VLAN trunk port with switch chip

Hi,

I have trouble with my RB750GL used in a VLAN network configuration. There are 6 VLANs (ID 1, 100, 200, 300, 400, 500) which should be handled by this routerboard with its internal switch chip. So I want to do native switching without any (software)bridges. ether1 is configured as a tagged trunk port which receives all the VLANs from a HP 1820-24G switch. ether2 is another trunk port which forward all VLANs from ether1. ether3 is a untagged access port for VLAN 1, ether4 is an untagged access port for VLAN 400(not yet configured) and ether5 for VLAN 500. The RB750GL has a management IP address in VLAN 1 which is 192.168.0.190 which is pingable from other devices in the 192.168.0.0/24 network.

Here are the things I trouble with:

1. VLAN trunk on ether2 is not working as expected, I did connect a correctly configured CAP access point(mAP lite) and I cannot ping this device.
2. Do I have to configure the swich chip rules for each VLAN? Or does the frame forwarding work out of the box in my current configuration?
3. My RB750GL does not have any internet access, I can ping the gateway 192.168.0.254 but the ping to 8.8.8.8 gives me a timeout. I think the default route should be ok?

Thanks for your help!

Here is my config:

/interface ethernet
set [ find default-name=ether1 ] name=ether1_trunk
set [ find default-name=ether2 ] master-port=ether1_trunk name=\
    ether2_trunk_out
set [ find default-name=ether3 ] master-port=ether1_trunk name=\
    "ether3_e Heimnetz"
set [ find default-name=ether4 ] name=ether4_SmartHome
set [ find default-name=ether5 ] master-port=ether1_trunk name=ether5_IPv6
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=1 vlan-header=always-strip
set 4 default-vlan-id=500 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface ethernet switch rule
add new-dst-ports="ether3_e Heimnetz,switch1-cpu" ports=ether1_trunk \
    switch=switch1 vlan-header=present vlan-id=1
/interface ethernet switch vlan
add independent-learning=yes ports=\
    "ether1_trunk,ether2_trunk_out,ether3_e Heimnetz,switch1-cpu" \
    switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1_trunk,ether2_trunk_out switch=\
    switch1 vlan-id=100
add independent-learning=yes ports=ether1_trunk,ether2_trunk_out switch=\
    switch1 vlan-id=200
add independent-learning=yes ports=ether1_trunk,ether2_trunk_out switch=\
    switch1 vlan-id=300
add independent-learning=yes ports=\
    ether1_trunk,ether2_trunk_out,ether4_SmartHome switch=switch1 vlan-id=400
add independent-learning=yes ports=ether1_trunk,ether2_trunk_out,ether5_IPv6 \
    switch=switch1 vlan-id=500
/ip address
add address=192.168.0.190 interface=ether1_trunk network=255.255.255.0
/ip dns
set servers=192.168.0.254
#error exporting /ip firewall calea
/ip route
add distance=1 gateway=ether1_trunk
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MkTkSwitch
/system ntp client
set enabled=yes primary-ntp=192.168.0.254

I think VLAN1 on Procurve is “native” VLAN. native VLAN on RouterOS is VLAN 0.
So set it to VLAN0.

Also I think you should specify IP of gateway not Interface. I only set Interface when using with PPPoe client and VPN Client interface.

For Mirroring ether1 to ether2 you shoukd use this command:

/interface ethernet switch set switch1 mirror-source=ether1_trunk mirror-target=ether2_trunk_out

and not:

/interface ethernet switch rule add new-dst-ports=“ether3_e Heimnetz,switch1-cpu” ports=ether1_trunk switch=switch1 vlan-header=present vlan-id=1

No rules are neccesary the swithing works out of the box.. Rules are used for mirroring or other security or forwarding (blocking etc..)

But I am transferring the native VLAN 1 as a normal tagged VLAN towards the MikroTik. So in my opinion the correct VLAN ID is important? All the traffic coming in in ether1 is tagged VLAN traffic.

When I do that the connection to the MikroTik is lost. Thanks to SafeMode I am able to reconnect after a reboot I have assigned the IP 192.168.0.190 to ether1 as I want to connect by winbox with an IP. This did not work until my single switch rule was added. As far as I understand this is neede in order to get an working IP for the mikrotik switch. But maybe the rule is wrong, which could also affect the default route topic?

