I'm in the process of researching the configuration of my "border" LAN router (CCR2004) for a home lab setup. I have a diagram below, that helps explain the setup.
https://imgur.com/a/UkaUBdl
--How do I configure the CCR2004 to accept a VLAN trunk/tunnel (for VLANs 1 - 4094) on port SFP12 from the downstream switch, and then statically route between VLANs 2611, 2612, 2613?
--I need all VLANs (1-4094) routed to the 10.13.2.0/24 (GW is 10.13.2.1) network via the 10.13.2.10 IP assigned to the CCR2004 to SFP1 (access port)?
--I also need the MTU set to 9000 on SFP12 (and the default of 1500 on SFP1), so it can support VMware NSX-T
I've tried to go through the routing wiki examples, but none really fit this situation so I'm looking for help with the needed configuration commands. Thanks!
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
You cannot route VLANs - they are ethernet / layer2, IP routing is layer 3.
Attaching an /ip address to an /interface vlan on an interface (or bridge containing one more more interfaces) will automatically create static routes for those address subnets.
Attaching an /ip address to an /interface vlan on an interface (or bridge containing one more more interfaces) will automatically create static routes for those address subnets.
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Yes, sorry I misspoke about routing VLANs. Thanks for clarifying that attaching IPs to an interface will automatically create static routes. I will work up a proposed config and post it later for review.You cannot route VLANs - they are ethernet / layer2, IP routing is layer 3.
Attaching an /ip address to an /interface vlan on an interface (or bridge containing one more more interfaces) will automatically create static routes for those address subnets.
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Here's my first stab at the configuration. How does this look?
Code: Select all
/interface bridge
add name=bridge1 vlan-filtering=no
/ip address
add address=10.13.2.13/24 interface=MGMT
/ip route add distance=1 gateway=10.13.2.1
/ip dns
set servers=10.13.2.200,10.13.2.201
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus12
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus12]
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus12 vlan-ids=1-4094
/ip address
add address=10.13.2.10/24 interface=sfp-sfpplus1 network=10.13.2.0
/ip route
add distance=1 gateway=sfp-sfpplus1
/interface vlan
add name=VLAN2611 vlan-id=2611 interface=sfp-sfpplus12 disabled=no
add name=VLAN2612 vlan-id=2612 interface=sfp-sfpplus12 disabled=no
add name=VLAN2613 vlan-id=2613 interface=sfp-sfpplus12 disabled=no
/ip address
add address=172.26.11.1/24 interface=VLAN2611
add address=172.26.12.1/24 interface=VLAN2612
add address=172.26.13.1/24 interface=VLAN2613
/interface ethernet
set sfp-sfpplus12 l2mtu=10218 mtu=9000
/interface bridge set bridge1 vlan-filtering=yes
/system identity
set name=Mikro-CCR2004
/system ntp client
set enabled=yes
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Not good.
/ip address and /interface vlan objects should not be attached to interfaces which are a member of a bridge, but the bridge itself.
What interface is MGMT - there is nothing which creates an interface with this name, or renames an existing interface to this.
You have two default routes with the same distance value, and one of the incorrectly specifies an interface as the gateway (this is only valid for point-to-point links with /32 addresses at each end).
There only appears to be bridge vlan configuration for sfp-sfplus12, they are not made available to sfp-sfplus1 or the bridge.
/ip address and /interface vlan objects should not be attached to interfaces which are a member of a bridge, but the bridge itself.
What interface is MGMT - there is nothing which creates an interface with this name, or renames an existing interface to this.
You have two default routes with the same distance value, and one of the incorrectly specifies an interface as the gateway (this is only valid for point-to-point links with /32 addresses at each end).
There only appears to be bridge vlan configuration for sfp-sfplus12, they are not made available to sfp-sfplus1 or the bridge.
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Not good.
/ip address and /interface vlan objects should not be attached to interfaces which are a member of a bridge, but the bridge itself.
What interface is MGMT - there is nothing which creates an interface with this name, or renames an existing interface to this.
You have two default routes with the same distance value, and one of the incorrectly specifies an interface as the gateway (this is only valid for point-to-point links with /32 addresses at each end).
There only appears to be bridge vlan configuration for sfp-sfplus12, they are not made available to sfp-sfplus1 or the bridge.
