RB3011 VLAN with HP Managed Switch

Hi,

We have installed a RB3011 with 2 bridges which are assigned to different Eth-ports.

How can we also create tagged VLAN in the network with combination of a HP Managed switch?

I want to create 3 VLANs and use them on different ports on the HP Managed switch. In the attachment I’ve made a simple overview of an example network.

What is the best way to do this?

Best regards,
Joost Lauwen
Tekening6.pdf (57.1 KB)

The best way is
a. ONE bridge
b. ONE trunk port to the HP switch.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Read, apply, come back with a config and I will be happy to look at it.

Hi,

I’ve managed to create 3 VLANs on one port. When I select VLAN20 on my NIC, I’m getting the right IP address. If no VLAN is configured, the computers will get an IP address from the BRIDGE-DHCP.

How do I configure a managed (HP J9980A) switch to use the VLANs on different ports?

Should I configure the VLAN ID on the trunk port of the switch?

First, a network diagram to see the physical relationship between devices (ports to ports)
and the network structure (subnets/VLANs).

Also post your latest config…

https://support.hpe.com/hpesc/public/docDisplay?docId=c04622710 pages 49-54 & 19-21. If you get the management settings wrong you will have to reset the HP switch to defaults as there is no serial console port.

Note the term ‘trunk’ is used differently by HP (refers to a static link-aggregation group) and Cisco/others (refers to a connection with multiple VLANs).

Hi,
Network diagram and MK config.
Network-Diagram.pdf (46.7 KB)
SPIKE-GOIRLE-RTR01-2021oct12.rsc (3.78 KB)

Which VLAN is your management VLAN? 20? 30? something else?

The HP should get an IP address on the management VLAN subnet for starters!

Why is ether5 part of the bridge???

Why are ether2,3,4 members of the LAN when you already have the bridge identified as LAN?
Why isn’t vlan30 also associated with LAN?

Why is this rule open to the entire internet??
add action=accept chain=input comment="Allow Remote Mgmt" log-prefix="Remote Mngment" src-address-list="Remote Mgmt"
WHERE IS in-interface-list=SOMETHING

What is the purpose of these two contradictory rules in the input chain…
Do you not realize the second rule is meaningless and will never get matched ???

add action=accept chain=input comment="Allow VPN IPSEC" dst-port=500,1701,4500 log-prefix=IPSEC protocol=udp

add action=accept chain=input comment=IPSCEC protocol=ipsec-esp
add action=accept chain=forward comment="Allow IPSEC out" ipsec-policy=out,ipsec

add action=drop chain=input comment="Block VPN IPSEC" dst-port=500,1701,4500 log=yes log-prefix=VPN-Block protocol=udp src-address-list=VPN-Block

Conclusion and Summary: Configuring the HP printer is the least of your concerns. Using YouTube to configure your router without understanding what you have done is the big issue here.
Reset to defaults and learn about firewall rules…
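The ordering problem raised in the post above, shown with the same rules in a working order (an added example, not part of the original post or the poster's config). It assumes the comments and list names quoted in the thread, and the two options are alternatives, not steps to run together.

```routeros
# Added example. RouterOS evaluates a chain top to bottom and stops at the
# first rule that matches, so a drop placed after a broader accept for the
# same protocol/ports is never reached. The blocklist drop must come first.

# Option A: adding the rules to an empty input chain, in this order
/ip firewall filter
add action=drop chain=input comment="Block VPN IPSEC" dst-port=500,1701,4500 log=yes log-prefix=VPN-Block protocol=udp src-address-list=VPN-Block
add action=accept chain=input comment="Allow VPN IPSEC" dst-port=500,1701,4500 log-prefix=IPSEC protocol=udp
add action=accept chain=input comment=IPSCEC protocol=ipsec-esp

# Option B: both rules already exist, so move the drop in front of the accept
/ip firewall filter move [find comment="Block VPN IPSEC"] destination=[find comment="Allow VPN IPSEC"]

# Check: list the chain in evaluation order with packet/byte counters.
# A rule whose counters stay at zero while an earlier, broader rule keeps
# counting is being shadowed.
/ip firewall filter print stats where chain=input
```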

The management / base VLAN is the bridge and members ether2-5 untagged, which is fine other than some people not liking hybrid over fully-tagged implementations. To match this on the HP you would add VLAN IDs 20 and 30, then assign tagged/untagged membership to the ports as required.

Attaching an /interface vlan to an interface which is a member of a bridge was used before VLAN-aware bridges were implemented. It still works at the moment but future RouterOS updates may change that, especially when the bridge uses hardware switching, and is not recommended.

The downside of changing to a VLAN-aware bridge is that you lose the hardware switching between ports. It isn’t clear which device you are using: the title says RB3011, which has its own issues with multiple switch chips and hardware switching, but the config posted is from an RB960PGS. Hardware switching between ports is only really relevant for wire-speed traffic between ports on the Mikrotik within the same VLAN, so may not be an issue.

Hi tdw, understood all, but when managing other smart devices I prefer a consistent approach,
and that is to have management VLANs (could use an existing trusted VLAN too),
with the bridge doing nothing but bridging.

So in the OP’s case I would create vlan50 to replace the bridge subnet,
add the VLAN to the bridge, and get rid of ether5 by itself.

ONE bridge bridging a bunch of defined VLANs.
Perhaps vlan50 can also be considered the management VLAN, or else add a fourth VLAN just for management.
Depends on where the OP will be logging in most of the time for admin work (which VLAN).

It’s much easier on smart devices to accept an incoming VLAN as the management VLAN in terms of switch or smart AP settings.

Hi anav,

This is just a test/sample config and is used behind our “Main” Mikrotik. Some settings can be wrong, but at this moment I’m just testing the VLAN configuration. I’m testing with an RB960PGS, but want to implement this on a RB3011.

If I understand it correctly I should add multiple VLANs to port Eth and delete the bridge on this port. Only a device with VLAN configured should get an IP address through this port.

Then my config should be, for example:

Eth5
→ VLAN 20: VoIP (192.168.20.*)
→ VLAN 30: DATA (192.168.30.*)
→ VLAN 99: Management (10.100.10.*)

Not quite.
I said, keep the bridge and add all the vlans to the bridge.
Then use
/interface bridge ports and
/interface bridge vlan settings as required.
To distribute the vlans to the appropriate ports.

As per this article.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

quick sample…
/interface bridge port
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# etc…
# let's say ether2-4 and ether6 were attached to PCs on vlan99
add bridge=bridge interface=ether2 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# (repeat for ether3, ether4, ether6)

/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=20,30
# untagged members: if the rest of the ether ports were access ports going to dumb devices
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,ether4,ether6 vlan-ids=99
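A fuller version of the quick sample above, as an added example that is not part of the original post: one VLAN-aware bridge with ether5 as the tagged-only link to the HP switch, using the VLAN IDs and subnets mentioned in this thread. The interface names vlan20/vlan30/vlan99, the .1/24 gateway addresses and the choice of ether2-4 as access ports are assumptions; VLAN filtering is switched on last so an error in the tables does not cut off management access halfway through.

```routeros
# Added example; names and addresses below are assumptions, not the OP's config.
/interface bridge
add name=bridge vlan-filtering=no

# Layer-3 VLAN interfaces attach to the bridge itself, not to a member port
/interface vlan
add interface=bridge name=vlan20 vlan-id=20 comment=VoIP
add interface=bridge name=vlan30 vlan-id=30 comment=DATA
add interface=bridge name=vlan99 vlan-id=99 comment=Management

/ip address
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30
add address=10.100.10.1/24 interface=vlan99

/interface bridge port
# ether5: link to the HP switch, tagged frames only
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# ether2-4: access ports, untagged traffic is placed in VLAN 99
add bridge=bridge interface=ether2 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# The bridge is a tagged member of every VLAN that has a VLAN interface on it
add bridge=bridge tagged=bridge,ether5 vlan-ids=20,30
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,ether4 vlan-ids=99

# Enable filtering last, while connected through a port that stays reachable
# afterwards (here an access port in VLAN 99)
/interface bridge
set bridge vlan-filtering=yes

# Check the resulting membership table, including dynamically added entries
/interface bridge vlan print
```

On the HP side, the port facing ether5 has to be a tagged member of the same VLAN IDs for this link to pass traffic.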

I am going to test this tomorrow and let you know the outcome.

Thanks for your replies!

Hi anav,

I followed the config based on the other forum post and I managed to add VLAN10, VLAN20 and VLAN99 (MGMT) to VLAN-BRIDGE, which is enabled on Ether5.

When I connect a laptop to this port and configure one of those VLANs, I’m getting an IP address from the right DHCP.

Now I’m going to try to configure the HP Switch. Do I need to use TAGGED or UNTAGGED VLAN on the switch ports?

Hi, just wanted to let you know that it works. I have one last question about the VLAN.

I’ve created BRIDGE-VLAN and added VLAN interfaces to this bridge. After that I’ve assigned the bridge to Eth9 and Eth10.
Is it possible to set up DHCP/DNS/etc. on BRIDGE-VLAN, so that when end hosts connect to one of these ports they get the “default network”, and when the connected device (e.g. a switch) sets up a VLAN, it gets another network address?

Best regards,
Joost Lauwen