Is it possible to do VLAN ID translation on the devices with the switch chip as RB3011 or only on CRS3xx/5xx?
I have one managed DELL switch which allows IP to be assigned only on VLAN ID 1, but the main network is using management VLAN with ID 99.
I would like to use it in a way, that there will be a trunk port between RB3011 and DELL switch for all VLANs, while the switch itself will be accessible from VLAN 99. Is it possible to set ROS in a way that DELL’s VLAN ID 1 will be translated to VLAN 99?
Edit: solved by adding “a loopback patch cable” to one port with native VLAN 1 and access port VLAN 99.
(assuming none of the vlans are going to other ports on the MT… )
Vlan1 is carried implicitly by Mikrotik on the bridge setting so it does not need defining anywhere else.
At your end, the dell switch can be told that vlan99 is the management vlan.
The dell needs an IP address on the Vlan 99 subnet, static is best regardless if you tesll the dell which is the managment vlan.
As per any managed switch, all ports will have the default vlan1 sitting in the background.
The only time vlan1 is removed from a port is if the port is either an access port going to a dumb device, or is a hybrid port and thus there is one untagged vlan that is in the mix which replaces vlan1.
Thanks for reply, @anav. And thanks for your other content here as well, together with stuff from @pcunite, it was very helpful for me in setting the VLANs in ROS.
This is unfortunately not possible. That way I use my CRS, IP is set for VLAN 99 on CRS, but it’s not possible on this DELL, confirmed by a DELL guy.
No, the 28xx does not have the functionality to allow the IP to be assigned to specific VLANs. It assigns to VLAN 1.
Daniel Mysinger, Dell EMC, Enterprise Engineer
I will try the following:
On RB3011 there will be one trunk port for CRS (99 for management, other VLANs for CRS access ports) + one hybrid port for DELL.
On hybrid port will be a trunk for DELL’s access ports + untagged for DELL management. Is that possible?
Let’s say DELL will have 192.168.199.2. On RB3011 should I assign 192.168.199.1 to the bridge? Or create the VLAN interface with ID 1 and assign an IP to it?
Thats fine… but remember what I said, vlan1 does not go away on any port that is tagged only ports that are untagged due to being an access port or a hybrid port.
So all you need to do is send all the Vlans on a trunk port from MT to a trunk port on DELL.
The default subnet for dell switches is i t hink 192.168.2.0/24 so simply enter the switch and chagne the iP parameters to match the managment vlan subnet, DONE.
If you are indeed talking about Dell 28xx series, I agree with @pe1chl (at least if I am interpreting what he said correctly).
Here is what I would do in your situation: (it isn’t best practice, but I don’t think there is any other solution if you want to be able to manage the Dell switches from vlan 99 on the rest of your network.)
Create what MikroTik calls a hybrid (trunk interface with on vlan untagged) using the vlan filtering bridge. Set the pvid of the MikroTik side to 99. Set the pvid of the trunk port on the Dell switch to 1. This with “translate” vlan 99 on the MikroTik switch to vlan 1 on the Dell switch. If you have any “other” ports on the Dell switch that are members of vlan 1, they will be connected to the management vlan, so that will require more caution on your part, because the default is that every port is a member of vlan 1 and the pvid is 1. i.e. by default every Dell Switch port will be a vlan 1 access port.
If you are indeed talking about Dell 28xx series, and you are able to waste another port on the switch, you can intentionally introduce a vlan mismatch by connecting two vlans in the switch together with a short jumper cable between two access ports (one in vlan 1 and one in vlan 99 in your case). See this https://www.dell.com/community/Networking-General/VLAN-error-with-Dell-Powerconnect-28xx/td-p/7910710/page/3. But then you must disable STP.
In my opinion, in the case of the “fixed management config semi-managed switches”, you may as well just use vlan 1 on the Dell switch and use intentional vlan mismatching to do the translation, because “patching” it into vlan 99 isn’t going to offer any additional security. To the Dell switch, what the rest of the network considers to be vlan 99, will appear to the dell switch to be vlan 1.
This is indeed the solution I wanted to suggest.
Of course it can be tricky when you have been using VLAN 1 for another purpose in the entire network, e.g. the default local network.
Such situations easily arise when the network has a long legacy: initially there are no VLANs at all, then some are introduced but the legacy situation is configured as untagged VLAN 1.
It may be difficult to incorporate switches like this (I have worked with others that have similar limitations) in a network where you want a separate management VLAN…
When you are starting your network fresh, avoid the use of VLAN 1 for operational data. Don’t use it at all, or use it as the management VLAN.
I made it work using a hybrid port. RB3011 port to the DELL has untagged for 99 (just an example, actually it’s another ID) and tagged for other VLANs used there.
I will introduce a more complex overview of my setup. I run a home lab network connected with other “locations”. I made a plan for VLANs and IPs in a way, that there is a list of location IDs and purpose IDs. E.g. the lab is 10, the apartment with my wife is 30, the neighbor 40, our cottage (via wireguard) 70, etc.
Then 1 is for generic lan, 2 for generic wifi, 3 for guests, etc., and 9 for management. So e.g. lab’s management VLAN ID is 19 and subnet 192.168.19.0/24, and the neighbor’s generic WiFi has ID 42 and subnet 192.168.42.0/24.
At my lab are the main router RB3011, cAP ac, and CRS326, so they use management VLAN 19.
The DELL is at the apartment, so it’s connected via that hybrid port with ID 39. It works, it gets an IP from DHCP, etc.
There will be connected 2x cAP to the DELL. One at the same location, and another in the neighborhood. So one should use VLAN 49 - that works, 39 goes as tagged through the DELL to that cAP where is VLAN 49 configured as well. But it will not work for cAP where I wanted 39 as well.
It’s not possible to use the same ID for tagged and untagged on the same port in ROS, AFAIK.
The idea was, that if there will will be tagged traffic on the port, it will leave as is, including 39. And when it’s not tagged (DELL’s management VLAN 1), it will add 39 (untagged 39).
Maybe it’s too complex, but I am trying to learn more about VLANs generally, about VLANs in ROS and this is one of the ways. Easy setups are … easy and don’t bring new knowledge. I know it could be easier to use some other CRS instead of DELL. But it costs something + wife will allow only a fanless switch in that room. I use now DELL 2824 as I have it here for a setup, but in her room will be 2816 - 16 ports fanless version - silent. I am not aware of any Mikrotik 16+ ports fanless for a reasonable price. I have a few spare DELL switches and they are for about 45EUR (refurbished). Another reason why I play with VLANs is, that I want to prevent the situation where somebody will plug their device at their location into our common network and they will gain access to my lab’s management VLAN or somewhere else.
I use now DELL 2824 as I have it here for a setup, but in her room will be 2816 - 16 ports fanless version - silent. I am not aware of any Mikrotik 16+ ports fanless for a reasonable price. I have a few spare DELL switches and they are for about 45EUR (refurbished). Another reason why I play with VLANs is, that I want to prevent the situation where somebody will plug their device at their location into our common network and they will gain access to my lab’s management VLAN or somewhere else.