CRS vlan, trunking and switching

RouterOS Beginner Basics
1

Hello Folks!

I have recieved my first CRS devices some weeks back.
The first one is already in production, that was easy since it is a pure switch with no vlans and trunklinks etc.
It works like a charm!

I have some questions (like I guess many have).
The CRS came preconfigured as a classic router with NAT and DHCP server and client activated.

Making a switch out of it ?

I disabled NAT, DHCP client and server, also I disabled a couple of packages like hotspot and wireless and I opened the firewall for winbox and disabled all ip → services exept ssh and winbox.

What more packages is advisable to disable ? I think on disabling routing, ppp, mpls and dhcp as well.

IP Settings, IP Forward ?

Then going deeper, ip → settings, there I find that the following are checked: IP Forward, Send Redirects, Secure Redirects, Allow Fast Path. Should I also disable those ? IP Forward = routing enabled, I do not want that in a switch.

And further ?

Is there anything more to think on, making it a pure switch ?

I did not find any place to set Spanning Tree in the switch to prevent loops, we have a big network here. Where do I activate Spanning Tree ?

Even if the way making vlans working was a bit strange to me, I got the picture regarding ingress and egress handling of VLAN tagging, and made it working with a trunk and access ports.

Thank you in advance!

2

Hello Folks!

A small update, I went to IP > Settings and unchecked all.
Then I did disable hotspot, mpls, ppp, routing.
crs_packages.jpg
All works normally as expected without them, see picture, maybe un-nessesary to disable them, I don’t know.
Anyone who have some ideas about it ?

I have one problem, I attached my laptop to one access port of the CRS switch (connected to vlan 200), I have about 10 different vlan:s.

Setup:
DHCP server —>> fa/10 (cisco access port)—>> Cisco 2960 fa/15 (cisco trunk port) —>> ether2 (CRS) —>> ether 10 —>> Laptop
Configuration:
Port Based VLAN configurarion was used from: http://wiki.mikrotik.com/wiki/Manual:CRS_examples

I am in 172.16.1.0/24 vlan 200, why do I see traffic from other VLANS ?
23:49:35.413940 ARP, Request who-has 80-84-34-22.jscnet.se (Broadcast) tell 80-84-34-1.jscnet.se, length 46
23:49:35.414222 IP 172.16.1.128.39600 > ns.radio2.ing-steen.se.domain: 29036+ PTR? 22.34.84.80.in-addr.arpa. (42)
23:49:35.416784 IP ns.radio2.ing-steen.se.domain > 172.16.1.128.39600: 29036 1/2/2 PTR 80-84-34-22.jscnet.se. (145)
23:49:35.417102 IP 172.16.1.128.60097 > ns.radio2.ing-steen.se.domain: 38386+ PTR? 1.34.84.80.in-addr.arpa. (41)
23:49:35.420729 IP ns.radio2.ing-steen.se.domain > 172.16.1.128.60097: 38386 1/2/2 PTR 80-84-34-1.jscnet.se. (143)
23:49:35.427696 ARP, Request who-has 172.16.1.128 tell ns.radio2.ing-steen.se, length 46
23:49:35.427721 ARP, Reply 172.16.1.128 is-at 00:21:cc:cf:0e:19 (oui Unknown), length 28
23:49:35.457708 ARP, Request who-has 192.168.1.67 tell ns.lan2.ing-steen.se, length 46
23:49:35.517581 ARP, Request who-has 80-84-43-65.jscnet.se (00:30:88:14:ed:8d (oui Unknown)) tell 80-84-43-75.jscnet.se, length 46
23:49:35.742502 ARP, Request who-has 80-84-44-1.jscnet.se (00:30:88:14:ed:8d (oui Unknown)) tell 80-84-44-13.jscnet.se, length 46
23:49:35.804651 ARP, Request who-has 80-84-40-11.jscnet.se (Broadcast) tell 80-84-40-1.jscnet.se, length 46

I see lot of ARP requests from other vlans…
I tried to check Switch → VLAN Level isolation and MAC level isolation.

If I connect to one of the Ciso2960 accessport’s belonging to vlan200 I do not see them, so here is some problem.

But exept that all is working as far I can see.

Anyone who can help me sort this out ?

3

Hi steen… so… I had same problem.. but my job is easier… I want isolate vlans… I want port 1 e 2 talk to port 5 and 6 and 7… but port 5, 6 and 7 not talk one each other… but, I can’t… do you have any idea about this?

4

Hello dburigo!

I kept monitoring the one of the access ports attached to vlan id = 200 in my case for several hours.
I also did a lot of tests, faking IP addresses which belongs to neighbor vlans etc. trying to provoke an IP clash, also dhcp activities.

I was not able to causing any IP clashes, and dhcp addresses are delivered correctly only to clients in respective vlans, not was I able to connect to any server whilst being in wrong vlan so to say.

So far, all looks ok, exept that I see these arp broadcasts, who has… please tell.. and some else stuff.

It means, the vlans is not fully isolated by means they are leaking some kind of traffic, but it seems not to disturb something.

I did not fins any Spanning Tree algorithm/protocol to activate for the switch, so I will not put this in production, it is to dangerous in an enterprise network.

And yes, I tried to check that isolate vlans checkbox in switch menu.

5

I have read, that the trunking (LAG 802.3ad) is not supported by the switch.

This feature is necessary for my project.
Will there be a date, when it would be available?

I want to see that feature as part of the switch and not of the management cpu.

Project VMWare fault tolerance scenario:
2 Server with a 4x LAG to switch (8ports total)
1 Storage system 2x LAG to switch (2 Ports total)

The project is just for evaluation atm.
But i would like to use a mikrotik switch :slight_smile:

6

We have similar problems using IBM VIO servers, we need dual etherchannel with 4 ethernet ports in each leg from two different switches. This did not work at all at moment.

7

Hello Folks!

During the upcoming weekend I will try to put the dual CRS in production.

It is a dual legged configuration and we skip the etherchannels to the benefit of servers own interface failover capability in case of one port/cable/switch is out.

I got some more input from our distributor that say there is some setting in switch menu where you can set “drop if vlan does not match” or similar, however yet we had no time for a further investigation.

I will be back with information and configuration after the weekend.

8

Quoting myself. Here is the result:
We did not put them in production due to vlans in the switch “leak”, no matter what setting and configuration they simply leak traffic, between vlans so they are not isolated in RoS6.7.
From MT support I got that RoS6.8 release candidate have solved that problem, we wait for RoS6.8 stable release is out.
No more attempts will be performed before that. As long the CRS could be used as a soho device with 24 ports, but that is not for us anyway :slight_smile: