VLAN tagging

Greetings,
I got my first MikroTik device today. A CRS310-8G+2S+IN. My home network has been using HP Aruba switches for years and through various work projects I’ve used Netgear, Ubiquiti, and Mellanox. In short - I’m not exactly new to switching… but I don’t claim to know much about anything. And I think that’s the problem. I know enough to know how things should work but not enough to figure out what is going on with the MikroTik setup, and the documentation doesn’t make sense with what I know from other vendors…

So here’s the setup. My HP-2530-48G has two VLANs configured that I want on the MikroTik: 4 & 5. I have a port on the HP configured to allow only tagged traffic for 4 & 5 on that port. I can confirm that the HP is configured to allow and talk to VLAN 4 & 5 on that port (plugging my laptop directly into it). That port is then connected into port 8 of the MikroTik. Right now - just to get things started - all I’m trying to do is get the MikroTik to talk VLAN 4 to the HP.

So I gave the MikroTik an IP that is on the HP VLAN4. I configured the VLAN. I configured the bridge. And no amount of tweaking will get the two to talk to each other and it’s driving me nuts. What am I doing wrong? And I’ve not even attempted two VLAN configurations yet…

I’ve got the vlan filtering on 4 in the bridge
https://forum.mikrotik.com/download/file.php?mode=view&id=71872

I’ve configured the ports (note, I attempted to set port 6 as ONLY allowing tagged VLAN 4 - but it does NOT like that. The only way I can connect to the switch is via the untagged on port 7. However, I know it’s not the laptop configuration because I can plug into the HP on a port that only allows VLAN 4 tagged and it works just fine - so it’s something with the MikroTik configuration.)
https://forum.mikrotik.com/download/file.php?mode=view&id=71873

And I think I’ve got the vlan configured right… but I obviously don’t and am missing something…
https://forum.mikrotik.com/download/file.php?mode=view&id=71875
https://forum.mikrotik.com/download/file.php?mode=view&id=71874

Thank you for your time helping.
[attachments: vlan4.png, vlans.png, Bridge.png, Ports.png]

Not going to bother deciphering all of that without at least a network diagram

Sorry. I was trying to keep it super simple. 2 VLANs. The HP is fine - I can test that with my laptop and it works. The MikroTik doesn’t want to talk to the HP via VLANs.
[attachment: Diagram.png]

The HP is just a conduit and not important. What is important is where is the DHCP for the VLANs coming from???
Which VLAN is the trusted or management VLAN?

No DHCP. I assign IPs on both of these VLANs. The other switches are on VLAN4 as the management, I suppose.

Sorry not familiar with that type of networking.

I guess I don’t know how to simplify this any further. I just want the MikroTik VLAN 4 to talk to the HP VLAN 4. I’ve created the VLAN 4 in MikroTik. I updated the bridge to use VLAN 4. And I’ve assigned the port to use VLAN4. And yet, the MikroTik won’t do it. I don’t get it. This should be easy.

Edit: Welp… I done broke something good… The MikroTik won’t even let me connect via the other ports now… I can ping another system on the same VLAN4, but I can’t get to the interface. sigh

I’ll factory reset it when I can tinker next and I’ll document step by step what I do. Maybe someone can make sense of that.

When you are clear on requirements, then the config will be achievable…
VLANs are created by some entity, usually a router.
Switches simply carry that traffic around so that users/devices in various locations can reach each other and sometimes the internet.

I dunno how to make the requirements any clearer - I want two switches to talk to each other over tagged VLAN4. shrug

In a weird way - I think I’m getting closer. I’ve actually got some communication going on now. But this is really strange…

Step 0 - factory reset the MikroTik.
Step 1 - set laptop to no vlans, manual IP 192.168.88.6
Step 2 - http://192.168.88.1 - login w/ supplied password - update new password screen.
Step 3 - Quick Set screen - Set Bridge mode, set IP (192.168.4.8 ), set gateway, set DNS - all configured for the VLAN4 settings - apply configuration.
Step 4 - set laptop to no vlans, manual IP 192.168.4.6
Step 5 - http://192.168.4.8 - login - Left bar menu → Bridge → VLANS (Tab) → New (Button) → Comment: Green; VLAN ID 4; tagged: bridge, ether 6, & ether 8; Untagged eth7 - In theory, I should be able to test tagged port (6) and send all data over ether 8 as tagged and leave 7 untagged in case the tagging doesn’t work.
Step 6 - Left bar menu → Bridge → Ports (Tab) → ether 6 → VLAN - PVID: 4, Frame Types: admit all (default), Ingress Filtering: on (default) → OK
Step 7 - Left bar menu → Bridge → Ports (Tab) → ether 7 → VLAN - PVID: 4, Frame Types: admit all (default), Ingress Filtering: on (default) → OK
Step 8 - Left bar menu → Bridge → Ports (Tab) → ether 8 → VLAN - PVID: 4, Frame Types: admit all (default), Ingress Filtering: on (default) → OK
Step 9 - Left bar menu → Bridge → Bridge (Tab) → bridge → VLAN - VLAN Filtering: on, PVID 4 (everything else default) → OK

Testing Round 1:

In theory… there’s a VLAN 4. The bridge and the ports are set for VLAN 4. MikroTik should be able to now talk to the HP switch.

From the untagged laptop on MikroTik port 7 - ping the IP of the HP switch - success!

Switch the laptop to VLAN tag 4 on MikroTik port 7 - Can’t ping MikroTik, Can’t ping HP. (expected result)

Switch laptop to MikroTik port 6 with VLAN 4 - Can ping HP switch - success! Can NOT ping MikroTik. Hrm… unexpected.

From the HP switch. Can not ping the MikroTik. Can ping the laptop. Hrm.

Switch laptop back to MikroTik port 7 and untagged - can’t ping anything… wait? What? How the…? Double check. Triple check… WTF?

Hard power off MikroTik and power it back on. Leaving a ping running… And it’s back… WTF? Whatever.

Back in the web interface again. Everything looks good.

Testing Round 2:
Quadruple check my network… laptop no VLAN tagging and plugged into port 7. Things are working. Switch to port 6 where it should be VLAN tagged 4. Does not work (as expected). Switch laptop to VLAN 4 can ping HP network, can not talk to MikroTik (192.168.4.8 is unreachable). Hrm.

Switch back to port 7 and switch tagging off on laptop. Can’t ping a thing… Whaaaaat? Why? Reboot the MikroTik again! Now it’s working again… What the actual F#$%? I seriously can’t have to reboot the MikroTik every time I want to connect to the interface…

Testing Round 3:
Laptop untagged on port 7 and I can ping the MikroTik switch. Do nothing else on the laptop. Unplug the network, count to ten, plug it in. I can’t ping a damn thing. Reboot again! Now it works… This has to be the strangest thing I’ve seen… No idea what the heck is going on…

I don’t know. This is weird and I’m tired of messing with it tonight. Any thoughts at all on what’s going on? I’ve made progress in getting the VLAN 4 to talk to the HP switch, but it seems like I can’t get to the MikroTik interface from VLAN 4. And I have no idea what’s up with port 7 needing reboot to work again.

The link between HP and CRS is trunk I assume. Which means that you need to set port 8 (as per diagram) on MT as tagged member of both VLANs, passed between HP and MT.

BTW, if MT is used only as switch, then you only need bridge “CPU-facing port” member of management VLAN. It can be either untagged (and you have to set pvid on bridge and you bind management IP address to bridge interface) or tagged (and you need corresponding vlan interface with management IP address bound to that vlan interface). But you don’t set bridge CPU-facing port as neither tagged nor untagged member of any other VLANs, passing through the switch.

No capiche, are the switches living entities?
Switches don’t talk to one another; they simply pass VLANs to each other via trunk ports and then distribute those VLANs out the rest of the ports.
The only communication between switches is the trusted or management VLAN which is provided to the first switch (which should get its IP address from that VLAN) and this VLAN must be passed to all subsequent smart devices, aka switches, so that all such devices are managed under that VLAN.

OK. Did some more reading and better grasping the terminology I think. This is just so easy under Ubiquiti/Aruba/Netgear that I’m having to adjust my thinking.

In my home lab I set VLANs to match the IPs. Thus, VLAN4 is 192.168.4.x, VLAN5 is 192.168.5.x, etc., etc., etc. For the purposes of what I want to use this switch for, VLAN4 is my “management” network. I should be able to connect to the MikroTik from any other switch across VLAN4. Which means, I want to make ether8 a trunk port to the HP switch for VLAN 4 & 5.

I was attempting to follow along with the examples in the documentation this morning (using vlan4 instead of vlan10 in the examples) and all that managed to do was ensure I couldn’t access the switch at all… It seems when I get to the part of removing the default vlan1 (which I don’t use anywhere) and attempt to use just vlan4 across all the interfaces (set vlan4br vlan-filtering=yes) - it borks and I get nothin. Can’t connect w/ vlan 4 nor untagged.

This is no different than what I do with other switches. I create a VLAN, I add the IP to the switch for that VLAN, I set ports to that VLAN, and I disable all the default stuff, then switch over to VLAN4 and it just works. But I haven’t figured out the MikroTik way yet.

I also noticed that I lost hardware acceleration when I created a new bridge. Even though my commands were pretty much exactly the same (just the names/vlan were different) and the examples showed that hardware acceleration was on for the bridge. I dunno…

This is the last attempt that borked everything.

interface bridge
/interface/bridge> add name=vlan4br
/interface/bridge> print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=D4:01:C3:69:05:EE protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=D4:01:C3:69:05:EE ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto
1 R name="vlan4br" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=B6:E5:97:60:C4:17 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto
/interface/bridge> port
/interface/bridge/port> add bridge=vlan4br interface=ether8 frame-types=admit-only-vlan-tagged
/interface/bridge/port> add bridge=vlan4br interface=ether7 pvid=4 frame-types=admit-only-untagged-and-priority-tagged
/interface/bridge/port> ..
/interface/bridge> vlan
/interface/bridge/vlan> add bridge=vlan4br vlan-ids=4 tagged=ether8
/interface/bridge/vlan> ..
/interface/bridge> set vlan4br vlan-filtering=yes
[Lost access here… nothing will connect to it now… will have to reset it. Also notice that this time I didn’t remove vlan1…though I want it gone eventually.]

Thoughts?

Use single bridge.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

One key difference between router and switch is that only the management VLAN on a switch is tagged to the bridge in the /interface bridge vlan settings, and of course only that VLAN needs to be defined in /interface vlan.

Thanks for that information. Unfortunately, I’ve been called out of town for a few days. I will read all I can and maybe this weekend I will have time to apply what I read. Will post back later.

Thanks again for the help.

I had some time to think this morning. In my excitement about getting a new switch, I just wanted to get started with something that I thought was super basic. VLAN4. Apparently, what I thought was simple - isn’t. So I took some time to think about the why behind buying this thing. Two reasons. 1) I now have multiple devices that are 2.5G and I want to increase the bandwidth between those devices. 2) my wifi infrastructure is now 7 years old and I want to replace it - right now, I’ve only watched a few videos about CAP Ax but I really like it in theory. After I figure out VLAN’s I’d like to get one and set it up.

VLAN4 - using the documentation wording this is my “management” network - it’s all my home lab stuff. Thus, the MikroTik web interface must be accessible on this. I prefer it to not be available on any other VLANs.
VLAN5 - Stuff I host for family.
VLAN6 - Ideally, this is a network that routes no where but within the MikroTik environment. I want a local play ground.

Eventually, I want to play around with getting all three into CAP Ax as wifi - but that’s future. Right now, I think this is the best plan for my immediate use cases.

Is this enough to help me figure out where I’m going wrong?
[attachment: Diagram.jpg]

I would wait until MT has Wi-Fi 7 devices. The reason is that Wi-Fi 7 devices also expect a 2.5 Gb port due to the high throughput rates of the newer Wi-Fi.

After doing some of the suggested reading, I’m home and ready to try again. Except… All the instructions that state to “/system reset-configuration” all that does is make me lose connection. I’ve tried 4 times now. But the WinBox never sees the configuration via MAC. So I guess I’m just going to have to try to figure this out with the default configuration…

Many vendors allow you to configure a list of VLANs for a given port. So you say “ether5 is a member of VLANs 10,20,27,39” and specify whether it is an “access” or “trunk” member of that VLAN. For just a few VLANs, many users prefer this even if the other way round (specifying a list of ports that are members of a given VLAN) is also available.

For tagged handling of VLANs, Mikrotik only allows you to specify the list of member ports for a VLAN, but at the same time, you have to indicate which VLAN a port will handle in access mode in the settings of the port itself, which also automatically adds the port to that VLAN.

So to make ether1 to ether3 trunk ports for VLANs 4 and 5, ether4 an access port to VLAN 4, and ether5 an access port to VLAN 5, you need the following configuration:
/interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=4
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=5
/interface bridge vlan
add bridge=bridge vlan-ids=4 tagged=ether1,ether2,ether3
add bridge=bridge vlan-ids=5 tagged=ether1,ether2,ether3

A critical point is that vlan-filtering must be set to yes in the bridge configuration, otherwise no tagging and untagging happens.

If you want the Mikrotik device itself to have an address in a VLAN, let’s say 4, you have to add a VLAN interface (much like the “subinterface” on a Cisco router, or a VLAN interface on a Cisco switch):
/interface vlan
add name=bridge.vlan4 interface=bridge vlan-id=4
/ip address
add address=x.x.x.x/y interface=bridge.vlan4

On RouterOS 7.16 and above, the above is enough; on older versions, you must manually add bridge to the tagged list on the /interface bridge vlan row for vlan-ids=4.

Thanks. I think I’m getting closer to my intended setup. However, the trunk port wasn’t working at all. And when I switched my laptop over to test another VLAN - I lost complete access to the device. Nothing works. None of the ports will let me communicate with the device - doesn’t matter if it’s tagged or untagged nor which VLAN. sigh I even tried a reboot.

Fortunately, I did an export before I switched network. So this is the latest configuration. Where did I go wrong?

[Edit] Frack… I swear I set the frame-types= but I just noticed they aren’t in the export… That probably screwed me over.
Double frack… I also somehow missed the interface on the IP. It got set to ether8 not the vlan… grrr… Ok. Just did another reset. Going to try to fix those mistakes this time.

[admin@MikroTik] > export

# 1970-01-02 00:27:04 by RouterOS 7.17.2
# software id = AHR5-N6U8
#
# model = CRS310-8G+2S+
# serial number = {snip}
/interface bridge
add admin-mac={snip} auto-mac=no comment=defconf ingress-filtering=yes name=bridge pvid=4 vlan-filtering=yes
/interface list
add name=LAN
/interface bridge port
add bridge=bridge comment=eth1 interface=ether1 ingress-filtering=yes pvid=4
add bridge=bridge comment=eth2 interface=ether2 ingress-filtering=yes pvid=4
add bridge=bridge comment=eth3 interface=ether3 ingress-filtering=yes pvid=4
add bridge=bridge comment=eth4 interface=ether4 ingress-filtering=yes pvid=5
add bridge=bridge comment=eth5 interface=ether5 ingress-filtering=yes pvid=4
add bridge=bridge comment=eth6 interface=ether6 ingress-filtering=yes pvid=6
add bridge=bridge comment=eth7 interface=ether7 ingress-filtering=yes pvid=6
add bridge=bridge comment=Uplink frame-types=admit-only-vlan-tagged interface=ether8 pvid=4
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=Green tagged=bridge,ether8,ether5,ether7 untagged=ether3,ether1,ether2 vlan-ids=4
add bridge=bridge comment=Orange tagged=bridge,ether5,ether7,ether8 untagged=ether4 vlan-ids=5
add bridge=bridge comment=Blue tagged=ether7,ether5,bridge untagged=ether6 vlan-ids=6
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/ip address
add address=192.168.4.8/24 comment="Trunk Port" interface=ether8 network=192.168.4.0
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
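Added helper, not MikroTik's or the poster's code: a small Python pre-flight check that reads a RouterOS export like the one above and flags the lockout patterns discussed in the reply about tagged/untagged members (a trunk port still admitting untagged frames because frame-types= was never set, the management address bound to a physical bridge port instead of the bridge or a VLAN interface on it, and a VLAN interface whose VLAN does not list the bridge as a tagged member). The sample export embedded below is constructed by trimming the posted one; the function names and finding wording are this helper's own.

```python
import shlex

def parse_export(text):
    """Map each '/path' header to the {key: value} dicts of its add/set lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.split(" ", 1)[0] in ("add", "set"):
            tokens = shlex.split(line)[1:]            # shlex keeps comment="Trunk Port" whole
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def members(entry, key):
    """tagged=/untagged=/vlan-ids= comma lists as a set (ranges like 4-6 are not expanded)."""
    return set(filter(None, entry.get(key, "").split(",")))

def check_export(text):
    """Return findings for the lockout patterns discussed in the thread; [] means none found."""
    cfg = parse_export(text)
    ports = cfg.get("/interface bridge port", [])
    vlans = cfg.get("/interface bridge vlan", [])
    bridges = {b.get("name", "bridge") for b in cfg.get("/interface bridge", [])}
    port_names = {p["interface"] for p in ports}
    trunks = set().union(*(members(v, "tagged") for v in vlans))   # every tagged member anywhere
    findings = []
    # 1. Tagged (trunk) member that still admits untagged frames: untagged ingress lands in its pvid.
    for p in ports:
        if p["interface"] in trunks and p.get("frame-types") != "admit-only-vlan-tagged":
            findings.append(f"{p['interface']}: trunk port admits untagged frames (pvid={p.get('pvid', '1')})")
    # 2. Management address bound to a physical bridge member instead of the bridge/VLAN interface.
    for a in cfg.get("/ip address", []):
        if a.get("interface") in port_names:
            findings.append(f"{a.get('address')} is bound to bridge port {a['interface']}")
    # 3. A VLAN interface on the bridge needs the bridge itself tagged in that VLAN (required before
    #    RouterOS 7.16, as the reply above notes; later versions add it for you).
    for vi in cfg.get("/interface vlan", []):
        if vi.get("interface") in bridges and not any(
                vi["vlan-id"] in members(v, "vlan-ids") and vi["interface"] in members(v, "tagged")
                for v in vlans):
            findings.append(f"{vi['name']}: {vi['interface']} is not tagged in VLAN {vi['vlan-id']}")
    return findings

# Constructed sample trimmed from the export posted above (IP on ether8, trunk ether5 without frame-types).
BROKEN_EXPORT = """\
/interface bridge
add name=bridge pvid=4 vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=eth1 interface=ether1 ingress-filtering=yes pvid=4
add bridge=bridge comment=eth5 interface=ether5 ingress-filtering=yes pvid=4
add bridge=bridge comment=Uplink frame-types=admit-only-vlan-tagged interface=ether8 pvid=4
/interface bridge vlan
add bridge=bridge comment=Green tagged=bridge,ether8,ether5 untagged=ether1 vlan-ids=4
/ip address
add address=192.168.4.8/24 comment="Trunk Port" interface=ether8 network=192.168.4.0
"""
```

Run `check_export(BROKEN_EXPORT)` on a saved export before setting vlan-filtering=yes; an empty list means none of the three patterns is present, not that the VLAN plan is otherwise correct.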