Bridging VLAN trunks on RouterOS

  • Edit: While Mikrotik is well known for their consumer-grade wireless routers, this question is about their rack mounted, carrier-grade, aggregation service routers.

    I need to send a VLAN trunk over an EoIP tunnel through two RouterOS/Mikrotik routers. I have thus bridged an ethernet interface on each side of the link with the respective EoIP interfaces.

    Seeing how different VLANs and trunks are handled on RouterOS makes me wonder how I should go about this.

    The frames will be tagged on egress from Catalyst switches on either side of the routers. Can one simply skip any VLAN configuration on RouterOS in this case? Will it bridge the frames with 802.1q tags intact?

    I assume that such configuration will cause the IP addresses of the routers to be accessible from any VLAN on the trunk, if any addresses are configured on the bridged ethernet interfaces.

    Any other downside to this configuration? Is there a better way?

    I have now tested a configuration without any vlan interfaces, and frames are bridged from physical interface through EoIP/IPSec with tags intact. It also seems possible to only add vlan interfaces (and associated bridge) for the vlan containing the router IP address (hybrid ports) leaving all other tags intact and directly bridged. Eg. RouterOS seems to only strip configured tags on ingress. I don't know if there might be other complicating issues,

  • user661

    user661 Correct answer

    8 years ago

    To be sure, create VLAN sub-interfaces on the physical interfaces and bridge the sub-interfaces. Any IP addresses are then configured on the respective bridges. VLANs are isolated from each other on layer 2 like on any switch.

    Treat the EoIP tunnel interface like a physical interface for this exercise.

    Oddly enough, the procedure is very similar to how VLAN trunks are configured on Juniper MX series routers :)

    http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN has the details.

    I read the docs, but they don't make much sense to me when it comes down to trunk-to-trunk. For 20 vlans that is 100 additional interfaces and bridges to configure. Might it not be better to put admin ip address on a separate physical interface and just bridge the entire trunk without messing with the tags?

    If that works... I haven't tested that way myself, so I don't know what issues may arise. http://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment suggests that if you're not stripping tags you don't need to configure the VLAN interfaces, at least on physicsal trunk ports.

    I have now had the simplistic bridge configuration in production for over a year without issue, meaning a dumb ethernet bridge of a physical ethernet port to a tunnel interface (EoIP/IPSec) without any consideration for VLAN tags. The entire trunk is nicely sent through, with VLAN tags intact. In my configuration where I have two links between four mikrotik routers, for redundancy, that also has the added benefit that I can easily move VLANs between the two trunks (on the distribution switches) without changing any config on the Mikrotiks. I configured admin ip adresses on seperate interfaces.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used