Cisco and other vendors support the ability of “any” as c-tag. Does Tik support it? If so, how?
Mikrotik in general doesn’t support “any” for VLAN. However, one can usually set a range, e.g.
vlan-ids=1-4095
This comes with a caveat: it’s about the VLAN table, and only a single configuration line can refer to any single VLAN ID. So if you want to set VLAN membership for some VLAN differently, then you have to exclude that VLAN from the range. With more than a few exceptions, it becomes messy.
I am creating a sub interface btw and I don’t see that option.
How exactly are you trying to do it?
It should work something like this:
/interface bridge
add name=test-bridge vlan-filtering=yes
/interface bridge port
# the last property (ingress-filtering) is no by default, just showing that you may want to leave it set thusly
add bridge=test-bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=no
/interface bridge vlan
add bridge=test-bridge tagged=ether1 vlan-ids=1-4094
But, as I mentioned before, this can become convoluted when the same bridge has multiple ports and not all of them are allowed to work with “wildcard” VLANs:
/interface bridge
add name=test-bridge vlan-filtering=yes
/interface bridge port
# the last property (ingress-filtering) is no by default, just showing that you may want to leave it set thusly
add bridge=test-bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=no
add bridge=test-bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=no
/interface bridge vlan
add bridge=test-bridge tagged=ether1,ether2 vlan-ids=65,123
# the next line will fail because VLAN table already has entries for VIDs 65 and 123
add bridge=test-bridge tagged=ether1 vlan-ids=1-4094
# so instead one has to execute the following command
add bridge=test-bridge tagged=ether1 vlan-ids=1-64,66-122,124-4094 comment="wildcard"
Things get even worse if, after the above config is running, you want to add another VID to ether2 (or you add another port with a different list of allowed VIDs). This would mean you’d have to either remove or change the “wildcard” config to exclude the “another VID” first and then add a new line with all the config for the “another VID”, like this:
/interface bridge vlan
set [ find comment="wildcard" ] vlan-ids=1-64,66-122,124-1218,1220-4094
set [ find vlan-ids=65,123 ] vlan-ids=65,123,1219
The example above also illustrates the immense usability of comments (if set strategically), because they make it much easier to construct the change (“set”) commands.
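The exclusion list in the “wildcard” line can be derived rather than typed by hand. The following is an added example, not part of the original post: a short Python helper (all function names are hypothetical) that takes the `vlan-ids` values of the explicit entries and returns the value for the wildcard entry, rejecting input where one VID appears in two entries.

```python
# Added illustration; function names are hypothetical, not RouterOS commands.
VID_MIN, VID_MAX = 1, 4094  # span used by the "wildcard" entry in the post above


def parse_vlan_ids(spec):
    """Expand a vlan-ids string such as '65,123' or '1-64,66-122' into a set of ints."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VID_MIN <= lo <= hi <= VID_MAX:
            raise ValueError(f"invalid VLAN ID range: {part!r}")
        vids.update(range(lo, hi + 1))
    return vids


def format_vlan_ids(vids):
    """Collapse a set of VIDs into the shortest comma-separated range string."""
    ranges = []
    for vid in sorted(vids):
        if ranges and vid == ranges[-1][1] + 1:
            ranges[-1][1] = vid          # extend the current run
        else:
            ranges.append([vid, vid])    # start a new run
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def wildcard_vlan_ids(explicit_entries):
    """vlan-ids for the wildcard line: every VID not claimed by an explicit entry."""
    taken = set()
    for spec in explicit_entries:
        vids = parse_vlan_ids(spec)
        if taken & vids:
            # mirrors the rule from the thread: one VID, one VLAN table entry
            raise ValueError(f"VID(s) {format_vlan_ids(taken & vids)} appear in two entries")
        taken |= vids
    return format_vlan_ids(set(range(VID_MIN, VID_MAX + 1)) - taken)


if __name__ == "__main__":
    print(wildcard_vlan_ids(["65,123"]))
    print(wildcard_vlan_ids(["65,123,1219"]))
```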
I did not make myself clear.
I was creating an L3 subinterface, not just L2.
So I want to have an L3 interface that allows any traffic with dual-tagged frames, matching exactly the outer tag, and any on the inner.
Interfaces of type vlan (the ones created under /interface/vlan) are kind of “pipes” with two ends:
- tagged end which is anchored off the interface set by interface= (e.g. ether1)
- untagged end which can be used as interface and has name as defined by property name=
The way these interfaces work is that when a frame is delivered to the tagged end, it checks the VLAN ID inside the 802.1q header. If the VID doesn’t match the configured value (property vlan-id), the frame is discarded. If the frame doesn’t have an 802.1q header, it’s discarded as well. If the frame has an 802.1q header and the VID matches, then the 802.1q header (the outer-most!) is stripped and the remaining frame is then pushed out via the untagged end.
When a frame is received on the untagged end, the vlan interface adds an 802.1q header with the VID set to the configured value. It is then pushed out via the tagged end.
So if frame, received via tagged end, actually has stacked 802.1q headers, vlan interface will only look at outer-most header and will pass the rest (including inner 802.1q headers) unaltered. When passing the other way, vlan interface doesn’t care about frame (i.e. ethertype), it only stacks (another) 802.1q header.
The above explains “software” tag handling, which obviously means that performance (throughput if you want) isn’t exactly light-speed. If you are after wire-speed switching with tag stacking, then there are only a few select devices (CRS family) which (some of them) can perform tag stacking in switch chip / ASIC. The configuration (and mechanism) on those is much different from what is explained above.
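The “pipe” behaviour described above, as an added example that is not part of the original post: a Python model of the two ends of a vlan interface operating on raw Ethernet frames. The frames are constructed test data, the function names are hypothetical, and the model assumes TPID 0x8100 for every tag.

```python
import struct

TPID_8021Q = 0x8100  # assumption: every tag, outer and inner, uses the 802.1Q TPID


def build_frame(vids, payload=b"constructed-payload"):
    """Constructed test frame: dst MAC, src MAC, stacked tags (outermost first), IPv4 ethertype."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vids)
    return macs + tags + struct.pack("!H", 0x0800) + payload


def tagged_end_receive(frame, vlan_id):
    """Frame arriving on the tagged end: return what leaves the untagged end, or None if discarded."""
    if len(frame) < 18:
        return None                      # too short to hold MACs + tag + ethertype
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None                      # no 802.1Q header: discarded
    if tci & 0x0FFF != vlan_id:
        return None                      # VID does not match vlan-id: discarded
    return frame[:12] + frame[16:]       # strip only the outermost header


def untagged_end_receive(frame, vlan_id):
    """Frame arriving on the untagged end: stack one more header, whatever is already inside."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]


def stacked_receive(frame, vlan_ids):
    """A vlan interface on top of a vlan interface: apply the tagged-end rule once per layer."""
    for vid in vlan_ids:
        if frame is None:
            return None
        frame = tagged_end_receive(frame, vid)
    return frame


if __name__ == "__main__":
    double_tagged = build_frame([100, 2])
    inner = tagged_end_receive(double_tagged, 100)
    print(inner == build_frame([2]))     # inner tag passes through unaltered
```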
I completely understand that but your answer is really far from the original question.
The solution I’m looking for is that, say I have
outer tag: 100, inner tag: 2
outer tag: 100, inner tag: 3
outer tag: 100, inner tag: 4
All those 3 types of traffic, I want them to terminate on an L3 interface as they hit the Mikrotik router, for example RB5009.
I was able to get around it by defining,
interface vlan add name=ether1.100 interface=ether1 vlan-id=100
interface vlan add name=ether1.100.2 interface=ether1.100 vlan-id=2
and so on for the rest, then bridge them together, with split-horizon value of 1.
Your last post is, to my understanding, pretty unrelated to the first one. It would help if you would explain your particular use case. Showing your current config would be fine as well. Without it, we can theorize for ages …