Multiple vlans on same subnet, please help

kemeris2 · Wed Nov 27, 2013 1:21 pm

Hi,

I have MT ccr1036 switch, and would like to define two vlans (vlan10 on eth7 and vlan20 on eth6) to same subnet.
Also I need to use the same DHCP server with one address poll for both vlan10 and vlan20.
I wonder is it possible?

efaden · Wed Nov 27, 2013 8:04 pm

Hi,

I have MT ccr1036 switch, and would like to define two vlans (vlan10 on eth7 and vlan20 on eth6) to same subnet.
Also I need to use the same DHCP server with one address poll for both vlan10 and vlan20.
I wonder is it possible?

You can't have the same subnet assigned to multiple interfaces on the mikrotik. What you can do is to bridge the two interfaces and assign the addresses to the bridge..... Does that make sense?...

e.g.

ros code

/interface bridge
add name=mybridge
/interface bridge port
add interface=vlan10 bridge=mybridge
add interface=vlan20 bridge=mybridge
/ip address
add address=10.0.0.1/24 interface=mybridge

Although that does kind of defeat the idea of a VLAN....

kemeris2 · Wed Nov 27, 2013 8:55 pm

Thanks for reply efaden,

I have unsigned packets from eth7 which need to be assigned to vlan10. The same with eth6 and vlan20.
I have tried to create bridge1 with ports vlan10 and eth7, bridge2 with ports vlan20 and eth6. But I can't assign the same subnet for both bridges as you just confirmed. If I will bridge all ports to one bridge, I will not be able to tag specific ports with different vlans?

Cisco allow to have Multiple VLANS in the same subnet

As I understand, this is not possible with mikrotik?

efaden · Wed Nov 27, 2013 9:02 pm

Thanks for reply efaden,

I have unsigned packets from eth7 which need to be assigned to vlan10. The same with eth6 and vlan20.
I have tried to create bridge1 with ports vlan10 and eth7, bridge2 with ports vlan20 and eth6. But I can't assign the same subnet for both bridges as you just confirmed. If I will bridge all ports to one bridge, I will not be able to tag specific ports with different vlans?

Cisco allow to have Multiple VLANS in the same subnet

As I understand, this is not possible with mikrotik?

I'll have to think about it. You "may" be able to do something like that by using the features of the switch chip, but I'm not positive. The other problem is I don't know which of those features exist on the CCR and I don't have one to test with.

To make sure I get it ...

You want to take untagged traffic from eth6 and tag it with VLAN20 on 10.0.0.1/27.... untagged traffic from eth7 and tag it with VLAN10 on 10.0.0.2/27.... then you want to make a trunk on eth3?...

efaden · Wed Nov 27, 2013 9:08 pm

Thanks for reply efaden,

I have unsigned packets from eth7 which need to be assigned to vlan10. The same with eth6 and vlan20.
I have tried to create bridge1 with ports vlan10 and eth7, bridge2 with ports vlan20 and eth6. But I can't assign the same subnet for both bridges as you just confirmed. If I will bridge all ports to one bridge, I will not be able to tag specific ports with different vlans?

Cisco allow to have Multiple VLANS in the same subnet

As I understand, this is not possible with mikrotik?
I'll have to think about it. You "may" be able to do something like that by using the features of the switch chip, but I'm not positive. The other problem is I don't know which of those features exist on the CCR and I don't have one to test with.

To make sure I get it ...

You want to take untagged traffic from eth6 and tag it with VLAN20 on 10.0.0.1/27.... untagged traffic from eth7 and tag it with VLAN10 on 10.0.0.2/27.... then you want to make a trunk on eth3?...

You could do something like this...

ros code

/interface bridge
add name=mybridge
/interface vlan
add name=vlan20 interface=ether3
add name=vlan10 interface=ether3
/interface bridge port
add bridge=mybridge interface=ether6
add bridge=mybridge interface=ether7
add bridge=mybridge interface=vlan10
add bridge=mybridge interface=vlan20
/ip address
add interface=mybridge address=10.0.0.1/27

kemeris2 · Wed Nov 27, 2013 9:14 pm

I'll have to think about it. You "may" be able to do something like that by using the features of the switch chip, but I'm not positive. The other problem is I don't know which of those features exist on the CCR and I don't have one to test with.

Unfortunately CCR does not have switch chip.

To make sure I get it ...

