CRS326 Management Port

mozerd · January 4, 2019, 1:14pm

Just got this Switch and I am having some difficulty understanding how to get a management port working.
following is my configuration using RouterOS currently configured as a Switch with a number of VLANs;

# jan/05/1970 13:41:53 by RouterOS 6.43.8
# software id = 6K0L-9RGW
#
# model = CRS326-24G-2S+
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7 pvid=10
add bridge=bridge comment=defconf interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether9 pvid=10
add bridge=bridge comment=defconf interface=ether10 pvid=10
add bridge=bridge comment=defconf interface=ether11 pvid=20
add bridge=bridge comment=defconf interface=ether12 pvid=20
add bridge=bridge comment=defconf interface=ether13 pvid=20
add bridge=bridge comment=defconf interface=ether14 pvid=30
add bridge=bridge comment=defconf interface=ether15 pvid=30
add bridge=bridge comment=defconf interface=ether16 pvid=40
add bridge=bridge comment=defconf interface=ether17 pvid=40
add bridge=bridge comment=defconf interface=ether18 pvid=40
add bridge=bridge comment=defconf interface=ether19 pvid=40
add bridge=bridge comment=defconf interface=ether20 pvid=50
add bridge=bridge comment=defconf interface=ether21 pvid=50
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether11,ether12,ether13 vlan-ids=20
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether14,ether15 \
    vlan-ids=30
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether16,ether17,ether18,ether19 vlan-ids=40
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether20,ether21 \
    vlan-ids=50
add bridge=bridge tagged=ether24,ether23,ether22 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=haloSW
/system routerboard settings
set boot-os=router-os

When vlan-filtering=yes the switch works but with 2 issues:
[1] I am unable to connect via SSH and [2] I am unable to connect using Winbox.
I want VLAN 10 to be my Management vlan where my PC resides on port ether3 that I use to access the Switch via Winbox and SSH.
Question: What needs to be changed in my configuration that helps to achieve my objective?

sebastia · January 4, 2019, 1:24pm

Hey

You need to create a vlan interface on bridge with vid=10. This will be the interface by which you’ll access the crs from vlan10.

Currently the switch is accessible through: eth1, 2, 22, 23, 24, sfp1 & 2 (untagged)

mozerd · January 4, 2019, 1:47pm

Thanks @sebastia
So I did the following:
/interface vlan
add interface=bridge name=MGMT vlan-id=10

I can access via winbox but cannot access via SSH ?

sebastia · January 4, 2019, 1:49pm

ssh service enabled? on right port, from config “set ssh port=xxxxx”

also the user needs right to ssh. and user can be limited to a range, check that too

mozerd · January 4, 2019, 1:58pm

Thank You. Yep SSH service is enable with the correct port – . Will check permissions…

mkx · January 4, 2019, 2:02pm

/interface bridge vlan
set [ find bridge=bridge vlan-ids=10 ] tagged=bridge,ether24,ether23,ether22

I.e. bridge “port” has to be tagged member of management vlan.

mozerd · January 4, 2019, 2:11pm

[EDIT] Now from my PC I can access the Switch via SSH and Winbox. but I am no longer able to access the Internet.

mozerd · January 4, 2019, 6:13pm

Prior to making the 2 suggested changes Internet was accessable
So Managemet Port now works but access to Internet does not

Following is updated config

# jan/02/1970 06:08:51 by RouterOS 6.43.8
# software id = 6K0L-9RGW
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether11,ether12,ether13 vlan-ids=20
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether14,ether15 \
    vlan-ids=30
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether16,ether17,ether18,ether19 vlan-ids=40
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether20,ether21 \
    vlan-ids=50
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=XXXX
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=haloSW
/system routerboard settings
set boot-os=router-os

Question: Why have I lost access to the Internet?

sebastia · January 4, 2019, 6:15pm

Lost internet, from which device?

mozerd · January 4, 2019, 6:19pm

From the PC I use to manage the switch and Router. The PC resides on van10.

mozerd · January 4, 2019, 6:26pm

OOPS just noticed that after switch reboot all my Port PVID settings are lost. ??? Stay Tuned.

sebastia · January 4, 2019, 6:30pm

I would advise to isolate mgmt network…

But if you insist : where do you do your routing? what is your “uplink” / trunk? There is no routing here (rightfully so)

add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10

mozerd · January 4, 2019, 6:53pm

I would advise to isolate mgmt network…

But if you insist : where do you do your routing? what is your “uplink” / trunk? There is no routing here (rightfully so)
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10

