Can't use vlan 1 as management vlan

I’ve got an issue with understanding how to use VLAN 1 as a management VLAN on a Mikrotik device. I’ve been doing the tests on a hAP ac² with a switch CPU which is not capable of VLAN filtering in hardware, therefore I used the approach depicted here: https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip. Using another VLAN ID for the management VLAN is not an option as the entire infrastructure uses it. The only workaround could be to use it as untagged traffic on the trunk port, but that would be entirely inconsistent with the rest of the infrastructure. Another option could be to rename the ID on the fly - like VLAN 1 ingress renamed to VLAN 99 on the Mikrotik and the other way round on egress - I don’t know if Mikrotik can handle that.

I’ve been using the following config with VLAN 150 as a management VLAN - connections to the switch’s address 192.168.0.70 work both via VLAN 150 on the trunk interface as well as via the access port ether2:

# jan/02/1970 00:44:39 by RouterOS 6.46.3
# software id = BGF7-UZLL
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=bridge

/interface vlan
add interface=bridge name=OAM vlan-id=150

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=150 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=OAM

/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether3,ether4,ether5 switch=switch1 vlan-id=50
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=150

/ip address
add address=192.168.0.70/24 interface=OAM network=192.168.0.0

/ip route
add distance=1 gateway=192.168.0.2

The funny thing is - if I replace the VLAN ID 150 with the ID 1 and configure an appropriate IP address/gateway from the VLAN 1 subnet, I can’t connect to the switch anymore.
The only thing that lets this work partially is replacing “set switch1-cpu vlan-mode=secure” with “set switch1-cpu vlan-mode=disabled”; then at least I can connect to the switch through VLAN 1 on the trunk interface (but not through the access port ether2).

What am I missing and doing wrong here?

Cheers
spi

IIRC, under /interface ethernet switch port you need to use vlan-header=leave-as-is on the hAP ac², etc.

A bridge has two personalities: it is both like a switch and also an interface to the CPU. The VLAN interface should not be added as a member of the bridge - remove “add bridge=bridge interface=OAM” from under /interface bridge port.

Currently it is

/interface ethernet switch port> pri
Flags: I - invalid 
 #   NAME                           SWITCH                          VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1                         switch1                         secure    add-if-missing            auto
 1   ether2                         switch1                         secure    always-strip                 1
 2   ether3                         switch1                         secure    always-strip                50
 3   ether4                         switch1                         secure    always-strip                50
 4   ether5                         switch1                         secure    always-strip                50
 5   switch1-cpu                    switch1                         secure    leave-as-is               auto

Which one needs leave-as-is?
I am following here the wiki https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip

Tried that, didn’t work. And as said - if I use VLAN 150 instead of 1 it works. With VLAN 1 it doesn’t.
And I am following exactly what https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip suggests.

Update: I tried a different configuration with VLAN filtering (adapted from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1). It works. The switch is accessible on its management IP in VLAN 1 via the trunk and the access port.
If I do switching from one access port to the trunk port with Gigabit wire speed the CPU load of one core goes up to around 60-70%. I can live with that.
(With the previous configuration CPU load stays at 0% while switching from one to another port with Gigabit wire speed.)

The config I used is:

# jan/02/1970 00:01:22 by RouterOS 6.46.3
# software id = BGF7-UZLL
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=1

/interface list
add name=BASE

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=150
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=150
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 pvid=4000

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 untagged=ether2 vlan-ids=1
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=50
add bridge=BR1 tagged=ether1 untagged=ether4,ether5 vlan-ids=150

/ip address
add address=192.168.254.70/24 interface=BASE_VLAN network=192.168.254.0

/ip route
add distance=1 gateway=192.168.254.1

Does anyone have any other idea why the other config does not work with VLAN ID 1?

Not fully tested, but this seems to work on an RB2011, which has the same switch chip:

/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 11 default-vlan-id=1 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether2 switch=switch1 vlan-id=1

Will try that.

/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 11 default-vlan-id=1 vlan-mode=secure

set 1 = ether1?
set 2 = ether2?
set 11 = switch1-cpu?


Update:
Tested it. Used
set 1 = ether1
set 2 = ether2
set 11 = switch1-cpu

Does not work. The switch is not accessible on its management IP (I added that to the config as it was missing).

The above is correct; the export seems to be screwed up in 6.46.4.

Apply as per my last post, then provide a full config; maybe there is a firewall rule or something preventing access.

Use “export hide-sensitive”.

As a rule, don't try to use VLAN 1 as a management VLAN or as a separate VLAN; you will come unstuck with vendors and some Linux kernel versions.
In the Cisco world VLAN 1 is the native VLAN, e.g. the default layer 2 traffic on an unconfigured switch.
Googling ‘vlan 1’ or ‘native vlan’ gives so many varied responses. It's easier to avoid. For me, I use VLAN 1000 for my management on MT devices, never any issues.
Maybe as a rule use 2 and above!

https://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=11

Here’s the entire config I’ve been using so far which doesn’t work:

# jan/02/1970 00:09:18 by RouterOS 6.46.3
# software id = BGF7-UZLL
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge name=OAM vlan-id=1
/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/port
set 0 baud-rate=115200 name=usb1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name=wifi name-for-users="" override-shared-users=off owner=admin price=0 starts-at=logon validity=0s
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=OAM
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether3,ether4,ether5 switch=switch1 vlan-id=50
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=1
/ip address
add address=192.168.254.70/24 interface=OAM network=192.168.254.0
/ip route
add distance=1 gateway=192.168.254.1
/tool user-manager database
set db-path=flash/user-manager

I’ve been playing with assigning different “default-vlan-id” values to ether1 (default-vlan-id=4000, unused) and to switch1-cpu (default-vlan-id=1) in “/interface ethernet switch port” without success.

Today Mikrotik’s support gave me the right idea: I need to set both ether1 and switch1-cpu to unused VLAN IDs. So setting both to e.g. 4000 works. This config works now:

# jan/02/1970 00:09:18 by RouterOS 6.46.3
# software id = BGF7-UZLL
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge name=OAM vlan-id=1
/interface ethernet switch port
set ether1 default-vlan-id=4000 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set switch1-cpu default-vlan-id=4000 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/port
set 0 baud-rate=115200 name=usb1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name=wifi name-for-users="" override-shared-users=off owner=admin price=0 starts-at=logon validity=0s
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=OAM
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether3,ether4,ether5 switch=switch1 vlan-id=50
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=1
/ip address
add address=192.168.254.70/24 interface=OAM network=192.168.254.0
/ip route
add distance=1 gateway=192.168.254.1
/tool user-manager database
set db-path=flash/user-manager

Check out both the lines for ether1 and switch1-cpu in the “/interface ethernet switch port” section. CPU load is 0% with this config compared to the other one based on VLAN filtering.

Thanks everybody for your kind support!
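To make the outcome of this thread checkable before a config is pushed, here is an added example (not from the thread or from Mikrotik) that parses the two switch-chip sections of a RouterOS export and flags the pattern the original poster hit: a tagged trunk port or the switch1-cpu port whose default-vlan-id coincides with the management VLAN. It assumes the export syntax shown above and, based only on the behaviour observed in the thread (auto works with VLAN 150, fails with VLAN 1), treats default-vlan-id=auto as colliding with VLAN 1; that mapping is an assumption, not documented fact.

```python
import re
from collections import defaultdict

# Constructed sample: the non-working switch-port section from the thread
# (default-vlan-id left at auto on ether1 and switch1-cpu) and the working
# variant with both set to the unused ID 4000.
BROKEN = """\
/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=1
"""
FIXED = (BROKEN.replace("set ether1 ", "set ether1 default-vlan-id=4000 ")
               .replace("set switch1-cpu ", "set switch1-cpu default-vlan-id=4000 "))

KV = re.compile(r"(\S+?)=(\S+)")  # key=value pairs in a RouterOS export line


def parse_export(text):
    """Return {section: [(verb, port_or_None, {key: value})]} for an export."""
    sections, section = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a new "/interface ..." section header
            section = line
            continue
        verb, _, rest = line.partition(" ")
        name = None
        if verb == "set":                 # "set <port> key=value ..."
            name, _, rest = rest.partition(" ")
        sections[section].append((verb, name, dict(KV.findall(rest))))
    return sections


def check_mgmt_vlan(text, mgmt_vlan):
    """List the ports whose default-vlan-id would collide with the management VLAN."""
    cfg, findings, mgmt_ports = parse_export(text), [], set()
    for _, _, kv in cfg["/interface ethernet switch vlan"]:
        if kv.get("vlan-id") == str(mgmt_vlan):
            mgmt_ports.update(kv.get("ports", "").split(","))
    for _, port, kv in cfg["/interface ethernet switch port"]:
        port = port or ""
        # Only tagged trunk ports and the CPU port carry the management VLAN tagged.
        tagged = kv.get("vlan-header") == "add-if-missing" or port.endswith("-cpu")
        pvid = kv.get("default-vlan-id", "auto")
        # Assumption from the thread's observations: auto behaves like VLAN 1.
        collides = pvid == str(mgmt_vlan) or (pvid == "auto" and mgmt_vlan == 1)
        if port in mgmt_ports and tagged and collides:
            findings.append(f"{port}: default-vlan-id={pvid} collides with "
                            f"management VLAN {mgmt_vlan}; set it to an unused ID")
    return findings
```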