I'm facing a little problem. A loop :(
I have two CCR with VRRP interfaces.
I clearly have a problem with my RSTP configuration.
Here my RSTP cfg :
What i'm missing there ?
Thanks for your help.
VRRP & RSTP
Hi guys,
I'm facing a little problem. A loop :(
I have two CCR with VRRP interfaces.
I clearly have a problem with my RSTP configuration.
Here my RSTP cfg :
What i'm missing there ?
Thanks for your help.
I'm facing a little problem. A loop :(
I have two CCR with VRRP interfaces.
I clearly have a problem with my RSTP configuration.
Here my RSTP cfg :
What i'm missing there ?
Thanks for your help.
Last edited by Philox on Fri Feb 19, 2021 10:27 am, edited 1 time in total.
Re: VRRP & RSTP
Do I read your picture right that the HP and HP PoE boxes are actually Hewlett-Packard (-Enterprise) ones? If so, the RSTP flavor there may not understand the one implemented by Mikrotik. The only STP flavor standardized precisely enough to intework between different vendors is MSTP, so it may be as simple as that.
Re: VRRP & RSTP
Tanks for your reply.
Yes it's. But i tried with the CRS and i'm facing the same problem.
So i guess it's not a problem with the HPe switches.
What about the RSTP configuraiton ? Do this looks good for you ?
Thank you
Yes it's. But i tried with the CRS and i'm facing the same problem.
So i guess it's not a problem with the HPe switches.
What about the RSTP configuraiton ? Do this looks good for you ?
Thank you
Re: VRRP & RSTP
The configuration exports have disappeared from your post, so hard to say whether it looks good or not. I'd need at least one of the CCR (assuming they are symmetric at L2) and one from the CRS (assuming that those are also similar to each other). But still, once you want the HP to work, you may have to migrate everything to MSTP after all. Given the topology, the other possibility might be to give up STP and use just port horizon/isolation, meaning that what comes in via SFP1 will not be forwarded out via SFP2 and vice versa. But I don't know whether this can be done on the HP devices.
Re: VRRP & RSTP
Thanks for your reply and your time.
Sadly i don't have the routers with me right now, i'll tonight. I just have the ccfg without the rstp now.
I'll try to configure the MSTP, but i never used this protocol before.
CCR1 :
CCR2:
Sadly i don't have the routers with me right now, i'll tonight. I just have the ccfg without the rstp now.
I'll try to configure the MSTP, but i never used this protocol before.
CCR1 :
Code: Select all
/interface bridge
add name=bridge-15 priority=0x1000 vlan-filtering=yes
add name=bridge-30 vlan-filtering=yes
add name=bridge-45 vlan-filtering=yes
add name=bridge-46 vlan-filtering=yes
add name=bridge-138 vlan-filtering=yes
add name=bridge-175 vlan-filtering=yes
add name=bridge-200 priority=0x1000 vlan-filtering=yes
add name=bridge-icl
add name=bridgeWAN1
/interface vrrp
add interface=bridge-15 name=vrrp-15 priority=200 vrid=15
add interface=bridge-30 name=vrrp-30 priority=200 vrid=30
add interface=bridge-45 name=vrrp-45 priority=200 vrid=45
add interface=bridge-46 name=vrrp-46 priority=200 vrid=46
add interface=bridge-138 name=vrrp-138 priority=200 vrid=138
add interface=bridge-175 name=vrrp-175 priority=200 vrid=175
add interface=bridge-200 name=vrrp-200 priority=200 vrid=200
/interface vlan
add comment=SFP1 interface=sfp-sfpplus1 name=sfp1-138 vlan-id=138
add interface=sfp-sfpplus1 name=sfp1-175 vlan-id=175
add interface=sfp-sfpplus1 name=sfp1-200 vlan-id=200
add comment=SFP2 interface=sfp-sfpplus2 name=sfp2-15 vlan-id=15
add interface=sfp-sfpplus2 name=sfp2-200 vlan-id=200
add interface=sfp-sfpplus2 name=sfp2-30 vlan-id=30
add comment=SFP3 interface=sfp-sfpplus3 name=sfp3-15 vlan-id=15
add interface=sfp-sfpplus3 name=sfp3-200 vlan-id=200
add interface=sfp-sfpplus3 name=sfp3-30 vlan-id=30
add interface=sfp-sfpplus3 name=sfp3-45 vlan-id=45
add interface=sfp-sfpplus3 name=sfp3-46 vlan-id=46
add comment=SFP4 interface=sfp-sfpplus4 name=sfp4-15 vlan-id=15
add interface=sfp-sfpplus4 name=sfp4-200 vlan-id=200
add interface=sfp-sfpplus4 name=sfp4-30 vlan-id=30
add comment=SFP5 interface=sfp-sfpplus5 name=sfp5-138 vlan-id=138
add interface=sfp-sfpplus5 name=sfp5-175 vlan-id=175
add interface=sfp-sfpplus5 name=sfp5-200 vlan-id=200
add comment=SFP6 interface=sfp-sfpplus6 name=sfp6-15 vlan-id=15
add interface=sfp-sfpplus6 name=sfp6-200 vlan-id=200
add interface=sfp-sfpplus6 name=sfp6-30 vlan-id=30
add interface=sfp-sfpplus6 name=sfp6-45 vlan-id=45
add interface=sfp-sfpplus6 name=sfp6-46 vlan-id=46
add comment=SFP8 interface=sfp-sfpplus8 name=sfp8-138 vlan-id=138
add interface=sfp-sfpplus8 name=sfp8-15 vlan-id=15
add interface=sfp-sfpplus8 name=sfp8-175 vlan-id=175
add interface=sfp-sfpplus8 name=sfp8-200 vlan-id=200
add interface=sfp-sfpplus8 name=sfp8-30 vlan-id=30
add interface=sfp-sfpplus8 name=sfp8-45 vlan-id=45
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-legacy ranges=192.168.138.10-192.168.138.200
add name=pool-data ranges=10.0.14.2-10.0.15.254
add name=pool-voix ranges=10.0.30.2-10.0.30.254
add name=pool-wifi ranges=10.0.45.2-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.2-10.0.47.254
add name=pool-serveur ranges=10.0.175.2-10.0.175.254
/ip dhcp-server
add address-pool=pool-data disabled=no interface=bridge-15 name=dhcp-15
add address-pool=pool-voix disabled=no interface=bridge-30 name=dhcp-30
add address-pool=pool-serveur disabled=no interface=bridge-175 name=dhcp-175
add address-pool=pool-wifi disabled=no interface=bridge-45 name=dhcp-45
add address-pool=pool-wifiguest disabled=no interface=bridge-46 name=dhcp-46
add address-pool=pool-legacy disabled=no interface=bridge-138 name=dhcp-138
/user group
add name=ftp-dhcp policy="ftp,read,!local,!telnet,!ssh,!reboot,!write,!policy,!t\
est,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-138 interface=sfp1-138
add bridge=bridge-175 interface=sfp1-175
add bridge=bridge-200 interface=sfp1-200
