Mikrotik RB5009 paired with Ruckus ICX7150 for VLAN configuration

Killa_Dx
Senior Member
645
03-07-2022, 10:31 AM
#1
Hello, I bought the equipment recently. I need the RB5009 to manage NAT and DHCP while the ICX handles local routing between VLANs and ACL setup. In the original guide I used, the RB5009 was set up for routing within local VLANs (confirmed by pinging across devices). If you have a Mikrotik routerOS reference with an ICX running 08.xx.xx router code, feel free to share it—I’d be happy to review it. Your config is welcome too if that’s more convenient. Thanks!

vwgti2a
Member
106
03-07-2022, 03:46 PM
#2
Adjust the routing functions between VLANs on the switch? The idea remains consistent whether you’re using an ICX switch or any other L3 device: set up a dedicated interface for each VLAN you need to manage routing, including a new VLAN just for communication between the switch and router. Interfaces with IP addresses on the switch should not appear on the router to avoid confusing route tables and asymmetric routing. The special case is the VLAN meant only for router-switch traffic—configure its default gateway to point to the router in that VLAN. On the router, establish static routes for each subnet now handled by the switch, using the switch’s IP inside the new VLAN as the next hop. Implement a DHCP relay or server for every VLAN where needed; if you use a relay, specify the desired DHCP server (such as Mikrotik) in your configuration. While I don’t have a ready example, experienced network pros confirm these steps work well across platforms like Mikrotik and Ruckus—just adapt the commands accordingly.

Kittylu
Member
115
03-14-2022, 01:15 PM
#3
Thanks for taking the time to reply. I've read many of your posts here and other places and they have always been insightful. I've spent last night and today trying to work through your suggestions. I can no longer receive an IP address from a device connected to the ICX that is not on the default VLAN (192.168.88.0/24).

Changes I've made:
I was using the same IP address for both the DHCP server on the Mikrotik and the ICX VE IP. I removed them on the Mikrotik.
I added the IP helper-address on the ICX VEs pointing to the Mikrotik IP (192.168.88.1).
The Mikrotik is connected from ether2 to the ICX e 1/2/1.
I set up a new VLAN (50) as the point-to-point network (I've read that this is called the transit VLAN).
I added an IP address on the Mikrotik ether2 of 192.168.50.1/24.
I changed the default route from the Mikrotik IP (192.168.88.1) to the new transit VLAN IP on Mikrotik ether2 (192.168.50.1).
I tagged the ICX e 1/2/1 with all VLANs thinking that might be the issue.

I've attached screenshots of the Mikrotik config (don't yet know how to get them from the CLI). ICX configs below.

Here's my permanent and running config:

ICX7150-C12 Router(config)#show config
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.95fT213
!
stack unit 1
  module 1 icx7150-c12-poe-port-management-module
  module 2 icx7150-2-copper-port-2g-module
  module 3 icx7150-2-sfp-plus-port-20g-module
  stack-port 1/3/1
  stack-port 1/3/2
!
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
 spanning-tree
!
vlan 50 name Transit by port
 tagged ethe 1/2/1
 router-interface ve 50
!
vlan 110 name IoT by port
 tagged ethe 1/1/12 ethe 1/2/1
 untagged ethe 1/1/2
 router-interface ve 110
!
vlan 200 name Parents by port
 tagged ethe 1/1/12 ethe 1/2/1
 untagged ethe 1/1/1
 router-interface ve 200
!
!
!
!
!
!
!
!
!
!
!
!
!
!
aaa authentication web-server default local
aaa authentication login default local
boot sys fl pri
enable aaa console
ip route 0.0.0.0/0 192.168.50.1
!
no telnet server
username super password .....
!
!
!
!
!
!
manager registrar
!
manager port-list 987
!
!
!
!
!
!
!
!
!
interface ethernet 1/3/1
 speed-duplex 1000-full
!
interface ethernet 1/3/2
 speed-duplex 1000-full
!
interface ve 50
 ip address 192.168.50.254 255.255.255.0
!
interface ve 110
 ip address 192.168.110.1 255.255.255.0
 ip helper-address 1 192.168.88.1
!
interface ve 200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 1 192.168.88.1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
end

Here's my ICX routes:

ICX7150-C12 Router(config)#show ip route
Total number of IP routes: 4
Type Codes - B:BGP D:Connected O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP  Codes - i:iBGP e:eBGP
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2
STATIC Codes - v:Inter-VRF
        Destination        Gateway         Port     Cost    Type  Uptime
1       0.0.0.0/0          192.168.50.1    ve 50    1/1     S     33m40s
2       192.168.50.0/24    DIRECT          ve 50    0/0     D     33m41s
3       192.168.110.0/24   DIRECT          ve 110   0/0     D     5d1h
4       192.168.200.0/24   DIRECT          ve 200   0/0     D     5d1h

Tango599
Member
165
03-14-2022, 03:07 PM
#4
Helper IP must be 192.168.50.1 DHCP server. Devices on 110 and 200 should reside in the Transit vlan interface. Set the relay value to 255.255.255.255 for those interfaces (per Mikrotik documentation). Ideally assign a fixed IP like 192.168.50.254 for reliability, though verify if the switch is using it correctly. Consider changing the dhcp-relay source to 192.168.50.254 on the ICX. Ensure ether2 isn't connected to the bridge. Place the 192.168.50.1/24 subnet on the Transit vlan interface, not directly on ether2. In IP > Routes, add static routes for 192.168.110.0/24 and 192.168.200.0/24 pointing to 192.168.50.254. Once configured, you should be able to ping 192.168.50.1 from the switch, 192.168.110.1 from the router, and obtain IP addresses in VLANs 110 and 200. If issues persist, manually assign IPs and test gateway reachability.
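
The two checks suggested in post #4, as an added example that is not part of the thread or any poster's code: it parses ICX-style `interface ve` stanzas (a constructed sample modelled on the config in post #3), derives the static return routes the router needs toward the switch's transit IP, and lists helper addresses that are not on a subnet connected to the switch. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, modelled on the interface stanzas posted in #3.
SAMPLE_ICX = """\
interface ve 50
 ip address 192.168.50.254 255.255.255.0
!
interface ve 110
 ip address 192.168.110.1 255.255.255.0
 ip helper-address 1 192.168.88.1
!
interface ve 200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 1 192.168.88.1
!
"""

def parse_ves(text):
    """Return {ve_id: {"iface": IPv4Interface, "helpers": [IPv4Address]}}."""
    ves, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"interface ve (\d+)", line):
            cur = ves.setdefault(int(m[1]), {"iface": None, "helpers": []})
        elif line == "!" or line.startswith("interface "):
            cur = None  # stanza ended, or a non-VE interface started
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["iface"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif cur is not None and (m := re.fullmatch(r"ip helper-address \d+ (\S+)", line)):
            cur["helpers"].append(ipaddress.ip_address(m[1]))
    return ves

def return_routes(ves, transit_ve):
    """Static routes the upstream router needs: each routed subnet via the switch's transit IP."""
    hop = ves[transit_ve]["iface"].ip
    return [(str(v["iface"].network), str(hop))
            for k, v in sorted(ves.items()) if k != transit_ve and v["iface"]]

def offlink_helpers(ves):
    """(ve_id, helper) pairs whose helper is not on any subnet connected to the switch."""
    nets = [v["iface"].network for v in ves.values() if v["iface"]]
    return sorted({(k, str(h)) for k, v in ves.items() for h in v["helpers"]
                   if not any(h in n for n in nets)})

if __name__ == "__main__":
    # Print the routes in RouterOS form (IP > Routes in post #4).
    for net, hop in return_routes(parse_ves(SAMPLE_ICX), 50):
        print(f"/ip route add dst-address={net} gateway={hop}")
```
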

R3kab
Member
168
03-16-2022, 05:48 AM
#5
Appreciate the response. I'll review these tomorrow since it's late here. Thanks!

GamerRick_
Member
64
03-16-2022, 12:03 PM
#6
Thank you for your reply. It helped fix my DHCP problems and I can now route locally on the ICX switch as well. I can ping from the switch to the router, router to switch, between devices on the switch, and from the router to devices on the switch. #3 above – it seems I got the location mixed up. On the RB5009, I adjusted each DHCP server relay to 255.255.255.255. The first server accepted it, but the second reported a duplicate. I restored the relay to use the VE address on the switch.

By the way, I only set up VLANs on the Mikrotik for the transit VLAN (50). No other VLANs were created there. #4 above – I kept ether2 enabled in the Mikrotik bridge temporarily. My Ruckus R710 AP was deployed on 1/1/12 and is running unleashed. It uses two WLANs on VLANs 110 and 200, plus one non-VLAN WLAN.

I’m still working on creating a management VLAN for the Mikrotik so I can manage it without an out-of-band Ethernet port. The ICX7150 has an out-of-band management port, while the Ruckus R710 AP does not. I need to figure out how to set up a management VLAN and resolve issues with external DNS names on VLANs 110 and 200. Currently, pinging external IPs fails with “sendto: No route to host.”

Makaveli_
Junior Member
18
03-16-2022, 12:40 PM
#7
The need to exclude ether2 from the bridge arises because configurations become mixed up when an interface is part of a bridge. To retain ether2 within the bridge, relocate the Transit interface so it becomes the parent of the bridge instead of using ether2 as its parent. Verify the Default Gateway IPs in your setup (192.168.110.1 and 192.168.200.1). Display the routing table from a device (likely via “route print” on Windows) and check the traceroute results for 192.168.50.1 and 8.8.8.8.

bluehypergiant
220
03-16-2022, 02:41 PM
#8
I hope you found the helpful details you needed. I attempted to delete 192.168.88.0/24 and set up a new management VLAN (99). Mikrotik is now functioning with DHCP support. I removed ether2 from the bridge, which resolved the problem. However, accessing external IPs remains challenging—despite changing DNS settings on 192.168.200.0/24, DNS still fails for 192.168.88.1. I have two VLANs on ether2 (management and transit). I’m considering adding Mikrotik’s ether8 as a management VLAN too. The relay for the DNS servers needs adjustment; currently it uses ICX with IP 192.168.99.254, but that doesn’t connect properly to Mikrotik’s ether8. I can’t reach webfig (192.168.88.1) from any other VLAN. This might explain why DNS isn’t working.

sven_kristian
Junior Member
16
03-16-2022, 04:41 PM
#9
Can't concentrate at the moment, feeling really exhausted. Hopefully I can revisit this later. Let me know when you're ready to respond.

SGFusion
Junior Member
16
03-18-2022, 05:24 AM
#10
Thank you for the opportunity to review.