Reconfigure VLAN on CRS-326-24P-2S+

incagarcilaso · January 27, 2021, 5:11pm

If I have this current set up:

interface bridge vlan print detail
Flags: X - disabled, D - dynamic
0 bridge=BR1 vlan-ids=22 tagged=sfp1,sfp2 untagged=ether2 current-tagged=sfp2 current-untagged=""

1 bridge=BR1 vlan-ids=1005 tagged=sfp1,sfp2 untagged=ether3,ether4,ether5,ether6,ether7,ether8 current-tagged=sfp2
current-untagged=ether3,ether4

2 bridge=BR1 vlan-ids=1030 tagged=sfp1,sfp2 untagged=ether9,ether10,ether11,ether12 current-tagged=sfp2
current-untagged=ether10,ether12

3 bridge=BR1 vlan-ids=1006 tagged=sfp1,sfp2 untagged=ether13,ether14,ether15,ether16,ether17,ether18 current-tagged=sfp2
current-untagged=ether14,ether18,ether13,ether16

4 bridge=BR1 vlan-ids=1015 tagged=BR1,sfp1,sfp2 untagged=ether19,ether20,ether21,ether22 current-tagged=BR1,sfp2,sfp1
current-untagged=""

5 D bridge=BR1 vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=BR1

Then what syntax do I need to change sfp1 from a trunk port to an access port on VLAN 1005? Do I need to re-write the whole VLAN table using the SET command and then set sfp1 as an access port? Not sure where to start. This is what I thought but no idea if it is correct. This switch is in production.
/interface bridge vlan
set bridge=BR1 tagged=sfp2 untagged=ether2 vlan-ids=22
set bridge=BR1 tagged=sfp2 untagged=
ether3,ether4,ether5,ether6,ether7,ether8,sfp1 vlan-ids=1005
set bridge=BR1 tagged=sfp2 untagged=
ether9,ether10,ether11,ether12 vlan-ids=1030
set bridge=BR1 tagged=sfp2 untagged=
ether13,ether14,ether15,ether16,ether17,ether18 vlan-ids=1006
set bridge=BR1 tagged=BR1,sfp2 untagged=
ether19,ether20,ether21,ether22 vlan-ids=1015
#Then I need to set sfp1 as an access port on Vlan 1005, I think:
/interface bridge port
set bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged
ingress-filtering=yes interface=sfp1 pvid=1005

Kindis · January 27, 2021, 9:41pm

So in first part of post spf1 is under tagged for vlan 1005 but in later output it is under untagged. It should be under untagged and PVID for the port is correct.
Can you do a full export under interface bridge?

incagarcilaso · January 27, 2021, 10:01pm

Sorry, that is my fault for not explaining. In the second part of my post it is just my suggested syntax for making the change. It is not from a print command. I don’t think my syntax is correct.
The first part of the post is the actual VLAN table, showing sfp1 as a trunk port (tagged for all VLANs). I need to know how to change sfp1 to an access port on VLAN 1005 via the command line.
I attach a full export.
Thanks.
326latest.rsc (4.82 KB)

Kindis · January 28, 2021, 7:59am

So having a quick look while between meetings I can see that SFP1 is currently specified as a Tragged only port

add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1

You need to change this to

add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp1 pvid=1005

This mean the port is “access mode” and placed on VLAN 1005
Then you need to change the settings on VLAN 1005

add bridge=BR1 tagged=sfp-sfpplus2 untagged=ether3,ether4,ether5,ether6,ether7,ether8,sfp1 vlan-ids=1005

All i did was to move SFP1 from tagged to untagged.
Doing this, which is what you more or less wrote last in you post, makes SFP1 a access port and will only handle VLAN 1005´.

You should also consider removing SFP1 from all other VLAN’s as tagged as well.

Out of curiosity what is connected to SFP1?

incagarcilaso · January 28, 2021, 8:41am

So having a quick look while between meetings I can see that SFP1 is currently specified as a Tragged only port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1
You need to change this to
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp1 pvid=1005
This sfp1 port has been repurposed to connect a data server with a new 10G interface.
OK. I see you use the “add” command rather than the “set” command. I thought that as sfp1 was already added to the bridge as a tagged trunk port, that in order to CHANGE the configuration I needed to use the “set” command to modify it. Is that also possible? Which is best?
Would the following also have done the same job by modifying the vlan table to have sfp2 as the only tagged port on all vlans (trunk)?
/interface bridge vlan
set vlan-ids=22 tagged=sfp2
set vlan-ids=1005 tagged=sfp2
set vlan-ids=1030 tagged=sfp2
set vlan-ids=1006 tagged=sfp2
set vlan-ids=1015 tagged=sfp2
Then configure sfp1 as an access port on 1005:
/interface bridge port
set bridge=BR1 interface=sfp1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=1005
I suppose my remaining questions are is, first what is the difference between using “set” and “add” when REconfiguring (not initial conifuration) and, second is my code suggestion correct?
Really appreciate your input as it means I can finally open up this 10G route to the server.

Kindis · January 28, 2021, 2:00pm

I will be honest and say I had not thought about Add and Set but I guess Add is adding and Set is changing something already added.
I however do most of this via Winbox as I lile the visual presentation and think that it makes for easier understanding of the configuration.
So I would have used Winbox to change SFP1 port settings to admin only untagged and then made changes to VLAN 1005 so that SFP1 is removed from tagged and added to untagged.

tdw · January 28, 2021, 6:37pm

Generally I find it best not to include any untagged= membership entries under /interface bridge vlan as they will be dynamically added when interfaces are running/up based on the pvid= entries under /interface bridge port. If the untagged membership entries are present you have to remember to update both when changing PVID or weird connectivity issues may result.

I don’t think you can change VLAN membership by interface as the configuration entries are indexed by VLAN IDs, so [ find interface=sfp1 ] has no meaning in this context. You would likely have to use [ find vlan-id=XX ] for each VLAN ID and change the membership from some-interface,sfp1,another-interface to some-interface,another-interface. Somone with a more in-depth knowledge of RouterOS scripting may be able to suggest a set of commands which would loop through all bridge VLAN definitions using regexp to match and update the membership for the interface of interest.

incagarcilaso · February 10, 2021, 3:53pm

Generally I find it best not to include any untagged= membership entries under /interface bridge vlan as they will be dynamically added when interfaces are running/up based on the pvid= entries under /interface bridge port. If the untagged membership entries are present you have to remember to update both when changing PVID or weird connectivity issues may result.

I don’t think you can change VLAN membership by interface as the configuration entries are indexed by VLAN IDs, so [ find interface=sfp1 ] has no meaning in this context. You would likely have to use [ find vlan-id=XX ] for each VLAN ID and change the membership from some-interface,sfp1,another-interface to some-interface,another-interface. Somone with a more in-depth knowledge of RouterOS scripting may be able to suggest a set of commands which would loop through all bridge VLAN definitions using regexp to match and update the membership for the interface of interest.

Great. That all makes sense. Clearer now. I can work it out from all the replies. Many thanks.