Here is a question that I am in great need of an answer:
Apparently Cisco can do this and I have been trying to get the same results on a Mikrotik.
I would love to see the same subnet running and then on a switch have multiple VLANs per port so that the VLANs do not see each other broadcast. This would drastically reduce some blah overhead on my network.
Here is the link I had found. I want to do the multiple VLANs same subnet like this example.
http://gcharriere.com/blog/?p=620
Any ides on how to do this in a MT environment? Code example preferred.
Thanks
-Sincerely,
DesertAdmin
-
-
desertadmin
Member Candidate
- Posts: 232
- Joined:
- Location: Las Vegas, New Mexico
- Contact:
Re: Multiple VLANS in the same subnet Cisco can can you?
It's better if you can do the isolation at the switch, with a private or protected VLAN feature, but it can be done on a MT as well.
Create the VLANs, and place them all in a bridge, with the same horizon value assigned to each port. Then, put your IP configuration (or what have you) on the bridge interface.
Quick example:
The horizon is the important bit that prevents forwarding, and potential switch confusion.
--Eric
Create the VLANs, and place them all in a bridge, with the same horizon value assigned to each port. Then, put your IP configuration (or what have you) on the bridge interface.
Quick example:
Code: Select all
/int br add name=bridge-ether2-VLANs
:for x from=100 to=120 do={ \
:local name ("ether2." . $x)
/int vlan add name=$name vlan-id=$x interface=ether2 disabled=no
/int br po add bridge=bridge-ether2-VLANs horizon=10 interface=$name
}
--Eric
-
-
desertadmin
Member Candidate
- Posts: 232
- Joined:
- Location: Las Vegas, New Mexico
- Contact:
Re: Multiple VLANS in the same subnet Cisco can can you?
Hmm horizon? I am not familiar with that parameter. That looks very logical though. I will give it a try. Thank you.
-Sincerely,
DesertAdmin
-Sincerely,
DesertAdmin
Re: Multiple VLANS in the same subnet Cisco can can you?
The feature was added to support BGP signaled VPLS, but works great for situations like this.
Basically, packets received on a bridge port with a particular non-zero horizon value will not be forwarded out ports with the same non-zero horizon value. The intent is to prevent loops in a fully-meshed dynamic VPLS domain; without resorting to RSTP, which would prune useful paths, and force a highly non-optimal topology.
http://wiki.mikrotik.com/wiki/Manual:MP ... n_bridging
The same approach allows for other novel topologies however, such as the situation you described.
The same result can be achieved (with somewhat more overhead) with a bridge firewall rule.
In the simplest case (if this is the only bridge on the unit, and no L2 forwarding is desired at all), this could work:
--Eric
Basically, packets received on a bridge port with a particular non-zero horizon value will not be forwarded out ports with the same non-zero horizon value. The intent is to prevent loops in a fully-meshed dynamic VPLS domain; without resorting to RSTP, which would prune useful paths, and force a highly non-optimal topology.
http://wiki.mikrotik.com/wiki/Manual:MP ... n_bridging
The same approach allows for other novel topologies however, such as the situation you described.
The same result can be achieved (with somewhat more overhead) with a bridge firewall rule.
In the simplest case (if this is the only bridge on the unit, and no L2 forwarding is desired at all), this could work:
Code: Select all
/int br fil add chain=forward action=drop
Re: Multiple VLANS in the same subnet Cisco can can you?
Eric,
Sorry to pick up an old post. I'm a total newbie to MT. I wanted to make sure I understood your post. The solution you are proposing will work for the second option listed in the referenced link, right (Multiple VLAN inside the same subnet)? Cisco won't support that setup but Brocade does. We have this scenario and are attempting to find a way to link the duplicate subnets to the same default gateway. We're planning on using our MT routers to be the default gateway for each of these duplicate VLAN subnets.
--Rob
Sorry to pick up an old post. I'm a total newbie to MT. I wanted to make sure I understood your post. The solution you are proposing will work for the second option listed in the referenced link, right (Multiple VLAN inside the same subnet)? Cisco won't support that setup but Brocade does. We have this scenario and are attempting to find a way to link the duplicate subnets to the same default gateway. We're planning on using our MT routers to be the default gateway for each of these duplicate VLAN subnets.
--Rob
Re: Multiple VLANS in the same subnet Cisco can can you?
Hi Rob,
This allows you to create a 'subnet' that spans multiple VLANs on the same (or multiple) physical interface(s), while preventing L2 connectivity between hosts on different VLANs.
Conceptually, this is similar to default-forward=no (or station isolation) for wireless clients. The router/AP can send L2 frames to all VLANs/stations, and all VLANs/stations can send L2 frames to the router/AP, but VLANs/stations cannot send L2 frames to each other.
It's a very useful, if somewhat unusual topology, particularly for service providers.
You do need be careful however, and ensure that there is a mechanism in place to prevent the forwarding of traffic between VLANs at layer 2, as that protection is not automatic. Many L2 devices only maintain a single bridging table across all VLANs, and will thrash if they see the same source MAC on multiple ports. The bridge horizon feature (efficient!), or the bridge firewall (not quite so efficient), can prevent that from happening.
Hope that helps,
--Eric
This allows you to create a 'subnet' that spans multiple VLANs on the same (or multiple) physical interface(s), while preventing L2 connectivity between hosts on different VLANs.
Conceptually, this is similar to default-forward=no (or station isolation) for wireless clients. The router/AP can send L2 frames to all VLANs/stations, and all VLANs/stations can send L2 frames to the router/AP, but VLANs/stations cannot send L2 frames to each other.
It's a very useful, if somewhat unusual topology, particularly for service providers.
You do need be careful however, and ensure that there is a mechanism in place to prevent the forwarding of traffic between VLANs at layer 2, as that protection is not automatic. Many L2 devices only maintain a single bridging table across all VLANs, and will thrash if they see the same source MAC on multiple ports. The bridge horizon feature (efficient!), or the bridge firewall (not quite so efficient), can prevent that from happening.
Hope that helps,
--Eric
Re: Multiple VLANS in the same subnet Cisco can can you?
Thanks for the info!
--Rob
--Rob
Re: Multiple VLANS in the same subnet Cisco can can you?
This does work quite well. I use it quite a bit.
I have run into one problem with DHCP and broadcast storm detection on a switch.
I run DHCP on the bridge interface and yes, I have the horizons all set the same, etc.
DHCP clients that have the broadcast flag set (Vista, etc) will cause the MT to reply to every vlan. Depending on the number of vlans and storm threshold, that can trigger the storm detection on the switch trunk port.
I haven't found a solution so I simply turned off storm detection on the trunk port, but would like a cleaner solution, if anyone has run into this.
I have run into one problem with DHCP and broadcast storm detection on a switch.
I run DHCP on the bridge interface and yes, I have the horizons all set the same, etc.
DHCP clients that have the broadcast flag set (Vista, etc) will cause the MT to reply to every vlan. Depending on the number of vlans and storm threshold, that can trigger the storm detection on the switch trunk port.
I haven't found a solution so I simply turned off storm detection on the trunk port, but would like a cleaner solution, if anyone has run into this.
Who is online
Users browsing this forum: wrkq and 40 guests