VLAN issue

qostechgl · Thu Jul 25, 2019 4:00 pm

Hello everyone, I don't ask for help very often (pretty much never) but I've been scratching my head with this one for a long while.

Here's the situation:
I have a SonicWALL router which manages my customer's network.
Main network (VLAN1) is 10.80.0.0/20
First VLAN (10) is 10.8.0.0/24
Second VLAN (100) is 172.16.16.0/23

SonicWALL is uplinked in a CRS328. From this first CRS328, we use SPF+ to uplink to 2 more CRS328.
On any of those switches, I can configure access ports on any of the 2 VLANs.
Issue: I can create access ports on any of the 2 VLANs and it's working fine. However, as soon as I try to create a trunk port that keeps the 2 VLANs tagged, only one of the 2 VLAN works.
See my config and a better hands-on explanation.

SWITCH 1

/interface bridge
add admin-mac=74:4D:28:25:12:A7 auto-mac=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-VLAN10
set [ find default-name=ether2 ] name=ether2-VLAN10
set [ find default-name=ether3 ] name=ether3-VLAN10
set [ find default-name=ether4 ] name=ether4-VLAN10
set [ find default-name=ether5 ] name=ether5-VLAN10
set [ find default-name=ether6 ] name=ether6-VLAN10
set [ find default-name=ether7 ] name=ether7-VLAN10
set [ find default-name=ether8 ] name=ether8-VLAN10
set [ find default-name=ether9 ] name=ether9-VLAN10
set [ find default-name=ether10 ] name=ether10-VLAN10
set [ find default-name=ether11 ] name=ether11-VLAN10
set [ find default-name=ether12 ] name=ether12-VLAN10
set [ find default-name=ether13 ] name=ether13-VLAN10
set [ find default-name=ether14 ] name=ether14-VLAN10
set [ find default-name=ether15 ] name=ether15-VLAN10
set [ find default-name=ether16 ] name=ether16-VLAN10
set [ find default-name=ether17 ] name=ether17-VLAN100
set [ find default-name=ether18 ] name=ether18-VLAN100
set [ find default-name=ether19 ] name=ether19-VLAN100
set [ find default-name=ether20 ] name=ether20-VLAN100
set [ find default-name=ether21 ] name=ether21-TRUNK
set [ find default-name=ether22 ] name=ether22-TRUNK
set [ find default-name=ether23 ] name=ether23-TRUNK
set [ find default-name=ether24 ] name=ether24-TRUNK
set [ find default-name=sfp-sfpplus1 ] name=sfpplus1-TRUNK
set [ find default-name=sfp-sfpplus2 ] disabled=yes name=sfpplus2-TRUNK
/interface list
add name=interfaces_TRUNK
add name=interfaces_VLAN10
add name=interfaces_VLAN100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=interfaces_TRUNK
add bridge=bridge interface=interfaces_VLAN100 pvid=100
add bridge=bridge interface=interfaces_VLAN10 pvid=10
/interface bridge vlan
add bridge=bridge tagged="ether23-TRUNK,ether24-TRUNK,sfpplus1-TRUNK,sfpplus2-\
    TRUNK,ether21-TRUNK,ether22-TRUNK" untagged="ether1-VLAN10,ether2-VLAN10,e\
    ther3-VLAN10,ether4-VLAN10,ether5-VLAN10,ether6-VLAN10,ether7-VLAN10,ether\
    8-VLAN10,ether9-VLAN10,ether10-VLAN10,ether11-VLAN10,ether12-VLAN10,ether1\
    3-VLAN10,ether14-VLAN10,ether15-VLAN10,ether16-VLAN10" vlan-ids=10
add bridge=bridge tagged=\
    ether23-TRUNK,ether24-TRUNK,sfpplus1-TRUNK,sfpplus2-TRUNK untagged=\
    ether17-VLAN100,ether18-VLAN100,ether19-VLAN100,ether20-VLAN100 vlan-ids=\
    100
/interface list member
add interface=ether23-TRUNK list=interfaces_TRUNK
add interface=ether24-TRUNK list=interfaces_TRUNK
add interface=sfpplus1-TRUNK list=interfaces_TRUNK
add interface=sfpplus2-TRUNK list=interfaces_TRUNK
add interface=ether17-VLAN100 list=interfaces_VLAN100
add interface=ether18-VLAN100 list=interfaces_VLAN100
add interface=ether19-VLAN100 list=interfaces_VLAN100
add interface=ether20-VLAN100 list=interfaces_VLAN100
add interface=ether21-TRUNK list=interfaces_TRUNK
add interface=ether22-TRUNK list=interfaces_TRUNK
add interface=ether1-VLAN10 list=interfaces_VLAN10
add interface=ether2-VLAN10 list=interfaces_VLAN10
add interface=ether3-VLAN10 list=interfaces_VLAN10
add interface=ether4-VLAN10 list=interfaces_VLAN10
add interface=ether5-VLAN10 list=interfaces_VLAN10
add interface=ether6-VLAN10 list=interfaces_VLAN10
add interface=ether7-VLAN10 list=interfaces_VLAN10
add interface=ether8-VLAN10 list=interfaces_VLAN10
add interface=ether9-VLAN10 list=interfaces_VLAN10
add interface=ether10-VLAN10 list=interfaces_VLAN10
add interface=ether11-VLAN10 list=interfaces_VLAN10
add interface=ether12-VLAN10 list=interfaces_VLAN10
add interface=ether13-VLAN10 list=interfaces_VLAN10
add interface=ether14-VLAN10 list=interfaces_VLAN10
add interface=ether15-VLAN10 list=interfaces_VLAN10
add interface=ether16-VLAN10 list=interfaces_VLAN10
/ip address
add address=10.80.0.2/20 comment=defconf interface=bridge network=10.80.0.0
/system identity
set name=SW01
/system routerboard settings
set boot-os=router-os silent-boot=no

