Can't get VLAN network to work as I need (Confusion)

I have read all the documentation, I also printed it, tried a lot of configurations in the lab, but I can't understand how to get this working.

Scheme attached:

Config:

###Identity: RT-LH ###
/interface bridge
add bridge name=bridgeLSHN

/interface bridge port
add bridge=bridgeLSHN interface=sfp1 hw=yes

/interface ethernet switch vlan
add ports=sfp1 switch=switch1 vlan-id=1
add ports=sfp1 switch=switch1 vlan-id=300

/interface ethernet switch port
set sfp1 vlan-mode=secure vlan-header=add-if-missing



###Identity: SW-CAF ###
/interface bridge
add bridge name=bridgeLSHN

/interface bridge port
add bridge=bridgeLSHN interface=sfp1 hw=yes
add bridge=bridgeLSHN interface=ether1 hw=yes

/interface ethernet switch vlan
add ports=sfp1,ether1 switch=switch1 vlan-id=1
add ports=sfp1,ether1 switch=switch1 vlan-id=300

/interface ethernet switch port
set sfp1 vlan-mode=secure vlan-header=add-if-missing
set ether1 vlan-mode=secure vlan-header=add-if-missing



###Identity: SW-NOC ###
/interface bridge
add bridge name=bridgeLSHN

/interface bridge port
add bridge=bridgeLSHN interface=ether1 hw=yes
add bridge=bridgeLSHN interface=ether2 hw=yes
add bridge=bridgeLSHN interface=ether3 hw=yes

/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=1
add ports=ether1,ether2 switch=switch1 vlan-id=300
add ports=ether2,ether3 switch=switch1 vlan-id=301

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=301



###Identity: SW-FAV ###
/interface bridge
add bridge name=bridgeLSHN

/interface bridge port
add bridge=bridgeLSHN interface=ether1 hw=yes
add bridge=bridgeLSHN interface=ether2 hw=yes
add bridge=bridgeLSHN interface=ether3 hw=yes

/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=1
add ports=ether2 switch=switch1 vlan-id=300
add ports=ether2,ether3 switch=switch1 vlan-id=301

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=1
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=301

Is there anything wrong??

If it is right, how can I reach from RT-LH all the mikrotik, 60GHRadio, ptmp5GHz devices on 10.4.10.0/24 vlanid 1 and all the 10.4.11.0/23 vlanid 300 devices?

I'm really not writing after half an hour of testing; I've been almost one week on this setup, resetting and rebuilding everything from scratch.

Thanks for help!!

You have not indicated which Mikrotik models you are using. The capabilities and how you configure them differ significantly so your partial configurations may be inappropriate - in particular fast ethernet (10/100Mbit) switch chips do not support hybrid ports, and not all have SFP ports connected to the switch chip.

Aside from that, you have not included the switch1-cpu port in any of the configuration under /interface ethernet switch vlan; this will prevent access to the Mikrotik itself.

Also, from the documentation: “For devices with QCA8337 and Atheros8327 switch chips a default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignores switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works as vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as well, only default-vlan-id frames are untagged at the egress of port.”

I can't handle it, there are too many variables. I found out now that some devices do not have SFP connected to the switch chip.

So another way to keep it simple and under control is to have all devices with all ports on a bridge.

So how can I obtain the same effect of SW-FAV e3 ↔ SW-NOC e3? I have a customer that needs to connect to both sides and he doesn't need to see what's happening on my ports.

Is there any way to do that by IP? My net is 10.4.10.0/24; can I fix EOIP on a specific port, for example e3?

Thanks

Yes, all very doable with bridges and vlans.
However, use vlan99 for the management vlan, or any number you wish, and NOT pvid=1.
That is reserved as the default vlan on all equipment and should not be used to carry data etc.
Trust me, I use netgear, dlink, tplink, and mikrotik ROS for switching and routing, where one keeps the bridge vlan at default=1 (in the background).

Read this article
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Each device has its own bridge
Define the vlans
assign the bridge ports and bridge vlan settings accordingly
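
The three steps above, written out for SW-FAV as an added example (not part of any post in this thread). The port roles are inferred from the switch-chip config in the first post, VLAN 99 for management follows the last reply, and the name vlan99-mgmt and the address 10.4.10.21 are constructed. The customer VLAN 301 leaves the bridge itself out of its member list, which keeps the customer port away from the device's CPU.

```routeros
# SW-FAV, bridge VLAN filtering (added example; port roles are assumptions)
# ether1 = own device in the management VLAN, ether2 = trunk, ether3 = customer

/interface bridge
# Keep filtering off while the VLAN table is being built
add name=bridgeLSHN vlan-filtering=no

/interface bridge port
# Access port for own equipment: untagged frames are placed in VLAN 99
add bridge=bridgeLSHN interface=ether1 pvid=99 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk: tagged frames only, and only for VLANs listed in the bridge VLAN table
add bridge=bridgeLSHN interface=ether2 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Customer port: untagged frames are placed in VLAN 301, tagged frames are dropped
add bridge=bridgeLSHN interface=ether3 pvid=301 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# The bridge is a tagged member of VLAN 99 so the router's own CPU is reachable
add bridge=bridgeLSHN vlan-ids=99 tagged=bridgeLSHN,ether2 untagged=ether1
# VLAN 301 does not list the bridge: customer traffic only passes ether3 <-> ether2
add bridge=bridgeLSHN vlan-ids=301 tagged=ether2 untagged=ether3
# VLAN 300 from the original post would get its own entry in the same way

/interface vlan
# Management interface on top of the bridge (name is hypothetical)
add name=vlan99-mgmt interface=bridgeLSHN vlan-id=99

/ip address
# Constructed address inside the 10.4.10.0/24 range from the post
add address=10.4.10.21/24 interface=vlan99-mgmt

/interface bridge
# Enable filtering last, so an incomplete table does not cut off access
set bridgeLSHN vlan-filtering=yes
```

SW-NOC would mirror this with its own trunk and ether3. Whether the bridge VLAN table is handled in hardware depends on the model.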