CRS326 + multiple vlans with hardware offloading and non-vlan ports

Hello,

I want to replace a CRS125 with a CRS326 and switch from bridge-based VLANs to VLAN switching over the switch chip, so that hardware offloading works for all VLANs. I read in the wiki how this can be done with the CRS326, but I am not sure if my planned setup is possible with only one bridge. The ports 1-12 are used for different VLANs, which should use sfp2 as the trunked uplink to the firewall. The ports 13-24 are just the usual LAN without any VLAN tags, with two connections to other MikroTik switches. So basically, the ports 1-12 should be tagged and use sfp2 as trunk, but the other ports should work like a common switch. Then there is a CAPsMAN running with different VLAN datapaths which should use sfp2 as trunk, too. One WiFi is the standard LAN without a VLAN, so that one should not use the trunk.
Using the method of creating a bridge for each VLAN this wasn't really a problem, but I really would like a solution that fully utilizes hardware offloading for all ports. Is that possible? Do I have to tag the non-VLAN ports with pvid=1?

Here I sketched a plan: (image: switch plan)

experimental config:

/interface bridge
# vlan-filtering stays "no" while ports and the VLAN table are being populated;
# the /interface bridge vlan entries below are only enforced after vlan-filtering=yes
add name=bridge1 vlan-filtering=no
/interface bridge port
# hw=yes keeps the port on the switch chip (hardware offloading, default on CRS3xx)
# pvid = VLAN that untagged frames arriving on the port are assigned to
add bridge=bridge1 interface=ether1 hw=yes pvid=10
add bridge=bridge1 interface=ether2 hw=yes pvid=10
add bridge=bridge1 interface=ether3 hw=yes pvid=10
add bridge=bridge1 interface=ether4 hw=yes pvid=10
add bridge=bridge1 interface=ether5 hw=yes pvid=10
add bridge=bridge1 interface=ether6 hw=yes pvid=10
add bridge=bridge1 interface=ether7 hw=yes pvid=60
add bridge=bridge1 interface=ether8 hw=yes pvid=60
add bridge=bridge1 interface=ether9 hw=yes pvid=50
add bridge=bridge1 interface=ether10 hw=yes pvid=50
add bridge=bridge1 interface=ether11 hw=yes pvid=50
add bridge=bridge1 interface=ether12 hw=yes pvid=50
# ether13-24, sfp1 and sfp2 keep the default pvid=1, i.e. the untagged LAN;
# untagged frames arriving on the sfp2 trunk therefore also land in VLAN 1
add bridge=bridge1 interface=ether13 hw=yes
add bridge=bridge1 interface=ether14 hw=yes
add bridge=bridge1 interface=ether15 hw=yes
add bridge=bridge1 interface=ether16 hw=yes
add bridge=bridge1 interface=ether17 hw=yes
add bridge=bridge1 interface=ether18 hw=yes
add bridge=bridge1 interface=ether19 hw=yes
add bridge=bridge1 interface=ether20 hw=yes
add bridge=bridge1 interface=ether21 hw=yes
add bridge=bridge1 interface=ether22 hw=yes
add bridge=bridge1 interface=ether23 hw=yes
add bridge=bridge1 interface=ether24 hw=yes
add bridge=bridge1 interface=sfp1 hw=yes
add bridge=bridge1 interface=sfp2 hw=yes
/interface bridge vlan
# sfp2 carries every VLAN tagged (trunk to the firewall); the listed ether ports
# are untagged (access) members of the VLAN matching their pvid
add bridge=bridge1 tagged=sfp2 untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=10
# VLANs 20, 30 and 40 are used in CAPsMAN only, with no physical access port
add bridge=bridge1 tagged=sfp2 vlan-ids=20
add bridge=bridge1 tagged=sfp2 vlan-ids=30
add bridge=bridge1 tagged=sfp2 vlan-ids=40
add bridge=bridge1 tagged=sfp2 untagged=ether9,ether10,ether11,ether12 vlan-ids=50
add bridge=bridge1 tagged=sfp2 untagged=ether7,ether8 vlan-ids=60

/caps-man datapath
# "lan" has no VLAN tag, so its CAP traffic lands in the bridge pvid (VLAN 1) like ether13-24
add bridge=bridge1 name=lan
# vlan-mode=use-tag: CAPsMAN tags client frames with vlan-id before they enter the bridge
add bridge=bridge1 client-to-client-forwarding=no name=vlan.public vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 client-to-client-forwarding=no name=vlan.team vlan-id=30 vlan-mode=use-tag
add bridge=bridge1 name=vlan.media vlan-id=50 vlan-mode=use-tag
add bridge=bridge1 name=vlan.stream vlan-id=60 vlan-mode=use-tag

See the VLAN link in my signature. I’ve implemented it with great success in my environments.

The trick, which helps to avoid the need for multiple bridges, is to have a VLAN which is entirely internal to a particular switch … so all ports which belong to a switch partition are access ports for that VLAN.
Or a few such VLANs if there's a need for more switch partitions.

And try to avoid mixing tagged and untagged ports on the same switch … the untagged stuff may cause some conceptual problems.
Also, don't use VLAN ID 1 … sometimes untagged and tagged with VID=1 get treated in the same way.

Thanks for your replies.

That's a pretty cool summary/guide, it gave me a whole new perspective on my network architecture.
Based on that I decided to move the CRS326 to the top, so it is directly attached to the firewall. Further, I'll change the previous LAN into a new VLAN. After doing this I can use all 24 ports as access ports, while using both SFP+ ports as trunk & LAGG uplink to the firewall (which already provides DHCP, DNS & other services to the VLANs).

image: planned network

I think that’s a nice solution. :smiley:
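The design the poster settles on above, combined with the advice from the earlier reply (every copper port an access port, the former untagged LAN turned into its own switch-internal VLAN, no use of VLAN 1, both SFP+ ports bonded into one tagged uplink), written out as an added RouterOS configuration example. It is not taken from the thread or from the linked VLAN guide. VLAN 99 for the old LAN, the bond name bond-fw, the management address 192.168.99.2/24 and the interface names sfp1/sfp2 (kept as the thread writes them) are assumptions; the frame-types and ingress-filtering settings are hardening the thread does not discuss, and the CAPsMAN datapaths are left out because the thread does not say how the dynamic CAP interfaces are placed in the VLAN table.

```routeros
/interface bridge
# keep filtering off until the VLAN table and management access are in place
add name=bridge1 vlan-filtering=no

/interface bonding
# assumption: LACP to the firewall over both SFP+ ports; the bond, not the
# individual sfp ports, becomes the bridge port that carries the trunk
add name=bond-fw mode=802.3ad slaves=sfp1,sfp2 transmit-hash-policy=layer-2-and-3

/interface bridge port
# access ports: tagged frames from clients are dropped (no VLAN hopping via
# self-tagged frames) and frames for VLANs the port is not a member of are dropped
add bridge=bridge1 interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=60 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=60 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether9 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether11 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether12 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# the former untagged LAN (ether13-24) becomes access ports of VLAN 99 (assumed ID),
# so no port on the switch is left on VLAN 1
add bridge=bridge1 interface=ether13 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether14 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether15 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether16 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether17 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether18 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether19 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether20 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether21 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether22 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether23 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether24 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# trunk: tagged frames only, so an untagged frame from the uplink cannot be
# silently placed into the trunk's pvid VLAN
add bridge=bridge1 interface=bond-fw frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# every VLAN is tagged on the trunk; access ports are untagged members of exactly
# one VLAN, the one matching their pvid
add bridge=bridge1 tagged=bond-fw untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=bridge1 tagged=bond-fw vlan-ids=20
add bridge=bridge1 tagged=bond-fw vlan-ids=30
add bridge=bridge1 tagged=bond-fw vlan-ids=40
add bridge=bridge1 tagged=bond-fw untagged=ether9,ether10,ether11,ether12 vlan-ids=50
add bridge=bridge1 tagged=bond-fw untagged=ether7,ether8 vlan-ids=60
# bridge1 itself is a tagged member of VLAN 99 so the CPU (management) can reach it
add bridge=bridge1 tagged=bond-fw,bridge1 untagged=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=99

# management address on the LAN VLAN, configured before filtering is switched on
# so the switch stays reachable (address is an assumption)
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip address
add address=192.168.99.2/24 interface=vlan99-mgmt

# last step: enforce the table; hardware offloading stays active for all ports
/interface bridge
set bridge1 vlan-filtering=yes
```

Check the result with `/interface bridge port print` (the H flag marks hardware-offloaded ports; it must be set on every port, including the bond) and `/interface bridge vlan print` (no dynamic VLAN 1 entry should appear once no port has pvid=1). With the old LAN as VLAN 99 there is no mix of tagged and untagged traffic on any port, which is the situation the earlier reply recommends avoiding, and the firewall sees the LAN as just one more tagged VLAN on the uplink.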

yeah the dude pcunite needs to change his nick to vlanunite :wink:
more to the point, MT should pay him to do a proper user manual!!

Thank you. I would be very happy to do the documentation. I think MikroTik has a great product with enthusiastic users on the forums. We form a team. Would love to help make the product experience be the best it can be.