
RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Wed Mar 09, 2016 6:54 am
by promethean
Trying to configure an RB2011(UiAS-RM) for vlans, trunk uplink and bonded (LACP and 802.3ad) downlinks.

Vlans:

name=mgmt vlan-id=10 (with management ip address 10.1.1.41/24)
name=cust-1 vlan-id=41
name=cust-2 vlan-id=42

Ports:

sfp1 - uplink to core switch: tagged vlans mgmt,cust-1,cust-2
ether6,ether7,ether8 bonded untagged cust-1
ether9,ether10 bonded untagged cust-2
(ether1-ether5 will be doing other things, but it'll be far more straightforward - so let's leave them out of this example.)

Was hoping to bridge the vlans across from the trunk to the bonded downlinks. Keeping the routed ips on the core router (accessed through sfp1 uplink to core switch) and the customer cpe router (hEX Lite, which would also do bonding). (No NAT or routing at all, running the 2011 as a switch.) Is that possible?

I've done a bit with vlans and got through the basic bonding, but the examples use routed interfaces.

I must admit to being very confused by the interaction between the switch chips and vlans, particularly when bonding is involved.

What would be the router os (6.34.2) code to do this?

Thanks in advance to anyone that can help!

Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Thu Mar 10, 2016 4:35 am
by promethean
In this board's fine tradition of answering one's own question, I got this to work.

I ended up doing a reset after locking myself out playing with the switch vlan settings.

By doing that reset and not re-entering the "interface ethernet switch" settings, I think that fixed the things that were messing me up.

Pared down to just the relevant part that implements the scenario description I gave above:
/interface bridge
# one bridge per VLAN, so the three VLANs never see each other's traffic
add name=br-v41
add name=br-v42
add name=br-vMGMT
/interface vlan
# tagged sub-interfaces on the sfp1 trunk towards the core switch
add interface=sfp1 name=v41-sfp1 vlan-id=41
add interface=sfp1 name=v42-sfp1 vlan-id=42
add interface=sfp1 name=vMGMT-sfp1 vlan-id=10
/interface bonding
# no mode= is given, so RouterOS uses its default balance-rr; mode=802.3ad is needed for LACP
add name=bond1 slaves=ether6,ether7,ether8
add name=bond2 slaves=ether9,ether10
/interface vlan
# optional: management VLAN carried tagged over both bonds (see the PS)
add interface=bond1 name=vMGMT-bond1 vlan-id=10
add interface=bond2 name=vMGMT-bond2 vlan-id=10
/interface bridge port
add bridge=br-vMGMT interface=vMGMT-sfp1
add bridge=br-vMGMT interface=vMGMT-bond1
add bridge=br-vMGMT interface=vMGMT-bond2
# customer VLANs: the bond itself is the untagged member, the sfp1 VLAN interface is the tagged one
add bridge=br-v41 interface=bond1
add bridge=br-v41 interface=v41-sfp1
add bridge=br-v42 interface=bond2
add bridge=br-v42 interface=v42-sfp1
/ip address
# the management address lives on the MGMT bridge only
add address=10.1.1.41/24 interface=br-vMGMT network=10.1.1.0
Hope that saves someone else a headache someday.

(PS - Note that passing along the MGMT vlan down the bonded downlinks is optional. I found it useful for configuring the test CPE routers.)

Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Fri Dec 18, 2020 10:55 pm
by plum
Thanks for self-answering, it helped me solve the same problem, which I got when I wanted to add a new device with LACP/802.3ad support.

I figured it out without resetting the device, but it does not make sense to me. IMO these two ports should emit packets with the VLAN ID still present, but they seem not to?
I welcome anyone to explain to me why it works this way (or whether it is stupid how I did it) :-)

Here is a guide on how to turn previously configured vlan ports into a bond (ports 3+4).

Remove ports 3+4 from the switch's VLAN (/interface ethernet switch vlan)
Under Switch -> Port (/interface ethernet switch port), change default-vlan-id to auto (in the UI: remove the value with the up arrow) and disable both VLAN settings
 #   NAME             SWITCH             VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 1   eth01            switch1            secure    always-strip                40
 2   eth02            switch1            secure    always-strip                40
 3   eth03            switch1            disabled  leave-as-is               auto
 4   eth04            switch1            disabled  leave-as-is               auto
 
The rest is as described in the post above
1. Add a bond over your ports 3+4 (/interface bonding)
2. Add a vlan with the bond as interface (/interface vlan)
3. Add the bond to the vlan-bridge (don't add the bond's vlan but the bond itself!)

Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Fri Dec 18, 2020 11:11 pm
by mkx
The way you configured the bond ports, the hardware (switch chip) doesn't do anything about VLAN tags. A bridge used without vlan-filtering set to yes doesn't do anything about VLANs either. As you added the bond directly to the bridge, VLAN tags will not be touched by ROS.
So whether packets will be tagged or not depends on how the switch1-cpu interface is configured under /interface ethernet switch.

You could post the output of /interface export for us to see the actual configuration and make some relevant comments.

Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Sat Dec 19, 2020 3:27 am
by plum
Hey, yeah I would be glad if you could shed some light on this.
The hardware switch config at least interferes with the bond; any other setting does not work. I expected to end up with an untagged bond, but the vlan on the bond interface seems to act as a default vlan. The initial configuration is 3-4 years old and was migrated to a newer firmware; "bridge vlans" didn't exist when that router was set up, but I wasn't sure if it is worth migrating?

EDIT: I think what I did is the discouraged VLAN in bridge with a physical interface

1 is the internet
2 and 6 are trunks to a switch
3+4 is the bond
# dec/19/2020 02:05:09 by RouterOS 6.44.3
# software id = TQ36-1UAQ
#
# model = 2011UiAS-2HnD
# serial number = XXXX

/interface bridge
add admin-mac=5C:4B:2B:1C:72:A0 auto-mac=no comment=defconf name=bridge
add name=bridge-vlan-dmz-20
add name=bridge-vlan-guest-80
add name=bridge-vlan-int-40

/interface ethernet
set [ find default-name=ether1 ] name=eth01-outside speed=100Mbps
set [ find default-name=ether2 ] name=eth02-master speed=100Mbps
set [ find default-name=ether3 ] name=eth03 speed=100Mbps
set [ find default-name=ether4 ] mac-address=6C:3B:6B:8C:7D:A1 name=eth04 speed=100Mbps
set [ find default-name=ether5 ] name=eth05 speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth06-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth07
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth08
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth09
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eth10
set [ find default-name=sfp1 ] disabled=yes

/interface wireless
set [ find default-name=wlan1 ] country=switzerland disabled=no distance=indoors frequency=2467 frequency-mode=regulatory-domain installation=indoor mode=ap-bridge name=wlan-int-40 ssid="Internal WLAN" vlan-id=40 wireless-protocol=802.11 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:8C:7D:AA master-interface=wlan-int-40 multicast-buffering=disabled name=wlan-iot-40 ssid="IOT WLAN" vlan-id=40 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/interface vlan
add interface=bridge name=vlan-dmz-20 vlan-id=20
add interface=bridge name=vlan-guest-80 vlan-id=80
add interface=bridge name=vlan-int-40 vlan-id=40

/interface bonding
add arp=disabled mode=802.3ad name=bond-nas-34 slaves=eth03,eth04

/interface vlan
add interface=bond-nas-34 name=vlan-int-bond vlan-id=40
/interface ethernet switch port
set 2 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 5 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 7 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 8 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=80 vlan-header=always-strip vlan-mode=secure
set 11 vlan-mode=check
set 12 vlan-mode=check

/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key="xxx" wpa2-pre-shared-key="xxx"
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile-guest supplicant-identity=MikroTik wpa-pre-shared-key="xxx" wpa2-pre-shared-key="xxx"
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=hotspot supplicant-identity="" wpa-pre-shared-key="xxx" wpa2-pre-shared-key="xxx"

/interface wireless
add disabled=no mac-address=6E:3B:6B:8C:7D:A9 master-interface=wlan-int-40 name=wlan-guest-80 security-profile=profile-guest ssid="Guest WLAN" vlan-id=80 wps-mode=disabled
/interface bridge filter
add action=drop chain=forward in-interface=wlan-guest-80
add action=drop chain=forward out-interface=wlan-guest-80
/interface bridge port
add bridge=bridge comment=defconf interface=eth02-master
add bridge=bridge-vlan-int-40 comment=defconf interface=wlan-int-40
add bridge=bridge interface=eth06-master
add bridge=bridge-vlan-int-40 interface=vlan-int-40
add bridge=bridge-vlan-guest-80 interface=vlan-guest-80
add bridge=bridge-vlan-guest-80 interface=wlan-guest-80
add bridge=bridge-vlan-dmz-20 interface=vlan-dmz-20
add bridge=bridge interface=eth10
add bridge=bridge interface=eth05
add bridge=bridge interface=eth07
add bridge=bridge interface=eth08
add bridge=bridge interface=eth09
add bridge=bridge-vlan-int-40 interface=bond-nas-34
add bridge=bridge-vlan-int-40 disabled=yes interface=eth03
add bridge=bridge-vlan-int-40 disabled=yes interface=eth04
/interface bridge settings
set use-ip-firewall-for-vlan=yes

/interface ethernet switch vlan
add ports=eth06-master,eth07,eth08,switch2-cpu switch=switch2 vlan-id=40
add ports=eth06-master,eth07,eth10,switch2-cpu switch=switch2 vlan-id=80
add independent-learning=no ports=eth02-master,eth05,switch1-cpu switch=switch1 vlan-id=40
add independent-learning=no ports=eth02-master,switch1-cpu switch=switch1 vlan-id=80
add ports=eth06-master,eth09,switch2-cpu switch=switch2 vlan-id=20
add independent-learning=no ports=eth02-master,switch1-cpu switch=switch1 vlan-id=20

