Switching vlan filtering

Hello

I will first of all say that I come from Cisco and have little idea how Mikrotik works.

I have bought a CRS125 and would like some help configuring VLANs.

Let’s say I have three VLANs. The CRS will be the gateway for all three so they must be routed.

I want two trunks and one native port. The first trunk will have ONLY vlan 10 and 11, the second ONLY vlan 11 and 12, and an untagged port on vlan 10.

on Cisco I would create the VLANs

vlan 10,11,12

make them routed interfaces

int vlan 10
ip addr 192.168.0.1 255.255.255.0
int vlan 11
ip add 192.168.1.1 255.255.255.0
int vlan 12
ip addr 192.168.2.1 255.255.255.0

then assign them to the physical ports:

int fa0/1
switchport mode trunk
switchport trunk allowed vlan 10,11
int fa0/2
switchport mode trunk
switchport trunk allowed vlan 11,12
int fa0/3
switchport mode access
switchport access vlan 10

So far I have managed to do what I wanted using bridges but I cannot seem to be able to filter the VLANs on trunks.
Would somebody please help me?

Also is there any way to use the hardware switching feature and spanning tree as well?

In RouterOS, creating a bridge interface is roughly analogous to

config t
vlan 10
name TestVLAN
int vlan 10
no ip address
no shut
end

The bridge interface is both the “vlan” entity itself AND the vif.
You connect ports to the bridge - it simply forwards the frames as a dumb switch would. If you connect ether1 and ether2 to bridge1, then bridge1 will forward untagged and tagged frames alike.

If you want ONLY tagged frames on the interfaces, what you do is create vlan interfaces (as they’re called in ROS).
Naming them properly helps, because in other parts of the system, when you pick an interface from a drop-down selector, having 12 interfaces called “vlan10” is not going to be helpful.
I name them E3.10 → Vlan10 subinterface on physical interface ether3.
E4.10 → ether4, vlan 10.
E4.20 → ether4, vlan 20.
Once you create all of these interfaces (cisco would call them subinterfaces) you add these to the appropriate bridges.
So for bridge10, add ports E3.10 and E4.10.
This will give you exactly what you want. You can then make “vlan 10” appear untagged on ether5 by adding ether5 to bridge10 as well. Since you’re connecting the vlan subinterfaces, only the vlan traffic you want will go through. Other tags won’t go onto the wrong bridge.

If you want tagged AND untagged traffic on a trunk interface, then you’re going to have to connect the physical interfaces to the bridge, have no vlan subinterfaces, and then create filter rules in the “forward” chain of the bridge firewall configuration. (action=drop, vlan tag=10, out-interface = ether4 would take vlan 10 off of ether4, for instance)

In RouterOS, the way to add an IP interface to the vlan is easy - just go into IP > Addresses, and add a new IP address (using CIDR notation) and the interface should be the bridge, e.g. bridge10. This would be analogous to:
int vlan10
ip address x.x.x.x 255.255.255.0
no shut
end

The switch menu is how the hardware switching is configured. I’ve never personally used this - I tend not to make bridges out of Mikrotiks very often, and when I do, it’s usually over some form of encapsulated bridge anyway, so hardware switching doesn’t much come into play. If I just want a switch, I use Cisco, Adtran, or HP.

So if I want to have vlan 10 and 20 on two interfaces I should:

create vlan 10 and 20 on ether1
create vlan 10 and 20 on ether2

create a br-vlan10 bridge
create a br-vlan20 bridge

add ether1vlan10 and ether2vlan10 to br-vlan10
add ether1vlan20 and ether2vlan20 to br-vlan20.

OK… a little complicated, but I’ll try. Thanks!
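The per-VLAN-bridge approach from the reply, applied to the original three-VLAN, two-trunk, one-access-port topology. This is an added example, not configuration from either poster; the RouterOS v6 CLI syntax is the pre-6.41 "one bridge per VLAN" style the thread is about, and the interface names (E1.10 etc.), port numbers (ether1/ether2 trunks, ether3 access) and subnets are assumed from the first post.

```routeros
# VLAN subinterfaces: only the tags each trunk is allowed to carry get an interface
# Trunk 1 (ether1): VLAN 10 and 11 only
/interface vlan add name=E1.10 vlan-id=10 interface=ether1
/interface vlan add name=E1.11 vlan-id=11 interface=ether1
# Trunk 2 (ether2): VLAN 11 and 12 only
/interface vlan add name=E2.11 vlan-id=11 interface=ether2
/interface vlan add name=E2.12 vlan-id=12 interface=ether2

# One bridge per VLAN; the bridge is both the "vlan" entity and the L3 interface
/interface bridge add name=br-vlan10
/interface bridge add name=br-vlan11
/interface bridge add name=br-vlan12

# Attach subinterfaces. A tag that has no subinterface on a port
# (e.g. VLAN 12 on ether1) is simply never forwarded onto that port.
/interface bridge port add bridge=br-vlan10 interface=E1.10
/interface bridge port add bridge=br-vlan11 interface=E1.11
/interface bridge port add bridge=br-vlan11 interface=E2.11
/interface bridge port add bridge=br-vlan12 interface=E2.12

# Access port: the physical ether3 joins br-vlan10 untagged
/interface bridge port add bridge=br-vlan10 interface=ether3

# Routed interfaces (equivalent of "interface vlan N / ip address ...")
/ip address add address=192.168.0.1/24 interface=br-vlan10
/ip address add address=192.168.1.1/24 interface=br-vlan11
/ip address add address=192.168.2.1/24 interface=br-vlan12

# Check which port carries which VLAN before plugging anything in
/interface bridge port print
/interface vlan print
```

Because the forwarding happens in software bridges, the CRS125 switch chip is bypassed for these ports; the "switch" menu the reply mentions is a separate configuration path.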