add bridge=bridge-15 interface=sfp2-15
add bridge=bridge-200 interface=sfp2-200
add bridge=bridge-30 interface=sfp2-30
add bridge=bridge-15 interface=sfp3-15
add bridge=bridge-200 interface=sfp3-200
add bridge=bridge-30 interface=sfp3-30
add bridge=bridge-45 interface=sfp3-45
add bridge=bridge-46 interface=sfp3-46
add bridge=bridge-15 interface=sfp4-15
add bridge=bridge-200 interface=sfp4-200
add bridge=bridge-30 interface=sfp4-30
add bridge=bridge-138 interface=sfp5-138
add bridge=bridge-175 interface=sfp5-175
add bridge=bridge-200 interface=sfp5-200
add bridge=bridge-15 interface=sfp6-15
add bridge=bridge-200 interface=sfp6-200
add bridge=bridge-30 interface=sfp6-30
add bridge=bridge-45 interface=sfp6-45
add bridge=bridge-46 interface=sfp6-46
add bridge=bridge-icl interface=sfp8-138
add bridge=bridge-icl interface=sfp8-15
add bridge=bridge-icl interface=sfp8-175
add bridge=bridge-icl interface=sfp8-200
add bridge=bridge-icl interface=sfp8-30
add bridge=bridge-icl interface=sfp8-45
/ip address
add address=**.***.*.***/28 comment="WAN PROCEAU" interface=bridgeWAN1 \
network=**.***.*.***
add address=192.168.0.201/30 comment="ICL " interface=bridge-icl network=\
192.168.0.200
add address=192.168.138.2/24 comment=legacy interface=bridge-138 network=\
192.168.138.0
add address=10.0.175.2/24 interface=bridge-175 network=10.0.175.0
add address=10.0.45.2/24 interface=bridge-45 network=10.0.45.0
add address=10.0.46.2/23 interface=bridge-46 network=10.0.46.0
add address=10.0.30.2/24 interface=bridge-30 network=10.0.30.0
add address=10.0.200.2/24 interface=bridge-200 network=10.0.200.0
add address=10.0.14.2/23 interface=bridge-15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 network=\
192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=\
10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=\
10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=\
10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=\
10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=\
10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=\
10.0.46.0
/ip dhcp-server network
add address=10.0.14.0/32 gateway=10.0.14.1 netmask=23
add address=10.0.30.0/32 gateway=10.0.30.1 netmask=24
add address=10.0.45.0/32 gateway=10.0.45.1 netmask=24
add address=10.0.46.0/32 gateway=10.0.46.1 netmask=23
add address=10.0.175.0/32 gateway=10.0.175.1 netmask=24
add address=10.0.200.0/32 gateway=10.0.200.1 netmask=24
add address=192.168.138.0/32 gateway=192.168.138.1 netmask=24
/ip firewall filter
add action=accept chain=input comment=":: FTP DHCP Failover" dst-port=21 \
in-interface=bridge-icl protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=all
/ip route
add distance=1 gateway=46.252.178.177
add distance=1 dst-address=192.168.0.202/32 gateway=192.168.0.202
/lcd
set color-scheme=dark
/lcd interface pages
set 0 interfaces="sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplu\
s5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8"
/system identity
set name=LBO_CoreRouter1
/system scheduler
add interval=2m name=dhcp on-event="if ([: len [/ file find name = leases.rsc]]>\
\_0) do = {/ file remove leases.rsc}\r\
\n/ ip dhcp-server lease export file=leases.rsc" policy=\
ftp,read,write,romon start-time=startup
/tool romon
set enabled=yesCode: Select all
/interface bridge
add name=bridge-15 vlan-filtering=yes
add name=bridge-30 vlan-filtering=yes
add name=bridge-45 vlan-filtering=yes
add name=bridge-46 vlan-filtering=yes
add name=bridge-138 vlan-filtering=yes
add name=bridge-175 vlan-filtering=yes
add disabled=yes name=bridge-200 vlan-filtering=yes
add name=bridge-icl
add name=bridgeWAN2
/interface vrrp
add interface=bridge-15 name=vrrp-15 vrid=15
add interface=bridge-30 name=vrrp-30 vrid=30
add interface=bridge-45 name=vrrp-45 vrid=45
add interface=bridge-46 name=vrrp-46 vrid=46
add interface=bridge-138 name=vrrp-138 vrid=138
add interface=bridge-175 name=vrrp-175 vrid=175
add interface=bridge-200 name=vrrp-200 vrid=200
/interface vlan
add comment=SFP1 interface=sfp-sfpplus1 name=sfp1-138 vlan-id=138
add interface=sfp-sfpplus1 name=sfp1-175 vlan-id=175
add interface=sfp-sfpplus1 name=sfp1-200 vlan-id=200
add comment=SFP2 interface=sfp-sfpplus2 loop-protect=off name=sfp2-15 vlan-id=15
add interface=sfp-sfpplus2 name=sfp2-200 vlan-id=200
add interface=sfp-sfpplus2 name=sfp2-30 vlan-id=30
add comment=SFP3 interface=sfp-sfpplus3 name=sfp3-15 vlan-id=15
add interface=sfp-sfpplus3 name=sfp3-200 vlan-id=200
add interface=sfp-sfpplus3 name=sfp3-30 vlan-id=30
add interface=sfp-sfpplus3 name=sfp3-45 vlan-id=45
add interface=sfp-sfpplus3 name=sfp3-46 vlan-id=46
add comment=SFP4 interface=sfp-sfpplus4 name=sfp4-15 vlan-id=15
add interface=sfp-sfpplus4 name=sfp4-200 vlan-id=200
add interface=sfp-sfpplus4 name=sfp4-30 vlan-id=30
add comment=SFP5 interface=sfp-sfpplus5 name=sfp5-138 vlan-id=138
add interface=sfp-sfpplus5 name=sfp5-175 vlan-id=175
add interface=sfp-sfpplus5 name=sfp5-200 vlan-id=200
add comment=SFP6 interface=sfp-sfpplus6 name=sfp6-15 vlan-id=15
add interface=sfp-sfpplus6 name=sfp6-200 vlan-id=200
add interface=sfp-sfpplus6 name=sfp6-30 vlan-id=30
add interface=sfp-sfpplus6 name=sfp6-45 vlan-id=45
add interface=sfp-sfpplus6 name=sfp6-46 vlan-id=46
add comment=SFP8 interface=sfp-sfpplus8 name=sfp8-138 vlan-id=138
add interface=sfp-sfpplus8 name=sfp8-15 vlan-id=15
add interface=sfp-sfpplus8 name=sfp8-175 vlan-id=175
add interface=sfp-sfpplus8 name=sfp8-200 vlan-id=200
add interface=sfp-sfpplus8 name=sfp8-30 vlan-id=30
add interface=sfp-sfpplus8 name=sfp8-45 vlan-id=45
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-legacy ranges=192.168.138.10-192.168.138.200
add name=pool-data ranges=10.0.14.2-10.0.15.254
add name=pool-voix ranges=10.0.30.2-10.0.30.254
add name=pool-wifi ranges=10.0.45.2-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.2-10.0.47.254
add name=pool-serveur ranges=10.0.175.2-10.0.175.254
