tag all untagged traffic - can't get it working

MerijnB · August 26, 2019, 11:24am

Hi all,

I’m doing some first steps into separation with VLAN’s. There are some unmanaged switches in the network, so to make live easier on myself the plan was to let my 2011UiAS-2HnD tag all untagged traffic, so that further down the line everything is tagged.
To test this I’ve done:

/interface ethernet switch port
set 1 default-vlan-id=10 vlan-header=add-if-missing

However, when I torch this port, or the bridge where this port is part of, I still only see untagged traffic. Do I misunderstand how this feature works? Any other way to add a default VLAN tag to all untagged traffic?

Thanks!

sebastia · August 26, 2019, 4:40pm

Sniffing takes place “close” to physical layer, and tagging might not have happened yet. Have you tried sniffing a trunk port down the hill?

Wrt config, there are few entries, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples.
Is the vlan 10 already defined under “switch vlan”?

pe1chl · August 26, 2019, 6:11pm

Correct config for a port that adds some tag to untagged traffic is this:

set 1 default-vlan-id=10 vlan-header=always-strip

i.e. you have to see the command as it is working outbound, not inbound.

Also remember that not all switch chips can do hybrid ports! So you may not be able to have some traffic untagged and other traffic tagged on the same port.
In that case you might have to apply that configuration to the bridge, where it is done in software.
E.g. on the 2011 ports 6-10 are examples of this (impossible to run as hybrid ports in the hardware switch)

MerijnB · August 26, 2019, 6:32pm

Sniffing further down the hill is kinda hard (I think?), cause after this the router will NAT network to the outside, where should I sniff?

Wrt config, there are few entries, see > https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples> .
Is the vlan 10 already defined under “switch vlan”?

No. But while you mention this, I read on multiple places there is a difference between ‘interface VLAN’ and ‘bridge VLAN’ (or something similar), which confuses me quite a bit.
I do have a VLAN configured in a bridge.

But just to take 1 step at a time I was hoping to tackle this untagged traffic ‘problem’.

MerijnB · August 26, 2019, 6:34pm

But always-strip will strip existing VLAN tags, right? That should not happen, on this port both correctly tagged and untagged traffic will be received.

i.e. you have to see the command as it is working outbound, not inbound.

I can’t really follow this, can you elaborate a bit please?

Also remember that not all switch chips can do hybrid ports! So you may not be able to have some traffic untagged and other traffic tagged on the same port.
In that case you might have to apply that configuration to the bridge, where it is done in software.
E.g. on the 2011 ports 6-10 are examples of this (impossible to run as hybrid ports in the hardware switch)

I’ve realized that ports 6-10 can’t do hybrid (that’s why I’m testing on port 1 for now).

But more in general, is tagging all untagged traffic the way to go here?

Thanks all!

mkx · August 27, 2019, 5:32am

The config command you posted a few posts back indicates that you’re configuring VLANs on switch chip.

So there are two ways of doing it:

On switch chip
You configure things in /interface ethernet switch port and /interface ethernet switch vlan configuraton subtrees.
The first one essentially configures ingress behaviour (or, rather, mix of behaviours: default-vlan-id is for ingress, while vlan-header is for egress) and the second one egress behaviour.
On bridge
You configure things in /interface bridge port and /interface bridge vlan configuration subtrees. In addition to that, you have to set vlan-filtering=yes on VLAN-aware bridge.
The first one configures ingress behaviour and the second one configures egress behaviour.

In both cases you configure “L2.5” using /interface vlan … which exposes individual VLANs for L3 setup.

I advise you to read through this tutorial. It is about the bridge vlan setup (#2 in my list above), it helps to understand some basic concepts and the way they’re implemented in ROS. If you decide to go with switch chip (#1) way, you can adapt configuration later, conceptually it is similar but perhaps a bit harder to grasp the details if you start to do it without some good background.

MerijnB · August 27, 2019, 8:36am

I do have a VLAN configured in a bridge.

The config command you posted a few posts back indicates that you’re configuring VLANs on switch chip.

So there are two ways of doing it:

On switch chip
You configure things in /interface ethernet switch port and /interface ethernet switch vlan configuraton subtrees.
The first one essentially configures ingress behaviour (or, rather, mix of behaviours: default-vlan-id is for ingress, while vlan-header is for egress) and the second one egress behaviour.

On bridge
You configure things in /interface bridge port and /interface bridge vlan configuration subtrees. In addition to that, you have to set vlan-filtering=yes on VLAN-aware bridge.
The first one configures ingress behaviour and the second one configures egress behaviour.

In both cases you configure “L2.5” using /interface vlan … which exposes individual VLANs for L3 setup.

I advise you to read through this tutorial. It is about the bridge vlan setup (#2 in my list above), it helps to understand some basic concepts and the way they’re implemented in ROS. If you decide to go with switch chip (#1) way, you can adapt configuration later, conceptually it is similar but perhaps a bit harder to grasp the details if you start to do it without some good background.

Tx mkx, much appreciated.

I realised there are two different ways of doing VPN’s, and it confuses the heck out of my because of two reasons:

I don’t really know the practical differences between the two
When I’m reading a tutorial, I can’t tell which of both methods is being used

Regarding this situation:

I’d like multiple ports to act as ‘single switch’ (what I think is called a bridge)
I’d like to run 2 VLAN’s on that ‘bridge’
I can choose if for one of those VLAN’s I leave all traffic untagged, or I need to let the board tag it

What would be the best approach for this, which method, and do I use untagged traffic or should I tag it all?

Thanks so much!

mkx · August 27, 2019, 9:48am

The mentioned tutorial is explaining the “bridge VLAN” (mentioned as #2 on my list). What you describe you want to do is perfectly doable.

The tutorial briefly touches the “hybrid” setup - one VLAN untagged (native) and the rest of VLANs tagged, but also notes that hybrid access is a bit problematic. It is advisable to configure all VLANs are tagged … which doesn’t mean it can not be untagged on the ethernet ports.

MerijnB · August 27, 2019, 10:58am

I’m having a hard time digesting this one, can you elaborate a little bit please?

mkx · August 27, 2019, 11:00am

Did you study the tutorial I linked in one of my previous posts?

MerijnB · August 27, 2019, 11:07am

Yes, although I’m quite sure I couldn’t place all when I read it, I’ll re-read it with the extra context you’ve given me and get back if I have questions after that.
Thanks!

anav · August 28, 2019, 3:49pm

I concur with MKX always best to have clean breaks (port is trunk and tagged) or port is access and incoming is untagged and stripped of any tag going back to device etc..
However there is one reference that attempts to discuss the hybrid setup. I have not tried it though.

Scroll down to image 4.
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

CZFan · August 29, 2019, 8:01pm

Where hybrid ports are possible, the “always strip” will only remove the tag that matches the pvid of the port, other tags will stay