ANNOYED by MT wiki on switch chip features

" Packets without vlan tag are treated just like if they had a vlan tag with port default-vlan-id. This means that if “vlan-mode=check or secure” to be able to forward packets without vlan tags you have to add a special entry to vlan table with the same vlan id set according to default-vlan-id. "

Can we have an example??

Also, following your example of hybrid+access+trunk ports, MAC server breaks… even on ports that aren’t part of switch VLAN WHEN switch1-cpu vlan-mode=secure. FINE with fallback. Although it’s unclear if fallback is what I want.

ALSO are we supposed to add switch1-cpu to ALL switch vlans? PLEASE CLARIFY

Can MIKROTIK please revisit the wiki and make sure everything works perfect?

Just trying to have NORMALLY working trunk+access ports on CRS326. Can’t imagine it’s that hard.

ether1 - no vlans, no switch vlans, no nothing. only want WINBOX on this (in case of emergency)
ether2 - master for the rest of the ports. access port 99 with mac winbox
ether3 - trunk, 10,20,90,99
ether4 - trunk, 10,20,90,99
ether5 - access 90 with mac winbox
ether6 - access 90 with mac winbox

SERIOUSLY, how? I’ve tried NUMEROUS combinations. I think vlan-mode=secure is causing difficulties.

I wish MikroTik switching UI was more like Cisco’s.

While I find MikroTik’s routing stuff super intuitive, switching is like being made by another company completely. Everything switching related is pretty un-intuitive and complex IMHO.

Let’s just hope that all these issues will be ironed out as time passes since they are now focused on UI improvements for switching (using bridges/hw offloading).

They had better fix it in 6.41. I’m not even doing anything complex.

I’ve seen other quirkiness with switch vlan, which I can’t explain in simple words.

When I specify mac server on ether1, I expect it to just work. ESPECIALLY when the port is not assigned to any vlan. or any service or anything.

Hello,
Here is an example for the statement about vlan-mode “check” and “secure” to allow forwarding of untagged packets. The port default vlan-id is 1, therefore it has to be added to VLAN table before enabling “check” or “secure” mode.

[admin@MikroTik] > interface ethernet switch port print 
Flags: I - invalid 
 #   NAME              SWITCH              VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1            switch1             fallback  leave-as-is                  1
 1   ether2            switch1             fallback  leave-as-is                  1
 2   ether3            switch1             fallback  leave-as-is                  1
 3   ether4            switch1             fallback  leave-as-is                  1
 4   ether5            switch1             fallback  leave-as-is                  1
[admin@MikroTik] /interface ethernet switch vlan> add switch=switch1 vlan-id=1 \
ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu 
[admin@MikroTik] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid 
 #   SWITCH                              VLAN-ID PORTS                             
 0   switch1                                   1 ether1                            
                                                 ether2                            
                                                 ether3                            
                                                 ether4                            
                                                 ether5                            
                                                 switch1-cpu

Probably, the missing VLAN entry and vlan-mode “secure” is the reason why MAC server stops working.
And the ports which are not part of the switched port group still communicate through “switch1-cpu” port. Switch1-cpu port has to be configured for all VLAN traffic which is supposed to be forwarded to device itself to access management and RouterOS services.

Since RouterOS v6.41rc, there is a new VLAN configuration for CRS3xx switches. Please consider using it instead of the old one.
https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering
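
An added example, not part of the original post and not MikroTik code: a pre-flight check that parses `switch port print` and `switch vlan print` output in the format shown above and lists the ports whose untagged traffic would stop being forwarded once vlan-mode is set to “check” or “secure”. The sample tables are constructed, the function names are hypothetical, and the port-membership test reflects the stricter “secure” behaviour as described in MikroTik's switch chip documentation rather than in this thread.

```python
import re

# Constructed sample in the format of the print output quoted above:
# ether2 is missing from VLAN 1 and ether5 uses default-vlan-id 90.
PORT_PRINT = """\
 #   NAME              SWITCH              VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1            switch1             fallback  leave-as-is                  1
 1   ether2            switch1             fallback  leave-as-is                  1
 2   ether5            switch1             fallback  leave-as-is                 90
"""
VLAN_PRINT = """\
 #   SWITCH                              VLAN-ID PORTS
 0   switch1                                   1 ether1
                                                 switch1-cpu
"""

def parse_ports(text):
    """Return {port name: default-vlan-id} from `switch port print` rows."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\d+)\s*$", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports

def parse_vlans(text):
    """Return {vlan-id: set of member ports}; indented rows continue an entry."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), set())
            current.add(m.group(2))
        elif current is not None and re.match(r"\s+\S+\s*$", line):
            current.add(line.strip())
    return vlans

def preflight(ports, vlans, cpu="switch1-cpu"):
    """List what would stop untagged traffic once check/secure is enabled."""
    findings = []
    for name, pvid in sorted(ports.items()):
        members = vlans.get(pvid)
        if members is None:
            findings.append(f"{name}: no VLAN table entry for default-vlan-id {pvid}")
        elif name not in members:
            findings.append(f"{name}: not a member of VLAN {pvid}")
        elif cpu not in members:
            findings.append(f"{name}: VLAN {pvid} lacks {cpu} (no access to the device itself)")
    return findings
```

Calling `preflight(parse_ports(PORT_PRINT), parse_vlans(VLAN_PRINT))` on the constructed sample reports ether2 and ether5; an empty list means every port's default-vlan-id has a matching entry that includes the port and the CPU port.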

I currently have a CRS326 and RouterOS 6.40.4.

Based on your recommendation, reviewing the Wiki page for using bridging on access and trunk ports CRS3xx switches; should we not add VLANs to the Master port any longer? Instead add the VLANs to the bridge instead of the master port??
If I am understanding correctly, I am looking at VLAN example #1 Trunk and access ports (Manual:Interface/Bridge Wiki), if I have trunk ports slaved to the master port with three VLANs (as an example), the bridging example will not work? I am trying to get my head wrapped around this.

Strong recommendation to move to 6.41rc instead of 6.40.4?
Thanks
John

Hello, yes, we strongly recommend using RouterOS v6.41rc on CRS3xx switches.
Although RouterOS v6.41 is still in release candidate stage, the switch VLAN features for CRS3xx switches in it provide more functionality, they are well tested and work stable.

Any switch VLAN configuration works with as many VLAN trunks as needed - master-port is one, slave ports can also be VLAN trunks. The same applies to bridging by specifying multiple “tagged” ports.

Is this ever going to work on the bridge on the CRS125 without it disabling Hardware Offload when enabling VLAN filtering?
Or are we stuck forever with having to use the Switch chip programming as in the past?