/ip dhcp-server
add address-pool=pool-data delay-threshold=10s disabled=no interface=bridge-15 name=dhcp-15
add address-pool=pool-voix delay-threshold=10s disabled=no interface=bridge-30 name=dhcp-30
add address-pool=pool-serveur delay-threshold=10s disabled=no interface=bridge-175 name=dhcp-175
add address-pool=pool-wifi delay-threshold=10s disabled=no interface=bridge-45 name=dhcp-45
add address-pool=pool-wifiguest delay-threshold=10s disabled=no interface=bridge-46 name=dhcp-46
add address-pool=pool-legacy delay-threshold=10s disabled=no interface=bridge-138 name=dhcp-138
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge-138 interface=sfp1-138
add bridge=bridge-175 interface=sfp1-175
add bridge=bridge-200 interface=sfp1-200
add bridge=bridge-15 interface=sfp2-15
add bridge=bridge-200 interface=sfp2-200
add bridge=bridge-30 interface=sfp2-30
add bridge=bridge-15 interface=sfp3-15
add bridge=bridge-200 interface=sfp3-200
add bridge=bridge-30 interface=sfp3-30
add bridge=bridge-45 interface=sfp3-45
add bridge=bridge-46 interface=sfp3-46
add bridge=bridge-15 interface=sfp4-15
add bridge=bridge-200 interface=sfp4-200
add bridge=bridge-30 interface=sfp4-30
add bridge=bridge-138 interface=sfp5-138
add bridge=bridge-175 interface=sfp5-175
add bridge=bridge-200 interface=sfp5-200
add bridge=bridge-15 interface=sfp6-15
add bridge=bridge-200 interface=sfp6-200
add bridge=bridge-30 interface=sfp6-30
add bridge=bridge-45 interface=sfp6-45
add bridge=bridge-46 interface=sfp6-46
add bridge=bridge-icl interface=sfp8-138
add bridge=bridge-icl interface=sfp8-15
add bridge=bridge-icl interface=sfp8-175
add bridge=bridge-icl interface=sfp8-200
add bridge=bridge-icl interface=sfp8-30
add bridge=bridge-icl interface=sfp8-45
/ip address
add address=192.168.0.202/30 comment="ICL " interface=bridge-icl network=192.168.0.200
add address=192.168.138.3/24 comment=legacy interface=bridge-138 network=192.168.138.0
add address=10.0.175.3/24 interface=bridge-175 network=10.0.175.0
add address=10.0.45.3/24 interface=bridge-45 network=10.0.45.0
add address=10.0.46.3/23 interface=bridge-46 network=10.0.46.0
add address=10.0.30.3/24 interface=bridge-30 network=10.0.30.0
add address=10.0.200.3/24 interface=bridge-200 network=10.0.200.0
add address=10.0.14.3/23 interface=bridge-15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 network=192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=10.0.46.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.14.0/23 gateway=10.0.14.1 netmask=23
add address=10.0.30.0/24 gateway=10.0.30.1 netmask=24
add address=10.0.45.0/24 gateway=10.0.45.1 netmask=24
add address=10.0.46.0/23 gateway=10.0.46.1
add address=10.0.175.0/24 gateway=10.0.175.1
add address=10.0.200.0/24 gateway=10.0.200.1 netmask=24
add address=192.168.138.0/24 gateway=192.168.138.1 netmask=24
/ip dns
set servers=46.252.178.178,46.252.178.179
/ip firewall filter
add action=accept chain=output out-interface=bridge-icl
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=all
/ip route
add distance=1 gateway=46.252.178.177
add distance=1 dst-address=192.168.0.201/32 gateway=192.168.0.201
/lcd
set color-scheme=dark
/lcd interface pages
set 0 interfaces=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=LBO_CoreRouter2
/system scheduler
add interval=2m name=ftp-dhcp on-event="if ([: len [/ file find name=leases.rsc]]> 0) do= {/ file remove leases.rsc}\r\
\n/ tool fetch mode=ftp address=192.168.0.201 src-path=leases.rsc user=ftp-dhcp password=**************\r\
\nif ([:len [/ file find name=leases.rsc]]> 0) do={\r\
\n foreach i in=[/ ip dhcp-server lease find] do={\r\
\n / ip dhcp-server lease remove \$ i\r\
\n };\r\
\n import leases.rsc;\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/tool romon
set enabled=yesRe: VRRP & RSTP
From what I recall of the HPE STP/RSTP implementation it is standards compliant - the BPDUs are always untagged.
If you stick with RSTP you must have the same selection of VLANs present on all legs of the loop (as the RSTP blocking could interrupt any leg), and RSTP only transmitted untagged for the CCR interfaces. Alternatively switch to MSTP.
Using a single VLAN-aware bridge on each CCR would make the configuration much more simple.
If you stick with RSTP you must have the same selection of VLANs present on all legs of the loop (as the RSTP blocking could interrupt any leg), and RSTP only transmitted untagged for the CCR interfaces. Alternatively switch to MSTP.
Using a single VLAN-aware bridge on each CCR would make the configuration much more simple.
Re: VRRP & RSTP
OK, now it becomes much clearer. On the CCRs, you have used the "one bridge per VLAN" approach which still does make sense in some special cases but not any more for standard setups like this one. You cannot use xSTP if you interconnect Mikrotik devices set up this way with devices from other vendors, because whilst xSTP BPDUs do not belong to any particular VLAN so other vendors' switches expect them to arrive tagless, if you run xSTP on the bridge used to interconnect the tagless ends of /interface vlan whose tagged ends are attached to physical ports, the BPDUs get tagged as they travel from the bridge to the physical interface, so the other vendors' devices ignore them even if the xSTP format itself is possibly compatible between the vendors.
So instead of the following architecture,
You cannot make the same interface a member port of a bridge and at the same time use it as an underlying interface of /interface vlan, so the migration may be a bit complex and you risk locking yourself out. Hence be careful and ideally set up a management interface out of any bridges and with an IP address attached directly to it before starting to redo the configuration. MAC-Winbox will not save you if you don't add a permissive interface list which allows MAC-Winbox from the physical interface(s) - I have no idea what the default for this is on CCR.
