[Solved] CRS309 not accessible after adding VLANs

Good evening (o;

Thought it deserves its own thread (o;

Got now two CRS309 switches up and running with two VLANs…10 and 62…10 is the local LAN and 62 is the providers /29 v4 and /60 v6 range…

All is running fine except I can’t access the switches anymore…

From a tutorial I configured this:

/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=10
/ip address add address=10.0.2.1/16 interface=BASE_VLAN

So that the management IP is in the local LAN VLAN 10…but to no joy…

Anything else I’ve been missing?

Interface BR1 has to be tagged member of VLAN 10 …

/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10

Adapt the command above to suit your situation (e.g. add other tagged ports to the list, untagged as well).

You mean like all ports which are involved in forwarding traffic from the source host to the management IP?

So if a PC is connected to sfp-sfpplus2 port, I just need to add:

/interface bridge vlan
add bridge=BR1 untagged=sfp-sfpplus2 vlan-ids=10

I’m only guessing as you did not post current configuration. But assuming that other devices, connected to CRS, can communicate with each other, only CRS can not …
A bridge has two personalities: one is “switch like” and forwards frames between member ports … the other personality is an interface which allows the router/switch to interact with the network. And (confusing as it might be) you should treat the bridge interface just like you’d treat any other interface. So if the router/switch needs to interact with VLAN 10, you have to explicitly add the bridge interface to the list of tagged members of said VLAN. This will then allow the bridge (switch-like personality) to forward frames to the device CPU as well.
On top of that comes the vlan interface, pinned to the bridge interface. Vlan interfaces are merely pipes which take tagged frames on one end (the one pinned to the lower interface) and deliver them untagged on the other end (the one that gets a name upon vlan interface creation) … and the opposite in the opposite direction (they accept untagged frames on the “free” end, tag them and push them out on the pinned end).

Yes…all the ports are working now as expected, even between the two CRS309 switches :)
though only after I did a /system reset-configuration and added the VLAN settings…and thanks to the serial console.

Indeed the VLAN concept is a bit strange for me in RouterOS…coming from Cisco IOS/JunOS…but you know the price tag when going 10Gig with them (o;

I tried today to set BR1 as tagged for VLAN10…but then I lost all VLAN10 access ports connectivity…maybe I misconfigured it…
will try tomorrow morning as it is already late here…

Is there any good documentation about switching for RouterOS besides the Wiki, as it was not really helpful for me so far…


cheers and a good night
richard

There’s a nice tutorial about configuration of VLANs on ROS.

That’s the exact tutorial I followed…but how to access the switch from an access port is missing..it only talks about a separate VLAN for management terminated on another router…

The above command won’t work:

[admin@MikroTik] /interface bridge vlan> add bridge=BR1 tagged=BR1 vlan-ids=10
failure: vlan already added

Seems there can only be one tagged VLAN10 port…

[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                           VLAN-IDS  CURRENT-TAGGED                                           CURRENT-UNTAGGED            
 0   BR1                                              10        sfp-sfpplus1                                             sfp-sfpplus3                
                                                                                                                         sfp-sfpplus2                
 1   BR1                                              62        sfp-sfpplus1                                             sfp-sfpplus8                
 2 D BR1                                              1                                                                  BR1

The config looks like:

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
add admin-mac=74:4D:28:8D:13:71 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus6 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus7 pvid=62
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus8 pvid=62
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1
/interface bridge vlan
add bridge=BR1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=10
add bridge=BR1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus7,sfp-sfpplus8 vlan-ids=62

Right, you can’t add the same combination of bridge and vlan-ids twice. Instead you have to change the existing definition using the set command. I couldn’t write the exact command because I didn’t know the configuration you currently have.

Here’s the command to be run:

/interface bridge vlan
set [ find bridge=BR1 vlan-ids=10 ] tagged=sfp-sfpplus1,BR1 untagged=sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6

Probably it’s not necessary to set the untagged= this time as we’re not changing that part of config … but doesn’t really hurt either.

You’re a genius :)

Works now for both CRS309 switches (o;

Now I understand what I did/understood wrong…
“set” command doesn’t add a config line to an existing configuration, it replaces it…therefore it just replaced the tagged ports with BR1 only…

So you have to explicitly merge existing tagged ports to the new config line…

[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                           VLAN-IDS  CURRENT-TAGGED                                           CURRENT-UNTAGGED            
 0   BR1                                              10        BR1                                                      sfp-sfpplus2                
                                                                sfp-sfpplus1                                             sfp-sfpplus3                
                                                                                                                         sfp-sfpplus4                
 1   BR1                                              62        sfp-sfpplus1                                             sfp-sfpplus8                
 2 D BR1                                              1                                                                  BR1

cheers and
happy new year again :)

richard
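
Added example, not part of any post in this thread and not MikroTik code: a Python check over a RouterOS export that flags VLAN interfaces whose parent bridge is missing from the tagged list of its own VLAN, and builds a set command that keeps the ports already tagged. The sample export is constructed from the configuration posted above, and the function names are made up for this example.

```python
import shlex

# Constructed sample: VLAN interface from the first post + abbreviated export.
EXPORT = """\
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=10
/interface bridge vlan
add bridge=BR1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus2,sfp-sfpplus3 vlan-ids=10
add bridge=BR1 tagged=sfp-sfpplus1 untagged=sfp-sfpplus7,sfp-sfpplus8 vlan-ids=62
"""

def parse_export(text):
    """Return {menu: [properties of each 'add' line]}."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):  # menu line, optionally with an inline add
            menu, _, rest = line.partition(" add ")
            line = "add " + rest if rest else ""
        if line.startswith("add "):
            pairs = (kv.split("=", 1) for kv in shlex.split(line)[1:] if "=" in kv)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def vlan_ids(spec):
    """Expand a vlan-ids value such as '10', '10,62' or '100-110'."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(text):
    """List (vlan interface, suggested command) where the CPU is cut off."""
    menus = parse_export(text)
    table = menus.get("/interface bridge vlan", [])
    findings = []
    for vif in menus.get("/interface vlan", []):
        parent, vid = vif["interface"], int(vif["vlan-id"])
        rows = [r for r in table if r["bridge"] == parent]
        hits = [r for r in rows if vid in vlan_ids(r["vlan-ids"])]
        if rows and not hits:  # bridge has a VLAN table but no entry: add is safe
            cmd = f"add bridge={parent} tagged={parent} vlan-ids={vid}"
            findings.append((vif["name"], cmd))
        for r in hits:
            tagged = [p for p in r.get("tagged", "").split(",") if p]
            if parent not in tagged:  # set replaces the list: keep existing ports
                merged = ",".join(tagged + [parent])
                cmd = f"set [ find bridge={parent} vlan-ids={r['vlan-ids']} ] tagged={merged}"
                findings.append((vif["name"], cmd))
    return findings
```

Each suggested command is meant to be run under /interface bridge vlan; it changes only tagged=, so the untagged ports of the entry stay as they are.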