VLAN configuration on CRS


A flat network (no VLANs), 192.168.120.0/24.
Now we need to implement a SIP telephony service, but there is a requirement: SIP traffic must be isolated.
Therefore we need to implement VLANs on the switches.
I searched for info on this and found two solutions:

So please help me find a solution.

Export the config of the CRS.

I have simplified the scheme.


Config CRS112:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.120.202/24 192.168.120.0   ether1-master


[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME                                  MTU MAC-ADDRESS       ARP        MASTER-PORT                                SWITCH
 0 R  ether1-master                        1500 6C:3B:6B:62:A8:35 enabled    none                                       switch1
 1  S ether2                               1500 6C:3B:6B:62:A8:36 enabled    ether1-master                              switch1
 2  S ;;; buh pc's
      ether3                               1500 6C:3B:6B:62:A8:37 enabled    ether1-master                              switch1
 3 RS ether4                               1500 6C:3B:6B:62:A8:38 enabled    ether1-master                              switch1
 4 RS ;;; videoserver (dina home)
      ether5                               1500 6C:3B:6B:62:A8:39 enabled    ether1-master                              switch1
 5  S ;;; videoserver (main)
      ether6                               1500 6C:3B:6B:62:A8:3A enabled    ether1-master                              switch1
 6  S ;;; dina pc
      ether7                               1500 6C:3B:6B:62:A8:3B enabled    ether1-master                              switch1
 7 RS ;;; uplink
      ether8                               1500 6C:3B:6B:62:A8:3C enabled    ether1-master                              switch1
 8  S sfp9                                 1500 6C:3B:6B:62:A8:3D enabled    ether1-master                              switch1
 9  S sfp10                                1500 6C:3B:6B:62:A8:3E enabled    ether1-master                              switch1
10  S sfp11                                1500 6C:3B:6B:62:A8:3F enabled    ether1-master                              switch1
11  S sfp12                                1500 6C:3B:6B:62:A8:40 enabled    ether1-master                              switch1


[admin@MikroTik] > interface ethernet switch print
                                                     name: switch1
                                                     type: QCA-8511
                                              bridge-type: customer-vid-used-as-lookup-vid
                      drop-if-no-vlan-assignment-on-ports:
  drop-if-invalid-or-src-port-not-member-of-vlan-on-ports: ether1-master,ether4,ether5
                                 unknown-vlan-lookup-mode: svl
                                     forward-unknown-vlan: yes
                          use-svid-in-one2one-vlan-lookup: no
                          use-cvid-in-one2one-vlan-lookup: yes
                                      mac-level-isolation: yes
                                    multicast-lookup-mode: dst-ip-and-vid-for-ipv4
                         override-existing-when-ufdb-full: no
                                      unicast-fdb-timeout: 5m
                                          ingress-mirror0: switch1-cpu,unmodified
                                          ingress-mirror1: switch1-cpu,unmodified
                                     ingress-mirror-ratio: 1/1
                                           egress-mirror0: switch1-cpu,modified
                                           egress-mirror1: switch1-cpu,modified
                                      egress-mirror-ratio: 1/1
                                                 fdb-uses: mirror0
                                                vlan-uses: mirror0
                        mirror-egress-if-ingress-mirrored: no
                                 mirror-tx-on-mirror-port: no
                             mirrored-packet-qos-priority: 0
                          mirrored-packet-drop-precedence: green
                           bypass-vlan-ingress-filter-for:
                         bypass-ingress-port-policing-for:
                      bypass-l2-security-check-filter-for:


[admin@MikroTik] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID PORTS                                                  SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP
 0 D    4095 switch1-cpu                                            no  no    no    no             none
 1       100 ether1-master                                          no  yes   no    no             none
             ether4
 2       200 ether1-master                                          no  yes   no    no             none
             ether5


[admin@MikroTik] /interface ethernet switch> ingress-vlan-translation print
Flags: X - disabled, I - invalid, D - dynamic
 0   ports=ether5 service-vlan-format=any customer-vlan-format=any customer-vid=0 new-customer-vid=200 pcp-propagation=no sa-learning=yes

 1   ports=ether4 service-vlan-format=any customer-vlan-format=any customer-vid=0 new-customer-vid=100 pcp-propagation=no sa-learning=yes

 2 D ports="" service-vlan-format=any customer-vlan-format=any new-customer-vid=4095 pcp-propagation=no sa-learning=no


[admin@MikroTik] /interface ethernet switch> egress-vlan-tag print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID TAGGED-PORTS
 0 D    4095
 1       100 ether1-master
 2       200 ether1-master

Config CRS125:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; lan
     192.168.120.203/24 192.168.120.0   ether1-master-local


[admin@MikroTik] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME                                  MTU MAC-ADDRESS       ARP        MASTER-PORT                                SWITCH
 0 R  ether1-master-local                  1500 4C:5E:0C:98:B9:BB enabled    none                                       switch1
 1    ;;; internet
      ether2-slave-local                   1500 4C:5E:0C:98:B9:BC enabled    none                                       switch1
 2  S ether3-slave-local                   1500 4C:5E:0C:98:B9:BD enabled    ether1-master-local                        switch1
 3 RS ;;; Storage2
      ether4-slave-local                   1500 4C:5E:0C:98:B9:BE enabled    ether1-master-local                        switch1
 4  S ;;; esx3 iLo
      ether5-slave-local                   1500 4C:5E:0C:98:B9:BF enabled    ether1-master-local                        switch1
 5  S ether6-slave-local                   1500 4C:5E:0C:98:B9:C0 enabled    ether1-master-local                        switch1
 6  S ;;; esx3
      ether7-slave-local                   1500 4C:5E:0C:98:B9:C1 enabled    ether1-master-local                        switch1
 7  S ether8-slave-local                   1500 4C:5E:0C:98:B9:C2 enabled    ether1-master-local                        switch1
 8  S ether9-slave-local                   1500 4C:5E:0C:98:B9:C3 enabled    ether1-master-local                        switch1
 9  S ether10-slave-local                  1500 4C:5E:0C:98:B9:C4 enabled    ether1-master-local                        switch1
10  S ether11-slave-local                  1500 4C:5E:0C:98:B9:C5 enabled    ether1-master-local                        switch1
11 RS ether12-slave-local                  1500 4C:5E:0C:98:B9:C6 enabled    ether1-master-local                        switch1
12  S ether13-slave-local                  1500 4C:5E:0C:98:B9:C7 enabled    ether1-master-local                        switch1
13  S ether14-slave-local                  1500 4C:5E:0C:98:B9:C8 enabled    ether1-master-local                        switch1
14  S ether15-slave-local                  1500 4C:5E:0C:98:B9:C9 enabled    ether1-master-local                        switch1
15  S ether16-slave-local                  1500 4C:5E:0C:98:B9:CA enabled    ether1-master-local                        switch1
16  S ;;; esx2
      ether17-slave-local                  1500 4C:5E:0C:98:B9:CB enabled    ether1-master-local                        switch1
17  S ;;; esx2
      ether18-slave-local                  1500 4C:5E:0C:98:B9:CC enabled    ether1-master-local                        switch1
18  S ;;; esx
      ether19-slave-local                  1500 4C:5E:0C:98:B9:CD enabled    ether1-master-local                        switch1
19  S ;;; esx iLo
      ether20-slave-local                  1500 4C:5E:0C:98:B9:CE enabled    ether1-master-local                        switch1
20  S ether21-slave-local                  1500 4C:5E:0C:98:B9:CF enabled    ether1-master-local                        switch1
21  S ether22-slave-local                  1500 4C:5E:0C:98:B9:D0 enabled    ether1-master-local                        switch1
22  S ;;; c2950
      ether23-slave-local                  1500 4C:5E:0C:98:B9:D1 enabled    ether1-master-local                        switch1
23  S ether24-slave-local                  1500 4C:5E:0C:98:B9:D2 enabled    ether1-master-local                        switch1
24  S sfp1-slave-local                     1500 4C:5E:0C:98:B9:D3 enabled    ether1-master-local                        switch1


[admin@MikroTik] /interface ethernet switch> print
                                                     name: switch1
                                                     type: QCA-8513L
                                              bridge-type: customer-vid-used-as-lookup-vid
                      drop-if-no-vlan-assignment-on-ports:
  drop-if-invalid-or-src-port-not-member-of-vlan-on-ports: ether1-master-local,ether4-slave-local,ether6-slave-local
                                 unknown-vlan-lookup-mode: svl
                                     forward-unknown-vlan: yes
                          use-svid-in-one2one-vlan-lookup: no
                          use-cvid-in-one2one-vlan-lookup: yes
                                      mac-level-isolation: yes
                                    multicast-lookup-mode: dst-ip-and-vid-for-ipv4
                         override-existing-when-ufdb-full: no
                                      unicast-fdb-timeout: 5m
                                          ingress-mirror0: switch1-cpu,unmodified
                                          ingress-mirror1: switch1-cpu,unmodified
                                     ingress-mirror-ratio: 1/1
                                           egress-mirror0: switch1-cpu,modified
                                           egress-mirror1: switch1-cpu,modified
                                      egress-mirror-ratio: 1/1
                                                 fdb-uses: mirror0
                                                vlan-uses: mirror0
                        mirror-egress-if-ingress-mirrored: no
                                 mirror-tx-on-mirror-port: no
                             mirrored-packet-qos-priority: 0
                          mirrored-packet-drop-precedence: green
                           bypass-vlan-ingress-filter-for:
                         bypass-ingress-port-policing-for:
                      bypass-l2-security-check-filter-for:



[admin@MikroTik] /interface ethernet switch> vlan print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID PORTS                                                  SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP
 0 D    4095 ether2-slave-local                                     no  no    no    no             none
             switch1-cpu
 1       100 ether1-master-local                                    no  yes   no    no             none
             ether4-slave-local
 2       200 ether1-master-local                                    no  yes   no    no             none
             ether6-slave-local


[admin@MikroTik] /interface ethernet switch> ingress-vlan-translation print
Flags: X - disabled, I - invalid, D - dynamic
 0   ports=ether6-slave-local service-vlan-format=any customer-vlan-format=any customer-vid=0 new-customer-vid=200 pcp-propagation=no sa-learning=yes

 1   ports=ether4-slave-local service-vlan-format=any customer-vlan-format=any customer-vid=0 new-customer-vid=100 pcp-propagation=no sa-learning=yes

 2 D ports=ether2-slave-local service-vlan-format=any customer-vlan-format=any new-customer-vid=4095 pcp-propagation=no sa-learning=no



[admin@MikroTik] /interface ethernet switch> egress-vlan-tag print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID TAGGED-PORTS
 0 D    4095
 1       100 ether1-master-local
 2       200 ether1-master-local

Now the VLANs are isolated (Wireshark approved):

  1. pc1 can ping pc2
  2. pc3 can ping pc4
     but
  3. CRS112 cannot ping CRS125
  4. I can't connect to any switch from ports 4 and 5 on CRS112
  5. I can't connect to any switch from ports 4 and 6 on CRS125

How can I resolve this?
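As an added example (not part of this thread, and not MikroTik's code), the following Python checker parses the CRS112 "vlan print" and "egress-vlan-tag print" tables posted above and reports, per VLAN, which ports are members, which of them send the VLAN tagged or untagged, and whether the CPU port is a member. On the CRS1xx switch chip the CPU port has to be listed in a VLAN's port membership for the switch's own IP address to be reachable through that VLAN; neither VLAN 100 nor VLAN 200 above lists switch1-cpu, which is consistent with points 4 and 5. The sample input is copied from the tables in the post, the function names (parse_vlan_table, audit_vlans, cpu_fix_commands, run_audit) are the example's own, the CPU port name is taken from the dynamic 4095 entry, and the suggested "set" commands assume the goal is to manage the switches from inside VLAN 100 and 200.

```python
import re

# Constructed sample input: the CRS112 tables as posted in this thread
VLAN_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID PORTS                                                  SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP
 0 D    4095 switch1-cpu                                            no  no    no    no             none
 1       100 ether1-master                                          no  yes   no    no             none
             ether4
 2       200 ether1-master                                          no  yes   no    no             none
             ether5
"""

EGRESS_TAG_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID TAGGED-PORTS
 0 D    4095
 1       100 ether1-master
 2       200 ether1-master
"""

CPU_PORT = "switch1-cpu"  # switch-chip port towards the RouterOS CPU (from the 4095 entry)

# Entry line: index number, optional flag letters, VLAN id, optional first port.
ENTRY_RE = re.compile(r"^\s*\d+\s+([XID]*)\s+(\d+)(?:\s+(\S+))?")


def parse_vlan_table(text):
    """Parse 'vlan print' or 'egress-vlan-tag print' output into
    {vlan_id: {"dynamic": bool, "ports": [...]}}.
    RouterOS wraps additional ports onto continuation lines that carry
    only the port name, so those are appended to the current entry."""
    table, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Flags:", "#")):
            continue  # header lines
        m = ENTRY_RE.match(line)
        if m:
            flags, vid, first_port = m.group(1), int(m.group(2)), m.group(3)
            current = table.setdefault(vid, {"dynamic": "D" in flags, "ports": []})
            if first_port:
                current["ports"].append(first_port)
        elif current is not None:
            current["ports"].append(stripped.split()[0])
    return table


def audit_vlans(vlans, egress_tags):
    """For each user VLAN, report member ports, which of them send the VLAN
    tagged or untagged, ports tagged on egress without being members
    (a configuration inconsistency), and whether the CPU port is a member."""
    findings = []
    for vid, entry in sorted(vlans.items()):
        if entry["dynamic"]:
            continue  # 4095 is the chip's built-in default entry, not a user VLAN
        members = list(entry["ports"])
        tagged = set(egress_tags.get(vid, {"ports": []})["ports"])
        findings.append({
            "vlan": vid,
            "members": members,
            "tagged": sorted(tagged & set(members)),
            "untagged": [p for p in members if p not in tagged],
            "tagged_non_members": sorted(tagged - set(members)),
            "cpu_is_member": CPU_PORT in members,
        })
    return findings


def cpu_fix_commands(findings):
    """RouterOS commands that would add the CPU port to each VLAN lacking it.
    Assumption: the switches are meant to be managed from inside these VLANs."""
    return [
        f"/interface ethernet switch vlan set [find vlan-id={fd['vlan']}] "
        f"ports={','.join(fd['members'] + [CPU_PORT])}"
        for fd in findings if not fd["cpu_is_member"]
    ]


def run_audit(vlan_print=VLAN_PRINT, egress_print=EGRESS_TAG_PRINT):
    findings = audit_vlans(parse_vlan_table(vlan_print), parse_vlan_table(egress_print))
    return findings, cpu_fix_commands(findings)


if __name__ == "__main__":
    findings, fixes = run_audit()
    for fd in findings:
        print(f"VLAN {fd['vlan']}: tagged={fd['tagged']} untagged={fd['untagged']} "
              f"cpu_is_member={fd['cpu_is_member']} tagged_non_members={fd['tagged_non_members']}")
    for cmd in fixes:
        print("suggested:", cmd)
```

Paste the two tables from the other switch (CRS125) into run_audit to get the same report for it; the script only reads the printed tables and never talks to the device, so the suggested commands can be reviewed before anything is changed.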

Try removing this here:

drop-if-invalid-or-src-port-not-member-of-vlan-on-ports:

And what do you mean in items 4 and 5?

Removed 'drop-if-invalid-or-src-port-not-member-of-vlan-on-ports' on the switches, but this does not help.

And what do you mean in items 4 and 5?

I can't connect from the VLAN 100 and VLAN 200 ports to the switches.