CRS Example (Help Needed)

So I am trying to do something similar to a port based VLAN with very specific settings. I need:

Port 1 - Trunk - Tagged VLANs 1/100/1003
Port 2 to 10 - Untagged VLAN 100
Port 11 to 23 - Untagged VLAN 100 and Tagged VLAN 1003
Port 24 - Untagged VLAN 1

I also need to ensure that the VLANs are secured (e.g. “SECURE” mode on the 260GS) such that VLAN 1 isn’t accessible on Port 2 to 23, etc… basically VLANs are only on those ports which they are specified.

I also need VLAN 1 to be on the CPU port and assigned the IP 10.1.1.2/24

All of the rest of the VLANs should just pass through as a switch…


I was trying to use the Port Based VLAN Example (http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN), but that doesn’t seem to have any security or anything… and I also can’t figure out how to get the one port as both tagged and untagged traffic.

What I have so far is:
/interface ethernet
set [ find default-name=ether1 ] name=ether01-gateway
set [ find default-name=ether2 ] master-port=none name=ether02-master-trunk
set [ find default-name=ether3 ] master-port=ether02-master-trunk name=ether03-slave-trunk
set [ find default-name=ether4 ] master-port=ether02-master-trunk name=ether04-slave-trunk
set [ find default-name=ether5 ] master-port=ether02-master-trunk name=ether05-slave-trunk
set [ find default-name=ether6 ] master-port=ether02-master-trunk name=ether06-slave-trunk
set [ find default-name=ether7 ] master-port=ether02-master-trunk name=ether07-slave-trunk
set [ find default-name=ether8 ] master-port=ether02-master-trunk name=ether08-slave-trunk
set [ find default-name=ether9 ] master-port=ether02-master-trunk name=ether09-slave-trunk
set [ find default-name=ether10 ] master-port=ether02-master-trunk name=ether10-slave-trunk
set [ find default-name=ether11 ] master-port=ether02-master-trunk name=ether11-slave-trunk
set [ find default-name=ether12 ] master-port=ether02-master-trunk name=ether12-slave-trunk
set [ find default-name=ether13 ] master-port=ether02-master-trunk name=ether13-slave-trunk
set [ find default-name=ether14 ] master-port=ether02-master-trunk name=ether14-slave-trunk
set [ find default-name=ether15 ] master-port=ether02-master-trunk name=ether15-slave-trunk
set [ find default-name=ether16 ] master-port=ether02-master-trunk name=ether16-slave-trunk
set [ find default-name=ether17 ] master-port=ether02-master-trunk name=ether17-slave-trunk
set [ find default-name=ether18 ] master-port=ether02-master-trunk name=ether18-slave-trunk
set [ find default-name=ether19 ] master-port=ether02-master-trunk name=ether19-slave-trunk
set [ find default-name=ether20 ] master-port=ether02-master-trunk name=ether20-slave-trunk
set [ find default-name=ether21 ] master-port=ether02-master-trunk name=ether21-slave-trunk
set [ find default-name=ether22 ] master-port=ether02-master-trunk name=ether22-slave-trunk
set [ find default-name=ether23 ] master-port=ether02-master-trunk name=ether23-slave-trunk
set [ find default-name=ether24 ] master-port=none name=ether24-master-management
set [ find default-name=sfp1 ] master-port=ether02-master-trunk name=sfp01-slave-trunk

/interface vlan
add interface=ether02-master-trunk l2mtu=1584 name=vlan-management-ether02 vlan-id=1

/interface bridge port
add bridge=bridge-management interface=vlan-management-ether02

/ip address
add address=10.1.0.2/24 comment=Management interface=bridge-management network=10.1.0.0

/interface ethernet switch egress-vlan-translation
add port=ether02 customer-vid=100 new-customer-vid=0
add port=ether03 customer-vid=100 new-customer-vid=0
add port=ether04 customer-vid=100 new-customer-vid=0
add port=ether05 customer-vid=100 new-customer-vid=0
add port=ether06 customer-vid=100 new-customer-vid=0
add port=ether07 customer-vid=100 new-customer-vid=0
add port=ether08 customer-vid=100 new-customer-vid=0
add port=ether09 customer-vid=100 new-customer-vid=0
add port=ether10 customer-vid=100 new-customer-vid=0

add port=ether11 customer-vid=100 new-customer-vid=0
add port=ether12 customer-vid=100 new-customer-vid=0
add port=ether13 customer-vid=100 new-customer-vid=0
add port=ether14 customer-vid=100 new-customer-vid=0
add port=ether15 customer-vid=100 new-customer-vid=0
add port=ether16 customer-vid=100 new-customer-vid=0
add port=ether17 customer-vid=100 new-customer-vid=0
add port=ether18 customer-vid=100 new-customer-vid=0
add port=ether19 customer-vid=100 new-customer-vid=0
add port=ether20 customer-vid=100 new-customer-vid=0
add port=ether21 customer-vid=100 new-customer-vid=0
add port=ether22 customer-vid=100 new-customer-vid=0
add port=ether23 customer-vid=100 new-customer-vid=0

add port=ether24 customer-vid=1 new-customer-vid=0

/interface ethernet switch ingress-vlan-translation
add port=ether02 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether03 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether04 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether05 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether06 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether07 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether08 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether09 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether10 customer-vid=0 new-customer-vid=100 sa-learning=yes

add port=ether11 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether12 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether13 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether14 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether15 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether16 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether17 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether18 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether19 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether20 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether21 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether22 customer-vid=0 new-customer-vid=100 sa-learning=yes
add port=ether23 customer-vid=0 new-customer-vid=100 sa-learning=yes

add port=ether24 customer-vid=0 new-customer-vid=1 sa-learning=yes

I’m looking at the features:
/interface ethernet switch
set drop-if-no-vlan-assignment-on-ports
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports
set invalid-vlan-lookup-mode
set vlan-level-isolation

/interface ethernet switch port
set filter-tagged-frame
set filter-untagged-frame

/interface ethernet switch vlan

/interface ethernet switch egress-vlan-tag

But their documentation and examples are completely lacking.

In RouterOS v6.10 there are few problems which restrict some of the commonly used switch settings.
Security using VLAN table and tagging on CPU port are planned to be fixed in the next few RouterOS releases.

To make tagged and untagged traffic work on the same port your current configuration does not require additional settings.
“Port 11 to 23 - Untagged VLAN 100 and Tagged VLAN 1003” already works because translation rules change VID for untagged traffic and tagged traffic is not blocked.

In v6.10 you may use frame filtering on the ports to ensure some level of security:

/interface ethernet switch port
  set filter-tagged-frame
  set filter-untagged-frame
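
The reply above can be checked against the requested port layout with a small model. This is an added example, not part of the original posts and not MikroTik code. It assumes that untagged frames take the VID from the posted ingress translation rule and that tagged frames keep their VID unless the port filters tagged frames; the names `ingress`, `audit` and `leaky_ports` are hypothetical.

```python
# Simplified model (assumption): untagged frames take the VID from the ingress
# translation rule; tagged frames keep their VID unless the port filters them.
VIDS = (1, 100, 1003)

# Intended policy from the first post: port -> (untagged VID, allowed tagged VIDs)
POLICY = {1: (None, {1, 100, 1003}), 24: (1, set())}
POLICY.update({p: (100, set()) for p in range(2, 11)})
POLICY.update({p: (100, {1003}) for p in range(11, 24)})

# Ingress translation rules as posted: customer-vid=0 -> new-customer-vid
TRANSLATE = {**{p: 100 for p in range(2, 24)}, 24: 1}


def ingress(port, tag, filter_tagged=(), filter_untagged=()):
    """Return the VID a frame is forwarded in, or None if it is dropped."""
    if tag is None:
        if port in filter_untagged:
            return None
        return TRANSLATE.get(port, 0)  # 0 = no VLAN assigned (model assumption)
    return None if port in filter_tagged else tag


def audit(filter_tagged=(), filter_untagged=()):
    """List (port, frame, problem) where enforcement differs from POLICY."""
    findings = []
    for port, (untagged_vid, tagged_ok) in sorted(POLICY.items()):
        got = ingress(port, None, filter_tagged, filter_untagged)
        if untagged_vid is None and got is not None:
            findings.append((port, "untagged", "leak"))
        elif untagged_vid is not None and got != untagged_vid:
            findings.append((port, "untagged", "broken"))
        for vid in VIDS:
            passed = ingress(port, vid, filter_tagged, filter_untagged) is not None
            if passed and vid not in tagged_ok:
                findings.append((port, f"tagged {vid}", "leak"))
            elif not passed and vid in tagged_ok:
                findings.append((port, f"tagged {vid}", "broken"))
    return findings


def leaky_ports(findings):
    """Ports that accept at least one frame the policy does not allow."""
    return sorted({port for port, _, problem in findings if problem == "leak"})


if __name__ == "__main__":
    access = list(range(2, 11)) + [24]  # ports that should never see a tag
    print(leaky_ports(audit()))  # translation rules only
    print(leaky_ports(audit(access, filter_untagged=[1])))  # with frame filtering
```

In this model, frame filtering closes the access ports and the trunk, but ports 11 to 23 still accept tagged VLAN 1 and VLAN 100 frames, because filtering tagged frames there would also drop VLAN 1003.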

Any ETA? And what do you mean “next few” releases. Are we talking weeks or months? This is a major feature of the product that doesn’t really work.