Please please please please please stop giving interfaces like “etherXYZ - Heimnetz”. That’s dirty… Use comment for that.

Well that depends on the point of view. A programmer knows that good named variable is self-explanatory, the same is with interface names. etherX in a dropdown menu does not tell me whats this interface for… But enough off topic, I want to solve my VLAN problem

I will check your settings against a HP procurve 1920-8g tommorow. Especialy VLAN1 because I am not sure how MK and HP see native VLAN..

But in the mean time you could do following for test purpuse:
remove ether2 from switch group - set master port to none.
Add an IP to the interface and you connect a test computer to that port and connect to winbox (or telenet, ssh…).
Also dont forget to remove the VLAN rule. Let’s make VLANs work and then make port mirroring if you need it.
Lastly in switch port menu disable vlan mode for ether2
This way you can test ether1,3,4,5 for VLAN settings without locking out yourself.. You can do that on other port if you want ether2 unchanged..

Then try the following:

1. Connect HP trunk port to ether1
2. ping 192.168.0.254 (your gateway). the ping must work or VLAN config is wrong
3. ip default route should point to 192.168.0.254 (else it wont work)
4. Try to ping 8.8.8.8 it should also work if you have NAT on gateway
5. Check your IP Firewall filter and NAT rules.. Delete them all for testing purpuse
6. ping 8.8.8.8 if it works

When I do that the connection to the MikroTik is lost. Thanks to SafeMode I am able to reconnect after a reboot > > I have assigned the IP 192.168.0.190 to ether1 as I want to connect by winbox with an IP. This did not work until my single switch rule was added. As far as I understand this is neede in order to get an working IP for the mikrotik switch. But maybe the rule is wrong, which could also affect the default route topic?

In my live setup for management IP I have to make VLAN interface on top of my “trunk” port. and not directly on interface!
Because you have VLAN1 tagged I gues you should make an VLAN interface in ROS

/interface vlan add interface=ether1_trunk l2mtu=1594 name=vlan1 vlan-id=1

This is also explained here:
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Management_IP_Configuration

This is very strange, I did configure my management IP like described here http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Management_IP_Configuration and it does not work. I do even see the MAC address belonging to the IP I want to ping in the /switch host table. But looking at the ARP list tells me the mac address 00:00:00:00:00:00 is assigned to the ping destination. So as a result ping does not work…

HI,

sadly I did not find time to configure 1920 yet but here is a working setup based on your initial export.
I changed and added more VLANs (for test). Every Interfave gets DHCP from VLAN DHCP (on main Mikrotik Router).
Also for Access ports you must just set it like default VLANID (ie PVID in HP) and vlan-header=strip vlan-mode=secure (enforce VLANs) and add it to VLAN table:

/interface ethernet switch port 
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan
add ports="ether1_trunk,ether2_trunk_out,ether3_e Heimnetz,switch1-cpu" switch=switch1 vlan-id=20

switch1-cpu is needed if you want to test VLANs inside ROS:

/interface vlan add interface=ether1_trunk name=vlan20 vlan-id=20
/ip dhcp-client add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan20

Here is the switch config from hAP Lite. Cant use rules but I gave you the syntax for port mirroring earlier. I guess you will use your ether2-trunk_out for Wireshark..

[admin@MkTkSwitch] > interface ethernet switch export
# nov/30/2016 22:52:10 by RouterOS 6.34.2
#
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=24 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure
/interface ethernet switch vlan
add ports="ether1_trunk,ether2_trunk_out,ether3_e Heimnetz,switch1-cpu" switch=switch1 vlan-id=1
add ports=ether1_trunk,ether2_trunk_out,switch1-cpu switch=switch1 vlan-id=15
add ports="ether1_trunk,ether2_trunk_out,ether3_e Heimnetz,switch1-cpu" switch=switch1 vlan-id=20
add ports=ether1_trunk,ether2_trunk_out,switch1-cpu switch=switch1 vlan-id=21
add ports=ether1_trunk,ether2_trunk_out,ether4_SmartHome,switch1-cpu switch=switch1 vlan-id=24
add ports=ether1_trunk,ether2_trunk_out,switch1-cpu switch=switch1 vlan-id=39

For VLAN1 try setting VLAN to 0 on Mikrotik .. I will try that hopefully tommorow if I find time..

