Configuring VLANs on CRS

Hi,

I apologize in advance if I am repeating this topic, but I didn’t find any already posted that refers to the same problem I have.

I need some advice from more experienced MikroTik users regarding VLAN configuration on CRS switches.
The scenario is as follows:
I have two CRS226-24G-2S. I do not need any routing on them, I just need to create multiple VLAN domains.
Here is the configuration I implemented on both switches:
CRS1:
/interface vlan
add interface=ether2 l2mtu=1584 name=Mgmt_VLAN vlan-id=10
/interface ethernet
set [ find default-name=ether1 ] master-port=none
set [ find default-name=ether2 ] master-port=none
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
set [ find default-name=ether13 ] master-port=ether2
set [ find default-name=ether14 ] master-port=ether2
set [ find default-name=ether15 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
set [ find default-name=ether17 ] master-port=ether2
set [ find default-name=ether18 ] master-port=ether2
set [ find default-name=ether19 ] master-port=ether2
set [ find default-name=ether20 ] master-port=ether2
set [ find default-name=ether21 ] master-port=ether2
set [ find default-name=ether22 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2
set [ find default-name=ether24 ] master-port=ether2
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether3 vlan-id=10
add ports=ether2,ether4,ether5,ether6,ether7,ether8 vlan-id=20
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=20
add tagged-ports=ether2,switch1-cpu vlan-id=10
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=10 ports=ether3 sa-learning=yes
add new-customer-vid=20 ports=ether4 sa-learning=yes
add new-customer-vid=20 ports=ether5 sa-learning=yes
add new-customer-vid=20 ports=ether6 sa-learning=yes
add new-customer-vid=20 ports=ether7 sa-learning=yes
add new-customer-vid=20 ports=ether8 sa-learning=yes
/ip address
add address=10.0.0.1/24 interface=Mgmt_VLAN network=10.0.0.0


CRS2:
/interface vlan
add interface=ether2 l2mtu=1584 name=Mgmt_VLAN vlan-id=10
/interface ethernet
set [ find default-name=ether1 ] master-port=none
set [ find default-name=ether2 ] master-port=none
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
set [ find default-name=ether13 ] master-port=ether2
set [ find default-name=ether14 ] master-port=ether2
set [ find default-name=ether15 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
set [ find default-name=ether17 ] master-port=ether2
set [ find default-name=ether18 ] master-port=ether2
set [ find default-name=ether19 ] master-port=ether2
set [ find default-name=ether20 ] master-port=ether2
set [ find default-name=ether21 ] master-port=ether2
set [ find default-name=ether22 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2
set [ find default-name=ether24 ] master-port=ether2
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether3 vlan-id=10
add ports=ether2,ether4,ether5,ether6,ether7,ether8 vlan-id=20
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=20
add tagged-ports=ether2,switch1-cpu vlan-id=10
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=10 ports=ether3 sa-learning=yes
add new-customer-vid=20 ports=ether4 sa-learning=yes
add new-customer-vid=20 ports=ether5 sa-learning=yes
add new-customer-vid=20 ports=ether6 sa-learning=yes
add new-customer-vid=20 ports=ether7 sa-learning=yes
add new-customer-vid=20 ports=ether8 sa-learning=yes
/ip address
add address=10.0.0.2/24 interface=Mgmt_VLAN network=10.0.0.0

This configuration is just for testing purposes.
The idea is to connect the two switches using port 2, which is configured as a tagged port (two VLANs need to cross this port, VLAN 10 and VLAN 20). On each switch there is one access port (untagged) in VLAN 10 (port 3) and 5 access ports in VLAN 20.
This configuration needs to achieve the following:

  1. If I connect the two switches through port 2, I must be able to ping 10.0.0.2 from CRS1 and 10.0.0.1 from CRS2 (port 2 on both switches allows VLAN 10 tagged, and these addresses are bound to the VLAN 10 interface). —> THIS IS OK.
  2. If I additionally connect my PC with static IP address 10.0.0.254/24 to port 3 on either switch, I must be able to ping both VLAN 10 interfaces on the switches. ----> THIS IS OK.
  3. If I connect my PC with static IP address 10.0.0.254/24 to any port from 4-8 (ports that belong to VLAN 20), I must NOT be able to ping the VLAN 10 interfaces on either of the two switches. -----> THIS IS OK.
  4. If I connect two PCs, one with static IP address 10.0.0.254/24 to port 3 on CRS1 and the other with static IP 10.0.0.253/24 to port 3 on CRS2, these two PCs must be able to ping each other (they are both connected to access ports in VLAN 10, and the two switches are connected through a tagged port that allows VLAN 10 to pass through). ------> THIS IS OK.
  5. If I connect two PCs, one with static IP address 10.0.0.254/24 to port 3 on CRS1 (access port in VLAN 10) and the other with static IP 10.0.0.253/24 to port 4 on CRS2 (access port in VLAN 20), these two PCs must NOT be able to ping each other, because they are connected to different VLANs, even though their IP parameters are as if they were in the same subnet. -------> THIS IS NOT OK!!!

As you can see from the tests explained above, what is confusing me is why I am able to ping one PC from the other if I connect them to two different VLANs. Just to make a note: I have also tested connecting these two PCs (with the IP settings given above) to two ports on the SAME switch, one PC in port 3 (VLAN 10) and the other PC in port 4 (VLAN 20), and they cannot ping each other, as it should be.

It appears as though, when traffic passes through the link between the switches, something happens and the ping is successful (and it shouldn’t be if my PCs are in different VLANs).
Note for the end: I am not using ports 9 through 24 at all in this testing, so they have no relation to these tests…

Can anybody give me some advice or opinion what is happening?

Also, one more question. Is it possible that there is no STP support at all if I use VLAN switching instead of bridging? Because, with this given configuration, I also tested whether STP is running (even though I couldn’t find anywhere under the switch options where I can configure STP, unless I use bridges, which I do not want), and STP is not running. If I directly connect, for example, port 4 on CRS1 with port 5 on CRS1 (both ports in the same VLAN 20), a loop is created (neither of the ports goes into blocking state) and of course, as always when a loop is present, the CPU of the switch is overwhelmed until I unplug one end of the cable…

Thanks a lot.
Kind regards,
Jovana

You should add invalid/unknown VLAN filtering to your current configuration:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Unknown.2FInvalid_VLAN_filtering

Hi,

first of all, thank you for support.

I have set it up on both switches, and it still doesn’t help. I can still ping between the two PCs if one is connected to a port in VLAN 10 on CRS1 and the other is connected to a port in VLAN 20 on CRS2 (for example).

What I have noticed additionally is that as soon as I created ether2 as master port and added all ports from ether3 to ether24 to it, one dynamic VLAN was created (VLAN 4091) which, of course, I cannot delete or disable, nor delete a port entry from… One thing I can presume is that this ping is somehow possible due to this VLAN, which should not happen, because the packet should traverse this way:

  1. I send a ping as an untagged packet from PC1 connected to port 3 (access port in VLAN 10) on the CRS1 switch.
  2. When port 3 receives the packet, it tags it with VLAN 10.
  3. If the switch does not know where the destination MAC address of this packet is, it should propagate the packet to all ports that belong to VLAN 10. This way, the packet is sent to port 2, which is defined as a port with an egress-vlan-tag rule (to accept and forward packets in VLAN 10 and 20).
  4. Port 2 on the CRS1 switch should transfer this packet untouched toward CRS2 (when I say untouched, I mean it will not remove the tag with ID=10 from the packet).
  5. The CRS2 switch receives this packet on port 2, which is defined with an egress-vlan-tag rule (to accept tagged packets in VLAN 10 and VLAN 20).
  6. The CRS2 switch should now, if it doesn’t know where the destination MAC address of the packet is, forward the packet to all ports that are in VLAN 10 (except the port through which it received the packet, of course). This means that it should only send the packet to the ether3 port of CRS2, which is defined as an access port in VLAN 10 (using an ingress-vlan-translation rule).

This is how it should be… But, for some reason, the ping packet passes even if PC2 is connected to port 4 on the CRS2 switch, which is defined as an access port in VLAN 20 (not VLAN 10). From this point, I am not sure what happens when the packet is received on port 2 of the CRS2 switch (or how it is sent from port 2 on the CRS1 switch in the first place). I could try to look it up by sniffing the traffic on ports ether2 of both switches, but something is definitely not right…

One more reason why I suspect that VLAN 4091 somehow causes this trouble is that if I leave one PC in a port in VLAN 10 on CRS1 but connect the other PC to, e.g., port 12 of the CRS2 switch (which is not defined to be in any VLAN; it is left only as a slave to the ether2 master port), I can still ping them mutually. I guess the reason is that port 12 is a slave to the ether2 master port, and automatically belongs to this dynamic VLAN 4091…

Do you have any idea what I can try next?

Thank you very much.
Regards,

I did not see it in your posted configuration, but you may have a multiple master-port configuration due to dynamic VLAN 4091.
Multiple master-port configuration is designed as a fast and simple port isolation solution, but it limits part of the VLAN functionality supported by the CRS switch chip. Dynamic VLAN 4091 is created when the second master-port is configured, and it imposes VLAN restrictions on the second master-port group. If you make the same VLAN configuration with one master-port, VLANs should work on all ports and the functionality will be the same.
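The two things worth checking in an export before going further are exactly what the reply above and the packet walk-through in the previous post describe: whether the export defines more than one master-port group, which ports in the switch group are members of no configured VLAN, and which ports a frame from an access port would be flooded to according to the VLAN table. The script below is an added example written for this thread, not code from the thread or from MikroTik. Its sample export is constructed: the CRS1 config from the first post trimmed to a few ports, plus the ether1/sfp1/sfp2 master group that the poster later confirms was still present. The property name used for the unknown/invalid VLAN filter is assumed from the linked wiki page's example and should be checked against your RouterOS version. The flood model only shows what the VLAN table says should happen with a single master group; it does not model the switch chip's actual behaviour with dynamic VLAN 4091.

```python
"""Audit a CRS (switch-chip VLAN mode) RouterOS export for the pitfalls in this
thread: a second master-port group (the dynamic VLAN 4091 condition named in the
reply above), slave ports in no configured VLAN (the 'port 12' observation), and
missing unknown/invalid VLAN filtering.  Also walks an untagged frame through
the VLAN table the way the walk-through in the previous post does.
Added example, not code from the thread or from MikroTik."""
import re
from collections import defaultdict

# CONSTRUCTED export: the thread's CRS1 config trimmed to a few ports, plus the
# default ether1/sfp1/sfp2 master group the poster later says was still present.
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether1 ] master-port=none
set [ find default-name=sfp1 ] master-port=ether1
set [ find default-name=sfp2 ] master-port=ether1
set [ find default-name=ether2 ] master-port=none
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether3 vlan-id=10
add ports=ether2,ether4 vlan-id=20
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=20
add tagged-ports=ether2,switch1-cpu vlan-id=10
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=10 ports=ether3 sa-learning=yes
add new-customer-vid=20 ports=ether4 sa-learning=yes
"""

# Remediation as the thread resolves it: a single master port, plus the
# unknown/invalid VLAN filter from the linked wiki page.  The property name is
# ASSUMED from that page's example; verify it on your RouterOS version.
FILTER_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"
FILTER_FIX = f"/interface ethernet switch\nset {FILTER_KEY}=ether2,ether3,ether4\n"
FIXED_EXPORT = SAMPLE_EXPORT.replace("master-port=ether1", "master-port=ether2") + FILTER_FIX


def _kv(line):
    """key=value pairs on one export line (the '[ find ... ]' wrapper is ignored)."""
    return dict(re.findall(r"([\w-]+)=(\S+)", line))


def parse_export(text):
    cfg = {"master_of": {}, "vlans": defaultdict(set), "pvid": {}, "filtered": set()}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # section header, e.g. "/interface ethernet switch vlan"
            section = line
            continue
        kv = _kv(line)
        if section == "/interface ethernet" and "default-name" in kv:
            cfg["master_of"][kv["default-name"]] = kv.get("master-port", "none")
        elif section == "/interface ethernet switch vlan" and "vlan-id" in kv:
            cfg["vlans"][int(kv["vlan-id"])].update(kv["ports"].split(","))
        elif section == "/interface ethernet switch ingress-vlan-translation" and "new-customer-vid" in kv:
            for port in kv["ports"].split(","):
                cfg["pvid"][port] = int(kv["new-customer-vid"])
        elif section == "/interface ethernet switch" and FILTER_KEY in kv:
            cfg["filtered"].update(kv[FILTER_KEY].split(","))
    return cfg


def master_groups(cfg):
    """master port -> its slave ports; more than one group is the 4091 condition."""
    groups = defaultdict(list)
    for port, master in cfg["master_of"].items():
        if master != "none":
            groups[master].append(port)
    return dict(groups)


def audit(cfg):
    findings = []
    groups = master_groups(cfg)
    if len(groups) > 1:
        desc = "; ".join(f"{m}: {','.join(s)}" for m, s in groups.items())
        findings.append(f"{len(groups)} master-port groups ({desc}): a second group creates "
                        "dynamic VLAN 4091 and limits switch-chip VLAN handling; keep one master port")
    in_vlan = {p for ports in cfg["vlans"].values() for p in ports}
    for master, slaves in groups.items():
        for port in [master] + slaves:
            if port not in in_vlan:
                findings.append(f"{port} is in master group {master} but in no configured VLAN")
    missing = sorted((in_vlan - {"switch1-cpu"}) - cfg["filtered"])
    if missing:
        findings.append("unknown/invalid VLAN filtering not enabled on " + ",".join(missing))
    return findings


def flood_untagged(cfg, ingress):
    """Steps 2-3 of the walk-through: an untagged frame on an access port gets that
    port's VID and, with an unknown destination MAC, is flooded to every other member
    of that VLAN.  A port with no VID entry floods nowhere in this table-only model."""
    vid = cfg["pvid"].get(ingress)
    if vid is None:
        return None, set()
    return vid, set(cfg["vlans"].get(vid, set())) - {ingress}


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        cfg = parse_export(text)
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
        print(" ether3 floods to", flood_untagged(cfg, "ether3"), "| ether12:", flood_untagged(cfg, "ether12"))
```

Run against your own `/export` output instead of the constructed text; on the posted config it reports two master groups, the unused slaves with no VLAN membership, and the missing filter, while the remediated export reports only the spare SFP slaves left outside every VLAN.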

Yes, you are right, I left ether1 as a master port with the two SFP ports as its slaves (this is left over from the default config, or should I say, I haven’t changed the configuration of these three ports).

Ok, I’ll try with your directions, and let you know if I succeed.

Thank you very much for support.
Regards,
Jovana

Hi,

just to inform you that the problem was definitely the second master port (I had left ether1 as a master port, which is the default configuration). As soon as I changed it so that only ether2 is a master port and all others are slaves to it, VLAN 4091 was erased, and no more leakage between VLANs on different switches happened.
Thank you very much for your support!

p.s. What about STP support in switching? I tried the commands for traffic storm control, but still, if I make a loop, after a while the switch cannot process that much traffic and the entire VLAN in which the loop is made gets stuck (which is the expected behaviour when there is no STP running)…

Kind regards,
Jovana