Hi all
I’m trying to configure VLANs on a CRS2xx series switch with ROS 6.45 with hardware acceleration.
For example, I want to configure eth1 as a trunk port with VLANs 10 and 20, and eth2 as an access port which receives traffic from VLANs 10 and 20 and untags it on egress. That’s because on ether2 I have a device without VLAN configuration that must receive traffic from all VLANs.
Thanks
How is it supposed to choose which VLAN tag to add on ingress on ether2 in your scheme?
Here is the problem. I don’t want to choose, I want to add all of them on ingress and remove the tag on egress. Is it possible? If not, is there some workaround?
Tagging packets with multiple VLAN tags on ingress is not possible. The switch doesn’t clone packets, it only forwards them … forwarding them to multiple interfaces (in case the egress interface is not known yet) is not cloning packets.
Surely untagging packets from several VLANs on egress isn’t a problem, some vendors allow to do that …
So you really have to re-think your physical and logical network layout.
There’s no problem to strip all tags and send untagged frames out.
But how is it supposed to know which tag to add to which frame in the opposite direction?!
Some criterion is needed.
Nice answers guys. Now I understand each frame can have only one tag. I was thinking it could have multiple tags.
So I need a way to clone frames and tag each of them for every VLAN.
Would adding one MikroTik router between this device and the MikroTik switch be a workaround?
Kind of. But not in a way you think of it.
And not the sole existence of a router, rather the way it, and the rest of your network will be configured.
You don’t need to “clone” frames - that won’t work for you on some higher level anyway.
If you want device on ether2 access both your vlans, all you need is to establish a proper routing between it and these two vlans.
I guess you already have a router in your network that you can configure to accomplish that.
If not, add your network scheme, and we will look into what can be done.
Yes, I have three routers before the switch and the device (2 CCR 1009 and one CCR 1036).
On each router I have some users that I will subdivide into VLANs. All that I want is to continue to pass traffic between users and this device.
Add this device to a separate vlan and allow access between this vlan and all other vlans in your router, that is used as a firewall.
Yes this is the best way. Thank you.
Ps.
Is it possible to allow access to all users (considering they are on three different routers) without changing the gateway on the device?
Sure. Routers will do their jobs … if configured coherently.
The three routers don’t “talk” to each other and each router is connected to the internet with its own public IP. They are connected to the same switch. What’s the right way to configure them in this situation?
I don’t know the right way, but it could be done like this:
One of the routers (either one of the three existing ones or an additional one) will have to take over the role of default gateway for THE device. This router will have routes towards the remaining VLANs using the respective routers as gateways. The rest of the routers will know to use THE router as gateway towards THE device. THE router will also firewall THE device and can also firewall traffic between routers if THE router will be kind of an IX for other VLANs (and unconditionally block such traffic if VLANs should communicate via some other path or not at all).
The rest of routers will know to use THE router as gateway towards THE device.
Thank you for all your very clear answers. I only don’t know how to do this step considering the routers already have their own gateway. Is it possible to have even another gateway?
Is there any example on the MikroTik wiki?
A gateway is a device that can pass packets on their way elsewhere. Any device (including normal computers and what not) can have several gateways configured, but for reaching different target hosts. One of such gateways (usually the only one) is the default gateway, which gets used to pass traffic when none of the other configured gateways is better suited to do it.
Example:
```
/ip address
add address=192.168.88.1/24 interface=LAN
add address=1.2.3.4/16 interface=WAN
/ip route
# ISP's router serving as default gateway
add dst-address=0.0.0.0/0 gateway=1.2.0.1
# some router serving as gateway to this private subnet
add dst-address=192.168.99.0/24 gateway=192.168.88.99
```
Note the router with IP address 192.168.88.99 … it doesn’t necessarily have direct connectivity with devices in subnet 192.168.99.0/24, it might use another hop to get there. But it has some configuration which gets packet further.
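Added example (not part of any post in this thread): a small route tracer that applies the longest-prefix-match rule explained above to the "one router as gateway for THE device" layout, and shows what happens when one router lacks the return route. All addresses, the shared transit VLAN and the router names `hub`, `r1`, `r2` are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing, not from the thread: 10.0.0.0/24 is an assumed transit
# VLAN shared by all routers, 10.99.0.0/24 the device VLAN behind "hub".
TOPOLOGY = {
    "hub": {"addresses": ["10.0.0.1/24", "10.99.0.1/24"],
            "routes": [("192.168.10.0/24", "10.0.0.10"),
                       ("192.168.20.0/24", "10.0.0.20")]},
    "r1": {"addresses": ["10.0.0.10/24", "192.168.10.1/24", "203.0.113.2/30"],
           "routes": [("0.0.0.0/0", "203.0.113.1"),
                      ("10.99.0.0/24", "10.0.0.1")]},
    # r2 deliberately lacks the route back to the device VLAN.
    "r2": {"addresses": ["10.0.0.20/24", "192.168.20.1/24", "198.51.100.2/30"],
           "routes": [("0.0.0.0/0", "198.51.100.1")]},
}

def parse(topology):
    """Turn the string tables into ipaddress objects."""
    return {name: {"ifaces": [ip.ip_interface(a) for a in cfg["addresses"]],
                   "routes": [(ip.ip_network(d), ip.ip_address(g))
                              for d, g in cfg["routes"]]}
            for name, cfg in topology.items()}

def next_hop(router, dst):
    """None if dst is on a connected subnet, else gateway of the longest match."""
    if any(dst in i.network for i in router["ifaces"]):
        return None
    matches = [(net, gw) for net, gw in router["routes"] if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(topology, start, dst):
    """Follow dst hop by hop; return (routers traversed, outcome)."""
    routers, dst = parse(topology), ip.ip_address(dst)
    path = [start]
    while True:
        gw = next_hop(routers[path[-1]], dst)
        if gw is None:
            return path, "delivered"
        owner = next((n for n, r in routers.items()
                      if any(i.ip == gw for i in r["ifaces"])), None)
        if owner is None:
            return path, f"leaves via {gw}"  # gateway is outside the modelled routers
        if owner in path:
            return path, "loop"
        path.append(owner)

if __name__ == "__main__":
    for start, dst in [("r1", "10.99.0.50"), ("hub", "192.168.20.7"), ("r2", "10.99.0.50")]:
        print(start, "->", dst, trace(TOPOLOGY, start, dst))
```

Traffic from the device reaches users behind `r2`, but replies from `r2` follow its default route towards the ISP until `r2` gets its own route for the device subnet.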
Perfect. Thank you very much.
Two suggestions:
- Some diagrams showing the relationships
- Set of requirements based on what you are trying to accomplish for users or devices without any mention of IT equipment or configuration. (use cases).
Then we will better understand what you are trying to accomplish with the detail necessary to devise and manage a configuration.