VLAN via switch chip: how do I reach the router?

Jeroen1000 · March 28, 2011, 4:48pm

Hi everyone,

I’ve never seen anyone attempt this and together with andrewluck I’ve been trying to get a wire-speed VLAN working. The “easy” part is setting up the VLAN itself (communication between hosts in the same VLAN). Mikrotik documentation has an example on how to do this.
The hard part is getting to the CPU port = the router. Wthout access to the router things like inter-vlan routing and getting to the internet become impossible. In fact, all actions that require routing or bridging are out of the window if you can’t use your router as a gateway.
I need some help reaching the router though. I’m sure we can solve it and then this topic can serve as some sort of an example.

Let’s get on with the setup now:

Cisco switch (port 1)-/-/-/-/-/-/- (ether5) Mikrotik (ether 1) --------- Cable modem
… …|(ether2)
…Netgear switch (VLAN10)

-/-/- is a trunk line (a link where traffic for multiple VLANs is carried)
The … have no meaning, they are just used for allignment purposes.

As you can see, there is a trunk line on the Mikrotik (ether5). This trunk will, for simplicity, only carry VLAN10. I will add configuration for VLAN20 too, but this VLAN only applies to my special case. The 2nd thing to notice is that ether2 on the Mikrotik will function as an access port (untagged port) in VLAN10, and hence, all devices connected to the Netgear switch are in VLAN10.

Part 1

Step 1:

Define ether3 as master-port for ether2 and ether5. The master port is the port leading to the router. I’m not 100% sure such a port is needed but this is how I’ve done it. Things should look like this:

/interface ethernet

Flags: X - disabled, R - running, S - slave
 #    NAME      MTU   MAC-ADDRESS       ARP        MASTER-PORT      SWITCH
 0    ether1    1500  00:0C:42:3E:57:A3 enabled    none             switch1
 1 RS ether2    1500  00:0C:42:3E:57:A4 enabled    ether3           switch1
 2 R  ether3    1500  00:0C:42:3E:57:A5 enabled    none             switch1
 3    ether4    1500  00:0C:42:3E:57:A6 enabled    none             switch1
 4 RS ether5    1500  00:0C:42:3E:57:A7 enabled    ether3           switch1

Step 2:
Next I’ve set up the /interface ethernet switch port configuration:

Flags: I - invalid
 #   NAME                    SWITCH                    VLAN-MODE VLAN-HEADER
 0   ether1                  switch1                   secure    always-strip
 1   ether2                  switch1                   secure    always-strip
 2   ether3                  switch1                   secure    always-strip
 3   ether4                  switch1                   secure    always-strip
 4   ether5                  switch1                   secure    add-if-missing

Note the VLAN-HEADER setting ‘add-if-missing’ for the trunk, ether5.

Step 3:
Next on the list is /interface ethernet switch vlan:

Flags: X - disabled, I - invalid
 #   SWITCH                            VLAN-ID PORTS
 0 X switch1                           0       ether2
                                               cpu
 1 X switch1                           20      ether5
                                               ether1
 2   switch1                           10      ether5
                                               cpu

Here you see that the CPU-port is in VLAN10 together with ether5. This is required for ether5 to be able to access the router.
Pay no attention to numbers 0 and numbers 1 at this point.

Step 4:

Last step. I’ll just textual describe what to do here as this is the easiest one.

create an interface VLAN10 (vlan-id 10!) and enable it (/interface vlan).
Assign an IP address to this interface (I used 192.168.0.251/24) using the menu /ip address

Well, that’s it really for the VLAN related stuff. Please note you still need to do basic stuff like set up, for example, masquerading (NAT) and obviously you need an interface with a public IP if you want internet. I won’t deal with that here in order to stay on topic.

Part 2

At this point ether2 is totally out of the picture. I could explain how to get it in VLAN10 so you can communicate over the trunk to other VLAN10 devices. But that’s not too hard (hey I managed to do it;)). Of course I will add this later but now it would only complicate an already long post. Instead I’m going to show you how you can get ether2 in contact with the CPU. And herein lies the big big problem I have. I don’t know how to without breaking ether5’s access to the CPU.

So let’s get started on this:

Step 1:

Here you should see that number 0 is not enabled.

Flags: X - disabled, I - invalid
 #   SWITCH                            VLAN-ID PORTS
 0 X switch1                           0       ether2
                                               cpu
 1 X switch1                           20      ether5
                                               ether1
 2   switch1                           10      ether5
                                               cpu

You should enable number 0 so the above will change to:

Flags: X - disabled, I - invalid
 #   SWITCH                            VLAN-ID PORTS
 0   switch1                           0       ether2
                                               cpu
 1 X switch1                           20      ether5
                                               ether1
 2   switch1                           10      ether5
                                               cpu

Step 2:

Next I’ll just explain what to do as I’ve lost connection the my router when doing it:). It’s very easy though if you know your way around the menu’s

Delete the VLAN10 interface you made earlier
Assign the IP address previously assigned to the VLAN10 interface to ether3

That’s it. Now ether3 can ping the router but ether5 can no longer do so. If someone could please help me solve that issue I’ll have my setup completed.

Cheers,
Jeroen

willy · March 31, 2011, 7:27am

Hello
Atheros-8316 a 5 port switch but have “virtual” port this is a cpu port this cpu port connect to ROS. (this is explained also in Switch Chip Features page well, but this page very confusing)
This problem related you could not set vlan-header and vlan mode on cpu port. This is a known problem. You can’t reach tagged port on ROS from untagged port from switch.

Wyoming · April 27, 2011, 2:59pm

I have found a work around for this on the RB493G which have 2 switch chips. One with 4 ports and one with 5. It does waist 2 ports but it will allow you to access the router locally from an untagged port. In my setup I put a jumper from port 5 to port 6, connecting the two switch chips together through an Ethernet cable instead of through the CPU. Then in my setup I connected one switch to the CPU through the switch setup. I then put all the untagged ethernet ports on the other switch and forwarded that traffic out the cross connect. This tags the packets going into the other switch and allows you to talk to the local router.

Jeroen1000 · April 27, 2011, 5:55pm

Nice find actually! I do prefer having a real switch in front of the router now. Makes life so much easier. Routerboards are great though, but they do have their oddities. I’d say you get a lot more than you pay for but at times to many bugs exist.

Wyoming · April 27, 2011, 9:03pm

I to would prefer to have an actual switch in front of the router. My issue is that they bought us RB493Gs for a project with the intent of using the switching functionality in them so I had to find a way to make it work and this is what i came up with.