SWITCH 2

/interface bridge
add admin-mac=74:4D:28:25:9F:37 auto-mac=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-VLAN10
set [ find default-name=ether2 ] name=ether2-VLAN10
set [ find default-name=ether3 ] name=ether3-VLAN10
set [ find default-name=ether4 ] name=ether4-VLAN10
set [ find default-name=ether5 ] name=ether5-VLAN10
set [ find default-name=ether6 ] name=ether6-VLAN10
set [ find default-name=ether7 ] name=ether7-VLAN10
set [ find default-name=ether8 ] name=ether8-VLAN10
set [ find default-name=ether9 ] name=ether9-VLAN10
set [ find default-name=ether10 ] name=ether10-VLAN10
set [ find default-name=ether11 ] name=ether11-VLAN10
set [ find default-name=ether12 ] name=ether12-VLAN10
set [ find default-name=ether13 ] name=ether13-VLAN10
set [ find default-name=ether14 ] name=ether14-VLAN10
set [ find default-name=ether15 ] name=ether15-VLAN10
set [ find default-name=ether16 ] name=ether16-VLAN10
set [ find default-name=ether17 ] name=ether17-VLAN100
set [ find default-name=ether18 ] name=ether18-VLAN100
set [ find default-name=ether19 ] name=ether19-VLAN100
set [ find default-name=ether20 ] name=ether20-VLAN100
set [ find default-name=ether21 ] name=ether21-TRUNK
set [ find default-name=ether22 ] name=ether22-TRUNK
set [ find default-name=ether23 ] name=ether23-TRUNK
set [ find default-name=ether24 ] name=ether24-TRUNK
set [ find default-name=sfp-sfpplus1 ] name=sfpplus1-TRUNK
set [ find default-name=sfp-sfpplus2 ] disabled=yes name=sfpplus2-TRUNK
/interface list
add name=interfaces_TRUNK
add name=interfaces_VLAN10
add name=interfaces_VLAN100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=interfaces_TRUNK
add bridge=bridge interface=interfaces_VLAN100 pvid=100
add bridge=bridge interface=interfaces_VLAN10 pvid=10
/interface bridge vlan
add bridge=bridge tagged=\
    ether23-TRUNK,ether24-TRUNK,sfpplus1-TRUNK,sfpplus2-TRUNK untagged=\
    ether17-VLAN100,ether18-VLAN100,ether19-VLAN100,ether20-VLAN100 vlan-ids=\
    100
add bridge=bridge tagged="ether23-TRUNK,ether24-TRUNK,sfpplus1-TRUNK,sfpplus2-\
    TRUNK,ether21-TRUNK,ether22-TRUNK" untagged="ether1-VLAN10,ether2-VLAN10,e\
    ther3-VLAN10,ether4-VLAN10,ether5-VLAN10,ether6-VLAN10,ether7-VLAN10,ether\
    8-VLAN10,ether9-VLAN10,ether10-VLAN10,ether11-VLAN10,ether12-VLAN10,ether1\
    3-VLAN10,ether14-VLAN10,ether15-VLAN10,ether16-VLAN10" vlan-ids=10
/interface list member
add interface=ether23-TRUNK list=interfaces_TRUNK
add interface=ether24-TRUNK list=interfaces_TRUNK
add interface=sfpplus1-TRUNK list=interfaces_TRUNK
add interface=sfpplus2-TRUNK list=interfaces_TRUNK
add interface=ether17-VLAN100 list=interfaces_VLAN100
add interface=ether18-VLAN100 list=interfaces_VLAN100
add interface=ether19-VLAN100 list=interfaces_VLAN100
add interface=ether20-VLAN100 list=interfaces_VLAN100
add interface=ether21-TRUNK list=interfaces_TRUNK
add interface=ether22-TRUNK list=interfaces_TRUNK
add interface=ether1-VLAN10 list=interfaces_VLAN10
add interface=ether2-VLAN10 list=interfaces_VLAN10
add interface=ether3-VLAN10 list=interfaces_VLAN10
add interface=ether4-VLAN10 list=interfaces_VLAN10
add interface=ether5-VLAN10 list=interfaces_VLAN10
add interface=ether6-VLAN10 list=interfaces_VLAN10
add interface=ether7-VLAN10 list=interfaces_VLAN10
add interface=ether8-VLAN10 list=interfaces_VLAN10
add interface=ether9-VLAN10 list=interfaces_VLAN10
add interface=ether10-VLAN10 list=interfaces_VLAN10
add interface=ether11-VLAN10 list=interfaces_VLAN10
add interface=ether12-VLAN10 list=interfaces_VLAN10
add interface=ether13-VLAN10 list=interfaces_VLAN10
add interface=ether14-VLAN10 list=interfaces_VLAN10
add interface=ether15-VLAN10 list=interfaces_VLAN10
add interface=ether16-VLAN10 list=interfaces_VLAN10
/ip address
add address=10.80.0.3/20 comment=defconf interface=bridge network=10.80.0.0
/system identity
set name=SW02
/system routerboard settings
set boot-os=router-os silent-boot=no

