RB1100Ahx2 (Atheros8327) tagged and untagged vlans

f38eb · June 18, 2020, 11:38am

Hi,

I have stuck with this already few days trying to figure out how to properly set tagged and untagged vlans on RB1100Ahx2.
the principle diagram is here as an example: (pink is for testing, both cable ar not connected at the same cable)

Cisco 1/0/3 UNtagged is connected to ether1 - port doesn’t get up running, stays orange on cisco
re-plugging the same cable to:
Cisco 1/0/4 tagged —> ether5 - ports works and everything is ok.
in production I have in place of Cisco an unmanaged HP switch, connecting RB1100Ahx2 hangs up all network…

interface range GigabitEthernet1/0/1-3
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 2,10
 switchport trunk native vlan 999
 switchport mode trunk
!

----------------------------------------------------------------------------------------------
# jan/03/1970 01:48:04 by RouterOS 6.45.9
# model = 1100AHx2
/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
/interface ethernet switch port
# ether1,ether2,ether3,ether4,ether5,switch2-cpu
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=fallback   # error here?
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 11 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=switch2-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch2 vlan-id=2 # error here?
/ip address
add address=xxxxxxx interface=vlan2 
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes

this all seems to be related to this:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features:

Note: QCA8337 and Atheros8327 switch chips ignore the vlan-header property and uses the default-vlan-id property to determine which ports are access ports. The vlan-header is set to leave-as-is and cannot be changed while the default-vlan-id property should only be used on access ports to tag all ingress traffic.

I’m assuming error is in one of those of two rows setting vlans, but have tried different settings, either doesn’t work IP network from Mikrotik, either cisco blocks port

sid5632 · June 18, 2020, 11:59am

I've never looked at an 1100, but I'd have thought you'd want to change this:

/interface ethernet switch port

ether1,ether2,ether3,ether4,ether5,switch2-cpu

set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=fallback # error here?
/interface ethernet switch vlan
add independent-learning=yes ports=switch2-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch2 vlan-id=2 # error here?

to this:

/interface ethernet switch port

ether1,ether2,ether3,ether4,ether5,switch1-cpu

set 0 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=2

You don't need a default-vlan-id on a trunk port, only on access port. And switch2 is usually ether6-10 (it is on an RB2011 anyway, which I do have), whereas ether1-5 is switch1.

f38eb · June 18, 2020, 12:06pm

on RB1100 it’s opposite, switch2 is 1-5, switch1 is 6-10…

ether1 is UNtagged port
ether5 is tagged

so unfortunately your provided code won’t help. That’s the main problem, that everything work with tagged port, but can’t get it working with the untagged port

mkx · June 18, 2020, 7:53pm

On my RB951G, which features (single) AR8327, the following sets ether2 as hybrid port (trunk with native) … VLAN 40 is untagged (native) and VLAN 3999 is tagged:

/interface ethernet switch port
set 1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=3999
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=40

Actually the config lines in the second part include all ports which are members of corresponding VLAN.

So the “big difference” is in vlan-mode= setting.

f38eb · June 18, 2020, 8:47pm

On my RB951G, which features (single) AR8327, the following sets ether2 as hybrid port (trunk with native) … VLAN 40 is untagged (native) and VLAN 3999 is tagged:
/interface ethernet switch port
set 1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=3999
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=40
Actually the config lines in the second part include all ports which are members of corresponding VLAN.

So the “big difference” is in vlan-mode= setting.

i think that one works for hybrid port fine, haven’t tested it though, but as the tagged port is working fine, it might also work fine with hybrid port.
but I think there is kind of issue how Mikrotik ROS or precisely this switch works with VLAN’s.
I checked with RB850 (ether1, ether2 put together with bridge, no vlans, no tagging etc., just plain bridge) Ether1 comes from unmanaged HP, ether2 goes to RB1100. When I connect RB1100 , then they see each other, but traffic from uplink HP on ether1 not work any more, although it doesn’t hang up the HP switch and other hosts
will try it tomorrow with Cisco, to see the behaviour.
Otherwise will have to make network setup in different way, using other MT or somthn…

f38eb · June 19, 2020, 5:46am

Tried with cisco → RB850 (bridged ether1,ether2) → RB1100 eth1 - cisco switches port to disabled orange state …

mkx · June 19, 2020, 8:43am

Any log on Cisco to see why it deems port/connection faulty?

One thing, just to make sure: when you try the untagged connection between cisco and RB, you have to disconnect the trunk connection first. Or else there will be loop on VLAN 2 and without MTSP cisco would panick and disable port …

f38eb · June 19, 2020, 12:00pm

no error no cisco

GigabitEthernet1/0/3 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 2c3e.cfe6.8d03 (bia 2c3e.cfe6.8d03)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     361171 packets input, 369451598 bytes, 0 no buffer
     Received 8944 broadcasts (2759 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2760 multicast, 0 pause input
     0 input packets with dribble condition detected
     375887 packets output, 92599920 bytes, 0 underruns
Switch#show interfaces status err-disabled
Switch#

altghough i figured out that setting on mikrotik solves issue:

/interface bridge
add name=bridge1 protocol-mode=none

But I think the RSTP should be used, as I will have multiple switches in chain, although not with multiple parallel connections… ?

mkx · June 19, 2020, 8:56pm

As there are VLANs in play, it should be MSTP rather than RSTP.

And it doesn’t matter how many switches are in chain, it only depends on interconnection … if there’s a loop in network infrastructure, switches around that loop need some kind of xSTP running (the same variant all of them) to avoid connectikn loops.