So instead of the following architecture,
ascii-art code
VRRP10 VRRP20
| |
br-vlan10 br-vlan20
| |
,===T.vlan10.U---o |
sfp1 | |
`===T.vlan20.U---------------o
| |
,===T.vlan10.U---o |
sfp2 | |
`===T.vlan20.U---------------o
| |
use this one:
ascii-art code
br-all-vlans
||
sfp1=====================||
||====T.vlan10.U---VRRP10
sfp2=====================||
||====T.vlan20.U---VRRP20
||
The corresponding configuration looks the following:Code: Select all
/interface bridge
add bridge=br-all-vlans vlan-filtering=yes
/interface bridge port
add bridge=br-all-vlans interface=sfp1
add bridge=br-all-vlans interface=sfp2
/interface bridge vlan
add bridge=br-all-vlans vlan-ids=10 tagged=br-all-vlans,sfp1,sfp2
add bridge=br-all-vlans vlan-ids=20 tagged=br-all-vlans,sfp1,sfp2
/interface vlan
add name=vlan10 vlan-id=10 interface=br-all-vlans
add name=vlan20 vlan-id=20 interface=br-all-vlans
/interface vrrp
add name=vrrp10 interface=vlan10 ...
add name=vrrp20 interface=vlan20 ...Re: VRRP & RSTP
Thank you.
It's my lab so no problem. I'm using the eth as mgmt.
I'm trying to configure the br-all-vlans, but now i can't get any ip issues by dhcps on vlans. Do you have an idea why ?
Thank you.
It's my lab so no problem. I'm using the eth as mgmt.
I'm trying to configure the br-all-vlans, but now i can't get any ip issues by dhcps on vlans. Do you have an idea why ?
Thank you.
Code: Select all
/interface bridge
add name=br-all-vlans vlan-filtering=yes
/interface vlan
add interface=br-all-vlans name=vlan15 vlan-id=15
add interface=br-all-vlans name=vlan30 vlan-id=30
add interface=br-all-vlans name=vlan45 vlan-id=45
add interface=br-all-vlans name=vlan46 vlan-id=46
add interface=br-all-vlans name=vlan138 vlan-id=138
add interface=br-all-vlans name=vlan175 vlan-id=175
add interface=br-all-vlans name=vlan200 vlan-id=200
/interface vrrp
add interface=vlan15 name=vrrp-15 priority=200 vrid=15
add interface=vlan30 name=vrrp-30 priority=200 vrid=30
add interface=vlan45 name=vrrp-45 priority=200 vrid=45
add interface=vlan46 name=vrrp-46 priority=200 vrid=46
add interface=vlan138 name=vrrp-138 priority=200 vrid=138
add interface=vlan175 name=vrrp-175 priority=200 vrid=175
add interface=vlan200 name=vrrp-200 priority=200 vrid=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-legacy ranges=192.168.138.10-192.168.138.200
add name=pool-data ranges=10.0.14.4-10.0.15.254
add name=pool-voix ranges=10.0.30.4-10.0.30.254
add name=pool-wifi ranges=10.0.45.4-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.4-10.0.47.254
add name=pool-serveur ranges=10.0.175.4-10.0.175.254
add name=pool-mgmt ranges=10.0.200.4-10.0.200.254
/ip dhcp-server
add address-pool=pool-data disabled=no interface=vlan15 name=dhcp-15
add address-pool=pool-voix disabled=no interface=vlan30 name=dhcp-30
add address-pool=pool-serveur disabled=no interface=vlan175 name=dhcp-175
add address-pool=pool-wifi disabled=no interface=vlan45 name=dhcp-45
add address-pool=pool-wifiguest disabled=no interface=vlan46 name=dhcp-46
add address-pool=pool-legacy disabled=no interface=vlan138 name=dhcp-138
add address-pool=pool-mgmt disabled=no interface=vlan200 name=dhcp-200
/interface bridge port
add bridge=br-all-vlans interface=sfp-sfpplus1
add bridge=br-all-vlans interface=sfp-sfpplus2
add bridge=br-all-vlans interface=vlan15
add bridge=br-all-vlans interface=vlan30
add bridge=br-all-vlans interface=vlan45
add bridge=br-all-vlans interface=vlan46
add bridge=br-all-vlans interface=vlan138
add bridge=br-all-vlans interface=vlan175
add bridge=br-all-vlans interface=vlan200
add bridge=br-all-vlans interface=sfp-sfpplus3
add bridge=br-all-vlans interface=sfp-sfpplus4
add bridge=br-all-vlans interface=sfp-sfpplus5
add bridge=br-all-vlans interface=sfp-sfpplus6
add bridge=br-all-vlans interface=sfp-sfpplus7
add bridge=br-all-vlans interface=sfp-sfpplus8
/ip address
add address=192.168.138.2/24 comment=legacy interface=vlan138 network=192.168.138.0
add address=10.0.175.2/24 interface=vlan175 network=10.0.175.0
add address=10.0.45.2/24 interface=vlan45 network=10.0.45.0
add address=10.0.46.2/23 interface=vlan46 network=10.0.46.0
add address=10.0.30.2/24 interface=vlan30 network=10.0.30.0
add address=10.0.200.2/24 interface=vlan200 network=10.0.200.0
add address=10.0.14.2/23 interface=vlan15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 network=192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=10.0.46.0
/ip dhcp-server network
add address=10.0.14.0/32 gateway=10.0.14.1 netmask=23
add address=10.0.30.0/32 gateway=10.0.30.1 netmask=24
add address=10.0.45.0/32 gateway=10.0.45.1 netmask=24
add address=10.0.46.0/32 gateway=10.0.46.1 netmask=23
add address=10.0.175.0/32 gateway=10.0.175.1 netmask=24
add address=10.0.200.0/32 gateway=10.0.200.1 netmask=24
add address=192.168.138.0/32 gateway=192.168.138.1 netmask=24
/tool romon
set enabled=yes
Last edited by Philox on Thu May 07, 2020 11:40 pm, edited 1 time in total.
Re: VRRP & RSTP
You don't need the rows add bridge=br-all-vlans interface=vlanXX in /interface bridge port; on the other hand, you've completely forgotten about the rows add vlan-ids=XX bridge=br-all-vlan tagged=br-all-vlan,sfp1,... in /interface bridge vlan. If you need to make one of the interfaces an access port to VLAN XX, state pvid=XX in /interface bridge port row for that port, and do not put that port to the tagged list in the corresponding row of /interface bridge vlan.
Re: VRRP & RSTP
Of course !!!
I don't know why i didn't see that... as i did it on !!!
Thank you so much. I'll continue then !
I don't know why i didn't see that... as i did it on !!!
Thank you so much. I'll continue then !
Re: VRRP & RSTP
So, do you think about the STP should stay like this :
Just changing the STP priority on both bridge ?
Core 1
Core2 :
Just changing the STP priority on both bridge ?