NOTE: This is a test environment. I'm using CRS326 instead of 328 for testing purposes.

SONICWALL -> SW01 Port24
SW01 sfpplus1-TRUNK -> SW02 sfpplus1-TRUNK

I have a DHCP running on each network in the SonicWALL.
- If I plug in my laptop in the SonicWALL, I get an IP 10.80.0.xxx (of course)
- If I plug in my laptop in the SW01 port 21/22/23, I also get an IP 10.80.0.xxx (OK)
- If I plug in my laptop in the SW01 port 1 to 16, I get an IP 10.8.0.xxx (OK, access port to VLAN 10)
- If I plug in my laptop in the SW01 port 17 to 20, I get an IP 172.16.16.xxx (OK, access port to VLAN 100)
- If I plug in my laptop in the SW02 port 21/22/23/24, I get an IP of 10.80.0.xxx (OK)
- If I plug in my laptop in the SW02 port 1 to 16, I get an IP 10.8.0.xxx (OK, access port to VLAN 10)
- If I plug in my laptop in the SW02 port 17 to 20, I get an IP 172.16.16.xxx (OK, access port to VLAN 100)

Here's the weird part:
If I hook up an access point (UBIQUITI AC-PRO) to the ports 21,22,23 of any of the switches. The AP broadcasts 3 networks.
- First network is 10.80.0.0 (NO VLAN): The AP gets an IP 10.80.0.xxx, DHCP is going through to clients and communication is working. (OK)
- Second network is 10.8.0.0 (VLAN10): The AP does NOT get an IP (not sure if this is normal), however DHCP is going through to clients and communication is working. (OK)
- Third network is 172.16.16.0 (VLAN100): The AP does NOT get an IP (again, not sure if this is normal), DHCP is NOT going through to clients and obviously communication is NOT working. (NOT OK)

Not sure I am 100% clear, if anyone of you need more details to help, I'll gladly provide more info.

Thanks a lot.

mkx · Thu Jul 25, 2019 4:06 pm

One thing that strikes me odd:

/interface bridge vlan
add bridge=bridge tagged="ether23-TRUNK,ether24-TRUNK,sfpplus1-TRUNK,sfpplus2-\
TRUNK,ether21-TRUNK,ether22-TRUNK" untagged="ether1-VLAN10,ether2-VLAN10,e\
ther3-VLAN10,ether4-VLAN10,ether5-VLAN10,ether6-VLAN10,ether7-VLAN10,ether\
8-VLAN10,ether9-VLAN10,ether10-VLAN10,ether11-VLAN10,ether12-VLAN10,ether1\
3-VLAN10,ether14-VLAN10,ether15-VLAN10,ether16-VLAN10" vlan-ids=10

There shouldn't be any double quotes there ... if double quotes are needed because of "weird" interface names, individual interface names should be enclosed in pairs of double quotes, commans should definitely be un-quoted.
Similar line for vlan-ids=100 looks fine.

