VLAN in pre 6.39 "Bridge Only" config

RouterOS General
1

Hello Folks!

For various reasons I can currently not upgrade so I am stuck to older RoS versions, pre 6.39.

The scenario is very simple, 4 gigabit ethernet trunklines attached to one CCR who is in the middle so to say, a kind of star.
I want to have the CCR being able to pass traffic between the attached switches trunks , no routing.

cisco_switch_a_p1 ← vlan trunk → p5 CCR_a
cisco_switch_b_p1 ← vlan trunk → p6 CCR_a
crs_switch_a_ether1 ← vlan trunk → p7 CCR_a
crs_switch_b_ether1 ← vlan trunk → p8 CCR_a

How do I do this ?

CCR1009-8 switch chip vlan & access ports
2

Sorry, I dont recommend staying on old firmware nor am aware of old ways of doing switches as I am only capable of grasping and barely at that, the single new way of doing it.

This looks like a case for straightforward port vlan, no 802.1q required.

3

One possibility, though most probably not optimal, would be to create vlan interfaces on top of all involved ether interfaces and bridge vlans together. Something like this:

/interface vlan
add interface=ether5 name=e5v100 vlan-id=100
add interface=ether5 name=e5v131 vlan-id=131
add interface=ether6 name=e6v100 vlan-id=100
add interface=ether6 name=e6v215 vlan-id=215
add interface=ether6 name=e6v314 vlan-id=314
add interface=ether7 name=e7v100 vlan-id=100
add interface=ether7 name=e7v314 vlan-id=314
#... and so on for all ports/VLANs combination

/interface bridge
add name=bridge100
add name=bridge131
add name=bridge215
add name=bridge314
# and so on, one bridge per VLAN

/interface bridge port
add bridge=bridge100 port=e5v100
add bridge=bridge100 port=e6v100
add bridge=bridge100 port=e7v100
add bridge=bridge131 port=e5v131
add bridge=bridge215 port=e6v215
add bridge=bridge314 port=e6v314
add bridge=bridge314 port=e7v314
# ... and so on for all combinations of VLANs and ports

If later need arises to route traffic, you can simply add IP addresses to bridges of corresponding VLANs and set proper firewall filters…

4

Big thanks! :slight_smile:

Yes agree, it is not optimal but works till we can upgrade or replace the CCR with a switch instead, thinking about CRS305-1G-4S+IN for that.
Again thanks!

5

Hi Folks!

I have not yet tested the bridge only configuration but will soon do, I am pretty sure it will work.

But if I then later upgrade the CCR to post 6.41(removing the bridge only configuration first), to achieve the same as above but instead using the integrated CCR switch chip, would the configuration be like the below ?

CCR vlans

/interface bridge
add name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether5 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes

/interface ethernet switch vlan
add ports ether5,ether6,ether7 switch=switch1 vlan-id=100
add ports ether5 switch=switch1 vlan-id=131
add ports ether6 switch=switch1 vlan-id=215
add ports ether6,ether7 switch=switch1 vlan-id=314

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=add-if-missing
set ether4 vlan-mode=secure vlan-header=add-if-missing
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

Accessible IP addresses on one VLAN

/interface vlan
add interface=bridge1 vlan-id=131 name=MGMT

/ip address
add address=192.168.88.1/24 interface=MGMT

(MGMT interface in order to being able accessing the router via one of the vlans.)

Thank you all in advance!

6

At quick glance I can spot only one error:
.

/interface ethernet switch vlan
add ports=> switch1-cpu,> ether5 switch=switch1 vlan-id=131

.
In order to “pull” VLAN from switch chip to router’s CPU (read: bridge1), switch1-cpu “port” has to be member of said VLAN.

And I assume that in /interface ethernet switch port you really wanted to configure ports ether5, ether6 and ether7 …

7

Thanks!
I take notes. In lab we now use the bridged only, and it is working, it eats some cpu cycles, it will eventually go in to production.

We now test to upgrade another CCR to see if the switched variant with higher routeros version also works. Then we will decide how to do.

8

I spotted an error myself, it should not be ether1, ether2, ether4 and ether4 in the example, it should off course be ether5, ether6 and ether7

Wrong:
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=add-if-missing
set ether4 vlan-mode=secure vlan-header=add-if-missing

Correct:
/interface ethernet switch port
set ether5 vlan-mode=secure vlan-header=add-if-missing
set ether6 vlan-mode=secure vlan-header=add-if-missing
set ether7 vlan-mode=secure vlan-header=add-if-missing

9

Correct me if I am wrong, here comes the complete code snippet for the switched variants, for higher RoS versions.

CCR vlans

/interface bridge
add name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether5 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether7 hw=yes

/interface ethernet switch vlan
add ports ether5,ether6,ether7 switch=switch1 vlan-id=100
add ports ether5 switch=switch1 vlan-id=131
add ports ether6 switch=switch1 vlan-id=215
add ports ether6,ether7 switch=switch1 vlan-id=314
add ports=switch1-cpu,ether5 switch=switch1 vlan-id=131

/interface ethernet switch port
set ether5 vlan-mode=secure vlan-header=add-if-missing
set ether6 vlan-mode=secure vlan-header=add-if-missing
set ether7 vlan-mode=secure vlan-header=add-if-missing
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

Accessible IP addresses on one VLAN

/interface vlan
add interface=bridge1 vlan-id=131 name=MGMT

/ip address
add address=192.168.88.1/24 interface=MGMT

10

It seems fine to me. But as I don’t have any CCR I xan’t vouch ut will work … many Routerboard devices have their own peculiarities in configuration. Your lab tests will show :wink:

11

Hello Folks!

The lab test show that it is working with one hint.
The hint is, the lab setup did have other ethernet ports, ether1 though ether4 and some other vlans and ip addresses, otherwise the lab setup was exactly as above.

The device used was CCR1009 which has a builtin switch chip that is configurable for ether1->ether4.

Another observation was that we could migrate another in production CCR1009.
We did all steps down to “/interface vlan” as described above.
The migration was simply using set and switch from ether3 to bridge1, e.g. moving the vlans to the bridge.
It actually worked without interruptions and any further configuration.

The migration step become:
/interface vlan
set interface=bridge1 vlan-id=131 name=MGMT

Prior the vlan had interface=ether3.