Basic vlan layer 2 config on CRS317-1G-16S+

RouterOS General
1

Hello everyone,

i come from a Cisco/Juniper/Arista background and i am really just starting to play with Mikrotik in our lab.
I have a CRS317-1G-16S+ which we want to use as a media converter or "cloud" simulation between our Cisco Nexus or Juniper QFX devices.

I'm trying to make a very simple layer 2 setup (no inter-vlan routing what so ever) but i am struggling and i really cannot understand what is the logic behind the Router OS.

my goal is to do the following:

  • create vlan 100,200 and 3921
  • on port sfp-sfpplus3 i want to make it a trunk and ONLY allow vlan 3921 tagged
  • on port sfp-sfpplus5 and sfp-sfpplus6, i want to make it a trunk and allow ONLY vlan 100,200 and 3921 with vlan 100 as native
  • on port sfp-sfpplus7 i want to make it a trunk and allow all vlans so that i don't have to edit that interface everytime i create new vlans

in cisco terms what i would do is

vlan 100
vlan 200
vlan 3921

interface eth1/3
switchport mode trunk
switchport trunk allowed vlan 3921

interface eth1/5
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200,3921

interface eth1/6
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,200,3921

interface eth1/7
switchport mode trunk
switchport trunk allowed vlan all

\

Can someone please help me out to figure out how this config would be done?
what if i wanted one port to be an access port?

thanks a lot!

2

This tutorial should help you with ROSish …

3

Thanks, let me read it out.
If i get it working i will paste here my config that mirrors the cisco one

4

This article I wrote will probably be very helpful since you’re familiar with Cisco. It translates cisco switching configs for VLANs to the MikroTik equivalent.

https://stubarea51.net/2019/02/06/cisco-to-mikrotik-switching-and-vlans/

5

Guys you are my saviours!

i will publish here my config once done but i begin to see the light :slight_smile:

one thing that seems to be very annoying is that if i had vlan 100-300 to port1 , and then i go to add vlan 100 to port2, it will complain as vlan is already added.

[admin@MKTK-SW02] /interface bridge vlan> add bridge=bridge1 tagged=port-channel1 vlan-ids=100-300
[admin@MKTK-SW02] /interface bridge vlan> add bridge=bridge1 tagged=eth5 vlan-ids=100                 
failure: vlan already added

i am trying to understand if i really have to create 1 entry per vlan, or if i will have to find some way to optimize this in something like

[admin@MKTK-SW02] /interface bridge vlan> add bridge=bridge1 tagged=port-channel1,eth5 vlan-ids=100                 
[admin@MKTK-SW02] /interface bridge vlan> add bridge=bridge1 tagged=port-channel1 vlan-ids=101-300

it seems to be overly complicated for no real reason..


for the moment the config i have is like this (no way to be final)

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=9216 mtu=9000 name=eth1
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216 mac-address=CC:2D:E0:A2:70:99 mtu=9000 name=eth2
set [ find default-name=sfp-sfpplus3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full comment="ETH3 - Connection to Juniper" l2mtu=9216 mtu=9000 name=eth3
set [ find default-name=sfp-sfpplus4 ] l2mtu=9216 mtu=9000 name=eth4
set [ find default-name=sfp-sfpplus5 ] l2mtu=9216 mtu=9000 name=eth5
set [ find default-name=sfp-sfpplus6 ] l2mtu=9216 mtu=9000 name=eth6
set [ find default-name=sfp-sfpplus7 ] l2mtu=9216 mtu=9000 name=eth7
set [ find default-name=sfp-sfpplus8 ] l2mtu=9216 mtu=9000 name=eth8
set [ find default-name=sfp-sfpplus9 ] l2mtu=9216 mtu=9000 name=eth9
set [ find default-name=sfp-sfpplus10 ] l2mtu=9216 mtu=9000 name=eth10
set [ find default-name=sfp-sfpplus11 ] l2mtu=9216 mtu=9000 name=eth11
set [ find default-name=sfp-sfpplus12 ] l2mtu=9216 mtu=9000 name=eth12
set [ find default-name=sfp-sfpplus13 ] l2mtu=9216 mtu=9000 name=eth13
set [ find default-name=sfp-sfpplus14 ] l2mtu=9216 mtu=9000 name=eth14
set [ find default-name=sfp-sfpplus15 ] l2mtu=9216 mtu=9000 name=eth15
set [ find default-name=sfp-sfpplus16 ] l2mtu=9216 mtu=9000 name=eth16
set [ find default-name=ether1 ] l2mtu=9216 mtu=9000 name=mgmt0
/interface bonding
add mode=802.3ad mtu=9000 name=port-channel1 slaves=eth1,eth2 transmit-hash-policy=layer-2-and-3

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=port-channel1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth3
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth5
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth6
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth4
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth7
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth8
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth9
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth11
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth12
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth13
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth14
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth15
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=eth16
/interface bridge vlan
add bridge=bridge1 tagged=eth3,eth5,eth6,port-channel1 vlan-ids=3921
6

It seems that in /interface bridge vlan one can only add config lines with unique combination of bridge= vlan-ids= … so defining a config line with range of VIDs complicates things later when one wants to make setup a tad more complex. Simplifying your example into 200 config lines doesn’t make much sense either.

BTW, if we constrain ourselves to slightly simpler example: you have a trunk port with a couple of VLANs and you later on decide to add another port with single VLAN, you’ do it like this:

#initial setup
/interface bridge vlan
add bridge=bridge1 vlan-ids=100 tagged=port-channel1
add bridge=bridge1 vlan-ids=200-300 tagged=port-channel1
# later addition
set bridge=bridge1 vlan-ids=100 tagged=port-channel1,eth5

Note use of set instead of add as you’re changing an existing entity rather than adding a new one.

7

Hi, just a quick question if i may, because i can’t really understand the login behind the routeros..

what’s the difference between those two commands? i understand they are required to make it the config work (simple access port) but i don’t understand why or what they do differently

/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=sfp1 pvid=100

/interface bridge vlan
add bridge=bridge1 untagged=sfp1 vlan-ids=100

i mean, an access port is a port where 1 and only 1 vlan is allowed nad traffic is untagged. (in contrast, a trunk allows multiple vlans, all tagged, with exception of 1 and only 1 untagged vlan, called native vlan)…

so what are the 2 commands doing differently? the first is saying that the port SFP1 has “port-vlan-id” set to 100.. unless i’m totally wrong here, the pvid is the untagged vlan.

the second commands says that vlan 100 is to be untagged on port SFP1 .. they seem redundant to me…

8

The first command configures ingress behaviour while the second one configures egress behaviour. Both commands are not entirely independant of each other though, setting ingress-filtering=yes establishes the dependency. Another important setting is frame-types=

It is possible to set interface to accept untagged packets on ingress (as you did with the first command) and to transmit tagged packets on egress. Doesn’t make sense, I know.

9

You’re not alone in this feeling; basically the /interface bridge vlan defines the egress behaviour, and the /interface bridge port defines the ingress behaviour. To make things even more strange, the untagged list in /interface bridge vlan items seems to be optional in the manual configuration, as it is created automatically (in the actual configuration, not in the manually set one). So if you add port P to bridge B with pvid=V, a row will appear in /interface bridge vlan with vlan-ids=V untagged=P bridge=B; if a row with vlan-ids=V and bridge=B already exists, P will be added to its untagged list. All the above is true for SOHO devices; I could never test whether it works the same on a CRS 3xx as I haven’t got one.