Thanks for pointing out some problems with the config. Before I revise my config, I have clarifying questions/comments:
-How does one properly configure the 1G management interface port? That's what I was attempting to do with MGMT, but clearly failed. I want to use the 1G interface for out of band management of the switch. The management port should have an IP of 10.13.2.13 and gateway of 10.13.2.1.
-The double gateway was due to my attempt at configuring the OOB management port, and setting a default gateway for the bridge for all other traffic. I think once we fix the OOB management interface, we will be be back down to one gateway for production traffic.
-Setting SFP1 with an IP of 10.13.2.10 was my attempt at setting a LAN IP as an entry point into the 172.x.x.x network from the rest of my 10.13.2.x network. I have a Ubuquiti Edgerouter 12 with a static route for 172.16.0.0/12 pointing to 10.13.2.10. Do I just attach 10.13.2.10 to the bridge and not the SFP1 port?
Thanks!
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Ok so here's another stab at my configuration. I think I'm getting a bit closer to a working config. Would greatly appreciate input on what is wrong. I'm still not sure whether I can/need to assign an IP address to sfp-sfpplus1 (which is in a bridge). Per the network diagram in the original post, my intent was to have SFP1 be the 'gateway' into the 172.x network from the 10.13.2.0 network. My Edgerouter12 will forward all 172.16.0.0 traffic to the 10.13.2.10 IP for routing into the lab network.
Code: Select all
# Setup OOB management interface
/ip address
add address=10.13.2.13/24 interface=ether1 network=10.13.2.0
# Global settings
/ip route add dst-address=0.0.0.0/0 gateway=10.13.2.1
/ip dns
set servers=10.13.2.200,10.13.2.201
/system identity
set name=CCR2004
/system ntp client
set enabled=yes
/user set 0 name=root
/user set 0 password = "password"
# Setup Bridge
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus12
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus12]
/interface bridge vlan
add bridge=bridge1 tagged=Bridge1,sfp-sfpplus1,sfp-sfpplus12 vlan-ids=1-4094
/ip address
add address=10.13.2.10/24 interface=sfp-sfpplus1 network=10.13.2.0
/interface vlan
add interface=Bridge1 name=VLAN2611 vlan-id=2611 disabled=no
add interface=Bridge1 name=VLAN2612 vlan-id=2612 disabled=no
add interface=Bridge1 name=VLAN2613 vlan-id=2613 disabled=no
/ip address
add interface=VLAN2611 address=172.26.11.1/24
add interface=VLAN2612 address=172.26.12.1/24
add interface=VLAN2613 address=172.26.13.1/24
/interface ethernet
set sfp-sfpplus12 l2mtu=10218 mtu=9000
/interface bridge set bridge1 vlan-filtering=yes
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Your setup as per network diagram would actually work without any bridge. You actually set up things that way, you just don't know what to do with bridge. Just omit all setup under /interface bridge. And in order for MGMT to work, you'd have to rename interface ether1 to MGMT: ...
However, if you configured device to properly use bridge, it would become much more flexible for any future change. E.g. you could use other sfp-sfpplus ports in a bridged/switched manner for certain VLANs, you would just have to perform minor changes in bridge setup.
Code: Select all
/interface ethernet set [ find default-name=ether1 ] name=MGMTHowever, if you configured device to properly use bridge, it would become much more flexible for any future change. E.g. you could use other sfp-sfpplus ports in a bridged/switched manner for certain VLANs, you would just have to perform minor changes in bridge setup.
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
I would like to go down the 'bridge' config route, vs. not using, for as you said, better flexibility in the future. I thought my config was using the bridge method? Guess I'm confused and not grasping what's incorrect about my config that is not using the defined bridge information. Sorry for being dense!Your setup as per network diagram would actually work without any bridge. You actually set up things that way, you just don't know what to do with bridge. Just omit all setup under /interface bridge. And in order for MGMT to work, you'd have to rename interface ether1 to MGMT:...Code: Select all/interface ethernet set [ find default-name=ether1 ] name=MGMT
However, if you configured device to properly use bridge, it would become much more flexible for any future change. E.g. you could use other sfp-sfpplus ports in a bridged/switched manner for certain VLANs, you would just have to perform minor changes in bridge setup.