Thanks a lot for your efforts! I will continue with this topic on monday because I am on vacation until sunday… Hopefully I can make it work

OK I did some test with HP Procurve 1920-8g and hAP Lite.
So to sum it up:
VLAN1 HP as PVID (or Access Point) translates to VLAN ID 0 on Mikrotik
If you change PVID on HP to lets say 450 (something you are not using) and make VLAN1 tagged then it translates on Mikrotik as VLAN1 but you need to create a VLAN1 interface on top of your “trunk” port (ether1-trunk).

So I think it is best if you just make HP Procurve tagged 5,500,400 etc as tagged and use PVID 1.
On Mikrotik you set all tagged ports to approriate VLANs and use Default VLANID 0 for native VLAN.

Here is the working config:
HP Procurve:
Port 1 - RJ-45 - Uplink to Mikrotik hAP
Port 10 - SFP port - Uplink to my main router (DHCP server, internet…)
Here are the port settings:
Port Untagged Membership Tagged Membership Link Type PVID
GE1/0/1 1 15, 20-21, 24, 37, 39 Trunk 1
GE1/0/10 1 15, 20-21, 24, 37, 39 Trunk 1

This is the Mikrotik Config:

# dec/03/2016 12:32:48 by RouterOS 6.34.2
#
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] name=ether1_trunk
set [ find default-name=ether2 ] master-port=ether1_trunk name=ether2_trunk_out
set [ find default-name=ether3 ] master-port=ether1_trunk name="ether3_e Heimnetz"
set [ find default-name=ether4 ] master-port=ether1_trunk name=ether4_SmartHome
/interface vlan
add interface=ether1_trunk name=vlan1 vlan-id=1
add interface=ether1_trunk name=vlan15 vlan-id=15
add interface=ether1_trunk name=vlan20 vlan-id=20
add interface=ether1_trunk name=vlan21 vlan-id=21
add interface=ether1_trunk name=vlan24 vlan-id=24
add interface=ether1_trunk name=vlan39 vlan-id=39
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=24 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface ethernet switch vlan
add ports="ether1_trunk,ether2_trunk_out,ether3_e Heimnetz,switch1-cpu" switch=switch1
add ports=ether1_trunk,ether2_trunk_out,switch1-cpu switch=switch1 vlan-id=15
add ports="ether1_trunk,ether2_trunk_out,ether3_e Heimnetz,switch1-cpu" switch=switch1 vlan-id=20
add ports=ether1_trunk,ether2_trunk_out,switch1-cpu switch=switch1 vlan-id=21
add ports=ether1_trunk,ether2_trunk_out,ether4_SmartHome,switch1-cpu switch=switch1 vlan-id=24
add ports=ether1_trunk,ether2_trunk_out,switch1-cpu switch=switch1 vlan-id=39
/ip address
add address=192.168.123.190/24 interface=wlan1 network=192.168.123.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1_trunk
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan15
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan20
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan21
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan39
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan24
/ip dns
set allow-remote-requests=yes
/ip route
add distance=1 gateway=192.168.3.1
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=MkTkSwitch
/system ntp client
set enabled=yes primary-ntp=192.168.0.254
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled

As you can see I have set wlan1 as independent port and assigned IP so I can connect via wireless with my notebook (maunally set the IP on wifi interface) and play with switch chip without locking myself out.

Also default route with interface did not work for me as I said before use IP or DHCP assigned to appropriate VLAN with add default route checkbox checked.
I just noticed that you specified ip address without /24 at the end so I am not sure if mikrotik assigns subnet correctly if you do not specify that.

Here is my config for now:

