RB450g switch and layer 2 traffic separation using VLANs

Hi, recently I purchased my first RouterBOARD RB450G and upgraded it to the latest stable RouterOS v4.2.

Now I’m trying to configure the five-port switch chip present on the board in the following way:

port ether1 is part of VLAN 1, VLAN 1 is native (untagged) for this port (this means that all untagged traffic entering the port shall be part of VLAN 1 and all VLAN 1 traffic leaving the port shall be stripped of its VLAN tag)

port ether2 is part of VLAN 1 and VLAN 2, vlan 1 is native (untagged) for this port.

port ether3 - ether5 are all part of VLAN 2 and vlan 2 is native (untagged) for those ports.

I know that this setup can probably be done using bridging of physical and VLAN interfaces, but that would (as far as I know) have negative performance implications (as the switch chip can pass the packets at wire speed, while bridging will use the CPU).

So my question is: can my setup be achieved using the switch circuit + switch rules (described at http://wiki.mikrotik.com/wiki/Switch_Chip_Features#Rule_Table)?

The only problem is the assignment of incoming untagged traffic to the proper VLAN.

Thanks in advance for your feedback.

pantaril

This can be achieved with

/interface ethernet switch rule add switch=0 ports=ether1 new-vlan-id=1

But, unfortunately, there is no matcher to determine through which port packets will leave, and there is no action to remove the VLAN tag from the packet.

Thanks, I’ll experiment with “new-vlan-id” later today. If the documentation is correct, then you can strip the VLAN header by setting the new-vlan-id to 0.

What I don’t understand is what traffic is affected by those switch rules. Is it only incoming traffic or both incoming and outgoing? It’s a real shame that there is no match rule for this. (But maybe I can work around this by using the src-mac and dst-mac matching rules.)

pantaril

So my final config is a mixture of switching and bridging and it does more or less what I want.
Ports ether1 and ether2 are bridged together into the brWan bridge.
Ports ether3 - ether5 are switched together with the master-port being ether3.
There is a VLAN interface attached to brWan, which is named ‘lan’, has VLAN ID 2 and is bridged together with port ether3 into the brLan bridge.

Untagged traffic (VLAN ID 0) is allowed to pass through all switch ports. Additionally, VLAN ID 2 is allowed for port ether2. All ports’ VLAN filtering is set to “secure”.

There is one ip address assigned to each brLan and brWan interface.

configuration dump:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1520 max-message-age=20s mtu=1500 name=brLan priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1524 max-message-age=20s mtu=1500 name=brWan priority=0x8000 protocol-mode=none \
    transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:12:9B master-port=none mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:12:9C master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:12:9D master-port=none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:12:9E master-port=ether3 mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:12:9F master-port=ether3 mtu=1500 name=ether5 speed=100Mbps
/interface vlan
add arp=enabled comment="" disabled=no interface=brWan l2mtu=1520 mtu=1500 name=lan use-service-tag=no vlan-id=2

/interface bridge port
add bridge=brLan comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=auto priority=0x80
add bridge=brLan comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=lan path-cost=10 point-to-point=auto priority=0x80
add bridge=brWan comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 point-to-point=auto priority=0x80
add bridge=brWan comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set (unknown) vlan-mode=secure
set (unknown) vlan-mode=secure
set (unknown) vlan-mode=secure
set (unknown) vlan-mode=secure
set (unknown) vlan-mode=secure
/interface ethernet switch vlan
add disabled=no ports=cpu,ether1,ether2,ether3 switch=switch1 vlan-id=0
add disabled=no ports=cpu,ether2 switch=switch1 vlan-id=2

/ip address
add address=10.0.0.2/24 broadcast=10.0.0.255 comment="" disabled=no interface=brWan network=10.0.0.0
add address=10.20.30.41/24 broadcast=10.20.30.255 comment="" disabled=no interface=brLan network=10.20.30.0

So next come NAT and QoS, but I’ll leave that for later :)
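
Added example (not part of the original posts, and not MikroTik code): a small Python check that reads the /interface ethernet switch vlan section of an export like the one above and reports which ports admit frames for each VLAN ID. It assumes the vlan-mode=secure behaviour described on the Switch Chip Features wiki page (a frame is accepted only when its VLAN ID has a table entry that lists the ingress port) and, as in the post, treats untagged traffic as VLAN ID 0; the function names and the SWITCH_PORTS list are hypothetical, and master-port grouping and CPU bridging are not modelled.

```python
import shlex

# Constructed sample: VLAN-table section abridged from the export in the post.
EXPORT = """\
/interface ethernet switch vlan
add disabled=no ports=cpu,ether1,ether2,ether3 switch=switch1 vlan-id=0
add disabled=no ports=cpu,ether2 switch=switch1 vlan-id=2
/ip address
add address=10.0.0.2/24 comment="" disabled=no interface=brWan
"""
SWITCH_PORTS = ["cpu", "ether1", "ether2", "ether3", "ether4", "ether5"]
SECTION = "/interface ethernet switch vlan"


def parse_vlan_table(export_text):
    """Return {vlan_id: set_of_ports} from the switch VLAN section."""
    table, in_section = {}, False
    # Join RouterOS export continuations (a trailing backslash) first.
    joined = export_text.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == SECTION
            continue
        if not in_section or not line.startswith("add "):
            continue
        props = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if props.get("disabled") == "yes":
            continue  # a disabled entry takes no part in filtering
        ports = set(props["ports"].split(","))
        table.setdefault(int(props["vlan-id"]), set()).update(ports)
    return table


def admitted(table, port, vlan_id):
    """Assumed secure-mode ingress check: the VLAN ID must have a table
    entry and that entry must list the ingress port."""
    return port in table.get(vlan_id, set())


def unlisted(table, ports):
    """Ports that appear in no VLAN entry; review them against the policy."""
    listed = set().union(*table.values())
    return sorted(set(ports) - listed)


if __name__ == "__main__":
    table = parse_vlan_table(EXPORT)
    for vid in sorted(table):
        ok = [p for p in SWITCH_PORTS if admitted(table, p, vid)]
        print(f"vlan-id={vid}: admitted on {', '.join(ok)}")
    print("no VLAN entry:", ", ".join(unlisted(table, SWITCH_PORTS)))
```

On the sample, frames tagged with VLAN ID 2 are admitted only on cpu and ether2, and ether4 and ether5 are reported as having no VLAN entry of their own.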