You want to take untagged traffic from eth6 and tag it with VLAN20 on 10.0.0.1/27.... untagged traffic from eth7 and tag it with VLAN10 on 10.0.0.2/27.... then you want to make a trunk on eth3?...

Yes, exactly.

kemeris2 · Wed Nov 27, 2013 9:47 pm

ros code

/interface bridge port
add bridge=mybridge interface=ether6
add bridge=mybridge interface=ether7
add bridge=mybridge interface=vlan10
add bridge=mybridge interface=vlan20

I doubt it will work, how system will know to which vlan assign packet from ether6 for example.
Anyway, I will try.

Just to make sure, its not possible to bridge two bridges together?
Its not possible to have same interface in two bridges?

efaden · Wed Nov 27, 2013 9:51 pm

If that doesn't work post your export and I'll take a look. I can explain when I get back on a computer

Sent from my SCH-I545 using Tapatalk

CelticComms · Wed Nov 27, 2013 10:29 pm

Do you have a specific Cisco config that you are trying to recreate? I suspect that you want to use one bridge and then use the horizon settings on the bridge ports to control the forwarding, however that has certain specific consequences which may or may not work for you depending on your overall goals.

See:

http://wiki.mikrotik.com/wiki/MPLSVPLS# ... n_bridging

kemeris2 · Thu Nov 28, 2013 9:15 am

Do you have a specific Cisco config that you are trying to recreate? I suspect that you want to use one bridge and then use the horizon settings on the bridge ports to control the forwarding, however that has certain specific consequences which may or may not work for you depending on your overall goals.

See:

http://wiki.mikrotik.com/wiki/MPLSVPLS# ... n_bridging

Yes, I know about this feature. Basically, packets received on a bridge port with a particular non-zero horizon value will not be forwarded out ports with the same non-zero horizon value. As I understand this is could be useful for isolating multiple vlans in the same bridge. My goal is to tag specific ports to specific vlans in the same bridge.

kemeris2 · Thu Nov 28, 2013 12:35 pm

You could do something like this...

ros code

/interface bridge
add name=mybridge
/interface vlan
add name=vlan20 interface=ether3
add name=vlan10 interface=ether3
/interface bridge port
add bridge=mybridge interface=ether6
add bridge=mybridge interface=ether7
add bridge=mybridge interface=vlan10
add bridge=mybridge interface=vlan20
/ip address
add interface=mybridge address=10.0.0.1/27

I have tried to test this setup, but need help. I cant manage to debug my setup to show packets vlan id.

I have used this example to enable bridge logging:

/interface bridge filter add chain=input action=log disabled=no

Pinging from eth6 (vlan10) to ether7 (vlan20), but cant see vlan ID in the logs.

Tried torch with Vlan ID collection option, but I see only untagged packets. Do I miss something fundamental?

Testing such a simple config for a moment:

ros code

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp1
set [ find default-name=sfp-sfpplus2 ] name=sfp2
set [ find default-name=ether1 ] name=eth1-public comment=Public1 
set [ find default-name=ether2 ] name=eth2-public comment=Public2 
set [ find default-name=ether3 ] name=eth3 comment="Bond to sfp1" 
set [ find default-name=ether4 ] name=eth4 comment="Bond to sfp2"  
set [ find default-name=ether5 ] name=eth5 comment=DMZ 
set [ find default-name=ether6 ] name=eth6 comment=Wireless 
set [ find default-name=ether7 ] name=eth7 comment=Wired speed=1Gbps
set [ find default-name=ether8 ] name=eth8 comment=Wired
/interface bonding
add comment=Trunk mode=active-backup name=sfp1-bond primary=sfp1 slaves=\
    sfp1,eth3
add comment=DMZ mode=active-backup name=sfp2-bond primary=sfp2 slaves=\
    sfp2,eth4
/interface vlan
add interface=sfp1-bond name=vlan10 vlan-id=10
add interface=sfp1-bond name=vlan20 vlan-id=20
add interface=sfp1-bond name=vlan30 vlan-id=30
/interface bridge
add l2mtu=1590 name=mybridge
add l2mtu=1590 name=mybridge2
/interface bridge port
add bridge=mybridge interface=eth6 path-cost=4
add bridge=mybridge interface=vlan10 path-cost=2
add bridge=mybridge2 interface=vlan20 path-cost=2
add bridge=mybridge2 interface=eth7 path-cost=4
/ip pool
add name=dhcp-br-Wired ranges=10.0.0.11-10.0.0.29
add name=dhcp-br-Wired2 ranges=10.1.0.11-10.1.0.29
/ip dhcp-server
add address-pool=dhcp-br-Wired disabled=no interface=mybridge name=\
    dhcp-br-Wired
add address-pool=dhcp-br-Wired2 disabled=no interface=mybridge2 name=\
    dhcp-br-Wired2

