VLAN on CRS326

lieuze · March 10, 2020, 12:00pm

Hi guys,

I’m fairly new to MikroTik ans I’m struggling with some topics. So I have a brand new CRS326-24S+2Q+ and I want to configure VLAN on it. The default gateway is a router with an IP of 10.0.250.1 in VLAN 250, connected to port sfp-sfpplus24. Pretty basic.

Here is an extract of my config :

/interface bridge
add admin-mac=74:4D:28:FE:8C:05 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge name=ADMIN-250 vlan-id=250

/interface bridge port
add bridge=bridge interface=sfp-sfpplus24 pvid=999

/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus24 untagged=
sfp-sfpplus7,sfp-sfpplus8,sfp-sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp-sfpplus13,sfp-sfpplus14,sfp-sfpplus15 vlan-ids=250
add bridge=bridge untagged=sfp-sfpplus24 vlan-ids=999

/ip address
add address=10.0.250.30/24 interface=ADMIN-250 network=10.0.250.0

Pretty basic. As soon as I enable the vlan-filtering feature, the switch refuse to ping 10.0.250.1 (alternating timeout and unreachable). It does not even learn the mac address. Apart from that, the config works : my devices can reach their default gateway through the port sfp-sfpplus24 (which send tagged frames). I perform a packet capture and both the ARP request and response are correctly tagged in the VLAN 250. I try to add a static ARP entry for my router, same thing.

Any idea ?

Thanks a lot,

François

mkx · March 10, 2020, 12:30pm

Until you enable vlan-filtering on bridge, switch doesn’t care about VLAN tags, doesn’t tag frames on ingress (for the untagged ports) and doesn’t strip them on egress. Which means you can connect your (untagged) management station to any port and it’ll work.

After you enable vlan-filtering, switch will start to behave according to vlan config. Which means you have to connect untagged management station to one of untagged ports (sfp-sfpplus 7-15).
BTW, the posted config is either not complete or wrong: you have to add all sfp-sfpplus ports to bridge and set pvid=250 on all ports that are configured as untagged (7-15), otherwise it won’t tag untagged frames on ingress (doesn’t know which VID to use).
Additionally: bridge interface has to be configured as tagged member of VLAN 250 on bridge like-a-switch, otherwise the VLAN interface doesn’t see any frames for said VLAN.

The post is full of guessing … but one can’t do much better as you decided to post only a part of config … an obviously uneducated decission - you don’t know what’s wrong with your config and yet you decided which part of non-working setup is wrong??

planetcoop · March 11, 2020, 11:00pm

here is my vlan config that may help:

http://forum.mikrotik.com/t/best-crs-354-multi-vlan-config-with-access-and-trunk-ports-trying-to-have-public-vlan-10-on-ports-1-4-lan-access/137313/5