Consultation on “VLAN filtering” and “hardware offloading” issues

Hello, my English is not good, so I am posting one copy in Chinese and one from translation software.
I bought eighty hAP ac^2 devices.
I want port-to-port traffic to be switched by the switch chip, and each port's VLAN to be obtained through RADIUS using dot1x MAC address authentication. How should I configure this?
I followed the tutorial, which requires enabling “VLAN filtering” on the bridge. After enabling “VLAN filtering”, all traffic is switched through the CPU.

This is my config.

/interface bridge
add name=vlan_B vlan-filtering=yes
/interface vlan
add interface=vlan_B name=vlan9 vlan-id=9
/interface wireless security-profiles
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=pw radius-called-format=mac radius-mac-authentication=\
    yes radius-mac-format=XXXXXXXXXXXX radius-mac-mode=\
    as-username-and-password supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm 
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge \
    security-profile=pw ssid=mgzyy-ros
set [ find default-name=wlan2 ] disabled=no frequency=auto mode=ap-bridge \
    security-profile=pw ssid=mgzyy-ros
/interface bridge port
add bridge=vlan_B interface=ether1
add bridge=vlan_B interface=ether2
add bridge=vlan_B interface=ether3
add bridge=vlan_B interface=ether4
add bridge=vlan_B interface=wlan1
add bridge=vlan_B interface=wlan2
add bridge=vlan_B interface=ether5
/interface bridge vlan
add bridge=vlan_B tagged=ether1,vlan_B,wlan1,wlan2 vlan-ids=9
add bridge=vlan_B tagged=ether1,vlan_B,wlan1,wlan2 vlan-ids=2
add bridge=vlan_B tagged=ether1,vlan_B,wlan1,wlan2 vlan-ids=3
add bridge=vlan_B tagged=ether1,vlan_B,wlan1,wlan2 vlan-ids=4
add bridge=vlan_B tagged=ether1,vlan_B,wlan1,wlan2 vlan-ids=11
/interface dot1x server
add auth-types=mac-auth interface=ether2 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX
add auth-types=mac-auth interface=ether3 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX
add auth-types=mac-auth interface=ether4 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX
add auth-types=mac-auth interface=ether5 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX
/ip address
add address=1.1.1.67/24 interface=vlan9 network=1.1.1.0
/ip dns
set servers=1.1.1.254
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=1.1.1.254 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/radius
add address=1.1.1.254 service=wireless,dot1x
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.aliyun.com

But this will result in the loss of the H (hw offload) flag in the output of interface bridge port print.

https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading
Your device has an Atheros8327 switch chip, which does not support hardware offload when filtering bridge VLANs.

Thanks.
I know this switch chip does not support hardware offload when filtering bridge VLANs.
What I want to ask is: can I achieve MAC authentication for DOT1X when “vlan filtering = no”?

Not sure, but I guess it’s possible.

Maybe the following is worth a try to test basic functionality first:
According to the online doc at https://help.mikrotik.com/docs/display/ROS/Dot1X, for the server you can use both dot1x and mac-auth as auth-types at the same time; see the description there.

And I think for such recent features it is advisable to use ROS v7, for example when the doc says
“Setting is available only since RouterOS 7.2 version and has an effect when bridge vlan-filtering is enabled”.
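
An added example, not part of any post in this thread and not MikroTik's code: across a fleet of 80 devices, a script like this can scan saved export text for bridges that combine vlan-filtering=yes with dot1x server ports, the combination the thread says loses hardware offload on the Atheros8327. The sample export and the function names `parse_export` and `audit` are constructed for illustration.

```python
import shlex

# Constructed sample: a trimmed export in the shape of the config posted above.
SAMPLE_EXPORT = r"""
/interface bridge
add name=vlan_B vlan-filtering=yes
add name=plain_B
/interface bridge port
add bridge=vlan_B interface=ether1
add bridge=vlan_B interface=ether2
add bridge=plain_B interface=ether3
/interface dot1x server
add auth-types=mac-auth interface=ether2 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX
add auth-types=mac-auth interface=ether3 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=XXXXXXXXXXXX
"""

def parse_export(text):
    """Yield (menu, {key: value}) for every add/set line of a RouterOS export."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):      # the export wraps long lines with a trailing "\"
            pending += line[:-1]     # keep any space before the "\", drop the indent
            continue
        line, pending = pending + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):     # menu path, e.g. "/interface bridge port"
            menu = line
            continue
        yield menu, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)

def audit(text):
    """Map each bridge to its vlan-filtering state, ports and dot1x ports."""
    entries = list(parse_export(text))
    report = {p["name"]: {"vlan_filtering": p.get("vlan-filtering") == "yes",
                          "ports": [], "dot1x_ports": []}
              for m, p in entries if m == "/interface bridge" and "name" in p}
    dot1x = {p["interface"] for m, p in entries
             if m == "/interface dot1x server" and "interface" in p}
    for m, p in entries:
        if (m == "/interface bridge port" and "interface" in p
                and p.get("bridge") in report):
            report[p["bridge"]]["ports"].append(p["interface"])
            if p["interface"] in dot1x:
                report[p["bridge"]]["dot1x_ports"].append(p["interface"])
    return report

if __name__ == "__main__":
    for bridge, info in audit(SAMPLE_EXPORT).items():
        print(bridge, info)
```

A bridge reported with `vlan_filtering` true and a non-empty `dot1x_ports` list is in the same situation as the posted config.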