VLAN Not filtering in Bridge

Hi everyone, I need some help: why are my VLANs not filtering or functioning, and why can the access-port VLANs not ping the router gateway? Can anyone assist me?

CONFIGURATION ROUTER AND 2 SWITCH

ROUTER (2 VLAN 1025, 1026)

// FOR TRUNK
[admin@ROUTER] > interface vlan add name=ether1-vlan1025 vlan-id=1025 interface=ether1
[admin@ROUTER] > interface vlan add name=ether1-vlan1026 vlan-id=1026 interface=ether1
[admin@ROUTER] > interface vlan add name=ether2-vlan1025 vlan-id=1025 interface=ether2
[admin@ROUTER] > interface vlan add name=ether2-vlan1026 vlan-id=1026 interface=ether2
[admin@ROUTER] > interface bridge add name=BR_VL
[admin@ROUTER] > interface bridge port add bridge=BR_VL interface=ether1
[admin@ROUTER] > interface bridge port add bridge=BR_VL interface=ether2
[admin@ROUTER] > interface vlan add interface=BR_VL name=VLAN1025 use-service-tag=yes vlan-id=1025
[admin@ROUTER] > interface vlan add interface=BR_VL name=VLAN1026 use-service-tag=yes vlan-id=1026
[admin@ROUTER] > ip address add address=110.35.25.1/24 interface=VLAN1025
[admin@ROUTER] > ip address add address=110.35.26.1/24 interface=VLAN1026



CONFIGURATION SWITCH 1 AND SWITCH 2 IS SAME

//Assign Interface VLAN ID (1025,1026,1125 ) → TRUNK PORT
[admin@SWITCH1] > interface vlan add name=ether1-vlan1025 vlan-id=1025 interface=ether1
[admin@SWITCH1] > interface vlan add name=ether1-vlan1026 vlan-id=1026 interface=ether1


[admin@SWITCH2] > interface vlan add name=spf1-vlan1025 vlan-id=1025 interface=sfp-sfpplus1
[admin@SWITCH2] > interface vlan add name=spf1-vlan1026 vlan-id=1026 interface=sfp-sfpplus1
[admin@SWITCH2] > interface vlan add name=spf1-vlan1125 vlan-id=1125 interface=sfp-sfpplus1


[admin@SWITCH2] > interface vlan add name=spf2-vlan1025 vlan-id=1025 interface=sfp-sfpplus2
[admin@SWITCH2] > interface vlan add name=spf2-vlan1026 vlan-id=1026 interface=sfp-sfpplus2
[admin@SWITCH2] > interface vlan add name=spf2-vlan1125 vlan-id=1125 interface=sfp-sfpplus2

[admin@SWITCH2] > interface vlan add name=spf3-vlan1025 vlan-id=1025 interface=sfp-sfpplus3
[admin@SWITCH2] > interface vlan add name=spf3-vlan1026 vlan-id=1026 interface=sfp-sfpplus3
[admin@SWITCH2] > interface vlan add name=spf3-vlan1125 vlan-id=1125 interface=sfp-sfpplus3


[admin@SWITCH2] > interface vlan add name=spf4-vlan1025 vlan-id=1025 interface=sfp-sfpplus4
[admin@SWITCH2] > interface vlan add name=spf4-vlan1026 vlan-id=1026 interface=sfp-sfpplus4
[admin@SWITCH2] > interface vlan add name=spf4-vlan1125 vlan-id=1125 interface=sfp-sfpplus4



// Assign Interface VLAN ID ( VLAN 1025,1026,1125) → ACCESS PORT

[admin@SWITCH2] > interface vlan add name=spf5-vlan1025 vlan-id=1025 interface=sfp-sfpplus5
[admin@SWITCH2] > interface vlan add name=spf6-vlan1025 vlan-id=1025 interface=sfp-sfpplus6
[admin@SWITCH2] > interface vlan add name=spf7-vlan1026 vlan-id=1025 interface=sfp-sfpplus7
[admin@SWITCH2] > interface vlan add name=spf8-vlan1026 vlan-id=1025 interface=sfp-sfpplus8
[admin@SWITCH2] > interface vlan add name=spf9-vlan1125 vlan-id=1125 interface=sfp-sfpplus9
[admin@SWITCH2] > interface vlan add name=spf10-vlan1125 vlan-id=1125 interface=sfp-sfpplus10
[admin@SWITCH2] > interface vlan add name=spf11-vlan1125 vlan-id=1125 interface=sfp-sfpplus11
[admin@SWITCH2] > interface vlan add name=spf12-vlan1125 vlan-id=1125 interface=sfp-sfpplus12
[admin@SWITCH2] > interface vlan add name=spf13-vlan1125 vlan-id=1125 interface=sfp-sfpplus13
[admin@SWITCH2] > interface vlan add name=spf14-vlan1125 vlan-id=1125 interface=sfp-sfpplus14
[admin@SWITCH2] > interface vlan add name=spf15-vlan1125 vlan-id=1125 interface=sfp-sfpplus15
[admin@SWITCH2] > interface vlan add name=spf16-vlan1125 vlan-id=1125 interface=sfp-sfpplus16



//create bridge group
[admin@SWITCH2] > interface bridge add name=BR_VL vlan-filtering=yes


// Add the bridge ports and specify PVID for each access port:
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=ether1
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus1
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus2
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus3
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus4

[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus5 tag-stacking=yes pvid=1025
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus6 tag-stacking=yes pvid=1025
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus7 tag-stacking=yes pvid=1026
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus8 tag-stacking=yes pvid=1026
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus9 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus10 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus11 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus12 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus13 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus14 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus15 tag-stacking=yes pvid=1125
[admin@SWITCH2] > interface bridge port add bridge=BR_VL interface=sfp-sfpplus16 tag-stacking=yes pvid=1125


//TAGGED AND UNTAGGED in the bridge VLAN table
[admin@SWITCH2] > interface bridge vlan add bridge=BR_VL tagged=ether1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 untagged=sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16 vlan-ids=1025,1026,1125


//For management and Remote
[admin@SWITCH2] > interface bridge vlan add bridge=BR_VL tagged=BR_VL,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether1 vlan-ids=1025, vlan-ids=1026
[admin@SWITCH2] > interface vlan add interface=BR_VL name=VLAN1025 use-service-tag=yes vlan-id=1025
[admin@SWITCH2] > interface vlan add interface=BR_VL name=VLAN1026 use-service-tag=yes vlan-id=1026
[admin@SWITCH2] > ip address add address=110.35.25.2/24 interface=VLAN1025
[admin@SWITCH2] > ip address add address=110.35.26.2/24 interface=VLAN1026

Your VLAN setup is, basically, all wrong. Carefully read this great tutorial to learn the right way.

I have attached my config below. After I tested the config I cannot access my switch interface.
news config sw.txt (6.23 KB)

I’ll just write this once more: your VLAN setup is all wrong. Read the tutorial I linked in my previous post. If you’re unwilling to pursue that way of configuring VLANs on your device, then you’re on your own (as far as I’m concerned).

Sorry to ask, I already looked at the link that you gave me and followed the commands, but I seriously don’t know which part I am getting wrong. Is it my VLAN ID or IP route that is the mistake, or which part of my VLAN setup is wrong? Hopefully you can show me where I’m making the mistake. Please, please help me.

My switch has 16 SFP ports + 1 ethernet port = 17 ports in total.
2 ports for Remote using VLAN 10 (IP add: 110.30.25.0/24), 2 ports for Management using VLAN 20 (IP add: 110.50.26.0/24), 12 ports for Production using VLAN 30 (IP add: 110.30.25.0/24),
5 ports (including ethernet) for TRUNKING (will link to another 3 switches and the router)

As I wrote: everything. Reset to factory default and start from scratch … following the wisdom from the linked tutorial.

I already reset to factory default and followed the tutorial link given. I seriously have not found which part I’m getting wrong.

It would be better if you posted the actual configuration of your switch, not the commands you used to configure it (because that leaves the starting point unknown). You can get the configuration by running the command /export file=anynameyouwish

Anyway: how do you connect to the switch for management (which then breaks)? Via which port, what kind (winbox over IP, winbox over MAC, ssh, …)?

I will send the config tomorrow because I need to reset everything; I cannot log in to the switch interface after setting the VLANs. I attach my network diagram below.

Interfaces SFP 1-4: I want them to be accessible using winbox MAC or IP address
Interfaces SFP 1-2: for remote
Interfaces SFP 3-4: for management
network diagram.PNG

As noted, for the router use only one bridge, and all vlans for subnets using this guide → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

For the switches follow these guides…
https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1s

Your configuration sets those 4 SFP+ ports as trunk ports, so no untagged access. Your management PC (running winbox/webfig/ssh) most likely doesn’t know anything about VLANs; in other words, it needs to connect to an access or hybrid port. If you’re trying to connect your management PC to one of SFP1-SFP4, then those have to be configured as hybrid ports (allowing untagged access to VLAN 1099). But it really depends on what these ports will be used for in normal operation. Please clarify before we go further.
You can connect your management PC to some other device which provides an access port for VLAN1099 (e.g. CCR1009); your interconnects (ether1 on switches) are properly set as tagged for that VLAN as well.

BTW, if you have a look at the block diagram of your switches, you will see that ether1 is not managed by the switch chip; it’s rather run by the device’s CPU. Meaning that any traffic between SFPx ports and the router (ether1) will go via the CPU and the switch will struggle. You really should use one of the SFP ports to connect to the router (either use DAC cables and use those two SFP ports on the CCR, or use either S+RJ10 or S-RJ01 modules to connect to ether ports of the router).
And then use ether1 as OOB management access (which is the primary purpose of that port on these switches), meaning you should keep it off the bridge.

Hi mkx, I have attached my switch and router config below; can you help me take a look and check? Thank you for the help.
ROUTERCONFIG.rsc (709 Bytes)
SWITCHconfig.rsc (4.09 KB)

The switch config export .. did you by any chance transfer the config from the other CRS317 to this one by copying a binary backup file? Because that can have a few (nasty) side effects, one of them is overriding MAC addresses of SFP+ interfaces. Which can be a big problem or a minor nuisance, depending on the particular use case. But you really should remove those mac-address settings under /interface ethernet.

Now: you have 3 VLAN interfaces (you only need one for management if you’re not trying to use CRS317 as router), but they won’t be able to interact with the rest of network because BR_VL port is not member of same VLANs. This is kind of confusing, you can read more about multiple bridge personalities.

In short: you need something like this:

/interface vlan
add interface=BR_VL name=BASE_VLAN1025 vlan-id=1025
/interface bridge vlan
add bridge=BR_VL tagged=BR_VL,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15,sfp-sfpplus16 vlan-ids=1025

(the untagged ports, e.g. sfp-sfpplus1, will be automatically added as untagged ports to corresponding VLAN … but it would help for readability if you added them manually).

Do the above for VLAN which you will use for management.

As for the router: you really should upgrade the ROS version … you can stay with ROS v6, but install the latest long-term (6.49.8 as of the time of writing this). The config is weird, I’ll take it you didn’t really do much about it yet. No VLANs, no nothing. So I won’t go any further with it for now.
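
As an added example (not code from the thread or from MikroTik), a small Python audit of an export for the problem described in the post above: a VLAN interface on a bridge whose bridge port is not a tagged member of that VLAN. It goes one step further and also flags ports listed as untagged in a VLAN other than their PVID, as the single combined bridge vlan entry in the first post does. The sample export is constructed, and the parser assumes one entry per line and no vlan-ids ranges.

```python
import re

# Constructed sample in /export style, modelled on the switch setup in this thread.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=BR_VL interface=sfp-sfpplus5 pvid=1025
add bridge=BR_VL interface=sfp-sfpplus7 pvid=1026
add bridge=BR_VL interface=sfp-sfpplus13
/interface bridge vlan
add bridge=BR_VL tagged=sfp-sfpplus13 untagged=sfp-sfpplus5,sfp-sfpplus7 vlan-ids=1025,1026
/interface vlan
add interface=BR_VL name=BASE_VLAN1025 vlan-id=1025
"""

def parse_export(text):
    """Map each menu path to its 'add' entries (assumes one entry per line)."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections.setdefault(current, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def names(entry, key):  # comma-separated property -> set, empty values ignored
    return {n for n in entry.get(key, "").split(",") if n}

def audit(text):
    """Return (finding, name, vlan-id) tuples; vlan-ids ranges are not handled."""
    cfg = parse_export(text)
    ports = cfg.get("/interface bridge port", [])
    table = [(e["bridge"], {int(i) for i in names(e, "vlan-ids")}, names(e, "tagged"),
              names(e, "untagged")) for e in cfg.get("/interface bridge vlan", [])]
    bridges = {p["bridge"] for p in ports}
    findings = []
    # Check 1: a VLAN interface on the bridge needs the bridge itself tagged in that VLAN.
    for v in cfg.get("/interface vlan", []):
        vid = int(v["vlan-id"])
        if v["interface"] in bridges and not any(
                br == v["interface"] and vid in ids and br in tagged
                for br, ids, tagged, _ in table):
            findings.append(("bridge-not-tagged", v["name"], vid))
    # Check 2: a port listed as untagged in a VLAN other than its PVID.
    for p in ports:
        pvid = int(p.get("pvid", 1))
        for br, ids, _, untagged in table:
            if br == p["bridge"] and p["interface"] in untagged:
                findings += [("untagged-outside-pvid", p["interface"], i)
                             for i in sorted(ids - {pvid})]
    return findings
```

Splitting the combined entry into one bridge vlan entry per VLAN ID, with BR_VL tagged in the management VLAN, clears all three findings for the sample.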