Configuring two CRS125-24G-1S-RM switches for redundancy

I have two CRS125-24G-1S-RM switches that will be configured the same way and connected together on the SFP ports to provide redundancy to two routers in an active/passive cluster. Currently, two routers are connected to one switch with switch ports configured in the attachment. I need to be able to configure two CRS125-24G-1S-RM switches in this way with the following requirements:

  1. The switches should be accessible from the network on VLAN 20 (ports 3, 5, and 6) for management.
  2. One VLAN (and the ports using that VLAN) must be completely isolated from any other VLAN (and the ports using other VLANs).
  3. The SFP ports on both switches are trunk ports between the two switches, so that traffic for each VLAN (and the ports using it) passes between the switches and stays in the proper VLAN.

I am using RouterOS 6.21.1.

At first I thought I should use basic master/slave port configuration, but this would only work if I had one switch. Since I have two switches, I think I need to use VLANs between both switches.

Then, using guidance from the CRS Examples, I put together this configuration (it assumes no default configuration):
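# First attempt from the thread (RouterOS 6.21.1, CRS125-24G-1S-RM).
# The section titles are written as comments so the listing can be pasted
# without the titles being parsed as commands. The commands are unchanged.
# This listing ends with the VLAN 60 membership entry; the VLAN 70 entry
# follows it on the page.
#################
## Set sfp1 as master-port
#################
# All 24 copper ports are slaved to sfp1, which puts them in one switch
# group with sfp1 as the master port.
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
#################
## Tag incoming traffic to VLANs on access ports
#################
# Untagged frames (customer-vid=0) arriving on an access port are assigned
# that port's VLAN ID. ether21-ether24 get no rule in this attempt and are
# not listed in any VLAN membership entry either.
/interface ethernet switch ingress-vlan-translation
add ports=ether1 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether2 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether7 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether8 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether9 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether10 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether11 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether12 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether13 customer-vid=0 new-customer-vid=50 sa-learning=yes
add ports=ether14 customer-vid=0 new-customer-vid=50 sa-learning=yes
add ports=ether15 customer-vid=0 new-customer-vid=60 sa-learning=yes
add ports=ether16 customer-vid=0 new-customer-vid=50 sa-learning=yes
add ports=ether17 customer-vid=0 new-customer-vid=60 sa-learning=yes
add ports=ether18 customer-vid=0 new-customer-vid=60 sa-learning=yes
add ports=ether19 customer-vid=0 new-customer-vid=70 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=70 sa-learning=yes
#################
## Configure sfp1 as a trunk port
#################
# Frames for VLANs 10-70 leave sfp1 tagged so the peer switch can place them
# in the matching VLAN.
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1 vlan-id=10
add tagged-ports=sfp1 vlan-id=20
add tagged-ports=sfp1 vlan-id=30
add tagged-ports=sfp1 vlan-id=40
add tagged-ports=sfp1 vlan-id=50
add tagged-ports=sfp1 vlan-id=60
add tagged-ports=sfp1 vlan-id=70
#################
## Define VLAN memberships
#################
# NOTE(review): switch1-cpu is not a member of VLAN 20 and no VLAN interface
# or IP address is configured in this attempt, which is consistent with the
# author's report that the switch could not be managed on VLAN 20.
# NOTE(review): this attempt sets no ingress drop for frames with an invalid
# VLAN or from a port that is not a member of the frame's VLAN (the working
# config later in the thread sets
# drop-if-invalid-or-src-port-not-member-of-vlan-on-ports). Do not assume
# VLAN isolation from the membership table alone; verify on the device.
/interface ethernet switch vlan
add ports=sfp1,ether1,ether2,ether4 vlan-id=10 learn=yes
add ports=sfp1,ether3,ether5,ether6 vlan-id=20 learn=yes
add ports=sfp1,ether7,ether8,ether10 vlan-id=30 learn=yes
add ports=sfp1,ether9,ether11,ether12 vlan-id=40 learn=yes
add ports=sfp1,ether13,ether14,ether16 vlan-id=50 learn=yes
add ports=sfp1,ether15,ether17,ether18 vlan-id=60 learn=yes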
add ports=sfp1,ether19,ether20 vlan-id=70 learn=yes

This seems to work, but I cannot manage the switches on VLAN20. So I changed my configuration to:
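# Second attempt from the thread; the author reports that it did not work.
# The section titles are written as comments so the listing can be pasted
# without the titles being parsed as commands. The commands are unchanged.
# This listing ends with the VLAN 60 membership entry; the VLAN 70 entry
# follows it on the page.
#################
## Set sfp1 as master-port
#################
# All 24 copper ports are slaved to sfp1, as in the first attempt.
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1
set [ find default-name=ether6 ] master-port=sfp1
set [ find default-name=ether7 ] master-port=sfp1
set [ find default-name=ether8 ] master-port=sfp1
set [ find default-name=ether9 ] master-port=sfp1
set [ find default-name=ether10 ] master-port=sfp1
set [ find default-name=ether11 ] master-port=sfp1
set [ find default-name=ether12 ] master-port=sfp1
set [ find default-name=ether13 ] master-port=sfp1
set [ find default-name=ether14 ] master-port=sfp1
set [ find default-name=ether15 ] master-port=sfp1
set [ find default-name=ether16 ] master-port=sfp1
set [ find default-name=ether17 ] master-port=sfp1
set [ find default-name=ether18 ] master-port=sfp1
set [ find default-name=ether19 ] master-port=sfp1
set [ find default-name=ether20 ] master-port=sfp1
set [ find default-name=ether21 ] master-port=sfp1
set [ find default-name=ether22 ] master-port=sfp1
set [ find default-name=ether23 ] master-port=sfp1
set [ find default-name=ether24 ] master-port=sfp1
#################
## Add sfp1 to management VLAN, add address, and allow communication through switch1-cpu
#################
# vlan20 is created on the master port (sfp1) and carries the management
# address; $LANAddress is the author's placeholder for that address.
# switch1-cpu is tagged on egress for VLAN 20 so that frames handed to the
# CPU keep their VLAN tag.
# NOTE(review): switch1-cpu is tagged here but is not in the VLAN 20 member
# list at the end of this listing. The working config later in the thread
# adds it there.
/interface vlan
add name=vlan20 vlan-id=20 interface=sfp1
/ip address
add address=$LANAddress interface=vlan20
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=20
#################
## Tag incoming traffic to VLANs on access ports
#################
# Untagged frames (customer-vid=0) arriving on an access port are assigned
# that port's VLAN ID. ether21-ether24 get no rule in this attempt.
/interface ethernet switch ingress-vlan-translation
add ports=ether1 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether2 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether7 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether8 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether9 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether10 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether11 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether12 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether13 customer-vid=0 new-customer-vid=50 sa-learning=yes
add ports=ether14 customer-vid=0 new-customer-vid=50 sa-learning=yes
add ports=ether15 customer-vid=0 new-customer-vid=60 sa-learning=yes
add ports=ether16 customer-vid=0 new-customer-vid=50 sa-learning=yes
add ports=ether17 customer-vid=0 new-customer-vid=60 sa-learning=yes
add ports=ether18 customer-vid=0 new-customer-vid=60 sa-learning=yes
add ports=ether19 customer-vid=0 new-customer-vid=70 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=70 sa-learning=yes
#################
## Configure sfp1 as a trunk port
#################
# NOTE(review): VLAN 20 now has two separate egress-vlan-tag entries, the
# switch1-cpu entry in the management section above and the sfp1 entry
# below. The working config later in the thread uses one entry listing both
# ports. How the switch treats the second entry is not shown here.
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp1 vlan-id=10
add tagged-ports=sfp1 vlan-id=20
add tagged-ports=sfp1 vlan-id=30
add tagged-ports=sfp1 vlan-id=40
add tagged-ports=sfp1 vlan-id=50
add tagged-ports=sfp1 vlan-id=60
add tagged-ports=sfp1 vlan-id=70
#################
## Define VLAN memberships
#################
# NOTE(review): as in the first attempt, no ingress drop is set for frames
# with an invalid VLAN or from a non-member port, so do not assume VLAN
# isolation from this table alone.
/interface ethernet switch vlan
add ports=sfp1,ether1,ether2,ether4 vlan-id=10 learn=yes
add ports=sfp1,ether3,ether5,ether6 vlan-id=20 learn=yes
add ports=sfp1,ether7,ether8,ether10 vlan-id=30 learn=yes
add ports=sfp1,ether9,ether11,ether12 vlan-id=40 learn=yes
add ports=sfp1,ether13,ether14,ether16 vlan-id=50 learn=yes
add ports=sfp1,ether15,ether17,ether18 vlan-id=60 learn=yes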
add ports=sfp1,ether19,ether20 vlan-id=70 learn=yes

But that didn't work. I'm not sure where to go from here. I also don't know whether there is true isolation between the VLANs in this type of configuration, or whether I will need to use isolation-leakage-profile-override in /interface ethernet switch port. On the subject of isolation, I also don't know whether I would need to use /interface ethernet switch ingress-port-policer to control possible traffic storms between the VLANs.

Any help is greatly appreciated!

Anyone have any ideas? Maybe this should go in beginner basics?

No sorry, but very curious to the answer.

Was able to figure this out eventually. To help someone else out later, here’s my working config:

# Working configuration posted by the thread author (CRS125-24G-1S-RM,
# RouterOS 6.21.1 per the original post). It differs from the earlier
# attempts in four ways: ether3 is the master port instead of sfp1,
# switch1-cpu is a tagged member of VLAN 20, ether21-ether24 are added to
# VLAN 20, and an ingress drop is set for invalid or non-member VLAN frames.
#################
## Set master-port
#################
# sfp1 and every copper port except ether3 are slaved to ether3. ether3 is
# the master port, so it has no line of its own here.
/interface ethernet
	set [ find default-name=sfp1 ] master-port=ether3
	set [ find default-name=ether1 ] master-port=ether3
	set [ find default-name=ether2 ] master-port=ether3
	set [ find default-name=ether4 ] master-port=ether3
	set [ find default-name=ether5 ] master-port=ether3
	set [ find default-name=ether6 ] master-port=ether3
	set [ find default-name=ether7 ] master-port=ether3
	set [ find default-name=ether8 ] master-port=ether3
	set [ find default-name=ether9 ] master-port=ether3
	set [ find default-name=ether10 ] master-port=ether3
	set [ find default-name=ether11 ] master-port=ether3
	set [ find default-name=ether12 ] master-port=ether3
	set [ find default-name=ether13 ] master-port=ether3
	set [ find default-name=ether14 ] master-port=ether3
	set [ find default-name=ether15 ] master-port=ether3
	set [ find default-name=ether16 ] master-port=ether3
	set [ find default-name=ether17 ] master-port=ether3
	set [ find default-name=ether18 ] master-port=ether3
	set [ find default-name=ether19 ] master-port=ether3
	set [ find default-name=ether20 ] master-port=ether3
	set [ find default-name=ether21 ] master-port=ether3
	set [ find default-name=ether22 ] master-port=ether3
	set [ find default-name=ether23 ] master-port=ether3
	set [ find default-name=ether24 ] master-port=ether3
#################
## Add ether3 to management VLAN and add address
#################
# vlan20 is bound to the master port (ether3) and holds the management
# address; $LANAddress is the author's placeholder for that address.
# NOTE(review): nothing in this listing limits which management services
# answer on this address or which source addresses may reach them. That has
# to be handled separately (for example under /ip service and the firewall).
/interface vlan
	add name=vlan20 vlan-id=20 interface=ether3
/ip address
	add address=$LANAddress interface=vlan20
#################
## Tag incoming traffic to VLANs on access ports
#################
# Untagged frames (customer-vid=0) arriving on an access port are assigned
# that port's VLAN ID.
# NOTE(review): ether21-ether24 are now mapped to VLAN 20, the management
# VLAN named in the original post. Any device plugged into one of those
# ports lands on the management VLAN. If they are spare ports, consider
# disabling them or assigning them to an unused VLAN instead.
/interface ethernet switch ingress-vlan-translation
	add ports=ether1 customer-vid=0 new-customer-vid=10 sa-learning=yes
	add ports=ether2 customer-vid=0 new-customer-vid=10 sa-learning=yes
	add ports=ether3 customer-vid=0 new-customer-vid=20 sa-learning=yes
	add ports=ether4 customer-vid=0 new-customer-vid=10 sa-learning=yes
	add ports=ether5 customer-vid=0 new-customer-vid=20 sa-learning=yes
	add ports=ether6 customer-vid=0 new-customer-vid=20 sa-learning=yes
	add ports=ether7 customer-vid=0 new-customer-vid=30 sa-learning=yes
	add ports=ether8 customer-vid=0 new-customer-vid=30 sa-learning=yes
	add ports=ether9 customer-vid=0 new-customer-vid=40 sa-learning=yes
	add ports=ether10 customer-vid=0 new-customer-vid=30 sa-learning=yes
	add ports=ether11 customer-vid=0 new-customer-vid=40 sa-learning=yes
	add ports=ether12 customer-vid=0 new-customer-vid=40 sa-learning=yes
	add ports=ether13 customer-vid=0 new-customer-vid=50 sa-learning=yes
	add ports=ether14 customer-vid=0 new-customer-vid=50 sa-learning=yes
	add ports=ether15 customer-vid=0 new-customer-vid=60 sa-learning=yes
	add ports=ether16 customer-vid=0 new-customer-vid=50 sa-learning=yes
	add ports=ether17 customer-vid=0 new-customer-vid=60 sa-learning=yes
	add ports=ether18 customer-vid=0 new-customer-vid=60 sa-learning=yes
	add ports=ether19 customer-vid=0 new-customer-vid=70 sa-learning=yes
	add ports=ether20 customer-vid=0 new-customer-vid=70 sa-learning=yes
	add ports=ether21 customer-vid=0 new-customer-vid=20 sa-learning=yes
	add ports=ether22 customer-vid=0 new-customer-vid=20 sa-learning=yes
	add ports=ether23 customer-vid=0 new-customer-vid=20 sa-learning=yes
	add ports=ether24 customer-vid=0 new-customer-vid=20 sa-learning=yes
#################
## Configure sfp1 as a trunk port
#################
# sfp1 sends VLANs 10-70 tagged towards the peer switch. For VLAN 20 the
# same entry also tags switch1-cpu, so frames handed to the CPU keep the tag
# that the vlan20 interface expects.
# NOTE(review): the trunk carries every VLAN, including the one that must
# stay isolated. Isolation across the pair therefore depends on the second
# switch carrying the same membership and drop settings.
/interface ethernet switch egress-vlan-tag
	add tagged-ports=sfp1 vlan-id=10
	add tagged-ports=sfp1,switch1-cpu vlan-id=20
	add tagged-ports=sfp1 vlan-id=30
	add tagged-ports=sfp1 vlan-id=40
	add tagged-ports=sfp1 vlan-id=50
	add tagged-ports=sfp1 vlan-id=60
	add tagged-ports=sfp1 vlan-id=70
#################
## Define VLAN memberships
#################
# switch1-cpu appears only in the VLAN 20 entry, so VLAN 20 is the only VLAN
# in this table that includes the CPU port.
/interface ethernet switch vlan
	add ports=sfp1,ether1,ether2,ether4 vlan-id=10 learn=yes
	add ports=sfp1,ether3,ether5,ether6,ether21,ether22,ether23,ether24,switch1-cpu vlan-id=20 learn=yes
	add ports=sfp1,ether7,ether8,ether10 vlan-id=30 learn=yes
	add ports=sfp1,ether9,ether11,ether12 vlan-id=40 learn=yes
	add ports=sfp1,ether13,ether14,ether16 vlan-id=50 learn=yes
	add ports=sfp1,ether15,ether17,ether18 vlan-id=60 learn=yes
	add ports=sfp1,ether19,ether20 vlan-id=70 learn=yes
#################
## Disable unknown/invalid VLAN forwarding
#################
# On sfp1 and ether1-ether24, drop frames whose VLAN is invalid or whose
# ingress port is not a member of the frame's VLAN (as the setting's name
# states). This is the setting in this listing that enforces the membership
# table on ingress.
# NOTE(review): switch1-cpu is not in this port list.
# NOTE(review): the heading mentions unknown VLANs, but only the
# invalid/non-member drop is set. Check whether forward-unknown-vlan also
# has to be set to "no" on this RouterOS version to meet the isolation
# requirement.
# NOTE(review): the author's earlier questions about
# isolation-leakage-profile-override and ingress-port-policer are not
# addressed by this listing.
/interface ethernet switch
	set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24