Setup of CRS112-8G-4S-IN with Mgmt VLAN

Hi,

I have just got a CRS112-8G-4S-IN and am having issues setting it up.

I am failing on the first step, of getting it to listen on the management vlan.

I have ether1 as the uplink to the core router, and it is a trunk. ether2-7 will be for devices and ether8 will be a downlink to another CRS112-8G-4S-IN.

The management vlan is 100 and the IP range is 10.0.100.0/24; the core router/gateway is 10.0.100.253. This switch I would like to be 10.0.100.7 (the first 6 are switches running SwOS and are all running well).

I have tried the management vlan example in http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Management_IP_Configuration and I can not connect to 10.0.100.7 (browser, ssh, telnet or even ping that IP (I can access all the other devices on the 10.0.100.0/24 so routing, firewall, etc is fine)).

I did notice that the example does seem to have the ports separate, e.g. ether1, ether2, etc., though on the out of the box/factory reset they are ether1-master-local, ether2-slave-local, etc. Is there something I need to do first? Do I need to unlink them?

Is there a better example/tutorial somewhere which I could use to get the management vlan100 working?

Also is there a good guide I could follow to get to my desired end state (see below)?

Thanks

vlan 100 - Management
vlan 10 - LAN
vlan 20 - Servers
vlan 30 - WiFi

ether1 - Tagged Trunk uplink of all four vlans back to core router, gateway, dhcp, etc
ether2 - untagged 10
ether3 - untagged 10
ether4 - untagged 20
ether5 - untagged 30
ether6 - untagged 10
ether7 - untagged 10
ether8 - Tagged Trunk downlink to downstream switch carrying all four vlans
The switch’s ssh and web listening on vlan100 (either static or dhcp) 10.0.100.7

If you want wire-speed layer 2 switching, then you need the master/slave relationship in place. It doesn’t really matter which port acts as the “master” though, since they all share a single 1 gbps link to the CPU anyway. I’d recommend you do all configuration via the Console port until you have the management interface correctly configured…this prevents you from getting locked out via IP if you make a mistake. Post your config, and we’ll be able to help you much more easily. In fact, I’m pretty sure I can get you set straight, as I also use VLAN 100 for management of my CRS226…your config should end up looking almost identical to mine. Post your export and I’ll see what I can do for you.

Thanks here is my config so far. I have just been working on getting the management side working following the guide on the wiki (http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Management_IP_Configuration) and it isn’t working.

I am doing the config via 192.168.88.1 and after the changes I can still access the switch on this IP.

So I do the following steps:

[admin@MikroTik] > /interface vlan 
[admin@MikroTik] /interface vlan> add name=vlan100-mgmt vlan-id=100 interface=ether1-master-local 
[admin@MikroTik] /interface vlan> /ip address 
[admin@MikroTik] /ip address> add address=10.0.100.7/24 interface=vlan100-mgmt network=10.0.100.0
[admin@MikroTik] /ip address> /interface ethernet switch egress-vlan-tag        
[admin@MikroTik] /interface ethernet switch egress-vlan-tag> add tagged-ports=ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,switch1-cpu vlan-id=100
[admin@MikroTik] /interface ethernet switch egress-vlan-tag> /interface ethernet switch vlan 
[admin@MikroTik] /interface ethernet switch vlan> add ports=ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,switch1-cpu vlan-id=100 learn=yes 
[admin@MikroTik] /interface ethernet switch vlan>

I then plug ether1 into the uplink to the core switch, replacing an existing SwOS switch that was manageable over the vlan100, and I can not access 10.0.100.7.

The current config is:

# jan/02/1970 00:09:30 by RouterOS 6.28
# software id = 9YG2-9AKD
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=sfp9 ] master-port=ether1-master-local name=sfp9-slave-local
set [ find default-name=sfp10 ] master-port=ether1-master-local name=sfp10-slave-local
set [ find default-name=sfp11 ] master-port=ether1-master-local name=sfp11-slave-local
set [ find default-name=sfp12 ] master-port=ether1-master-local name=sfp12-slave-local
/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan100-mgmt vlan-id=100
/port
set 0 name=serial0
/interface ethernet switch egress-vlan-tag
add tagged-ports="switch1-cpu,ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-loc\
    al,ether7-slave-local,ether8-slave-local" vlan-id=100
/interface ethernet switch vlan
add ports="switch1-cpu,ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ethe\
    r7-slave-local,ether8-slave-local" vlan-id=100
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
add address=10.0.100.7/24 interface=vlan100-mgmt network=10.0.100.0
/romon port
add disabled=no
/system routerboard settings
set protected-routerboot=disabled

Thanks again for the help

I have done some port mirroring to see what it is up to.

It is responding to arps asking for 10.0.100.7 and the vlan is tagged as 100.

But pings, telnet, http, ssh just disappear and get no response

So, your egress vlan tag section should only include ether1, ether8, and switch1-cpu, since you said that you’re treating ether2-7 as untagged (access) ports. You’ll use the ingress-vlan-translation section to set the default VLAN ID for those ports.

You didn’t include your ip > firewall section, which may be preventing the communications you want. Also, from where are you trying to access the switch? Another port on the switch, or across the trunk from another part of your network?

I’d recommend that you set ether2 for ingress-vlan-translation to VLAN 100; that way you can plug a laptop directly into the switch, come up on VLAN 100, and see if you can access the management IP from there.

If you post your full config, I can probably just edit that to effectively mirror my own but using your VLAN schema and IP addresses. Just run “export” from the command line and post the full config. It shouldn’t be too long as I don’t think your config is terribly complicated.
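
Added example, not part of any post in this thread and not MikroTik code: a Python check that reads the switch-chip sections of the export posted above (including the backslash-wrapped lines) and reports which ports carry the management VLAN beyond the trunks and the CPU port named in the reply. Applying the same allowed set to the `/interface ethernet switch vlan` membership table, and the function names, are assumptions of this example.

```python
import re

# Switch-chip sections copied from the export posted above (RouterOS 6.28).
EXPORT = r'''
/interface ethernet switch egress-vlan-tag
add tagged-ports="switch1-cpu,ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-loc\
    al,ether7-slave-local,ether8-slave-local" vlan-id=100
/interface ethernet switch vlan
add ports="switch1-cpu,ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ethe\
    r7-slave-local,ether8-slave-local" vlan-id=100
'''

def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line."""
    # A trailing backslash wraps a long line, even mid-word; rejoin first.
    text = re.sub(r"\\\n[ \t]*", "", text)
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def mgmt_vlan_exposure(text, mgmt_vid, allowed):
    """Ports that are members of the management VLAN but not in `allowed`."""
    sections = parse_export(text)
    findings = {}
    for section, field in (
            ("/interface ethernet switch egress-vlan-tag", "tagged-ports"),
            ("/interface ethernet switch vlan", "ports")):
        for entry in sections.get(section, []):
            if entry.get("vlan-id") == str(mgmt_vid):
                ports = {p for p in entry.get(field, "").split(",") if p}
                extra = sorted(ports - set(allowed))
                if extra:
                    findings[field] = extra
    return findings

# Trunks and CPU port from the reply above; assumed here for both tables.
ALLOWED = {"switch1-cpu", "ether1-master-local", "ether8-slave-local"}

if __name__ == "__main__":
    for field, ports in mgmt_vlan_exposure(EXPORT, 100, ALLOWED).items():
        print(f"VLAN 100 {field} includes access ports: {', '.join(ports)}")
```

If ether2 is temporarily placed in VLAN 100 for the laptop test suggested above, add it to `ALLOWED` for that run and remove it afterwards.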

Thanks,

That is my entire config, which I have posted above. Though I did redo it with just ether1, ether8 and the CPU.

What firewall rules should I put in place to allow it? There are currently none, so it should be allow all, correct?