VLAN setup in RouterOS Switch

Hiya

Got 16 ports originally i just added a VLAN and bridged it. Until our upstream provider required us to tag the 10Gig fibre line. After this it killed the CPU.

I currently have, due to SFP compatibility issues with CCR1072, UBNT SFP in one port and a secondary port into the 1072.

On the end of the SFPs are a mix of Mikrotiks, Siklu and UBNT kit.

On SFP2, i need to tag 3141 and pass it through to SFP6.

i added 3141 PVID to SFP2 and added the relevant bridge. As untagged on as i just need to pass it through to the CCR1072. Currently SFP6 & 2 are UNTAGGED setting.

But when i switch on VLAN filtering it just doesn’t work.

What am i doing wrong?

I need to bridge SFP15 & 16 together. There are some VLANS passing through. I just don’t want these 2 ports seeing any others in the bridge. I gave these PVID 1002, added to bridge under UNTAGGED. I then added a seperate entry of VLANS 11, 25, 503 as TAGGED on SFP 16 / 17. Which goes into CCR1072 and is dealt with.

Again when i switch on Filtering it all stops.

Umm, do I understand it right?
Do you today use this switch as “just an unmanaged switch”, with already-vlan-tagged stuff from other devices flying through, and are wanting to enable vlan filtering?

Any chance you can post contents of /interface/export ?

It is more a managed switch. But in a very basic way. I want to group certain ports until i can migrate to ros7 and dump this 1072. (Very sensitive)

I also need to be able to router vlan 3141 (FROM UPSTREAM) to other ports in the event of an outage of 1072.

originally i had multiple ports and it worked fine, but the CPU died when our upstream required US to tag the traffic, rather than them doing it.

interface bridge
add admin-mac=48:8F:5A:2 auto-mac=no comment=defconf name=bridge
add name=bridge1
add name=bridge2
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=“FROM OPENREACH ADVA”
set [ find default-name=sfp-sfpplus2 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
comment=CCR1072 mtu=1520
set [ find default-name=sfp-sfpplus3 ] advertise=10000M-full
auto-negotiation=no comment=“server 2 10g” rx-flow-control=auto speed=
10Gbps tx-flow-control=auto
set [ find default-name=sfp-sfpplus4 ] advertise=
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
auto-negotiation=no comment=“to CCR2216” speed=10Gbps
set [ find default-name=sfp-sfpplus5 ] comment=“CAPE ADVA” l2mtu=1576
set [ find default-name=sfp-sfpplus6 ] arp=local-proxy-arp comment=
“uplink to bt adva” speed=10Gbps
set [ find default-name=sfp-sfpplus7 ] comment=“1g sfp - spare”
set [ find default-name=sfp-sfpplus10 ] comment=“tref Siklu”
set [ find default-name=sfp-sfpplus15 ] comment=“to CCR” mtu=1530
set [ find default-name=sfp-sfpplus16 ] comment=“Folly Siklu via Brawdy Fire”
mtu=1530
/interface vlan
add interface=sfp-sfpplus16 name=SFP_16_VLAN17 vlan-id=17
/interface ethernet switch port
set 1 storm-rate=20
set 4 storm-rate=20
set 14 storm-rate=30
set 15 storm-rate=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy=“local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp”
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 pvid=
3141
add bridge=bridge comment=defconf interface=sfp-sfpplus2 pvid=3141
add bridge=bridge comment=defconf interface=sfp-sfpplus3 pvid=3141
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged
interface=sfp-sfpplus5 pvid=100
add bridge=bridge comment=defconf disabled=yes interface=*1B
add bridge=bridge comment=defconf disabled=yes interface=SFP_16_VLAN17
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus8
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus9
add bridge=bridge comment=defconf interface=sfp-sfpplus10 pvid=1001
add bridge=bridge comment=defconf interface=sfp-sfpplus11 pvid=1001
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus12
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus13
add bridge=bridge1 comment=defconf disabled=yes interface=sfp-sfpplus14
add bridge=bridge comment=defconf interface=sfp-sfpplus15 pvid=1002
add bridge=bridge comment=defconf interface=sfp-sfpplus16 pvid=1002
add bridge=bridge disabled=yes interface=*19
add bridge=bridge interface=sfp-sfpplus6 pvid=3141
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge comment=“ADVA BT” untagged=sfp-sfpplus6,sfp-sfpplus2
vlan-ids=3141
add bridge=bridge comment=Tref tagged=sfp-sfpplus10,sfp-sfpplus11 vlan-ids=
23,15,10,4063
add bridge=bridge comment=FOL tagged=sfp-sfpplus15,sfp-sfpplus16 vlan-ids=
11,25,503
add bridge=bridge comment=Cape tagged=sfp-sfpplus2,sfp-sfpplus5
vlan-ids=100
add bridge=bridge comment=“FOL PVID” untagged=sfp-sfpplus16,sfp-sfpplus15
vlan-ids=1002
add bridge=bridge comment=“Tref PVID” untagged=sfp-sfpplus10,sfp-sfpplus11
vlan-ids=1001
/ip address
add address=10.0.40.1/24 disabled=yes interface=bridge network=10.0.40.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall service-port
set sip disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=“10G Switch 169”
/system routerboard settings
set boot-os=router-os
/tool graphing interface
add
/tool graphing resource
add
/tool romon
set enabled=yes
/tool romon port
set [ find default=yes ] forbid=yes
add disabled=no interface=ether1

Please note i have filtering off currently. But… A lot of stuff can see each other! not what i want at all.

