VLAN - hybrid port - untagged VLAN 1

lrn23 · April 29, 2019, 11:49am

Hello,
is it possible to configure hybrid port with untagged VLAN 1? I need to configure one port with one or more VLANs (tagged) and leave there untagged VLAN 1 because of Ubiuqiti Unifi AP. There is not possible to configure management VLAN in Ubiquiti and it has to be untagged VLAN 1 :-/

I have RB3011UiAS running ROS 6.44.

It looks like a problem according to this: http://forum.mikrotik.com/t/rb3011-switch-chip-question/99916/1

Is there any solution? Thank you…

Samot · April 29, 2019, 12:06pm

The post you are referencing is from 2016 and at the end of 2017 how VLANs where done and managed was changed. So that post is irrelevant. Have you tried following the current steps here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering ?

solar77 · April 29, 2019, 12:32pm

https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip
is for VLAN on RB3011

but I think you can still use bridge VLAN as well.

also check this
https://wiki.mikrotik.com/wiki/Manual:Switch_Router#VLAN_switching

so you will need to add VLAN to the bridge and put your hybrid port on the bridge. add IP, DHCP etc as you needed.

from here, you can either use bridge vlan: add VLANs on bridge / VLAN, and configure bridge/port for untagged VLAN 1 and tagged VLAN xx and xx; and enable VLAN filtering on the bridge.

Or you can do switch VLAN, add swtich / VLAN, then configure switch / port , set PVID 1 for the port. in my setup I have untagged VLNA1, tagged VLAN 20 and 30 running on ether2

## set native VLAN1 for ether 2
/interface ethernet switch port
set 0 default-vlan-id=1 vlan-mode=secure
/interface ethernet switch vlan
add ports=ether2 switch=switch1 vlan-id=20
add ports=ether2 switch=switch1 vlan-id=30
add ports=ether2 switch=switch1 vlan-id=1

lrn23 · April 29, 2019, 1:41pm

2 Samot: I know, that there are some changes now. I wanted to know if it’s possible now.

2 solar77: Thank you!

I have to reconfigure this device which is already running somewhere and there is some weird configuration already. There is a bridge and there are 2 switches configured. I assume, that those switches are part of a default config because of two switch chips in this device? So I’m thinking what I have to use for VLANs. Switches or bridge?

Also I’m not sure I understand those switch cpu ports.

solar77 · April 29, 2019, 2:02pm

hi, I have only started to look at VLAN recently . My understanding is that, the switch VLAN only comes into consideration if you wish to have hardware offload for VLAN (the traffic between VLAN ports would be near wire speed because the swhich chip feature support this).

note on the wiki:

For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).

so if you cannot fit all VLAN port on the same switch chip, CPU will be involved in forwarding traffic to another switch chip, you might as well use bridge VLAN for it’s simplicity .

hope this helps you.

lrn23 · April 30, 2019, 10:26am

Thank you. I know about that. But I’m talking about “switch1-cpu” port, which is used here in examples:
https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching

I don’t know how to work with this.

solar77 · April 30, 2019, 11:27am

that I think is to give the CPU (Router) access to your managed VLAN
I have not tried it yet but that’s my understanding.

anav · April 30, 2019, 1:16pm

Some good examples here, one of them with a hybrid port…
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

solar77 · May 1, 2019, 9:22am

thanks ava, good reading. in particular there is a link within the text, to “Manual:Layer2 misconfiguration”

Safety1st · May 14, 2019, 10:40pm

But on my switches RB941-2nD & RB951G-2HnD that disables hardware offloading so that’s why I would like to setup using /interface ethernet switch method.

The same problem for me Here are the settings on RB941-2nD:

But the switch uses tag for egress traffic:

lrn23 · May 22, 2019, 11:07am

Safety1st: Look at this: http://forum.mikrotik.com/t/rb3011-switch-chip-hw-offload-vlan-configuration/129846/1

tdw · May 22, 2019, 12:00pm

Example using switch chip https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_2_.28Trunk_and_Hybrid_Ports.29. Note only QCA8337 & Atheros8327 switch chips support hybrid ports, it is not possible to have hardware switched hybrid ports on your RB941-2nD.

minks · August 30, 2020, 4:43pm

On 100Mbit Swich Chip only this way:

/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge1 vlan-filtering=yes

/interface vlan
add interface=bridge1 name="Untagged VLAN" vlan-id=1
add interface=bridge1 name=VLAN99 vlan-id=99

/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=ether1

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=1
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99

/ip address
add address=192.168.120.1/24 interface="Untagged VLAN" network=192.168.120.0
add address=192.168.121.1/24 interface=VLAN99 network=192.168.121.0