/interface list member
add interface=sfp1 list=discover
add interface=eth02-master list=discover
add interface=eth03 list=discover
add interface=eth04 list=discover
add interface=eth05 list=discover
add interface=eth06-master list=discover
add interface=eth07 list=discover
add interface=eth08 list=discover
add interface=eth09 list=discover
add interface=eth10 list=discover
add interface=wlan-int-40 list=discover
add interface=bridge list=discover
add interface=vlan-int-40 list=discover
add interface=vlan-guest-80 list=discover
add interface=bridge-vlan-int-40 list=discover
add interface=bridge-vlan-guest-80 list=discover
add interface=wlan-guest-80 list=discover
add interface=vlan-dmz-20 list=discover
add interface=bridge-vlan-dmz-20 list=discover
add interface=eth02-master list=mactel
add interface=eth06-master list=mactel
add interface=eth02-master list=mac-winbox
add interface=eth10 list=mactel
add interface=eth06-master list=mac-winbox
add interface=sfp1 list=mactel
add interface=eth10 list=mac-winbox
add interface=wlan-int-40 list=mactel
add interface=sfp1 list=mac-winbox
add interface=wlan-guest-80 list=mactel
add interface=wlan-int-40 list=mac-winbox
add interface=wlan-guest-80 list=mac-winbox


Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Sat Dec 19, 2020 5:39 pm
by mkx
You have an odd mix of different vintages in the config. It's hard to read and IMHO not worth fixing. I'd suggest you rethink the setup from scratch. With the RB2011 you'll probably want to keep sticking to VLANs on the switch chip for performance, keeping in mind that your RB has two switch chips and traffic between ports belonging to different switch chips has to pass the (slow) CPU. You can still go for a single bridge; the only obstacle I see is the bond towards the NAS, which you use as an access port for VLAN 40. Can you set up the NAS to use a tagged connection? If you can, then that bond can become a usual member of the dumb bridge, the same way as the rest of the trunk ports. Do keep in mind that with two links in the bond and bond traffic hitting the slow CPU, you might actually end up with slower throughput than if you used a single ether port, which would then be switched.

A question: why do you have
/interface bridge settings
set use-ip-firewall-for-vlan=yes
You don't need that for inter-vlan traffic; that's handled by the plain L3 firewall. The quoted setting is to force intra-vlan traffic through firewall rules, and in your case it would be a minor share of intra-VLAN connections, only those passing the bridge (I guess most are handled by both switch chips directly).

Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Sun Dec 20, 2020 2:42 am
by plum
Thanks for your input!

The IP firewall might have been an attempt for allowing a specific vlan-to-vlan connection that is exposed externally and uses port forwarding in the firewall. ;-)

I held back from a total reset because there are quite a few things on that network online 24/7.
I guess the easiest would be to just forget about bonding or make the NAS tag the connection. I didn't want to do that so far because if I blow the config, I am locked out of the NAS.

Is there any up-to-date guide on how to do VLANs on a RB2011? If I read correctly, just using bridge filtering would be unwise as it would put everything on the CPU, so I still somehow need to mix bridges, switch chips and wifis.

Re: RB2011 with bridged vlans across trunked uplink and bonded (LACP and 802.3ad) downlinks

Posted: Sun Dec 20, 2020 6:08 pm
by mkx
On devices with a weak CPU but decent switch chips (such as the RB2011) it's still best to go the way you did ... just with the least number of bridges. Keep in mind that by default a bridge is a kind of trunk, passing anything between member ports. It doesn't do anything about VLAN tags, which is fine for most interfaces, which can deal with VLAN tags by themselves. Unfortunately the bond is not one of those.

So you can go half-way: use a single bridge for everything but the bond. For the bond you'll need to create a VLAN interface on top of the bridge (this creates a kind of access port for that VLAN). Then create another bridge which will bridge the bond and the VLAN interface. If the router is supposed to interact with this VLAN, then add the corresponding IP address (and DHCP server etc.) to this secondary bridge. But again: having everything between the NAS and the rest of the network hit the RB's CPU hard reduces usable throughput to/from the NAS and affects the overall performance (e.g. internet traffic) of the router. If the NAS is not the only device in that subnet (which would be silly), then this is not the way to do it. If you'd still like to do the bond, then get a proper smart switch (any CxS3xx would do nicely) and use the RB2011 for routing only.
So you can go half-way: use single bridge for everything but bond. For bond you'll need to create VLAN interface on top of bridge (creates kind of access port for that VLAN). Then create another bridge which will bridge bond and the VLAN interface. If router is supposed to interact with this VLAN, then add corresponding IP address (and DHCP server etc.) to this secondary bridge. But again: having everything between NAS and the rest of network will hit RB's CPU hard, reducing usable throughput to/from NAS and affecting overall performance (e.g. internet traffic) of router. If NAS is not the only device in that subnet (which would be silly), then this is not the way to do it. If you'd still like to do bond, then get a proper smart switch (any CxS3xx would do nicely) and use RB2011 for routing only.