To Bridge or Not To Bridge

Hi,

I have a couple of RB2011s that have the 2 different switch chips in them. If I wanted to have a vlan on both switch chips, do they have to be bridged or is adding the master port interface on both chips to the vlan enough? In my initial configuration I added a bridge interface and the vlan to the interfaces.

I still get confused about what is needed to have everything be able to talk to each other. I understand when the CPU needs to be added, but I am confused as to when a bridge is needed vs. when just a VLAN is fine.

Thanks

Mike

You must bridge them if you want devices on switch1 ports to be able to communicate directly with switch2 ports…
switch1 and switch2 are not connected at layer2 by default, so if you want a single VLAN to be available on both of them, then the only way to do that is to bridge them.

Basically, you’d just need to make a bridge which connects the master ports of the two switches.
If you’re using tagged vlans on the switches, you’ll need to put vlan interfaces on the BRIDGE (not on etherX interfaces) if you want the Mikrotik to participate in those vlans as a router.

Ok, thanks for the quick reply. And just to clarify, if I have a trunk on switch one with 5 vlans on it and I want a trunk on switch 2, I need to create a bridge for each vlan and attach the master port on each switch to each vlan. Did I get that correct?

If you don’t need to use all 10 ports, you can also connect ether5 and ether6 with a short patch.
For example, if you set ether1 as master port for ether2,3,4,5 and ether6 as master port for ether7,8,9,10, you will have a sort of fully switched logic (no CPU involved), as you can normally achieve with the CRS line (be careful to set the two switch chips' config correctly).

No.

If you want to bridge the two switches together, move all VLAN interfaces onto the bridge interface (remove them from the master interfaces of the two switches).
Make sure that each switch will send/receive the VLANs on the CPU interface.
The bridge will forward untagged frames and tagged frames alike. It neither knows nor cares what an 802.1q header is.
The VLAN interfaces will recognize the headers and receive the appropriate vlan’s traffic.

If the 2 sides don’t need to talk too much, it might be better to route than bridge.

I have to do this for a 500/50 WAN.

He cannot route if he needs the same vlans on both switches. Bridging is the only option.

Ok, that clears it up. I was thinking that the bridge only was per vlan not that the entire packet with the vlan header was sent to the bridge.

It can also be the way you were thinking it was. It depends on what interface you connect to the bridge.
If you connect a physical ethernet interface, then whatever frames arrive will be placed onto the bridge. Tagged or not.
If you add a vlan interface to a bridge as a port, then the vlan interface will remove the tag and place the untagged frame onto the bridge.

Ok, I think I have it, one more clarification. In our usage the first 5 ports are trunk ports, the last 5 are untagged ports from the different vlans. I put both master ports into the bridge and configure the switch for the proper vlans. One of the vlans is a management vlan and the router attaches to that one. Do I only have to connect the switch CPU to that vlan or do I have to add the vlan to the bridge as an interface as well?

And if there is wireless, that has to connect to a bridge, correct?

Since you’re bridging everything between the two switches, tags and all, then the bridge “gobbles up” the entire CPU interface of the switch - meaning that you now interact with the vlans via the bridge interface - so yes, if you want an IP address on the router on a management VLAN, then add a vlan sub-interface to the bridge interface, and set the mgt IP address on the vlan sub-interface.

Generally speaking, yes - for instance if you’re making the WLAN clients be on the same network as the hard-wired LAN clients, you’ll need to bridge the wlan interface.

I’m not sure if the wlan interface itself supports vlan tagging, but I know the VAPs do (virtual APs) so you could configure your SSID on a VAP instead of on the actual wlan interface, and then put whatever vlan tag on the VAP you wish - so you could very easily have multiple SSIDs which connect to various vlans. And yes, you would add the wlan1 interface to the main bridge, and just let the vlans reach the proper VAP interfaces via the tag - just the same way the IP packets reach the proper vlan sub-interface via their tags.

Thank you so much for all of the help. I think I got most of it configured. One more question. On this particular router I am setting up to replace an old switch and an old router, they have 2 subnets for local workgroups that are different vlans. They are routed into OSPF but never leave this location via trunk, etc. If a vlan is local and not tagged anywhere, the only way to keep them separate is to put them on different bridges since the vlan interface into a bridge does not tag, is that correct? (this is assuming it needs to cross the switches).

Do you want the 2011 to act as the router for those two vlans, or is some other device acting as the router for one or more of them?
If you want the 2011 to be the router, then you just add a vlan sub-interface to the bridge, set it to use that vlan’s tag, put the IP address onto the vlan subinterface, and you’re off to the races.

See the trend? The bridge interface is the nexus of everything.
The only exceptions to this will be interfaces which you remove from HW-based switching (set master-port=none)
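
The layout the replies above converge on, written out as an added example (not posted by anyone in the thread): one bridge joining the two master ports, with the router's VLAN interfaces on the bridge. It assumes RouterOS v6 with the `master-port` syntax used in the thread; the bridge name, VLAN IDs 99 and 20, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample values.

```routeros
# Added example; names, VLAN IDs and addresses are constructed placeholders.
# Switch-chip VLAN settings are not shown: as noted in the thread, each chip
# must send/receive the tagged VLANs on its CPU interface.

# Group each chip's ports under its master port (hardware switching)
/interface ethernet
set ether2,ether3,ether4,ether5 master-port=ether1
set ether7,ether8,ether9,ether10 master-port=ether6

# One bridge joins the two chips. The master ports are physical interfaces,
# so the bridge forwards whatever arrives, tagged or untagged.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether6

# The router takes part in a VLAN through a VLAN interface on the BRIDGE,
# not on ether1 or ether6.
/interface vlan
add name=vlan99-mgmt interface=bridge1 vlan-id=99
add name=vlan20-workgroup interface=bridge1 vlan-id=20

# Layer-3 addresses go on the VLAN interfaces
/ip address
add address=192.0.2.1/24 interface=vlan99-mgmt
add address=198.51.100.1/24 interface=vlan20-workgroup
```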

Thank you very much for all of the help, I have been struggling to find documentation on how it all fits together.