What does /interface bridge vlan print show? On my routerboard it shows list of interfaces, one interface per line (no commas there).

qostechgl · Thu Jul 25, 2019 4:50 pm

Don't know what to answer to this. This is the exact copy/paste of the export command.

Here's the result of bridge vlan print

[admin@SW01] > /interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge 10 sfpplus1-TRUNK
ether24-TRUNK
ether23-TRUNK
1 bridge 100 sfpplus1-TRUNK
ether24-TRUNK
ether23-TRUNK
2 D bridge 1 bridge
sfpplus1-TRUNK
ether24-TRUNK
ether23-TRUNK

mkx · Thu Jul 25, 2019 4:57 pm

What you posted as output of /interface bridge vlan print doesn't correspond to how it should be configured (nor how you wanted it configured). The difference between /interface bridge vlan export and /interface bridge vlan print is that the former shows configuration directives and the later shows running configuration. Ideally these two should match as closely as possible.

qostechgl · Thu Jul 25, 2019 5:24 pm

Pretty sure it doesn't match in the print because there's no interfaces up other than the ones showing up. Am I wrong?
In the print you can see the SPF+1 and ether23/24 because I'm currently using them.
SPF+1 is uplink to SW02
ether23 is my computer at the time of the print
ether24 is the uplink from the sonicwall.

If I switch my laptop to any other port, ether23 doesn't show up in the print and this happens:

[admin@SW01] > /interface bridge vlan print
Flags: X - disabled, D - dynamic 
 #   BRIDGE           VLAN-IDS  CURRENT-TAGGED          CURRENT-UNTAGGED      
 0   bridge           10        sfpplus1-TRUNK         
                                ether24-TRUNK          
 1   bridge           100       sfpplus1-TRUNK          ether19-VLAN100       
                                ether24-TRUNK          
 2 D bridge           1                                 bridge                
                                                        sfpplus1-TRUNK        
                                                        ether24-TRUNK

mkx · Thu Jul 25, 2019 7:29 pm

OK,I'll assume then the print-out is fine.

What I just noticed: ether21 and ether22 are not set to be members of VLAN 100 (neither tagged nor untagged) on any of switches. Which explains why clients of third SSID don't get anything ... when AP is connected to any of ether21 or ether22 ports. It doesn't explain non-working state if AP is connected to ether23 though.

Regarding IP addresses on APs: they only need single IP address for management and seems like Ubnt gear wants management over untagged. It certainly doesn't need IP address just for frame forwarding between ethernet and wireless (as switches don't need IP addresses on all VLANs).

qostechgl · Thu Jul 25, 2019 9:52 pm

This is true, it wasn't tagged on the V100. I have made the modifications. However it's not 100% relevant to my tests because the AP is plugged into the port 23. Only reason I included the 21 and 22 is to hookup my laptop directly to the switch and start a wireshark, which I haven't done yet.

Any other ideas before I start digging deeper with wireshark?

Thanks a lot

mkx · Thu Jul 25, 2019 10:43 pm

My thinking: ports ether23 and ether24 are set up equally. As VLANs seemingly work as they should on ether24 (Sonicwall trunk ... when connecting to different access ports computer becomes part of correct VLAN) - you might want to verify this by connecting Sonicwall to ether23 ... it serms that CRSes are set up correctly .... so I'd have another look at the AP configs ...

qostechgl · Thu Jul 25, 2019 11:05 pm

So far, you're 100% right, my config seems fine on the CRS switches...
I have tested something which for some reason I hadn't before.
Hooked up the AP directly to the sonicwall and still the same issue.
I have absolutely no clue why that'd be the case. My test environment has nothing except my test VLANs which are 100% identical (except for the network addressing & vlan id)

I'll keep working on it. Thanks a lot!

VLAN issue

VLAN issue

Re: VLAN issue

Re: VLAN issue

Re: VLAN issue

Re: VLAN issue

Re: VLAN issue

Re: VLAN issue

Re: VLAN issue

Re: VLAN issue