Core 1
Code: Select all
/interface bridge
add name=br-all-vlans priority=0x4000 protocol-mode=stp vlan-filtering=yes
/interface vlan
add interface=br-all-vlans name=vlan15 vlan-id=15
add interface=br-all-vlans name=vlan30 vlan-id=30
add interface=br-all-vlans name=vlan45 vlan-id=45
add interface=br-all-vlans name=vlan46 vlan-id=46
add interface=br-all-vlans name=vlan138 vlan-id=138
add interface=br-all-vlans name=vlan175 vlan-id=175
add interface=br-all-vlans name=vlan200 vlan-id=200
/interface vrrp
add interface=vlan15 name=vrrp-15 priority=200 vrid=15
add interface=vlan30 name=vrrp-30 priority=200 vrid=30
add interface=vlan45 name=vrrp-45 priority=200 vrid=45
add interface=vlan46 name=vrrp-46 priority=200 vrid=46
add interface=vlan138 name=vrrp-138 priority=200 vrid=138
add interface=vlan175 name=vrrp-175 priority=200 vrid=175
add interface=vlan200 name=vrrp-200 priority=200 vrid=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-legacy ranges=192.168.138.10-192.168.138.200
add name=pool-data ranges=10.0.14.4-10.0.15.254
add name=pool-voix ranges=10.0.30.4-10.0.30.254
add name=pool-wifi ranges=10.0.45.4-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.4-10.0.47.254
add name=pool-serveur ranges=10.0.175.4-10.0.175.254
add name=pool-mgmt ranges=10.0.200.4-10.0.200.254
/ip dhcp-server
add address-pool=pool-data disabled=no interface=vlan15 name=dhcp-15
add address-pool=pool-voix disabled=no interface=vlan30 name=dhcp-30
add address-pool=pool-serveur disabled=no interface=vlan175 name=dhcp-175
add address-pool=pool-wifi disabled=no interface=vlan45 name=dhcp-45
add address-pool=pool-wifiguest disabled=no interface=vlan46 name=dhcp-46
add address-pool=pool-legacy disabled=no interface=vlan138 name=dhcp-138
add address-pool=pool-mgmt disabled=no interface=vlan200 name=dhcp-200
/tool traffic-generator port
add interface=br-all-vlans name=port1
/interface bridge port
add bridge=br-all-vlans interface=sfp-sfpplus1
add bridge=br-all-vlans interface=sfp-sfpplus2
add bridge=br-all-vlans interface=sfp-sfpplus3
add bridge=br-all-vlans interface=sfp-sfpplus4
add bridge=br-all-vlans interface=sfp-sfpplus5
add bridge=br-all-vlans interface=sfp-sfpplus6
add bridge=br-all-vlans interface=sfp-sfpplus7
/interface bridge vlan
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=15
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=30
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=175
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=138
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=200
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=45
add bridge=br-all-vlans tagged=br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=46
/ip address
add address=192.168.138.2/24 comment=legacy interface=vlan138 network=192.168.138.0
add address=10.0.175.2/24 interface=vlan175 network=10.0.175.0
add address=10.0.45.2/24 interface=vlan45 network=10.0.45.0
add address=10.0.46.2/23 interface=vlan46 network=10.0.46.0
add address=10.0.30.2/24 interface=vlan30 network=10.0.30.0
add address=10.0.200.2/24 interface=vlan200 network=10.0.200.0
add address=10.0.14.2/23 interface=vlan15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 network=192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=10.0.46.0
/ip dhcp-server network
add address=10.0.14.0/32 gateway=10.0.14.1 netmask=23
add address=10.0.30.0/32 gateway=10.0.30.1 netmask=24
add address=10.0.45.0/32 gateway=10.0.45.1 netmask=24
add address=10.0.46.0/32 gateway=10.0.46.1 netmask=23
add address=10.0.175.0/32 gateway=10.0.175.1 netmask=24
add address=10.0.200.0/32 gateway=10.0.200.1 netmask=24
add address=192.168.138.0/32 gateway=192.168.138.1 netmask=24
/system identity
set name=LBO_CORE1
/tool romon
set enabled=yesCore2 :
Code: Select all
/interface bridge
add name=br-all-vlans priority=0xF350 protocol-mode=stp vlan-filtering=yes
/interface vlan
add interface=br-all-vlans name=vlan15 vlan-id=15
add interface=br-all-vlans name=vlan30 vlan-id=30
add interface=br-all-vlans name=vlan45 vlan-id=45
add interface=br-all-vlans name=vlan46 vlan-id=46
add interface=br-all-vlans name=vlan138 vlan-id=138
add interface=br-all-vlans name=vlan175 vlan-id=175
add interface=br-all-vlans name=vlan200 vlan-id=200
/interface vrrp
add interface=vlan15 name=vrrp-15 priority=200 vrid=15
add interface=vlan30 name=vrrp-30 priority=200 vrid=30
add interface=vlan45 name=vrrp-45 priority=200 vrid=45
add interface=vlan46 name=vrrp-46 priority=200 vrid=46
add interface=vlan138 name=vrrp-138 priority=200 vrid=138
add interface=vlan175 name=vrrp-175 priority=200 vrid=175
add interface=vlan200 name=vrrp-200 priority=200 vrid=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-legacy ranges=192.168.138.10-192.168.138.200
add name=pool-data ranges=10.0.14.4-10.0.15.254
add name=pool-voix ranges=10.0.30.4-10.0.30.254
add name=pool-wifi ranges=10.0.45.4-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.4-10.0.47.254
add name=pool-serveur ranges=10.0.175.4-10.0.175.254
add name=pool-mgmt ranges=10.0.200.4-10.0.200.254
/ip dhcp-server
add address-pool=pool-data delay-threshold=10s disabled=no interface=vlan15 \
name=dhcp-15
add address-pool=pool-voix delay-threshold=10s disabled=no interface=vlan30 \
name=dhcp-30
add address-pool=pool-serveur delay-threshold=10s disabled=no interface=\
vlan175 name=dhcp-175
add address-pool=pool-wifi delay-threshold=10s disabled=no interface=vlan45 \
name=dhcp-45
add address-pool=pool-wifiguest delay-threshold=10s disabled=no interface=\
vlan46 name=dhcp-46
add address-pool=pool-legacy delay-threshold=10s disabled=no interface=\
vlan138 name=dhcp-138
add address-pool=pool-mgmt delay-threshold=10s disabled=no interface=vlan200 \
name=dhcp-200
/interface bridge port
add bridge=br-all-vlans interface=sfp-sfpplus1
add bridge=br-all-vlans interface=sfp-sfpplus2
add bridge=br-all-vlans interface=sfp-sfpplus3
add bridge=br-all-vlans interface=sfp-sfpplus4
add bridge=br-all-vlans interface=sfp-sfpplus5
add bridge=br-all-vlans interface=sfp-sfpplus6
add bridge=br-all-vlans interface=sfp-sfpplus7
add bridge=br-all-vlans interface=sfp-sfpplus8
/interface bridge vlan
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=15
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=30
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=175
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=138
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=200
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=45
add bridge=br-all-vlans tagged="br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8" \
vlan-ids=46
/ip address
add address=192.168.138.3/24 comment=legacy interface=vlan138 network=\
192.168.138.0
add address=10.0.175.3/24 interface=vlan175 network=10.0.175.0
add address=10.0.45.3/24 interface=vlan45 network=10.0.45.0
add address=10.0.46.3/23 interface=vlan46 network=10.0.46.0
add address=10.0.30.3/24 interface=vlan30 network=10.0.30.0
add address=10.0.200.3/24 interface=vlan200 network=10.0.200.0
add address=10.0.14.3/23 interface=vlan15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 \
network=192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=\
10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=\
10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=\
10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=\
10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=\
10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=\
10.0.46.0
/ip dhcp-server network
add address=10.0.14.0/32 gateway=10.0.14.1 netmask=23
add address=10.0.30.0/32 gateway=10.0.30.1 netmask=24
add address=10.0.45.0/32 gateway=10.0.45.1 netmask=24
add address=10.0.46.0/32 gateway=10.0.46.1 netmask=23
add address=10.0.175.0/32 gateway=10.0.175.1 netmask=24
add address=10.0.200.0/32 gateway=10.0.200.1 netmask=24
add address=192.168.138.0/32 gateway=192.168.138.1 netmask=24
/system identity
set name=LBO_CORE2
/tool romon
set enabled=yes
Re: VRRP & RSTP
I would suggest protocol-mode=rstp rather than protocol-mode=stp as it converges much more quickly.