/interface ethernet
set [ find default-name=ether1 ] name=ether1_trunk
set [ find default-name=ether2 ] master-port=ether1_trunk name=\
    ether2_trunk_out
set [ find default-name=ether3 ] master-port=ether1_trunk name=\
    ether3_Heimnetz
set [ find default-name=ether4 ] master-port=ether1_trunk name=\
    ether4_SmartHome
set [ find default-name=ether5 ] master-port=ether1_trunk name=ether5_IPv6
/ip neighbor discovery
set ether1_trunk discover=no
set ether2_trunk_out discover=no
set ether3_Heimnetz discover=no
set ether4_SmartHome discover=no
set ether5_IPv6 discover=no
/interface vlan
add interface=ether1_trunk loop-protect-disable-time=0s \
    loop-protect-send-interval=0s name=vlan1_Heimnetz vlan-id=1
add disabled=yes interface=ether1_trunk loop-protect-disable-time=0s \
    loop-protect-send-interval=0s name=vlan100_GuestWLAN vlan-id=100
add disabled=yes interface=ether1_trunk loop-protect-disable-time=0s \
    loop-protect-send-interval=0s name=vlan200_FreyPV vlan-id=200
add disabled=yes interface=ether1_trunk loop-protect-disable-time=0s \
    loop-protect-send-interval=0s name=vlan300_Test vlan-id=300
add disabled=yes interface=ether1_trunk loop-protect-disable-time=0s \
    loop-protect-send-interval=0s name=vlan400_SmartHome vlan-id=400
add disabled=yes interface=ether1_trunk loop-protect-disable-time=0s \
    loop-protect-send-interval=0s name=vlan500_IPv6 vlan-id=500
/ip neighbor discovery
set vlan100_GuestWLAN discover=no
set vlan200_FreyPV discover=no
set vlan300_Test discover=no
set vlan400_SmartHome discover=no
set vlan500_IPv6 discover=no
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=0 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=400 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=500 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
#error exporting /interface bridge calea
/interface ethernet switch vlan
add independent-learning=no ports=\
    ether1_trunk,ether2_trunk_out,switch1-cpu,ether3_Heimnetz switch=switch1 \
    vlan-id=1
add independent-learning=no ports=ether1_trunk,ether2_trunk_out,switch1-cpu \
    switch=switch1 vlan-id=100
add independent-learning=no ports=ether1_trunk,ether2_trunk_out,switch1-cpu \
    switch=switch1 vlan-id=200
add independent-learning=no ports=ether1_trunk,ether2_trunk_out,switch1-cpu \
    switch=switch1 vlan-id=300
add independent-learning=no ports=\
    ether1_trunk,ether2_trunk_out,switch1-cpu,ether4_SmartHome switch=switch1 \
    vlan-id=400
add independent-learning=no ports=\
    ether1_trunk,ether2_trunk_out,switch1-cpu,ether5_IPv6 switch=switch1 \
    vlan-id=500
/ip address
add address=192.168.0.190/24 interface=vlan1_Heimnetz network=192.168.0.0

It is working so for with the following features:

• Internet access is working with default rout to 192.168.0.254.
• Access ports for VLANs 1, 400 and 500 are working

But i have also a lot of things which make trouble:

• All MAC addresses in the Host tab are shown with VLAN ID 0. How is that possible?

• There is a CAPs device connected to the “trunk_out” interface. As soon as it is connected the CAPsMAN see it and is able to connect but I cannot ping it. In contrast when I connect the CAPs device directly to trunk cable from port “trunk” I can ping the device. Is this related to the VLAN ID 1/0 topic?
  
  
  This stuff with the different VLAN ID from HP switches drives me crazy. Are my following assumptions correct?
  VLAN ID 1 traffic on HP arrives at Mikrotik(using a trunk link) with VLAN ID 0. Thus I have to set my VLAN ID in Mikrotik from 1 to 0(in all places). Strange is that using a vlan interface on my trunk interface tells me that VLAN ID 0 cannot be set?
  Furthermore what happens when Mikrotik sends traffic with VLAN ID 0 to the HP, does he see it as VLAN ID 1?

I am looking forward to learn about VLANs

• All MAC addresses in the Host tab are shown with VLAN ID 0. How is that possible?

If you mean when you double click on specific host and see status window I also have all hosts in VLANID 0-
. maybe you found a bug (write to support@mikrotik.com). Or if someone else knows why is this feel free to elaborate
However this is only cosmetic bug as it is working correctly on my router.

There is a CAPs device connected to the “trunk_out” interface. As soon as it is connected the CAPsMAN see it and is able to connect but I cannot ping it. In contrast when I connect the CAPs device directly to trunk cable from port “trunk” I can ping the device. Is this related to the VLAN ID 1/0 topic?

I dont understand what you mean exactly. Your ports ether1 and ether2 are configured the same (i dont see any rules.. if you have them delete them and try). I dont have so much expierience in CAPsMAN setups.. but set default VLAN ID to 0 in switch - port. You havent specified it..Maybe this is problem. Mikrotik to mikrotik VLAN ID is the same!