This is my first Mikrotik device, and I have it only for one week.

efaden · Thu Nov 28, 2013 5:06 pm

You could do something like this...

ros code

/interface bridge
add name=mybridge
/interface vlan
add name=vlan20 interface=ether3
add name=vlan10 interface=ether3
/interface bridge port
add bridge=mybridge interface=ether6
add bridge=mybridge interface=ether7
add bridge=mybridge interface=vlan10
add bridge=mybridge interface=vlan20
/ip address
add interface=mybridge address=10.0.0.1/27

I have tried to test this setup, but need help. I cant manage to debug my setup to show packets vlan id.

I have used this example to enable bridge logging:

/interface bridge filter add chain=input action=log disabled=no

Pinging from eth6 (vlan10) to ether7 (vlan20), but cant see vlan ID in the logs.

Tried torch with Vlan ID collection option, but I see only untagged packets. Do I miss something fundamental?

Testing such a simple config for a moment:

ros code

/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp1
set [ find default-name=sfp-sfpplus2 ] name=sfp2
set [ find default-name=ether1 ] name=eth1-public comment=Public1 
set [ find default-name=ether2 ] name=eth2-public comment=Public2 
set [ find default-name=ether3 ] name=eth3 comment="Bond to sfp1" 
set [ find default-name=ether4 ] name=eth4 comment="Bond to sfp2"  
set [ find default-name=ether5 ] name=eth5 comment=DMZ 
set [ find default-name=ether6 ] name=eth6 comment=Wireless 
set [ find default-name=ether7 ] name=eth7 comment=Wired speed=1Gbps
set [ find default-name=ether8 ] name=eth8 comment=Wired
/interface bonding
add comment=Trunk mode=active-backup name=sfp1-bond primary=sfp1 slaves=\
    sfp1,eth3
add comment=DMZ mode=active-backup name=sfp2-bond primary=sfp2 slaves=\
    sfp2,eth4
/interface vlan
add interface=sfp1-bond name=vlan10 vlan-id=10
add interface=sfp1-bond name=vlan20 vlan-id=20
add interface=sfp1-bond name=vlan30 vlan-id=30
/interface bridge
add l2mtu=1590 name=mybridge
add l2mtu=1590 name=mybridge2
/interface bridge port
add bridge=mybridge interface=eth6 path-cost=4
add bridge=mybridge interface=vlan10 path-cost=2
add bridge=mybridge2 interface=vlan20 path-cost=2
add bridge=mybridge2 interface=eth7 path-cost=4
/ip pool
add name=dhcp-br-Wired ranges=10.0.0.11-10.0.0.29
add name=dhcp-br-Wired2 ranges=10.1.0.11-10.1.0.29
/ip dhcp-server
add address-pool=dhcp-br-Wired disabled=no interface=mybridge name=\
    dhcp-br-Wired
add address-pool=dhcp-br-Wired2 disabled=no interface=mybridge2 name=\
    dhcp-br-Wired2

This is my first Mikrotik device, and I have it only for one week.

You actually won't see the VLAN on the pings.... since eth6 and eth7 are actually untagged.... the packets only get tagged when they leave on eth3. Inside of the mikrotik they are untagged.

CelticComms · Thu Nov 28, 2013 5:26 pm

Yes, I know about this feature. Basically, packets received on a bridge port with a particular non-zero horizon value will not be forwarded out ports with the same non-zero horizon value. As I understand this is could be useful for isolating multiple vlans in the same bridge. My goal is to tag specific ports to specific vlans in the same bridge.

... so if you control which of the VLAN virtual interfaces the bridge will forward Ether interface frames to you can control which "VLAN" the traffic appears from at the other end of the trunk.

e.g. if Ether 6 and VLAN 10 have the same horizon then the Ether 6 traffic will only appear on VLAN 20.

Of course this would result in not all hosts on the subnet being able to see each other which is normally a bad idea.