RouterOS does not change port path cost based on the link speed so you may wish to review the values.
Also, on the secondary switch your choice of priority is odd. From the wiki "In RouterOS it is possible to set any value for bridge priority between 0 and 65535, the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues between devices that do not support such values. To avoid incompatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440." (or the hex equivalents).
RouterOS does not change port path cost based on the link speed so you may wish to review the values.
Also, on the secondary switch your choice of priority is odd. From the wiki "In RouterOS it is possible to set any value for bridge priority between 0 and 65535, the IEEE 802.1W standard states that the bridge priority must be in steps of 4096. This can cause incompatibility issues between devices that do not support such values. To avoid incompatibility issues, it is recommended to use only these priorities: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440." (or the hex equivalents).
Re: VRRP & RSTP
I feel it's working now. Thanks for your explanation, sounds clear now.
No Tx/rx packets going crazy.
Another question, with this kind of setup, one bridge for all vlans.Am i suppose to put the wan interface, and the trunk (between the two routeurs) in the same bridge ?
Or create another bridge for each interface ?
Thanks.
No Tx/rx packets going crazy.
Another question, with this kind of setup, one bridge for all vlans.Am i suppose to put the wan interface, and the trunk (between the two routeurs) in the same bridge ?
Or create another bridge for each interface ?
Thanks.
Re: VRRP & RSTP
That's two questions.Another question, with this kind of setup, one bridge for all vlans. Am i suppose to put the wan interface, and the trunk (between the two routeurs) in the same bridge ?
Or create another bridge for each interface ?
When you mention a trunk between the routers, it suggests that the physical connection will carry multiple VLANs; if these should be the same VLANs you use on the uplinks from the switches, then the interfaces involved have to me member ports of those existing all-vlan bridges. This is a recommended setup, because when the STP works as it should, without the direct link between the CCRs, they would see each other via one of the switches in the lower row on the picture, which is not desired. One of the two CCRs should always be the root bridge in the spanning tree (if one dies, the other one should become the root).
As for WAN - either each of the CCRs has its own WAN subnet, or they share a common one and thus VRRP will be used also on WAN. For independent subnets, you don't need any bridge at all, and the IP configuration may be attached directly to the physical interface; for the same subnets and VRRP, it depends on the ISP requirements, but if you don't have your own connection between the CCRs, you have to use the WAN VRRP as the master one - when the uplink of one CCR breaks, that CCR loses connection to internet, so you have to force all VRRP virtual addresses to the other one. If you interconnect the WAN VLAN between the CCRs using the trunk as well, you also have to put it to the common bridge, and you have to agree with the ISP about STP - you don't want to receive their own internal topology updates, nor are they interested in yours. Here MSTP comes to help again, as the changes are only propagated within a region, and each regions is seen as one large switch to all neighboring regions. And the MSTP instances for different VLAN groups also help separate the two L2 networks.
Re: VRRP & RSTP
Haha that's true 
I wasn't sure about it.
But it's what i did. My wan will be the eth1, then it's not a member of the bridge.
The trunk between both routers will be sfp8, then it's a member of the bridge.
Sadly, my 2 wans ar not from the same provider, so it's not possible for me to do a wanvrrp.
As you understood, i'll use my ccr2 as failover.
If my CCR1 lose internet connexion, i want the second to become the root.
I'll need to force it manually ?
I wasn't sure about it.
But it's what i did. My wan will be the eth1, then it's not a member of the bridge.
The trunk between both routers will be sfp8, then it's a member of the bridge.
Sadly, my 2 wans ar not from the same provider, so it's not possible for me to do a wanvrrp.
As you understood, i'll use my ccr2 as failover.
If my CCR1 lose internet connexion, i want the second to become the root.
I'll need to force it manually ?
Re: VRRP & RSTP
Mikrotik used to manufacture a router model which had a passive bypass between two interfaces (if you switched the router off, the signal passed through from one of those interfaces to the other one), so it was possible to connect one of these ports to the uplink and connect the other router to the other port, so you could have both uplinks accessible on both routers, one directly and the other one by "proxy" of the other one. But none of the current products features this functionality, even those with electric interfaces.Sadly, my 2 wans ar not from the same provider, so it's not possible for me to do a wanvrrp.
That's again multiple things.If my CCR1 lose internet connexion, i want the second to become the root.
You do not need so much the second CCR to become a root bridge at L2 as long as both work, unless the capacity of the trunk between the two CCRs was insufficient to carry the complete traffic volume from the switches in the lower row, which would be a design mistake. By statically configuring bridge priority on the two CCRs you make them the primary and secondary root candidates; if you would insist on automatically making the primary spanning tree root candidate a secondary one if it loses the uplink, you'd need a script for that.
But what you do need is to make sure that the packets sent to the virtual gateway address will be delivered; to do that, you can
- manipulate the VRRP priority depending on the uplink state on one of the routers,
- use two virtual gateway addresses, each of which will be up on another CCR if both are up - in this case, you can use routes via different gateways to different destinations on the end devices, so the traffic can be distributed autonomously by each end device while both uplinks are OK
- use OSPF or static routing to route traffic for the VRRP subnet between the routers - if the VRRP interface is up, the traffic to the LAN clients goes through there, when it goes down, the traffic for that subnet will be routed to the other CCR which will deliver it.
Re: VRRP & RSTP
Thanks again for you complete reply.
I was thinking about a script to change the VRRP priority. Sounds easier and faster for me than create virtual gateway. I saw some topics on this forum, and it looks to work fine.
