Daisy-chaining a CRS210 behind a CRS326 VLANs not being tagged

Hi all

This has also been posted on the mikrotik-reddit :wink:

I spent the past weekend trying to get VLANs working between two switches. I’ve attached an image of what I’m trying to do here:

As a first step I updated both switches to the current stable firmware. Then I copied most of my configuration from the mikrotik-wiki and changed the names of the interfaces and vlan-ids. This is what I used:

CRS326-24S+2Q+RM
# First I removed the default bridge and made a new one
/interface bridge
add name=TRUNK-CORE

# Adding the only port for now
/interface bridge port
add bridge=TRUNK-CORE interface=sfpplus22 hw=yes

# I created a bond with both QSFP-Interfaces to my OPNSense-Router - this is working fine
/interface bonding
add mode=802.3ad name=UPLINK-ROUTER slaves=qsfpplus1-1,qsfpplus2-1 transmit-hash-policy=layer-3-and-4

# Adding the bond interface to the bridge
/interface bridge port
add bridge=TRUNK-CORE interface=UPLINK-ROUTER hw=yes

# VLAN Port definition
/interface bridge vlan
add bridge=TRUNK-CORE tagged=sfpplus22 vlan-ids=30,40
add bridge=TRUNK-CORE tagged=UPLINK-ROUTER vlan-ids=30,40

# Enable filtering
/interface bridge set TRUNK-CORE vlan-filtering=yes

This is working quite well. However, the config below is from the CRS210 and this is where I am pulling my hair out:

CRS210-8G-2S+IN
# I reset the configuration and used the default bridge mode without making a new bridge
/interface ethernet switch ingress-vlan-translation
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=sfp-sfpplus1 customer-vid=0 new-customer-vid=40 sa-learning=yes

# I set the correct egress tags, including the one for sfp-sfpplus1 - when I try the same for ether3 the system tells me that it already has one set
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfpplus2 vlan-id=30
add tagged-ports=sfpplus2 vlan-id=30
add tagged-ports=sfp-sfpplus1 vlan-id=0

# Setting the VLAN-Port definition
/interface ethernet switch vlan
add ports=sfpplus2,ether3 vlan-id=30 learn=yes
add ports=sfpplus2,sfp-sfpplus1 vlan-id=40 learn=yes

# Filtering out anything else
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether3,sfpplus2,sfp-sfpplus1

Weirdly, it worked at one time, for about 2-3 hours. Then it suddenly… didn’t.

If I TORCH port sfpplus22 on the CRS326 I can see that packets are arriving from the uplink to the CRS210 but they don’t have a VLAN-Tag applied. OPNSense is configured to only service clients on one of the VLANs.

In my desperation I tried to use bridge-based VLANs on the CRS210 (like on the CRS326). This did work but of course used the CPU which meant horrible speeds around 150MBit/s.

Is this a case of incompatible VLAN-configs because of different device generations? If all else fails I would be prepared to use the CRS210 as a dumb switch and simply tag all traffic coming in on the CRS326 as VLAN40. Essentially everything that I plug into the CRS210 would be VLAN40. Is this even possible?

Thanks in advance for your help. And sorry for the terrible grammar, English is not my first language.

The CRS1xx/2xx switch chip configuration is not at all intuitive - /interface ethernet switch vlan specifies which VLANs are present on which ports, /interface ethernet switch ingress-vlan-translation specifies which tag to apply on untagged ingress packets, /interface ethernet switch egress-vlan-tag specifies which VLAN tags to leave present on egress packets.

Are ether3 and sfp-sfpplus1 supposed to be tagged or untagged? If untagged then it looks OK apart from the /interface ethernet switch egress-vlan-tag section. Try just referencing the tagged VLANs on the uplink port, there is no need to add untagged access ports:

/interface ethernet switch egress-vlan-tag
add tagged-ports=sfpplus2 vlan-id=30
add tagged-ports=sfpplus2 vlan-id=40
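
An added example, not part of any post in this thread: a small Python check that cross-references the three CRS1xx/2xx switch-chip tables described in the reply above and reports where the posted CRS210 config would let a VLAN leave the uplink untagged. The function names `parse` and `check` are hypothetical, the trunk port `sfpplus2` is taken from the posted config, and each ingress-vlan-translation row is assumed to name a single port.

```python
import re

# Constructed input: the CRS210 switch-chip sections as posted in the question.
POSTED = """\
/interface ethernet switch ingress-vlan-translation
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=sfp-sfpplus1 customer-vid=0 new-customer-vid=40 sa-learning=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfpplus2 vlan-id=30
add tagged-ports=sfpplus2 vlan-id=30
add tagged-ports=sfp-sfpplus1 vlan-id=0
/interface ethernet switch vlan
add ports=sfpplus2,ether3 vlan-id=30 learn=yes
add ports=sfpplus2,sfp-sfpplus1 vlan-id=40 learn=yes
"""
# Same config with the egress-vlan-tag rows suggested in the reply.
SUGGESTED = POSTED.replace(
    "vlan-id=30\nadd tagged-ports=sfp-sfpplus1 vlan-id=0", "vlan-id=40")

def parse(text):
    """Group 'add' rows by the last word of the menu path above them."""
    tables, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line.rsplit(" ", 1)[-1]
        elif line.startswith("add ") and menu:
            row = dict(re.findall(r"([\w-]+)=(\S+)", line))
            tables.setdefault(menu, []).append(row)
    return tables

def check(text, trunk):
    """Cross-check the three tables; return a list of findings."""
    t = parse(text)
    member = {r["vlan-id"]: r["ports"].split(",") for r in t.get("vlan", [])}
    access = {r["ports"] for r in t.get("ingress-vlan-translation", [])}
    found, seen = [], set()
    for r in t.get("egress-vlan-tag", []):
        vid = r["vlan-id"]
        for p in r["tagged-ports"].split(","):
            if (vid, p) in seen:
                found.append(f"duplicate egress tag for VLAN {vid} on {p}")
            if p in access:
                found.append(f"access port {p} listed as tagged")
            seen.add((vid, p))
        if vid not in member:
            found.append(f"egress tag for VLAN {vid}, absent from vlan table")
    for vid, ports in member.items():
        if trunk in ports and (vid, trunk) not in seen:
            found.append(f"VLAN {vid} would leave {trunk} untagged")
    return found
```

`check(POSTED, "sfpplus2")` returns four findings, including the missing VLAN 40 tag on the uplink; `check(SUGGESTED, "sfpplus2")` returns none.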

If I understand the whole concept correctly, ether3 and sfp-sfpplus1 should be untagged? Those are the ports which connect directly to my PC and TV. While I can set a VLAN-ID on my network card on the PC, I can not do so on the TV.

Yes, the most common setup is to present a single untagged VLAN for edge devices - often called an access port.

Very good, thank you. I think I might have messed up something on the CRS326. I remember now that I tried to add another VLAN for my WiFi-AP on both the CRS210 and 326 and did it via the GUI instead of the terminal. When it did not work immediately I removed it again. Things kept working for a while, but an hour or so later it stopped working. Maybe some kind of delayed reaction :smiley:

I will factory reset both switches and redo the config. Hopefully that solves the problem.

You can safely mix changes in Winbox and the CLI.

If you use Quickset, and subsequently make changes with either Winbox or the CLI, then you should not make further changes with Quickset.

Sadly, redoing the config from scratch did not help. The access ports refuse to tag incoming traffic with the correct vlan.

I noticed that the connection sfp-sfpplus1 - PC causes a faint regular clicking sound on the audio output of the PC. Since my PC is attached via DAC cable and thus not electrically isolated from the switch I have a suspicion that it may have something to do with the access point on another port. That access point has a separate PoE injector. Maybe some kind of interference?

I will also try to switch out the roles of sfp-sfpplus1 and sfpplus2, basically make sfp-sfpplus1 the uplink. And if all else fails maybe try firmware 7.0 beta.