Good morning, I just purchased a CRS354-48P+4S+2Q+RM switch and I am curious what the consensus is when configuring this switch: do most set up a switch intended for VLANs, access points and network clients utilizing RouterOS or SwOS? This switch will be used as the main switch at a second plant that joins to the first plant through a fiber connection, basically a network extension. I noticed that in SwOS mode you simply set the IP and there are no other settings such as gateway etc. Just unsure what is the best method to go with; I am still fairly new to MikroTik and most switches I have dealt with are not so customizable. Thanks
Concur.
Thank you ^
Basic switch setup example
Example: this one assumes you have a base/management, or at least a trusted, VLAN.
We use ether1 as an emergency access or safe place to configure the device, even if the bridge has some hiccups. Just plug a laptop into ether1, change its IPv4 settings to 192.168.75.2, and with the username and password you should access the device. Besides the trusted VLAN 05, the upstream device (managed switch or router) is sending other example VLANs to the device: vlanClerical (20), vlanGuest (30), vlanProduction (40), vlanWarehouse (50) and vlanTransport (60).
Note: for the bridge itself, we change vlan-filtering=yes as the last step in the config.
/interface bridge
add ingress-filtering=no name=bridgeOffice port-cost-mode=short vlan-filtering=no
# added at the end of the config, once all ports and VLANs are in place:
# set bridgeOffice frame-types=admit-only-vlan-tagged vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=emergaccess
/interface vlan
add interface=bridgeOffice name=trusted-VLAN vlan-id=05
/interface list
add name=MGMT
/interface bridge port
add bridge=bridgeOffice frame-types=admit-only-vlan-tagged interface=ether2 \
comment="connection to an upstream device (router or possibly a managed switch)"
add bridge=bridgeOffice frame-types=admit-only-untagged-and-priority-tagged interface=ether3 \
pvid=20 comment="connection to administration PC"
add bridge=bridgeOffice frame-types=admit-only-untagged-and-priority-tagged interface=ether4 \
pvid=30 comment="connection to public access point"
add bridge=bridgeOffice frame-types=admit-only-untagged-and-priority-tagged interface=ether6 \
pvid=40 comment="connection to production manager PC"
add bridge=bridgeOffice frame-types=admit-only-vlan-tagged interface=ether5 \
comment="connection to downstream switch"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridgeOffice tagged=bridgeOffice,ether2,ether5 vlan-ids=05
add bridge=bridgeOffice tagged=ether2,ether5 untagged=ether3 vlan-ids=20
add bridge=bridgeOffice tagged=ether2 untagged=ether4 vlan-ids=30
add bridge=bridgeOffice tagged=ether2,ether5 untagged=ether6 vlan-ids=40
add bridge=bridgeOffice tagged=ether2,ether5 vlan-ids=50,60
/interface list member
add interface=trusted-VLAN list=MGMT
add interface=emergaccess list=MGMT
/ip address
add address=192.168.0.84/24 interface=trusted-VLAN network=192.168.0.0
add address=192.168.75.1/30 interface=emergaccess network=192.168.75.0
/ip dns
set servers=192.168.0.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=main
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
Oh wow, comprehensive. I actually reset the unit and removed the default configuration; just slowly working on it while I do other things, but thank you. I've just been using Winbox to configure. Thanks for taking the time to help out so much. I've also been watching quite a few videos as I'm trying to figure out how this switch handles a VoIP phone plugged into the port with a PC plugged in through the phone's switch but yet still retains the correct VLAN. Our other switches just seem to automatically assign the correct VLAN to each device in that scenario. Thanks
Some devices are designed to handle two incoming subnets. A VoIP phone is one example. Typically the VoIP phone will expect one VLAN to come through tagged (the VoIP VLAN), and the rest of the data, an untagged VLAN, will be passed through to the PC.
only vlans = TRUNK port
only one untagged subnet = ACCESS port
only one untagged subnet and any number of vlans = HYBRID port
To deal with a hybrid port, let's say ether6 goes to the VoIP phone on vlan80 and its associated PC is fed from vlan20 (work subnet). Ether1 is upstream (router or managed switch), ether5 is a downstream managed switch.
/interface bridge port
# ...
add bridge=bridge frame-types=admit-all interface=ether6 pvid=20 comment="hybrid port"
/interface bridge vlan
# ...
add bridge=bridge tagged=ether1,ether5 untagged=ether6 vlan-ids=20
add bridge=bridge tagged=ether1,ether6 vlan-ids=80
++++++++++++++++++++++++
One should quickly see that the work PC VLAN comes in untagged on ether6 to the VoIP phone and will be passed through to the PC, while the VoIP VLAN comes in tagged on ether6 and will be read by the VoIP phone.
Yes, that does make a lot of sense because the switch I am replacing has all 52 ports tagged with the VoIP VLAN and untagged on the workstation VLANs on various ports. Thanks for following the thread and providing cmd entries.
Can you explain why ingress-filtering=no is used?
You change it to YES once you are ready. That's just the initial commands so you don't accidentally lock yourself out. ^
Are you thinking of vlan-filtering or ingress-filtering?
After thinking about this, the ingress-filtering on the bridge itself isn't that useful. It is controlling what enters the "virtual switch" from the router side, so unless there is software in the router that is crafting raw packets with a VLAN header for a VLAN that isn't in the VLAN table, it would have no effect anyway.
Ingress-filtering is much more important on the other bridge ports (those that connect to external ports).
However, the default is ingress-filtering=yes on both the bridge and the bridge ports, so the question remains: why override the default with ingress-filtering=no on the bridge?
I can understand overriding the port-cost-mode to short (to be compatible with legacy switches that didn't support long cost mode), but even that should be something to consider rather than just setting short cost mode, especially when the default is long and you should have the same cost mode within an RSTP network.
Ahh yes, you are exactly correct, my bad. I was thinking of vlan-filtering; thanks for catching my mistake.
I am curious about this switch: it has 2 x QSFP ports along with a console and mgmt port, but under interfaces I see this:
qsfpplus1-1
qsfpplus1-2
qsfpplus1-3
qsfpplus1-4
qsfpplus2-1
qsfpplus2-2
qsfpplus2-3
qsfpplus2-4
I don't see any references to the mgmt/console ports. I do have the 4 SFP ports accounted for, but I'm not sure why there are 8 QSFP references.
Two different things.
Typically we use ingress filtering as default on all /interface bridge port settings, for both trunk and access port settings. For hybrid where we need both, we allow any frame types (obviously), so I should think there is no harm in keeping the default ingress-filtering=yes ( as it works for both trunk and access port examples).
That is my understanding, but if there is harm then perhaps set ingress filtering here to no as well.
As for the bridge itself, vlan-filtering is turned off initially so as to maintain connectivity on the ether ports until done (after turning it on, all the bridge port settings take effect, and then, at least for me, the bridge often burps and needs to be done more than once; one of the reasons I always do it from my safe off-bridge port).
As for the bridge itself regarding frame-types: whilst hosting VLANs, the purpose of making it VLAN-tagged only is to prevent the rare but possible leakage on vlan1 (untagged traffic).
Each 40G qsfpplus has four 10G channels; the Q stands for Quad (Quad Small Form-factor Pluggable Plus).
So 2 interfaces, qsfpplus1 and qsfpplus2, each with four channels 1-4, total 8.
Ahhh, very cool , thanks.
Quick question guys, just regarding configuring. I have been watching quite a few videos just learning tips and setup tricks. When configuring access ports, are there different ways to do it? I ask because this switch right now is just standalone on my desk, so I am running vlan filtering while setting up so I can watch devices plugged in show up to confirm. I had watched one video where "access port" configuration simply configured the actual port PVID; is this normally the way it is handled? I assumed you would go into that VLAN and actually "untag" the port. For example, if you wanted your PC on VLAN33, can you either go to the PORT, choose your port and assign "33" to PVID, or go to VLAN, choose your VLAN and specifically "untag" that port? Which way is correct? Can I assume PVID assignment automatically assigns as untagged on that port?
I do apologize for converting this original post into basically a VLAN setup on ROUTEROS.
Thanks
There are shortcuts, for example, but until you understand the basics it's best to leave that till later.
For example, by setting a pvid on an interface bridge port (access), it automatically creates an interface bridge vlan entry, but that can be misleading if there is additional complexity. Best to manually put in the correct settings for now in /interface bridge vlan.
It isn't either set pvid or untag the port. Both are required, although the second may be done automatically for you (creating dynamic entries in the vlan table). You must set the pvid (if you want it to be other than the default 1). From at least 7.15 forward, the dynamic untagged entries were reworked to make it work better (I assume in cases where a single /interface/bridge/vlan line had multiple vlans in the vlan-ids list).
See the release notes for 7.15, What's new in 7.15 (2024-May-29 15:44), where you will see this:
*) bridge - reworked dynamic VLAN creation;
In 7.16 dynamic entries for the bridge as tagged are added when a vlan interface is created. See the release notes for What's new in 7.16 (2024-Sep-20 16:00), where you will see:
*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;
*) bridge - added message about who created a dynamic VLAN entry;
There are three things that have to be configured when using vlans on the vlan-aware bridge (vlan-filtering=yes), and that does not include the firewall and address lists: the vlan table, port configurations (two parts, ingress and egress), and vlan interfaces (for vlans that will be connected to the router engine/CPU).
Two of the three affect the "switch" part of the bridge.
- vlan table - defines the vlans, and what bridge ports have access to the vlans. The vlan table is a property of the "virtual vlan-aware switch" part of the bridge, and it can either be dynamically created for you by ROS (by setting pvid or by creating a vlan interface) or explicitly created with a line in /interface/bridge/vlan that has the vlan-ids with one or more vlan numbers. I prefer to have a separate line for each vlan instead of putting a list of vlan ids on one line, although it is not a requirement; however, there are cases where having more than one vlan id will cause problems (access ports). This can happen behind the scenes without explicit commands; recent versions of ROS (7.16+) will also configure the tagged connection to the bridge (interface) when a vlan interface is created. This also defines what ports will transmit traffic for the vlan with or without a tag (egress traffic for the vlan from the bridge port).
- port configuration - the egress part of this is done above. The ingress (to the virtual switch) is done with the command /interface/bridge/port, and it allows you to specify the pvid as well as what will be accepted by the bridge port. You can filter by frame type (tagged/untagged/all) as well as blocking invalid vlans at the door (ingress-filtering).
- If you want the router to have access to a vlan, you must create a vlan interface; it is the "connection" from the specified vlan on the virtual switch to an interface on the router.
You can view the vlan table with the cli command: /interface/bridge/vlan/print
More links in this post and those following it.
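To make the ingress/egress split described above concrete, and to show how the hybrid-port example earlier in the thread (ether6 carrying the phone's tagged vlan80 plus the PC's untagged vlan20, ether1/ether5 as trunks) behaves frame by frame, here is an added Python model of the per-port decisions a vlan-aware bridge makes. It is an illustration written for this thread, not RouterOS code or any poster's configuration; the port names and VLAN table are constructed from the example above, and MAC learning, STP and priority-tagged (VID 0) frames are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One /interface bridge port entry: the ingress side of the configuration."""
    pvid: int = 1
    frame_types: str = "admit-all"  # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged
    ingress_filtering: bool = True

@dataclass
class Bridge:
    ports: dict                                # port name -> Port
    vlans: dict = field(default_factory=dict)  # vid -> {"tagged": set, "untagged": set} (the vlan table)

    def add_vlan(self, vid, tagged=(), untagged=()):
        self.vlans[vid] = {"tagged": set(tagged), "untagged": set(untagged)}

    def ingress(self, port_name, vid=None):
        """Frame arrives on port_name; vid=None means untagged. Returns the VLAN it joins, or None if dropped."""
        p = self.ports[port_name]
        if vid is not None and p.frame_types == "admit-only-untagged-and-priority-tagged":
            return None                        # access port refuses tagged frames
        if vid is None and p.frame_types == "admit-only-vlan-tagged":
            return None                        # trunk port refuses untagged frames
        vlan = p.pvid if vid is None else vid  # untagged frames are classified into the port's pvid
        if p.ingress_filtering:                # drop VLANs this port is not a member of in the table
            m = self.vlans.get(vlan)
            if m is None or port_name not in (m["tagged"] | m["untagged"]):
                return None
        return vlan

    def egress(self, vlan, in_port):
        """Egress side: which member ports forward the frame, and whether they send it tagged."""
        m = self.vlans.get(vlan, {"tagged": set(), "untagged": set()})
        out = {p: "tagged" for p in m["tagged"] if p != in_port}
        out.update({p: "untagged" for p in m["untagged"] if p != in_port})
        return out

    def forward(self, in_port, vid=None):
        vlan = self.ingress(in_port, vid)
        return {} if vlan is None else self.egress(vlan, in_port)

def hybrid_port_bridge():
    """Constructed table matching the hybrid-port post: ether1/ether5 trunks, ether6 phone + PC."""
    trunk = dict(frame_types="admit-only-vlan-tagged")
    br = Bridge({"ether1": Port(**trunk), "ether5": Port(**trunk),
                 "ether6": Port(pvid=20, frame_types="admit-all")})
    br.add_vlan(20, tagged=["ether1", "ether5"], untagged=["ether6"])
    br.add_vlan(80, tagged=["ether1", "ether6"])
    return br
```

Calling `hybrid_port_bridge().forward("ether6")` shows the PC's untagged frame leaving both trunks tagged with 20, while `forward("ether6", 30)` returns nothing because ingress-filtering drops a VLAN the port is not a member of.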