But now, your virtual gateway sounds more interesting, as the traffic can be distributed autonomously. I'll dig in to this as i don't have idea how to do this for the moment.
I have a stupid question, with my configuration, i'm not able to ping a computer in a vlan. In the firewall i accept all input.
Do i miss something ?
I was thinking about a script to change the VRRP priority. Sounds easier and faster for me than create virtual gateway. I saw some topics on this forum, and it looks to work fine.
But now, your virtual gateway sounds more interesting, as the traffic can be distributed autonomously. I'll dig in to this as i don't have idea how to do this for the moment.
I have a stupid question, with my configuration, i'm not able to ping a computer in a vlan. In the firewall i accept all input.
Do i miss something ?
Re: VRRP & RSTP
Well... in what I wrote the "virtual gateway" means the floating VRRP address (IP and MAC), i.e. the essence of VRRP functionality. So I don't understand what you actually mean. The whole idea is that there are two virtual addresses in the same subnet, and each prefers to be up on another CCR. And the hosts themselves must be able to define multiple routes and/or routing tables to make use of that. Or you may simply set one group of hosts to use one of the addresses as the default gateway and another group to use the other one, so you'll just send the traffic of each group through another CCR.But now, your virtual gateway sounds more interesting, as the traffic can be distributed autonomously. I'll dig in to this as i don't have idea how to do this for the moment.
Which firewall, on the CCR or on the host? From where are you pinging, from the CCR itself or something else? The description is too vague.I have a stupid question, with my configuration, i'm not able to ping a computer in a vlan. In the firewall i accept all input.
Re: VRRP & RSTP
Ohh ok, on this way. Sorry i didn't understood that way.
I understand the vrrp and how it's works, but i didn't think using it for routing. It's for that my previous answer.
For the ping, it's from the Mikrotik to the client.
Reverse it's not working either.
I understand the vrrp and how it's works, but i didn't think using it for routing. It's for that my previous answer.
For the ping, it's from the Mikrotik to the client.
Reverse it's not working either.
Code: Select all
/interface bridge
add name=br-all-vlans priority=0x4000 vlan-filtering=yes
/interface vlan
add interface=br-all-vlans name=vlan15 vlan-id=15
add interface=br-all-vlans name=vlan30 vlan-id=30
add interface=br-all-vlans name=vlan45 vlan-id=45
add interface=br-all-vlans name=vlan46 vlan-id=46
add interface=br-all-vlans name=vlan138 vlan-id=138
add interface=br-all-vlans name=vlan175 vlan-id=175
add interface=br-all-vlans name=vlan200 vlan-id=200
/interface vrrp
add interface=vlan15 name=vrrp-15 priority=200 vrid=15
add interface=vlan30 name=vrrp-30 priority=200 vrid=30
add interface=vlan45 name=vrrp-45 priority=200 vrid=45
add interface=vlan46 name=vrrp-46 priority=200 vrid=46
add interface=vlan138 name=vrrp-138 priority=200 vrid=138
add interface=vlan175 name=vrrp-175 priority=200 vrid=175
add interface=vlan200 name=vrrp-200 priority=200 vrid=200
/interface list
add include=all name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-legacy ranges=192.168.138.4-192.168.138.200
add name=pool-data ranges=10.0.14.4-10.0.15.254
add name=pool-voix ranges=10.0.30.4-10.0.30.254
add name=pool-wifi ranges=10.0.45.4-10.0.45.254
add name=pool-wifiguest ranges=10.0.46.4-10.0.47.254
add name=pool-serveur ranges=10.0.175.4-10.0.175.254
add name=pool-mgmt ranges=10.0.200.4-10.0.200.254
/ip dhcp-server
add address-pool=pool-data disabled=no interface=vlan15 name=dhcp-15
add address-pool=pool-voix disabled=no interface=vlan30 name=dhcp-30
add address-pool=pool-serveur disabled=no interface=vlan175 name=dhcp-175
add address-pool=pool-wifi disabled=no interface=vlan45 name=dhcp-45
add address-pool=pool-wifiguest disabled=no interface=vlan46 name=dhcp-46
add address-pool=pool-legacy disabled=no interface=vlan138 name=dhcp-138
add address-pool=pool-mgmt disabled=no interface=vlan200 name=dhcp-200
/tool traffic-generator port
add interface=br-all-vlans name=port1
/user group
add name=ftp-dhcp policy=\
ftp,read,!local,!telnet,!ssh,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge=br-all-vlans interface=sfp-sfpplus1
add bridge=br-all-vlans interface=sfp-sfpplus2
add bridge=br-all-vlans interface=sfp-sfpplus3
add bridge=br-all-vlans interface=sfp-sfpplus4
add bridge=br-all-vlans interface=sfp-sfpplus5
add bridge=br-all-vlans interface=sfp-sfpplus6
add bridge=br-all-vlans interface=sfp-sfpplus7
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=15
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=30
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=175
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=138
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=200
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=45
add bridge=br-all-vlans tagged=\
br-all-vlans,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8 vlan-ids=46
/interface list member
add interface=vlan15 list=VLANS
add interface=vlan30 list=VLANS
add interface=vlan45 list=VLANS
add interface=vlan46 list=VLANS
add interface=vlan138 list=VLANS
add interface=vlan175 list=VLANS
add interface=vlan200 list=VLANS
/ip address
add address=192.168.138.2/24 comment=legacy interface=vlan138 network=192.168.138.0
add address=10.0.175.2/24 interface=vlan175 network=10.0.175.0
add address=10.0.45.2/24 interface=vlan45 network=10.0.45.0
add address=10.0.46.2/23 interface=vlan46 network=10.0.46.0
add address=10.0.30.2/24 interface=vlan30 network=10.0.30.0
add address=10.0.200.2/24 interface=vlan200 network=10.0.200.0
add address=10.0.14.2/23 interface=vlan15 network=10.0.14.0
add address=192.168.138.1 comment=VRRP-VLAN-LEGACY interface=vrrp-138 network=192.168.138.0
add address=10.0.175.1 comment=VRRP-VLAN-SERVER interface=vrrp-175 network=10.0.175.0
add address=10.0.30.1 comment=VRRP-VLAN-VOIX interface=vrrp-30 network=10.0.30.0
add address=10.0.200.1 comment=VRRP-VLAN-MGMT interface=vrrp-200 network=10.0.200.0
add address=10.0.14.1 comment=VRRP-VLAN-DATA interface=vrrp-15 network=10.0.14.0
add address=10.0.45.1/24 comment=VRRP-VLAN-WIFI interface=vrrp-45 network=10.0.45.0
add address=10.0.46.1 comment=VRRP-VLAN-WIFIGUEST interface=vrrp-46 network=10.0.46.0
add address=192.168.0.201/30 comment="ICL " interface=sfp-sfpplus8 network=192.168.0.200
/ip dhcp-server lease
add address=192.168.138.212 comment=LBOPRS01 mac-address=00:11:32:69:31:A9 server=dhcp-138
add address=192.168.138.250 comment=LBOPRAD01 mac-address=9C:B6:54:03:C8:CE server=dhcp-138
add address=10.0.175.220 comment=LBOPPAS01 mac-address=00:0C:29:37:C3:47 server=dhcp-175
