Trouble with switch chip VLANs on RB3011

Hi everyone

I am trying to configure an RB3011 for VLAN switching using the built-in chips.

I’ve struggled for most of the day, trying various configs. The latest one is included below.

I’d greatly appreciate a review of the below, with suggested changes, or notes on mistakes made. Thanks.

Devices plugged into the access ports 7-10 do not acquire the relevant DHCP IP from the VLAN which is linked to that port.

My understanding is that adding the VLANs to the first bridge on switch1 should carry the VLAN traffic over the LAN trunk between ports 5 and 6, but this isn’t happening. Is this correct?

I’ve only included relevant config.

Router: RB3011 with RouterOS 6.45.7

VLANs:

VLAN IDs according to future expansion plans

1: vlan_default
4: vlan_voice
6: vlan_data

Ports:

eth_01 - ISP_01 data
eth_02 - ISP_01 voice
eth_03 - ISP_02 data & voice
eth_04 - WAN trunk to remote site
eth_05 - LAN trunk cabled to eth_06

eth_06 - LAN trunk cabled to eth_05
eth_07 - vlan_data
eth_08 - vlan_data
eth_09 - vlan_data
eth_10 - vlan_voice to PBX

/interface bridge
add name=bridge_switch1
add name=bridge_switch2

/interface bridge port
add bridge=bridge_switch1 interface=eth_04 hw=yes
add bridge=bridge_switch1 interface=eth_05 hw=yes
add bridge=bridge_switch2 interface=eth_06 hw=yes
add bridge=bridge_switch2 interface=eth_07 hw=yes
add bridge=bridge_switch2 interface=eth_08 hw=yes
add bridge=bridge_switch2 interface=eth_09 hw=yes
add bridge=bridge_switch2 interface=eth_10 hw=yes

/interface ethernet switch vlan
add switch=switch1 vlan-id=1 ports=eth_04,switch1-cpu
add switch=switch1 vlan-id=1 ports=eth_05,switch1-cpu
add switch=switch1 vlan-id=4 ports=eth_04,eth_05
add switch=switch1 vlan-id=6 ports=eth_04,eth_05
add switch=switch2 vlan-id=1 ports=eth_06,switch2-cpu
add switch=switch2 vlan-id=6 ports=eth_06,eth_07
add switch=switch2 vlan-id=6 ports=eth_06,eth_08
add switch=switch2 vlan-id=6 ports=eth_06,eth_09
add switch=switch2 vlan-id=4 ports=eth_06,eth_10

/interface vlan
add name=vlan_default vlan-id=1 interface=bridge_switch1
add name=vlan_voice vlan-id=4 interface=bridge_switch1
add name=vlan_data vlan-id=6 interface=bridge_switch1

/ip address
add address=192.168.10.1/30 interface=eth_01
add address=192.168.20.1/30 interface=eth_02
add address=192.168.30.1/30 interface=eth_03
add address=192.168.1.1/24 interface=vlan_default
add address=192.168.4.1/24 interface=vlan_voice
add address=192.168.6.1/24 interface=vlan_data

/interface ethernet switch port
set eth_04 vlan-mode=secure
set eth_05 vlan-mode=secure
set eth_06 vlan-mode=secure
set eth_07 vlan-mode=secure default-vlan-id=6
set eth_08 vlan-mode=secure default-vlan-id=6
set eth_09 vlan-mode=secure default-vlan-id=6
set eth_10 vlan-mode=secure default-vlan-id=4
set switch1-cpu vlan-mode=secure

/ip pool
add name=pool_vlan_default ranges=192.168.1.20-192.168.1.254
add name=pool_vlan_voice ranges=192.168.4.20-192.168.4.254
add name=pool_vlan_data ranges=192.168.6.20-192.168.6.254

/ip dhcp-server
add name=dhcp_vlan_default address-pool=pool_vlan_default disabled=no interface=vlan_default lease-time=23h59m
add name=dhcp_vlan_voice address-pool=pool_vlan_voice disabled=no interface=vlan_voice lease-time=23h59m
add name=dhcp_vlan_data address-pool=pool_vlan_data disabled=no interface=vlan_data lease-time=23h59m

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1

/ip dns
set servers=1.1.1.1,8.8.8.8,208.67.220.220 allow-remote-requests=yes

It’s written on the official wiki and I have recently written it in another topic, but let me summarize it again here.

The tagging or untagging operation is done right at ingress of the frame into the switch. So if a tagless frame arrives at the ingress port of the switch, and the ingress port’s default-vlan-id matches the egress port’s default-vlan-id, the frame continues to the egress port tagless. If the egress port’s default-vlan-id differs from the ingress port’s one, the frame gets tagged already at ingress and continues to the egress port tagged.

If a frame arrives tagged at the ingress port, and the VID in its VLAN tag matches the egress port’s default-vlan-id, the frame gets untagged at ingress; if the VID in its VLAN tag differs from the egress port’s default-vlan-id, it continues to the egress port tagged.

The same logic is mimicked on the software bridge when its vlan-filtering is set to yes, with one significant difference - on the switch chip, you can set the default-vlan-id of a port to 0, which is not possible on the bridge. When vlan-filtering on the bridge is set to no, no tagging/untagging is done on it.

What I never really found out is whether the auto value of default-vlan-id on the switch chip port is actually translated to 1 or not. But if it is, it means that frames which belong to VLAN 1 egress tagless from ports with default-vlan-id=auto, and so they will appear tagless on the bridge if that’s the case for the switchX-cpu port. Hence, the IP (or other) configuration for VLAN 1 must not be linked to /interface vlan name=vlan-default vlan-id=1 interface=bridge but to the /interface bridge itself. In fact, the row of /interface bridge actually holds configuration of two related but distinct objects - the software bridge itself (to which things like protocol-mode, vlan-filtering etc. are related) and the virtual port of the bridge looking towards the higher layers of the network stack (to which parameters like pvid are related, and to which the L3 configuration is linked, and which becomes the carrier interface for the /interface vlan used internally.)
By setting default-vlan-id to 0 on the switchX-cpu port you’ll also get frames belonging to VLAN 1 sent to the bridge tagged, but if you set vlan-filtering at the bridge to yes, you also have to set the bridge’s pvid to something other than 1.

Other than that, I have never tried multiple rows in /interface ethernet switch vlan with the same vlan-id and switch values. So misinterpretation of this configuration when pushing it to the switch may be another source of your issue. Please replace each group of rows sharing the same vlan-id and switch values by a single one with the complete list of member ports.
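Added example (not from either poster): a small Python model of the ingress tag/untag rule the reply describes, plus a helper that consolidates the `/interface ethernet switch vlan` rows from the original post into one row per switch and vlan-id, as the reply recommends. It assumes numeric default-vlan-id values (0 meaning "never untag", as the reply states for the switchX-cpu port) and does not resolve the open question of what `auto` maps to.

```python
import re

def egress_tagged(tag_vid, ingress_pvid, egress_pvid):
    """Decide, at ingress, how a frame will leave the egress port.

    tag_vid      -- VID from the frame's 802.1Q tag, or None if untagged
    ingress_pvid -- default-vlan-id of the port the frame arrived on
    egress_pvid  -- default-vlan-id of the port the frame leaves through
    Returns (vid, tagged). A frame is untagged only when its VID equals
    the egress port's default-vlan-id; default-vlan-id=0 never untags,
    which is why the reply suggests it for the switchX-cpu port.
    """
    vid = ingress_pvid if tag_vid is None else tag_vid
    untag = egress_pvid != 0 and vid == egress_pvid
    return vid, not untag

# Rows copied from the original post's '/interface ethernet switch vlan' block.
SWITCH_VLAN_ROWS = [
    "add switch=switch1 vlan-id=1 ports=eth_04,switch1-cpu",
    "add switch=switch1 vlan-id=1 ports=eth_05,switch1-cpu",
    "add switch=switch1 vlan-id=4 ports=eth_04,eth_05",
    "add switch=switch1 vlan-id=6 ports=eth_04,eth_05",
    "add switch=switch2 vlan-id=1 ports=eth_06,switch2-cpu",
    "add switch=switch2 vlan-id=6 ports=eth_06,eth_07",
    "add switch=switch2 vlan-id=6 ports=eth_06,eth_08",
    "add switch=switch2 vlan-id=6 ports=eth_06,eth_09",
    "add switch=switch2 vlan-id=4 ports=eth_06,eth_10",
]

ROW = re.compile(r"add switch=(\S+) vlan-id=(\d+) ports=(\S+)$")

def merge_switch_vlan_rows(lines):
    """Union the port lists of rows sharing (switch, vlan-id).

    Keeps first-seen order of groups and of ports, so the output is one
    RouterOS 'add' line per VLAN per switch with the full member list.
    """
    groups = {}  # (switch, vlan-id) -> ordered list of member ports
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # not a switch-vlan row; leave it to the operator
        key = (m.group(1), int(m.group(2)))
        ports = groups.setdefault(key, [])
        for p in m.group(3).split(","):
            if p not in ports:
                ports.append(p)
    return ["add switch=%s vlan-id=%d ports=%s" % (sw, vid, ",".join(ports))
            for (sw, vid), ports in groups.items()]

if __name__ == "__main__":
    for row in merge_switch_vlan_rows(SWITCH_VLAN_ROWS):
        print(row)
```

Paste the merged lines back under `/interface ethernet switch vlan` after removing the duplicates; the model function is only there to reason about which frames the cpu port will hand to the bridge tagged.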