Time for VLAN confessions!

I knew this day would come – I’m hoping people can soften the blow for I have sinned…

Years ago, when I started with MikroTik, I bought the RB1100 (how I remember that fan), and as needs came, I started adding CRS switches. We didn’t use VLANs at the time, so I never bothered. I just kept adding switches and running cable.

Now, the Ubiquiti UniFis want VLANs to handle different networks :frowning:
I really don’t want to have to go to every switch and assign them VLAN IDs including VLAN1 for the legacy equipment.
Yes, I know I should. I should have done it in the first place. And I know it’s like medicine, it’s better if you just swallow it all quickly and get it over with.
But I also know, this will take all weekend, and SOMEWHERE, I’ll screw up something I won’t track down for days! I’m scared! :slight_smile:

In the hopes I can somehow cheat VLAN death…

  • I have mostly legacy items that don’t need VLANs
  • I have a few items like the UniFi that need to be put on VLANs (100, 101, 102)

Must I go to each switch, check the cabling, assign each port VLAN1 save for the trunk ports, or, can I somehow, through magic or sacrifice, leave existing ports untagged, and just add tags to the trunk ports. I don’t think I’ll get away with that, but it’s worth asking.
Also, on the main trunk switch, is the tagging for trunking being done in the hardware, or am I using a software bridge, and am I better off just getting a traditional switch that supports trunking?

You can get away without touching the untagged ports. Due to how RouterOS handles VLANs, it could be as simple as just adding the VLAN interfaces to the proper ports and adding those VLANs to the proper bridge, assuming you have the following scenario or something like it:

R1
|
SW1 — SW2
|
SW3 – UNIFI

Where R1 is your gateway, in this case you’d want to have VLANs 100, 101 and 102 towards the UniFi, assuming everything is bridged, then you’d just need to create the VLANs on the ports that connect:

  • R1 - SW1 (let’s say it’s ether1 in both devices)
  • SW1 - SW3 (let’s say it’s ether2 in both devices)
  • SW3 - UniFi (let’s say it’s ether3 in SW3)

You’d only need to do the following:

#this must be done in all the switches
/interface bridge add name=VLAN100
/interface bridge add name=VLAN101
/interface bridge add name=VLAN102

#this must be done in R1 and SW1
/interface vlan add name=V100-ETH1 vlan-id=100 interface=ether1
/interface vlan add name=V101-ETH1 vlan-id=101 interface=ether1
/interface vlan add name=V102-ETH1 vlan-id=102 interface=ether1

#This must be done in SW1 and SW3
/interface vlan add name=V100-ETH2 vlan-id=100 interface=ether2
/interface vlan add name=V101-ETH2 vlan-id=101 interface=ether2
/interface vlan add name=V102-ETH2 vlan-id=102 interface=ether2

#This must be done in SW3
/interface vlan add name=V100-ETH3 vlan-id=100 interface=ether3
/interface vlan add name=V101-ETH3 vlan-id=101 interface=ether3
/interface vlan add name=V102-ETH3 vlan-id=102 interface=ether3

#This must be done in SW1
#"Trunking VLANs"
/interface bridge port
add interface=V100-ETH1 bridge=VLAN100
add interface=V100-ETH2 bridge=VLAN100 
add interface=V101-ETH1 bridge=VLAN101
add interface=V101-ETH2 bridge=VLAN101
add interface=V102-ETH1 bridge=VLAN102
add interface=V102-ETH2 bridge=VLAN102

#This must be done in SW3
#"Trunking VLANs"
/interface bridge port
add interface=V100-ETH2 bridge=VLAN100
add interface=V100-ETH3 bridge=VLAN100 
add interface=V101-ETH2 bridge=VLAN101
add interface=V101-ETH3 bridge=VLAN101
add interface=V102-ETH2 bridge=VLAN102
add interface=V102-ETH3 bridge=VLAN102

You can just add the IP addresses on the VLAN interfaces created on R1; you shouldn’t have any kind of downtime by doing this.

OK – so here’s what I have

pFsense -----------------------------------------------------CRS Trunk Switch
(100, 101, 102) | | | (All are hybrid ports)
S1 S2 S3
| | | |
UP 100 UP UP
101
102
|
UniFIs


Where UP = untagged ports and the numbers are VLANs.

The pfSense box sends out untagged traffic to the trunk switch on a separate interface to keep things simple. The tagged interface also goes to the trunk switch.
At the trunk switch, I’ve got ten ports active (eth3-eth10). I’ve then created 8 VLAN interfaces and assigned their IDs (100, 101, 102), so now I have 32 “interfaces” – 8 non-tagged and 3 groups of 8 tagged.
I created three bridges (V100, V101, V102).

  • What interfaces do I assign to each bridge? I get that I assign the untagged interfaces to the normal “untagged bridge”, but what about each VLAN interface? Do I assign all -V100 interfaces to V100, all -V101 interfaces to bridge V101, etc.? According to the docs, that means each ingress flow will be “untagged” at the switch, pass through its bridge and be retagged on the way out. And what do I do on S2? I want the tagged traffic to just emerge from a port that the UniFi sees without removing its tag. Do I just assign an ethernet (non-VLAN interface) to that VLAN bridge – meaning the packets will egress with VLAN tags, etc.?

I apologize for being a bit dense here – I know I’m getting close.

Since the previous ASCII art attempt was bad, I have a visio image I can send if it helps…

First, we have a pfSense router with two interfaces – one is for untagged traffic to keep things simple. The other interface is for tagged traffic (VLANs 100, 101, 102). The pfSense box sends out untagged traffic to the trunk switch on a separate interface to keep things simple. The tagged interface also goes to the trunk switch.
At the trunk switch, I’ve got eight ports active (eth3-eth10). I’ve then created 8 VLAN interfaces and assigned their IDs (100, 101, 102), so now I have 32 “interfaces” – 8 non-tagged and 3 groups of 8 tagged.
I created three bridges (V100, V101, V102).

  • What interfaces do I assign to each bridge? I get that I assign the untagged interfaces to the normal “untagged bridge”, but what about each VLAN interface? Do I assign all -V100 interfaces to V100, all -V101 interfaces to bridge V101, etc.? According to the docs, that means each ingress flow will be “untagged” at the switch, pass through its bridge and be retagged on the way out. And what do I do on S2? I want the tagged traffic to just emerge from a port that the UniFi sees without removing its tag. Do I just assign an ethernet (non-VLAN interface) to that VLAN bridge – meaning the packets will egress with VLAN tags, etc.?

I apologize for being a bit dense here – I know I’m getting close.

I suggest looking at 6.41rc and leveraging the new bridge configuration for your VLAN needs.

I shall – what’s special about it? However, I took a shot in the dark and just added the VLANs to the bridges. It works.
So most important, thanks to both of you for the help.

The big thing for me is a way to consistently use VLANs on MikroTik gear while being able to keep the hw-offload or switch chip based acceleration.
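The single-bridge VLAN filtering that the two posts above point at, written here as an added example for this thread and not any poster's own config. It assumes one CRS on RouterOS 6.41 or later and the port roles named in the comments (ether1 tagged trunk from pfSense, ether2 hybrid uplink toward the UniFi side, ether3-ether10 legacy untagged ports), all of which are assumptions.

```routeros
# Added example (not a poster's config): one bridge with VLAN filtering in place
# of one bridge per VLAN. Assumed ports: ether1 = tagged trunk from the pfSense
# VLAN interface, ether2 = hybrid uplink toward the UniFi side,
# ether3-ether10 = legacy devices that stay untagged on VLAN 1.
/interface bridge
add name=bridge vlan-filtering=no comment="turn filtering on last, once the VLAN table is complete"

/interface bridge port
# Trunk from the router: tagged frames only; untagged frames and VLAN IDs
# missing from the VLAN table are dropped at ingress.
add bridge=bridge interface=ether1 pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Hybrid uplink: VLAN 1 untagged plus 100-102 tagged; unknown VLAN IDs still dropped.
add bridge=bridge interface=ether2 pvid=1 frame-types=admit-all ingress-filtering=yes
# Legacy access ports: untagged on VLAN 1; a tagged frame arriving from an end
# device is discarded instead of being bridged into 100-102.
:foreach p in={"ether3";"ether4";"ether5";"ether6";"ether7";"ether8";"ether9";"ether10"} do={
  /interface bridge port add bridge=bridge interface=$p pvid=1 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
}

/interface bridge vlan
# VLAN 1 needs no entry: the pvid=1 settings above create it dynamically as untagged.
add bridge=bridge vlan-ids=100 tagged=ether1,ether2
add bridge=bridge vlan-ids=101 tagged=ether1,ether2
add bridge=bridge vlan-ids=102 tagged=ether1,ether2

# The bridge interface itself keeps pvid=1, so management over the untagged
# legacy VLAN survives the switch-over. Enable filtering only now.
/interface bridge set bridge vlan-filtering=yes

# Checks: an H flag on each port means hardware offload is still active;
# D entries in the VLAN table are the dynamic pvid VLANs.
/interface bridge port print
/interface bridge vlan print
```

Run the two print commands before and after setting vlan-filtering=yes; if the H flag disappears on a port, the combination of settings for that port is being handled in software on that hardware.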