Here's my latest config change with your MGMT tweaks:
Code: Select all
# Setup OOB management interface
/interface ethernet set [ find default-name=ether1 ] name=MGMT
/ip address
add address=10.13.2.13/24 interface=MGMT network=10.13.2.0
# Global settings
/ip route add dst-address=0.0.0.0/0 gateway=10.13.2.1
/ip dns
set servers=10.13.2.200,10.13.2.201
/system identity
set name=CCR2004
/system ntp client
set enabled=yes
/user set 0 name=root
/user set 0 password = "password"
# Setup Bridge
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus12
set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus12]
/interface bridge vlan
add bridge=bridge1 tagged=Bridge1,sfp-sfpplus1,sfp-sfpplus12 vlan-ids=1-4094
/ip address
add address=10.13.2.10/24 interface=sfp-sfpplus1 network=10.13.2.0
/interface vlan
add interface=Bridge1 name=VLAN2611 vlan-id=2611 disabled=no
add interface=Bridge1 name=VLAN2612 vlan-id=2612 disabled=no
add interface=Bridge1 name=VLAN2613 vlan-id=2613 disabled=no
/ip address
add interface=VLAN2611 address=172.26.11.1/24
add interface=VLAN2612 address=172.26.12.1/24
add interface=VLAN2613 address=172.26.13.1/24
/interface ethernet
set sfp-sfpplus12 l2mtu=10218 mtu=9000
/interface bridge set bridge1 vlan-filtering=yes
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
There are L2 ports, which are bridged together to single L2 (ethernet) domain. All member ports have to use same max MTU size (not to overrun some interface). Bridge switches ethernet frames between member ports according to MAC table.
There are L3 interfaces which carry IP (or IPv6) addresses. Router routes IP packets between interfaces according to routing table(s). Interfaces can have different MTUs set, router will fragment packets if needed (and permitted).
A twist: in ROS bridge has twin personalities: 1) something like a switch (explained above) and 2) interface which allows ROS to interact with bridged network. Interface gets created implicitly with creation of bridge personality #1.
What you did was to mix ports and interfaces. Each port/interface can only be used in one personality, either as port or as interface. You bridged SFP+1 and SFP+12 which, according to network topology, should not be bridged/switched, but rather routed. You bridged SFP+12 port and kept using it as interface.
You have to decide whether to add SFP+1 to bridge or not. You can, but you'll have to sacrifice one VLAN ID for that. Example of fully bridged setup (except for management interface):
Properties frame-types and ingress-filtering are about port security.
The example above uses VLAN ID 42 for upstream and is internal to CCR only (but you can extend it through other ports if you want to). SFP+ ports 2-11 are disabled. If you need to connect something to e.g. SFP+ port 10, just enable it as bridge member port and will become active. After that you have to adjust VLAN memberships. E.g. if you want to pass VLAN ID 2612 (but not the rest) through SFP+ port 10, you would execute the following command:
(be careful to enumerate all tagged member ports, it is not possible to simply add another port without knowing previous list of member ports). This is exactly the reason not to use "wildcard" VLAN membership setup: a VLAN ID can only be used once in this configuration section. If it's already used (e.g. as part of range), adding another config line will fail.
There are L3 interfaces which carry IP (or IPv6) addresses. Router routes IP packets between interfaces according to routing table(s). Interfaces can have different MTUs set, router will fragment packets if needed (and permitted).
A twist: in ROS bridge has twin personalities: 1) something like a switch (explained above) and 2) interface which allows ROS to interact with bridged network. Interface gets created implicitly with creation of bridge personality #1.
What you did was to mix ports and interfaces. Each port/interface can only be used in one personality, either as port or as interface. You bridged SFP+1 and SFP+12 which, according to network topology, should not be bridged/switched, but rather routed. You bridged SFP+12 port and kept using it as interface.
You have to decide whether to add SFP+1 to bridge or not. You can, but you'll have to sacrifice one VLAN ID for that. Example of fully bridged setup (except for management interface):
Code: Select all
/interface ethernet
set [ find default-name=ether1 ] name=MGMT
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
# upstream port will be untagged (access) port of VLAN ID 42
add bridge=bridge pvid=42 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1
# the rest of SFP+ ports are brdiged together, all tagged
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus3 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus4 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus5 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus6 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus7 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus8 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus9 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus10 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus11 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=42 # sfp-sfpplus1 gets added as untagged automatically due to pvid setting above
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2611
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2612
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2613
/interface vlan
add name=WAN interface=bridge vlan-id=42
add name=VLAN2611 interface=bridge vlan-id=2611
add name=VLAN2612 interface=bridge vlan-id=2612
add name=VLAN2613 interface=bridge vlan-id=2613
/ip address
add address=10.13.2.10/24 interface=WAN
add interface=VLAN2611 address=172.26.11.1/24
add interface=VLAN2612 address=172.26.12.1/24
add interface=VLAN2613 address=172.26.13.1/24
Properties frame-types and ingress-filtering are about port security.
The example above uses VLAN ID 42 for upstream and is internal to CCR only (but you can extend it through other ports if you want to). SFP+ ports 2-11 are disabled. If you need to connect something to e.g. SFP+ port 10, just enable it as bridge member port and will become active. After that you have to adjust VLAN memberships. E.g. if you want to pass VLAN ID 2612 (but not the rest) through SFP+ port 10, you would execute the following command:
Code: Select all
/interface bridge vlan
set [ find vlan-ids=2612 ] tagged=bridge,sfp-sfpplus10,sfp-sfpplus12
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
MKX, thank you a million times over! Great explanation and very helpful code example. What you said makes sense, super informative! I've included the latest config, below, incorporating your code samples. I also modified the MTU size for ports 2-12, per understanding your MTU comment.
Code: Select all
# Setup OOB management interface
/interface ethernet set [ find default-name=ether1 ] name=MGMT
/ip address
add address=10.13.2.13/24 interface=MGMT network=10.13.2.0
# Global settings
/ip route add dst-address=0.0.0.0/0 gateway=10.13.2.1
/ip dns
set servers=10.13.2.200,10.13.2.201
/system identity
set name=CCR2004
/system ntp client
set enabled=yes
/user set 0 name=root
/user set 0 password = "password"
# Setup Bridge
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# upstream port will be untagged (access) port of VLAN ID 42
add bridge=bridge pvid=42 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1
# The rest of SFP+ ports are brdiged together, all tagged
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus3 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus4 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus5 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus6 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus7 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus8 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus9 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus10 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus11 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=42 # sfp-sfpplus1 gets added as untagged automatically due to pvid setting above
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2611
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2612
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2613
/interface vlan
add name=WAN interface=bridge vlan-id=42
add name=VLAN2611 interface=bridge vlan-id=2611
add name=VLAN2612 interface=bridge vlan-id=2612
add name=VLAN2613 interface=bridge vlan-id=2613
/ip address
add address=10.13.2.10/24 interface=WAN
add interface=VLAN2611 address=172.26.11.1/24
add interface=VLAN2612 address=172.26.12.1/24
add interface=VLAN2613 address=172.26.13.1/24
/interface ethernet
set sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12 l2mtu=10218
/interface vlan
set VLAN2611 mtu=9000
set VLAN2612 mtu=9000
set VLAN2613 mtu=9000
/interface bridge set bridge1 vlan-filtering=yes
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
You still have a problem: both WAN and MGMT interfaces are members of same IP subnet but the interfaces are not members of same L2 subnet (which is usually necessary).
Routing table will have two equally significant entries for 10.13.2.0/24 subnet and will thus likely fail to select correct interface for sending traffic towards other members of same IP subnet which includes default gateway.
My suggestion is to come up with scheme where routing segment (i.e. subnet used for connection between CCR2004 and upstream router) is separate from management subnet. It'll make easier to make sure other subnets can not access management interfaces of your LAN gear and will remove the problem mentioned above.
Another solution to the problem would be to bridge ether1 and VLAN42 (or rather add ether1 to the common bridge as access port of VLAN 42), but you don't want to do it, some users found out that mixing 1Gbps and 10Gbps ports to same bridge can cause packet drops and what not due to inefficient buffering when ingress port is faster than egress port.
Another thought: as you'll connect upstream (SFP+1) to another managed switch (CSS326), then you could run WAN subnet over SFP+1 tagged as well ... and let that switch do the untagging (on ether1). My general approach is to use tagged-only links between all LAN infrastructure devices, IMHO this makes configuration tidier.
Code: Select all
/interface ethernet set [ find default-name=ether1 ] name=MGMT
/ip address
add address=10.13.2.13/24 interface=MGMT network=10.13.2.0
add address=10.13.2.10/24 interface=WAN
# Global settings
/ip route add dst-address=0.0.0.0/0 gateway=10.13.2.1
...
