vlan tagging between router and switch not working

Hi. I replaced my old Draytek router with a Mikrotik RB4011iGS+ running 6.46 and have run into a problem. I have two switches connected to the Mikrotik. I have not changed the config on either of the switches. The first works fine and is on a default ether2 port. My problem is with the switch which sits over a tagged vlan100 connection from ether5 on the router side. I am fairly convinced I am not tagging the ether5 port correctly.

Switch1 192.168.50.2 – untagged – ether2 on router 192.168.50.1. All works. Everything hanging off the switch comes up to the router and out on the CPE.
Switch2 192.168.100.1 – tagged vlan 100 – ether5 on router 192.168.100.254. I can’t ping the router from switch2 or the switch2 from the router. Stuck at 1st base!

The commands I’ve entered to set this up are after reading the basic vlan setup manual pages

# not required as already present
# interface bridge add name=bridge1
interface bridge port add interface=ether5 bridge=bridge1
interface vlan add name=vlan-100 interface=bridge1 vlan-id=100
ip address add address=192.168.100.254/24 interface=vlan-100
# tagged bridge1 after reading some feedback in another post on this forum
interface bridge vlan add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=100
interface bridge set bridge1 vlan-filtering=yes

Have I missed a step? Or completely misunderstood?

Switch2 config snippet for completeness. Router is on port 2

2930F-Core1# sh vlans 100
Status and Counters - VLAN Information - VLAN 100
VLAN ID : 100
Name : management
Status : Port-based
Voice : No
Jumbo : No
Private VLAN : none
Associated Primary VID : none
Associated Secondary VIDs : none

  Port Information Mode     Unknown VLAN Status
  ---------------- -------- ------------ ----------
  2                Tagged   Learn        Up
  5                Tagged   Learn        Up
  6                Tagged   Learn        Up
  7                Tagged   Learn        Up

All help, suggestions and feedback appreciated!

Post export of interfaces config … run command /interface export in a terminal window/CLI and copy-paste the result.

You need to add switch1-cpu to the VLAN table:

/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether5,switch1-cpu vlan-ids=100

Ugh, confused myself by mixing switch chip and bridge config. (And I don’t have a 4011!)
Switch VLAN table is non-functional anyway on these devices.

@mkx Apologies. Newbie error. Thanks for the pointer and here is the output. I’ve redacted username and password for WAN

[admin@MikroTik] /interface bridge vlan> /interface export

# jan/26/2020 17:19:14 by RouterOS 6.46
# software id = 4W5U-0ISZ
# model = RB4011iGS+
# serial number = B8F30BCDC953

/interface bridge
add admin-mac=C4:AD:34:32:25:D6 auto-mac=no comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=CPE
set [ find default-name=ether2 ] comment="Home Stack"
set [ find default-name=ether5 ] comment="ether5 to LabCore"
/interface vlan
add interface=bridge1 name=vlan-100 vlan-id=100
add comment="Vodafone Internet" interface=ether1 name=vlan911 vlan-id=911
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=vlan911 name=pppoe-out1 password=XXXXXX user=YYYYYY
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether6
add bridge=bridge1 comment=defconf interface=ether7
add bridge=bridge1 comment=defconf interface=ether8
add bridge=bridge1 comment=defconf interface=ether9
add bridge=bridge1 comment=defconf interface=ether10
add bridge=bridge1 comment=defconf interface=sfp-sfpplus1
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=100
/interface ethernet switch vlan
add independent-learning=yes ports=ether5 switch=switch1 vlan-id=100
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
[admin@MikroTik] /interface bridge vlan>

@sid5632

Thanks. Tried that suggestion but get the following error

[admin@MikroTik] /interface bridge vlan> /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether5,switch1-cpu vlan-ids=100
input does not match any value of interface

After some feedback from a colleague I’m wondering if it’s firewall… looking at that now! Thanks for all your help so far.

Interestingly the /ip neighbour print is showing it’s there!

[admin@MikroTik] /ip neighbor> print

 # INTERFACE ADDRESS       MAC-ADDRESS       IDENTITY  VERSION  BOARD
 0 ether2    192.168.50.2  38:21:C7:BA:10:79 CTHome_…
   bridge1
 1 ether5    192.168.0.1   F4:03:43:72:18:DE 2930F-C…
   bridge1

You don’t need to set switch-cpu as tagged, the bridge interface is the switch CPU port.

You seem to have configured VLANs via both switch and bridge config. Set ether5 under the switch vlan menu back to defaults and test again.

@CZFan Yes! That’s done the trick. Thank you very much for going to the effort of looking through that config.

So does that imply that there are two ways of doing this and because I’ve done both, I’ve managed to break it?

Would you recommend using bridge config over switch config? Or are they interchangeable?

Yes, there are two ways of doing it; they are mostly interchangeable but are distinct enough to make things hard.

The old way was to do it via the /interface ethernet switch configuration subtree and was device specific (some even don’t support VLANs this way, RB4011 is supposedly one of them).
The new way is via the /interface bridge configuration subtree and is universally available on all ROS-driven devices. The drawback is that traffic is handled by the CPU on all but CRS3xx devices, and some devices’ CPUs are weak, causing a performance bottleneck. Some devices feature powerful CPUs that are capable of near-wirespeed bridging (RB4011 is one of them); the switch-chip to CPU interconnect might be a bottleneck.
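
As an added example (not code from any poster in this thread), the following Python sketch parses `/interface export` text and reports every VLAN/port pair that appears in both `/interface bridge vlan` and `/interface ethernet switch vlan`, the overlap that broke tagging on ether5 above. The function names and the sample export are constructed for illustration, and `vlan-ids` is assumed to be a single ID or a comma list, not a range.

```python
import re

# Constructed sample, cut down from the kind of export posted in the thread.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=100
/interface ethernet switch vlan
add independent-learning=yes ports=ether5 switch=switch1 vlan-id=100
"""

def parse_export(text):
    """Return {menu path: [{property: value}, ...]} for add/set lines."""
    sections, menu = {}, None
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the "# ..." export header
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif menu and line.split()[0] in ("add", "set"):
            props = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections[menu].append({k: v.strip('"') for k, v in props})
    return sections

def vlan_conflicts(text):
    """List (vlan_id, port) pairs configured in both VLAN tables."""
    s = parse_export(text)
    bridge, chip = set(), set()
    for e in s.get("/interface bridge vlan", []):
        ports = (e.get("tagged", "") + "," + e.get("untagged", "")).split(",")
        for vid in e.get("vlan-ids", "").split(","):
            bridge.update((vid, p) for p in ports if p)
    for e in s.get("/interface ethernet switch vlan", []):
        for p in e.get("ports", "").split(","):
            if p:
                chip.add((e.get("vlan-id"), p))
    return sorted(bridge & chip)

if __name__ == "__main__":
    for vid, port in vlan_conflicts(SAMPLE_EXPORT):
        print(f"VLAN {vid} on {port} is set in both bridge and switch-chip tables")
```

Running a check like this over saved exports before enabling `vlan-filtering` helps confirm that a trunk port's VLAN membership is defined in only one place.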