I suspect that you are trying to emulate a Cisco switch but in terms of VLAN implementation RouterOS is more like a Cisco router,

efaden · Thu Nov 28, 2013 6:52 pm

Yes, I know about this feature. Basically, packets received on a bridge port with a particular non-zero horizon value will not be forwarded out ports with the same non-zero horizon value. As I understand this is could be useful for isolating multiple vlans in the same bridge. My goal is to tag specific ports to specific vlans in the same bridge.
... so if you control which of the VLAN virtual interfaces the bridge will forward Ether interface frames to you can control which "VLAN" the traffic appears from at the other end of the trunk.

e.g. if Ether 6 and VLAN 10 have the same horizon then the Ether 6 traffic will only appear on VLAN 20.

Of course this would result in not all hosts on the subnet being able to see each other which is normally a bad idea.

I suspect that you are trying to emulate a Cisco switch but in terms of VLAN implementation RouterOS is more like a Cisco router,

I don't think the horizon feature would work 100% here....

Since he basically has 4 ports he wants to bridge... ether6/ether7/vlan10/vlan20, but only really wants traffic from ether6 to vlan20 and ether7 to vlan10.... using the split horizon feature with the assignments

ether6 & vlan10 - Horizon 1
ether7 & vlan20 - Horizon 2

would yield ether6 traffic going to ether7 and vlan20 and ether7 traffic going to vlan10 and ether6... which wouldn't isolate ether6 and ether7...

CelticComms: do you agree?

kemeris2 · Thu Nov 28, 2013 10:39 pm

... so if you control which of the VLAN virtual interfaces the bridge will forward Ether interface frames to you can control which "VLAN" the traffic appears from at the other end of the trunk.

e.g. if Ether 6 and VLAN 10 have the same horizon then the Ether 6 traffic will only appear on VLAN 20.

Of course this would result in not all hosts on the subnet being able to see each other which is normally a bad idea.

I suspect that you are trying to emulate a Cisco switch but in terms of VLAN implementation RouterOS is more like a Cisco router,

You are right, I am trying to replicate existing setup on Cisco device, we will need to interconnect two branches with L2TP/IPSec tunnel.
And I think efaden is right, this will not work in my situation.

I had brought home only one router, and my PC NIC driver does not support vlans. Tomorrow I will test faden earlier posted solution and will report back.

CelticComms · Fri Nov 29, 2013 12:57 am

I looked at the link above to the Cisco setup. It refers to the situation of having restricted public IPs and using the method to arrange multiple VLANs without having multiple subnets.

Split horizon would not isolate the Ether ports so if that is desired you could perhaps use multiple bridge filters to control the forwarding in the desired pattern

Are you doing this on public or RFC 1918 addresses?

kemeris2 · Fri Nov 29, 2013 9:27 pm

You could do something like this...

ros code

/interface bridge
add name=mybridge
/interface vlan
add name=vlan20 interface=ether3
add name=vlan10 interface=ether3
/interface bridge port
add bridge=mybridge interface=ether6
add bridge=mybridge interface=ether7
add bridge=mybridge interface=vlan10
add bridge=mybridge interface=vlan20
/ip address
add interface=mybridge address=10.0.0.1/27

At last, have both routers on my hands. Loaded this config on both routers, except:
Router1:

ros code

add interface=mybridge address=10.0.0.1/27

Router2:

ros code

add interface=mybridge address=10.0.0.2/27

I have connected two hosts to each router, and I got 100% CPU on both routers, hosts cant ping routers.
So unfortunately this does not work. Do you have more suggestion to try?

kemeris2 · Fri Nov 29, 2013 10:07 pm

Split horizon would not isolate the Ether ports so if that is desired you could perhaps use multiple bridge filters to control the forwarding in the desired pattern

I would appreciate for simple example script.

Are you doing this on public or RFC 1918 addresses?

I'm afraid I do not quite understand the question.
We have two branches. I have provided topology image of branch 1 in my first post. Both routers in this image is connected using RFC 1918 address. Addresses provided in image are actual addresses we will use. Both branches will be connected via Public IPs using L2TP/IPSec tunnel. Branch 2 has quite similar topology with identical vlan IDs but cisco hardware.
I hope I have been able to answer your questions
Sorry for my poor English, it's my third language

barkas · Sat Nov 30, 2013 10:51 am

Vrf?

ARBEIT ANGST KONSUMTERROR