My suggestion is to come up with scheme where routing segment (i.e. subnet used for connection between CCR2004 and upstream router) is separate from management subnet. It'll make easier to make sure other subnets can not access management interfaces of your LAN gear and will remove the problem mentioned above.
Another solution to the problem would be to bridge ether1 and VLAN42 (or rather add ether1 to the common bridge as access port of VLAN 42), but you don't want to do it, some users found out that mixing 1Gbps and 10Gbps ports to same bridge can cause packet drops and what not due to inefficient buffering when ingress port is faster than egress port.
Another thought: as you'll connect upstream (SFP+1) to another managed switch (CSS326), then you could run WAN subnet over SFP+1 tagged as well ... and let that switch do the untagging (on ether1). My general approach is to use tagged-only links between all LAN infrastructure devices, IMHO this makes configuration tidier.
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Ya, that totally makes sense. After more thought, I realized it doesn't really make too much sense to connect the MGMT port on the CCR2004 since I can already access the router via the 10.13.2.10 address. So I removed the connection to the CCR2004 MGMT interface. That should resolve the dual route issue that you so correctly pointed out. Thanks! I've since revised the diagram:
https://imgur.com/a/3zd0XZY
And for the configuration I pulled the MGMT lines out, and now have the following. I *think* we are now in a good spot? A thousand thanks for all your help!!
https://imgur.com/a/3zd0XZY
And for the configuration I pulled the MGMT lines out, and now have the following. I *think* we are now in a good spot? A thousand thanks for all your help!!
Code: Select all
# Global settings
/ip route add dst-address=0.0.0.0/0 gateway=10.13.2.1
/ip dns
set servers=10.13.2.200,10.13.2.201
/system identity
set name=CCR2004
/system ntp client
set enabled=yes
/user set 0 name=root
/user set 0 password = "password"
# Setup Bridge
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# upstream port will be untagged (access) port of VLAN ID 42
add bridge=bridge pvid=42 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1
# The rest of SFP+ ports are bridged together, all tagged
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus3 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus4 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus5 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus6 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus7 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus8 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus9 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus10 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus11 disabled=yes
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus12
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=42 # sfp-sfpplus1 gets added as untagged automatically due to pvid setting above
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2611
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2612
add bridge=bridge tagged=bridge,sfp-sfpplus12 vlan-ids=2613
/interface vlan
add name=WAN interface=bridge vlan-id=42
add name=2611-MGT interface=bridge vlan-id=2611
add name=2612-vMotion interface=bridge vlan-id=2612
add name=2613-VM interface=bridge vlan-id=2613
/ip address
add address=10.13.2.10/24 interface=WAN
add interface=2611-MGT address=172.26.11.1/24
add interface=2612-vMotion address=172.26.12.1/24
add interface=2613-VM address=172.26.13.1/24
# Set Jumbo frames
/interface ethernet
set sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12 l2mtu=10218
/interface vlan
set 2611-MGT mtu=9000
set 2612-vMotion mtu=9000
set 2613-VM mtu=9000
/interface bridge set bridge1 vlan-filtering=yes
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
It seems a workable configuration, possibly something will pop up when you try to actually use it ;-)
Another question: does the LAN GW (@10.13.2.1) know about CCR2004 being gateway for subnets 172.26.11.0/24, 172.26.12.0/24 and 172.26.13.0/24? If it doesn't, you'll have to configure some NAT on CCR2004 ...
Another question: does the LAN GW (@10.13.2.1) know about CCR2004 being gateway for subnets 172.26.11.0/24, 172.26.12.0/24 and 172.26.13.0/24? If it doesn't, you'll have to configure some NAT on CCR2004 ...
-
-
Traveler382
just joined
- Posts: 22
- Joined:
Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Yes, 10.13.2.1 is a Ubuquiti Edgerouter12, and I manually put in a static route of 172.16.0.0/12 and pointed it to 10.13.2.10 as the next hop. Thanks for thinking of that though.It seems a workable configuration, possibly something will pop up when you try to actually use it ;-)
Another question: does the LAN GW (@10.13.2.1) know about CCR2004 being gateway for subnets 172.26.11.0/24, 172.26.12.0/24 and 172.26.13.0/24? If it doesn't, you'll have to configure some NAT on CCR2004 ...