EDIT: You replied while I was writing, I’ll comment on the config in a sec.
But already - you have two bridges so only one of them will have any kind of hardware offload, so that’s probably solid part of your problem.
Can you please tell what is the model of the switch?

there is nothing active in bridge1, as i had to quickly sort something when our provider changed requirements. But yes, mutiple bridges was bad! its just how i’ve always done it and been fine. until we had 10Gig!

Ok, yeah, so…
Stating the obvious, but once you enable vlan-filtering any vlans that are not listed in /interface/bridge/vlan will not be able to pass through.

And also, you have the switch management interface (only entry in /ip/address menu) assigned to the bridge-cpu port (the interface named “bridge”).
This “port” is not listed in any /interface/bridge/vlan assignments at all, so when you enable vlan filtering you will lose management access to the switch, I think, unless romon magic helps here (I have zero experience with that).

I’m sorry but I’m still super confused which vlan numbers “come from outside” and must remain the same, etc, and which vlans you’re wanting to just use internally in this switch to sort things around.
Any chance you could quickly tell what you want to go where?
And once again, what is the switch model number? It’s not that CCR1072 itself, is it…?
EDIT: If this is the CRS317, then if properly configured it should be able to do all this in hardware…

CRS317-1G-16S+

So, ROMON did seem to work, i.e not killing my access.

I need to group ports 16 and 15 together. I have items on VLAN1 which will be a pain to change. I do also have some tagged ports on these 2. i.e. 25, 11, 503.

Siklu comes in on port 16 and out on 15 to the CCR.

When i switched on filtering it killed everything. Especially 3141.

3141 needs to be tagged on SFP 6 This is from my carrier (BT), i then need to pass it through to SFP2. Where i have a VLAN 3141 on the CCR. This is currently working.

See image

Need a coherent plan.
Provide a network diagram detailing what is supposed to travel over ports, from that, takes 2 minutes to configure okay maybe 5

Well, “This is currently working” kinda doesn’t really matter if you have vlan filtering off - packets are just zipping around through all the ports that are non-disabled members of the bridge (sfp 2, 3, 5, 6, 10, 11, 15, 16), preserving their existing tags (or lack of).

The config as you posted above is definitely a lot of trouble with all the emergency changes and leftover experiments.

• engage safe mode
• possibly temporarily disable the physical ports which are anyway disabled in bridge config under /interface/ethernet (sfp 1, 4, 8, 9, 12, 13, 14) so they won’t get in the way
• delete the unused bridge1 and bridge2
• clean up all the entries referring to invalid/removed items (marked with asterisks, e.g. “interface=*1B”) and all the disabled stuff, to get to the bare minimum of what’s currently active

At this point things should work the same as until now, if it is the case, commit and re-enable safe mode as a checkpoint.

I think you should also remove that layer3 vlan17 interface attached to sfp16, because you can’t have it attached to a bridge member like that.
It may be what’s disabling hardware offloading for the whole switch, although I’d sort of expect for it to just show up as invalid.

For every access port that should auto insert vlan tag on ingress / and remove on egress

• under /interface/bridge/port, add this port, set mode to “admit only untagged”, set pvid 1234
• under /interface/bridge/vlan make sure to have entry for vlan 1234, add this port to untagged list

For every trunk port that should take tagged stuff from outside, and emit tagged stuff as well (234, 456, 789)

• under /interface/bridge/port, add this port, set mode to “admit only vlan tagged”, set pvid to 1
• under /interface/bridge/vlan make sure to have entry for each of the vlans 234, 456, 789, and in those existing entries put the port in the tagged list

For every hybrid port that should do both kinds of traffic

• under /interface/bridge/port, add this port, set mode to “admit all”, set pvid to what will be used for untagged/access (native in ciscospeak)
• under /interface/bridge/vlan add to untagged list for the access vlan
• under /interface/bridge/vlan add to tagged list for all the other trunked relevant vlans

if you have stuff that is today set for untagged (not the same as vlan 1) and you want to just tunnel it through, you can do it by access port in vlan 1 or you can use any other local temporary transit vlan as you for example have 1002 on your current config above as long as it won’t conflict with the vlans you want to pass-through with already-meaningful numbers.

After all this, you should still “feel no change”, if that’s the case, again commit and re-activate safe mode, and try to enable vlan filtering on the bridge…

PS.
Can you post whether you currently see HW-Offload flags on any ports?
“H” flag in the /interface/bridge/port listing.