My question is: how do I forward VLAN-tagged packets of any VLAN ID without having to configure each VLAN and assign it to the ports where it should be accessible?
My use case requires having 3 VLANs on some ports as port-based VLANs (PVID). These have to be configured of course, that's what I'm aware of. Some dozen tagged VLANs are only for transit between an HCI cluster and a Meraki core switch, where two CRS317 switches should be placed in between. The VLANs set up as port-based VLANs with PVID are for management, 'cluster interface' and 'storage network'. On the interfaces that have the PVID set for the 'cluster interface', and on the uplink port to the next switch, I would like to have any tagged VLANs forwarded without having to create and assign them to ports in SwOS or RouterOS. This would be much more practical for my colleagues who are not MikroTik-aware, because they would then only have to manage the VLANs in the HCI and Meraki environment if the CRS317 could pass everything through.
I'm not really sure if this is possible and whether you can understand what I'm trying to ask. The easy way, using all Meraki equipment, would cost about 14x the cost of two CRS317-1G-16S+RM, which is pretty heavy for an environment where most things are test lab setups.
Are you using RouterOS or SwitchOS? And what version?
Both can be used with that device and the answers are massively different between the two operating systems.
I guess for the sake of flexibility I'll choose RouterOS 7, latest stable. So the answer is to add all possible VLANs ahead of time to the needed ports? Meanwhile I've found something in the documentation which may also work. Can you give me a recommendation or your opinion on what you would prefer and why?
# CRS1xx/CRS2xx switch-chip setting: forward frames whose VLAN ID is not in the switch VLAN table
/interface ethernet switch
set forward-unknown-vlan=yes
# ...except on these ports, where frames with an unknown VLAN, or a VLAN the ingress port is not a member of, are dropped
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6
If I got it right, this would forward unknown VLANs on all ports except the ports where invalid/unknown VLAN filtering is enabled in the last line? I have to test whether PVID settings then still work, but I guess they should.
The config you posted is quite specific to certain type(s) of devices; "my" config is generic and will work on all devices with bridge vlan-filtering enabled. Your config does offer some security, though.
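As an added illustration of the generic bridge vlan-filtering approach referred to above (this is example configuration, not the config either poster used), the three PVID VLANs are listed individually and the transit VLANs are admitted as a single ID range on the trunk-facing ports, so the Meraki/HCI side can add VLANs inside that range without touching the CRS317. Interface names (sfp-sfpplus1..4), VLAN IDs 10/20/30 and the transit range 100-199 are assumptions for the example; the bridge VLAN table in RouterOS 7 accepts ranges in vlan-ids.

```routeros
# Added example for a CRS317 on RouterOS 7 with bridge VLAN filtering.
# Assumed roles: sfp-sfpplus1 = management access, sfp-sfpplus2 = cluster interface,
# sfp-sfpplus3 = storage access, sfp-sfpplus4 = uplink to the next switch.
# VLAN IDs 10/20/30 and the transit range 100-199 are constructed values.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# Access ports: untagged traffic lands in the PVID; tagged frames are rejected at ingress
add bridge=bridge1 interface=sfp-sfpplus1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=sfp-sfpplus3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
# Cluster port: untagged frames go to VLAN 20, tagged transit VLANs are admitted as well
add bridge=bridge1 interface=sfp-sfpplus2 pvid=20
# Uplink/trunk: tagged only
add bridge=bridge1 interface=sfp-sfpplus4 frame-types=admit-only-vlan-tagged

/interface bridge vlan
# The three PVID VLANs, listed individually; bridge1 is tagged on VLAN 10 so the switch is manageable there
add bridge=bridge1 tagged=bridge1,sfp-sfpplus4 untagged=sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=sfp-sfpplus4 untagged=sfp-sfpplus2 vlan-ids=20
add bridge=bridge1 tagged=sfp-sfpplus4 untagged=sfp-sfpplus3 vlan-ids=30
# Transit VLANs as one range: any ID in 100-199 is forwarded tagged between cluster port and uplink.
# Only the cluster port and the uplink are members, so the management and storage ports never see them.
add bridge=bridge1 tagged=sfp-sfpplus2,sfp-sfpplus4 vlan-ids=100-199

# Management IP on VLAN 10 via the bridge itself
/interface vlan
add interface=bridge1 name=mgmt vlan-id=10
/ip address
add address=192.0.2.10/24 interface=mgmt

# Enable filtering last, after the VLAN table is complete, so management access is not cut off
/interface bridge
set bridge1 vlan-filtering=yes
```

With ingress-filtering left at its default of yes, a tagged frame whose VLAN ID is outside the table (for example 200 on the cluster port) is dropped rather than flooded, so the range is the only thing that has to be widened when a new transit VLAN is introduced; keeping the range narrow rather than 1-4094 keeps the management VLAN out of the transit path. Check the result with /interface bridge vlan print and /interface bridge port print, and verify that the H (hardware offload) flag is shown on the ports, since a VLAN table the switch chip cannot offload falls back to CPU forwarding.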
Thank you for your solution. As you've said, my intention was device-specific for CRS2xx switches. The command does not exist on CRS3xx switches, which I did not notice.