) together after stripping the VLAN IDs, each device behind one modem will be able to see, on L2, all the devices behind the other modems too. So if you attached an IP address from some subnet to the Ethernet interface of one device in one school and an IP address from the same subnet to Ethernet interface of another device in another school, these two devices would be able to talk to each other over IP. This is true also with your current solution using an external switch as tag stripper.

So to prevent this, you can use the split-horizon functionality of the bridge, which prevents bridge ports with the same value of the horizon parameter from forwarding traffic to each other. Just add the horizon parameter to the items in /interface bridge port configuration section:

Seems it works just like assymetric vlans mode in Huawei VRP OS. And split-h you using for L2 isolation. Nice implementaion.

Thanks Sindy, we are contracted to supply a L2 connection from Schools Routers to the main Schools network outside our network. We aren't responsible for the security.

Thanks Sindy, we are contracted to supply a L2 connection from Schools Routers to the main Schools network outside our network. We aren't responsible for the security.

She offer a split horizon:

interface bridge - horizon:

Use split horizon bridging to prevent bridging loops. Set the same value for group of ports, to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading. Read more about Bridge split horizon.

It's save you from layer 2 connectivity between hosts when there're untagged.