VLAN ID 1 traffic on HP arrives at Mikrotik(using a trunk link) with VLAN ID 0. Thus I have to set my VLAN ID in Mikrotik from 1 to 0(in all places). Strange is that using a vlan interface on my trunk interface tells me that VLAN ID 0 cannot be set?

Correct. HP sends VLAN1 but Mikrotik recognizes/sees it as VLAN0. And dont create VLAN interface on trunk interface but simply add address to the interface itself (ip address add) in your case ether1.

Furthermore what happens when Mikrotik sends traffic with VLAN ID 0 to the HP, does he see it as VLAN ID 1?

Yes. To simplify

1. Mikrotik Native VLAN ID 0
2. HP Native VLAN ID 1

Different vendors different implementation.

I dont understand what you mean exactly. Your ports ether1 and ether2 are configured the same (i dont see any rules.. if you have them delete them and try). I dont have so much expierience in CAPsMAN setups.. but set default VLAN ID to 0 in switch - port. You havent specified it..Maybe this is problem. Mikrotik to mikrotik VLAN ID is the same!

You were right, adding Default VLAN ID 0 to my trunk ports solved the problem with the CAP device being not visible. Thanks a lot!

Ok to summarize my current view on the Mikrotik VLAN world. If you use the hardware switch chip the HP VLAN ID 1 maps to Mikrotik VLAN ID 0. But in contrast when I use the software VLAN layer in the way that I am adding a vlan1 interface to my trunk port then I have to set VLAN ID 1. This works well I did set my device management IP on this interface.

You said I should not add the address to this interface? What is the reason for that? If I add it to trunk port (ether1) itself how can I be sure that it is only visible in VLAN 1?

You said I should not add the address to this interface? What is the reason for that? If I add it to trunk port (ether1) itself how can I be sure that it is only visible in VLAN 1?

Native VLAN (VLAN0) is ony visible in this VLAN as any other VLAN. It is the same with HP and VLAN1 which is only visible to VLAN1. For cross VLAN communication you need a router.
But If it works for you as you set it up then super!

I just would not complicate myself settings and add aditional interface and put the address of VLAN0 on the interface.I would just set HP trunk to PVID1 and all others tagged (Hybrid port).
Maybe this is not correct and if someone else can tell me (and you ) why not I will glady learn something new

The reason for setting my management IP on a vlan interface on the trunk port is that this trunk port is always up an running, thus I can connect to my switch. If I use an untagged port for that which is not always up and running I cannot connect to my device.

The reason for setting my management IP on a vlan interface on the trunk port is that this trunk port is always up an running, thus I can connect to my switch. If I use an untagged port for that which is not always up and running I cannot connect to my device.

I must say I dont understand exactly what you mean. I thought that your trunk port will always be up (ether1) and setting address on interface ether1 solves your problem. .. but if it works for you then use your approach.

• All MAC addresses in the Host tab are shown with VLAN ID 0. How is that possible?
  If you mean when you double click on specific host and see status window I also have all hosts in VLANID 0-
  . maybe you found a bug (write to > support@mikrotik.com> ). Or if someone else knows why is this feel free to elaborate >
  However this is only cosmetic bug as it is working correctly on my router.

I have contacted support about this and recieved an explanation:

QCA8337 and AR8327 switch-chips support Independent VLAN learning (IVL) which does the learning based on both MAC addresses and VLAN IDs thus allowing the same MAC to be used in multiple VLANs. The option “independent-learning” in VLAN table entries enables this feature. If it is disabled or unsupported then Host table learns with VLAN-ID 0.

I have tested it and it works if you check the independent learnig checkbox in Switch - VLAN.

More info on this IVL:
http://forum.mikrotik.com/t/independent-learning-on-switch-vlan/58692/1

I must say I dont understand exactly what you mean. I thought that your trunk port will always be up (ether1) and setting address on interface ether1 solves your problem. .. but if it works for you then use your approach.

Well if setting the IP address on ether1 directly works in the same way than setting it on a VLAN 1 interface of the trunk then its ok for me. I always thought I have to assign my management IP to an explicit VLAN… Because of this I created a VLAN interface on trunk ether1. In other words how is my IP on ehter1 mapped to a VLAN?!

As I said before HP VLAN1 is native VLAN and if you set PVID 1 (or untagged VLAN1) on trunk port of HP it translates to Mikrotik native VLAN 0. Ergo then set up ip directly on interface.. No need for aditional VLAN interface.
Anyhow this is how I do it because it is simpler..