VLAN - best practice?

Sn1p3r · April 3, 2019, 11:35am

Hello,

My current setup works without a problem, but I would like to check with community is there maybe a better, “cleaner” way to do it.

ether7:
Business network, untagged traffic - this port is tagging all traffic to ID 104

ether8:
WiFI Network, tagged traffic (ID 100 guests, ID 17 access points)
CIsco switches and WLC that are tagging traffic.

sfp1:
Link to Core Gateway

What is the best way to deal with ports that I just want to trunk already tagged traffic?
What is the best way of tagging traffic from specific port and pushing it out?

Current configuration is attached.
konfiguracija.rsc (4.85 KB)

TheCiscoGuy · April 9, 2019, 8:35pm

What device model is this on?

Sn1p3r · April 10, 2019, 8:48pm

This is CCR1009-8G-1S-1S+

TheCiscoGuy · April 10, 2019, 9:12pm

Due to the nature of bridges, I always put the vlans on the physical interfaces then create a bridge for each vlan, I don’t rely on the bridges switch logic for vlan filtering (and I believe it is disabled by default anyways). That method is only for the CCR platforms though which is why I asked.

Jotne · April 11, 2019, 4:32am

That is the old way of doing it. See my post here where I did learn VLan.
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1

There are many many post explaining Vlan on this forum, just do a search,

anav · April 11, 2019, 5:42pm

For vlan bridges, this is by far the best resource…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

millenium7 · April 16, 2019, 1:33am

The benefit of the ‘old’ way is VLAN rewriting
i.e. you can bridge VLAN101 coming in on ether1 to VLAN105 on ether2
Any traffic coming in as VLAN101 on ether1 gets its VLAN tag rewritten as 105 going out ether2 and vice versa
I believe the ‘new’ method cannot do that, you can only tag/untag but you can’t change the tag

anav · April 17, 2019, 10:55pm

Interesting functionality what is the use case for that scenario vice simply using one vlan for both subnets??
Obviously there seems to be a reason to have two VLANS vice one and normally if there is some degree of sharing (common printer etc) then firewall can be made so that the connectivity needed exists at layer 3.

Jotne · April 18, 2019, 6:12am

We hva joined two company that did have more or less the same setup, but different VLAN, så it could be used there, but we did instead using cable from VLAN x on one port to VLAN y on another port to join the VLAN together. Works but not recommended. So later all the VLAN was harmonized.

millenium7 · April 19, 2019, 11:44pm

Company acquisition with overlapping VLAN’s
Intentionally merging 2 tagged VLAN’s as if it were one, like a router-on-a-stick config at layer2 during the above (requires MSTP to not cause a loop)
Connections to other providers/customers i.e. they specify they need connectivity on VLAN 10 but you already use that VLAN for something else. You can bring it in on 500 and rewrite as 10 to them
I’ve had to do this when I needed to split 2 customers for PPPoE policy routing (Customer A goes 1 way, Customer Y goes the other) but it was cleaner and easier to not modify things on the customer side as I wanted all radio configs to be exactly the same so if/when that customer leaves the radio is re-used elsewhere it keeps working without needing anything changed. Was a mikrotik in front of it that simply rewrote VLAN X as VLAN Y, easier on the installers
I suppose you could use it for tagging of services in a way. i.e. VLAN10 everywhere, as above makes it easier with equipment moves, but you rewrite as ‘1110’ for location 1, ‘1210’ for location 2 etc. Q-in-Q would be better but maybe its not supported on some equipment