Switch chip rules and delivering packets to VLAN interfaces

I’ve run into a problem with the way the switch chip implements VLAN tagging, and I am searching for a workaround. I expected that packets assigned a VLAN tag via ‘/interface ethernet switch rule’ would be delivered to the appropriate VLAN interface on the RB. Unfortunately, this is not the case.

Tagged packets seem to work properly regardless. As well, untagged packets seem to be forwarded appropriately when the destination is an external device. However, when the destination is the RB750G itself, untagged packets are received on the master port, instead of on the VLAN interface.

For VLAN ID 7 in the below example, tagged packets are received on the interface called “vlan7”. However, untagged packets are received on the interface called ether2-trunk. My question: How can I make tagged and untagged vlan7 packets received by the RB show up on the same vlan7 interface?

P.S. I know this is easy to solve using bridges; however, the whole point of using the switch chip was better performance.

# RouterOS 4.16
#
/interface ethernet
set 0 mac-address=00:0C:42:A1:44:53 master-port=ether2-trunk mtu=1500 name=ether1-slave
set 1 mac-address=00:0C:42:A1:44:54 master-port=none name=ether2-trunk 
set 2 mac-address=00:0C:42:A1:44:55 master-port=ether2-trunk name=ether3-slave
set 3 mac-address=00:0C:42:A1:44:56 master-port=ether2-trunk name=ether4-slave
set 4 mac-address=00:0C:42:A1:44:57 master-port=ether2-trunk name=ether5-slave
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=add-if-missing vlan-mode=secure
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
/interface ethernet switch rule
add copy-to-cpu=no disabled=no mirror=no new-vlan-id=7 redirect-to-cpu=no switch=switch1 vlan-header=not-present \
  ports=ether1-slave,ether2-trunk,ether3-slave,ether4-slave,ether5-slave
/interface ethernet switch vlan
add disabled=no ports=ether1-slave,ether2-trunk,ether3-slave,ether4-slave,ether5-slave,cpu switch=switch1 vlan-id=7
/interface vlan
add arp=enabled comment="" disabled=no interface=ether2-trunk l2mtu=1520 mtu=1500 name=vlan7 use-service-tag=no vlan-id=7

Hi,

I think you need to enable this in your switch rule:
redirect-to-cpu=yes

Otherwise, RouterOS cannot see the packet and it will not be handled by VLAN interfaces on the RB!

I’m really having a hard time here. I’ve tried redirect but it still doesn’t work.

I see this on the remote:

21:35:29.843898 ARP, Request who-has 192.168.2.2 tell 192.168.2.1, length 42
21:35:29.844051 ARP, Reply 192.168.2.2 is-at 00:14:bf:3c:1c:1b, length 28

On the Mikrotik, I see both the request and reply on the master port. However, the vlan interface does not receive the reply. Has anyone tested this?

Yes, I tried implementing this exact type of configuration. MikroTik does not support it. The best way around it is to use an external router. I’ve thought about trying to loop two ports back to back, so… ether1 as VLAN trunk connected to ether2, which is a master port… although I’ve never really gotten around to testing this. Seems like it’d work, but since it chews up two ports it only slightly makes sense on an RB493AH (not G). Still, a horrible (and possibly non-functioning) hack.

Is there any news about that? Is this resolved in v6.x?

ROS 6.2 has more support for switch chip VLAN features than ROS 5.x.