Yea, I may isolate the mgmt network later as this is a Lab exercise before I put it into production to replace a CISCO Switch.
My CCR1009 ether7 is my Router Trunk connected to ether24 on the CRS326

sebastia · January 4, 2019, 6:57pm

So that’s where (CCR) you need to do your routing: define vlan10 on eth7 (if needed) and route / nat as normal

mozerd · January 4, 2019, 7:07pm

My CCR1007 is working jsut fine
Thanks sebastia

So after I fixed the port pvid issue reported earlier I now have regained access to the Internet. Sure would like to know why it is that I lost all the PVID setting after switch reboot.-- nope I was not using safe mode

mozerd · January 5, 2019, 9:55am

[1] On my wired PC that connected to ether8 of the switch I only have access using Winbox no access using SSH.
[2] On my wireless laptop no access to Winbox or SSH using PVID 10 regardless of the fact that the Laptop is in the same subnet.
[3] Using PVID 1 the wireless laptop and wired PC have Winbox and SSH access

# jan/02/1970 21:53:15 by RouterOS 6.43.8
# software id = 6K0L-9RGW
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7 pvid=10
add bridge=bridge comment=defconf interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether9 pvid=10
add bridge=bridge comment=defconf interface=ether10 pvid=10
add bridge=bridge comment=defconf interface=ether11 pvid=20
add bridge=bridge comment=defconf interface=ether12 pvid=20
add bridge=bridge comment=defconf interface=ether13 pvid=20
add bridge=bridge comment=defconf interface=ether14 pvid=30
add bridge=bridge comment=defconf interface=ether15 pvid=30
add bridge=bridge comment=defconf interface=ether16 pvid=40
add bridge=bridge comment=defconf interface=ether17 pvid=40
add bridge=bridge comment=defconf interface=ether18 pvid=40
add bridge=bridge comment=defconf interface=ether19 pvid=40
add bridge=bridge comment=defconf interface=ether20 pvid=50
add bridge=bridge comment=defconf interface=ether21 pvid=50
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether11,ether12,ether13 vlan-ids=20
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether14,ether15 \
    vlan-ids=30
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether16,ether17,ether18,ether19 vlan-ids=40
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether20,ether21 \
    vlan-ids=50
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=haloSW
/system routerboard settings
set boot-os=router-os

So apparently I need to stack PVID 1 and PVID 10 if I want to Manage the Switch from either of the 2 devices I use.

Question: What’s the best way to do this so that I have Winbox/SSH access from both wireless Laptop and wired PC using VLAN10?

mkx · January 5, 2019, 12:58pm

If you want to have management access via IP over VLAN 10, you have to configure IP stuff in /ip address etc. on interface=MGMT (not on interface=bridge as it is now).
To have access via IP from other VLANs it’s probably best to configure firewall (both on switch and router) accordingly, connectivity between devices in different subnets is the matter of routing and firewalling.

The export doesn’t show anything about /tool mac-server so it’s probably still at default. Which probably means that winbox over MAC connections are allowed from interfaces listed in

/interface list member print where list=LAN

… you probably want to update that as well.

mozerd · January 5, 2019, 2:41pm

My current focus is to understand how CRS326/ROS works at Layer 2 … will Tackle Layer 3 Later. Using SwOS I do not have these issue … but its ROS/Winbox that interests me not SwOS. Much easier for me to configure CISCO Switches to do similar objectives Anyway mkx -Thank you for suggestions.

mozerd · January 5, 2019, 3:32pm

I find the following somewhat confusing:

Taken from the Wiki

In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired

To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.

/ip address
add address=192.168.88.1/24 interface=bridge1

It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports ether3,ether4 add this entry to the VLAN table:

/interface bridge vlan
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1

Make sure that PVID on the bridge interface matches the PVID value on these ports:

/interface bridge set bridge1 pvid=1
/interface bridge port set ether3,ether4 pvid=1

Question: So in my case does this mean that I need to find a way to stack PVID 1 on VLAN10?

mkx · January 5, 2019, 3:59pm

No, in your case you need to start using the MGMT interface. It is L2 interface, untagged “on the side” where you’re about to use it (e.g. as member of LAN interface list which would allow you to use MAC winbox from a PC which is member of VLAN 10).