add address=10.0.175.221 comment=LBOPRAS01 mac-address=00:50:56:A4:2A:50 server=dhcp-175
add address=10.0.175.222 comment=LBOPRAS03 mac-address=00:30:18:08:FB:2D server=dhcp-175
add address=10.0.175.224 comment=LBOPPAS03 mac-address=00:50:56:86:08:2D server=dhcp-175
add address=10.0.175.225 comment=WCS-PROD mac-address=20:67:7C:F0:3B:80 server=dhcp-175
add address=10.0.175.226 comment=WCS-DBLKT mac-address=20:67:7C:F0:2B:DC server=dhcp-175
add address=10.0.175.250 comment=LBOPRHV02 mac-address=00:0C:29:55:88:35 server=dhcp-175
add address=10.0.175.252 comment=LBOPRHV01 mac-address=94:18:82:6F:84:25 server=dhcp-175
add address=10.0.175.5 comment=REDMINE mac-address=00:50:56:86:97:BE server=dhcp-175
add address=10.0.175.6 comment=BEEMO mac-address=A0:48:1C:B8:B6:B8 server=dhcp-175
add address=10.0.175.7 comment=LBOPRAS02_Wiki+Jenkin mac-address=00:50:56:A4:89:B1 server=dhcp-175
/ip dhcp-server network
add address=10.0.14.0/32 gateway=10.0.14.1 netmask=23
add address=10.0.30.0/32 gateway=10.0.30.1 netmask=24
add address=10.0.45.0/32 gateway=10.0.45.1 netmask=24
add address=10.0.46.0/32 gateway=10.0.46.1 netmask=23
add address=10.0.175.0/32 gateway=10.0.175.1 netmask=24
add address=10.0.200.0/32 gateway=10.0.200.1 netmask=24
add address=192.168.138.0/32 gateway=192.168.138.1 netmask=24
/ip firewall filter
add action=accept chain=input comment=":: FTP DHCP Failover" dst-port=21 in-interface=sfp-sfpplus8 protocol=tcp
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLANS
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN inter-VLAN routing" connection-state=new in-interface-list=VLANS
/system identity
set name=LBO_CORE1
/system scheduler
add interval=2m name=dhcp on-event=\
"if ([: len [/ file find name = leases.rsc]]> 0) do = {/ file remove leases.rsc}\r\
\n/ ip dhcp-server lease export file=leases.rsc" policy=ftp,read,write,romon start-time=startup
/tool romon
set enabled=yesRe: VRRP & RSTP
In /ip dhcp-server network, the meaning of the fields is a bit confusing - the prefix size in the address field (/32 in your current case) defines match of the row to IP addresses being leased out, whereas the netmask field defines what netmask will be assigned to the clients along with the address itself, gateway, DNS servers etc. So as your existing rows have mask /32 in address field, they do not match to any of the addresses in the ranges defined under /ip pool, and as a result, the PCs get the addresses from the pools (or manually defined rows under /ip dhcp-server lease with /32 network masks (i.e. a single address with no related subnet) and no default gateway. So when you check their status, you can see that they do have an IP address, but they cannot send packets directly using L2 (due to mask /32, nothing else is in the same subnet), nor can they respond via a gateway as they got none in the DHCPOFFER/DHCPACK.
Re: VRRP & RSTP
Oh my god ! I even didn't check that.
I configured that field with the gui. I thought i didn't needed to put the netmask in cidr after the address, as there is a field for the netmask. I was a bit confuse.
Of course, my pc client now how have the right ip, with the right gateway ! A good step.I can't beleive i didn't check before... Or didn't check my client as i saw the lease in the dhcp...
I can ping my gateway from the client. But if i have two clients in the same vlan. They can't ping each other.
But i guess my firewalls rules are super permissive, as i accept everything. Did i miss something in there too ?
I configured that field with the gui. I thought i didn't needed to put the netmask in cidr after the address, as there is a field for the netmask. I was a bit confuse.
Of course, my pc client now how have the right ip, with the right gateway ! A good step.I can't beleive i didn't check before... Or didn't check my client as i saw the lease in the dhcp...
I can ping my gateway from the client. But if i have two clients in the same vlan. They can't ping each other.
But i guess my firewalls rules are super permissive, as i accept everything. Did i miss something in there too ?
Re: VRRP & RSTP
Hosts with addresses in the same IP subnet communicate directly at L2, bypassing any gateway. If the clients are wired ones and both can ping the gateway (the CCR) and be pinged from there, I can only imagine some kind of port isolation between the ports to which the clients are connected to be configured on the CRS or HP, or a super-weird firewall on the clients. If they are wireless ones, it is quite usual that client-to-client forwarding is disabled on the AP by default.if i have two clients in the same vlan. They can't ping each other.
Yes, this was my next concern, you need to fix that before connecting the uplink to the jungle out there. But IP firewall rules are unrelated to forwarding on the bridge anyway, unless you force bridged packets through IP firewall to handle L2 QoS under /interface bridge settings; use of /interface bridge filter is another case but there's nothing like that in your configuration. And any filtering of bridged traffic only happens if the shortest network path between the ports to which the clients are connected goes through CPU of the device where the filtering rules are configured. If both are connected to the same CRS, the CCR never sees the traffic between them, and unless you disable hardware forwarding on the CRS, neither does the CPU of the CRS.i guess my firewalls rules are super permissive, as i accept everything.
Re: VRRP & RSTP
Both clients are wired, on a different crs. Both can ping the gateway, both can be ping from the CCR. But they can't ping each other.
The CRS configuration is pretty basic. One bridge, all the interfaces on it. One switch, no port with forwarding-override enable. Same conf as the default one i guess.
I already have my firewall rules for the future. But i wanted to see how to implement it in this router. By first trying to implement easy rules.
But of course i'll make it more granular.
It gave me a better understanding.
Thanks for your explaination. I understand better little by little.
The CRS configuration is pretty basic. One bridge, all the interfaces on it. One switch, no port with forwarding-override enable. Same conf as the default one i guess.
Of course. For the moment there is no wan. For the moment It's just a lab, to learn how Mikrotik products are working.this was my next concern, you need to fix that before connecting the uplink to the jungle out there.
I already have my firewall rules for the future. But i wanted to see how to implement it in this router. By first trying to implement easy rules.
But of course i'll make it more granular.
I just saw that in reading the Packet flow manual on the wiki: https://wiki.mikrotik.com/wiki/Manual:Packet_FlowBut IP firewall rules are unrelated to forwarding
It gave me a better understanding.
Thanks for your explaination. I understand better little by little.