VLANs on CRS125 (yet another whine)

So I am another victim of this ‘nice’ switch. All I want is very simple configuration for now, have two ports in single broadcast domain, one port working as untagged, another as tagged for the single vlan. For procurve, it took approx. 5 minutes to figure out the config, with RouterOS 6.13 I cannot make this work at all. Not to mention the so called documentation which restates the names of the config knobs without explaining the meaning.

So I did:

[kostik@MikroTik] > interface ethernet 23 set name=ether24
[kostik@MikroTik] > interface ethernet set 23 name=ether24 master-port=none
[kostik@MikroTik] > interface ethernet set 22 name=ether23 master-port=ether24
[kostik@MikroTik] > interface ethernet printFlags: X - disabled, R - running, S - slave 
 #    NAME                                MTU MAC-ADDRESS       ARP        MASTER-PORT                              SWITCH                             
 0 R  ether1-master-local                1500 D4:CA:6D:F8:E8:83 enabled    none                                     switch1                            
 1  S ether2-slave-local                 1500 D4:CA:6D:F8:E8:84 enabled    ether1-master-local                      switch1                            
 2  S ether3-slave-local                 1500 D4:CA:6D:F8:E8:85 enabled    ether1-master-local                      switch1                            
 3 RS ether4-slave-local                 1500 D4:CA:6D:F8:E8:86 enabled    ether1-master-local                      switch1                            
 4  S ether5-slave-local                 1500 D4:CA:6D:F8:E8:87 enabled    ether1-master-local                      switch1                            
 5  S ether6-slave-local                 1500 D4:CA:6D:F8:E8:88 enabled    ether1-master-local                      switch1                            
 6  S ether7-slave-local                 1500 D4:CA:6D:F8:E8:89 enabled    ether1-master-local                      switch1                            
 7  S ether8-slave-local                 1500 D4:CA:6D:F8:E8:8A enabled    ether1-master-local                      switch1                            
 8  S ether9-slave-local                 1500 D4:CA:6D:F8:E8:8B enabled    ether1-master-local                      switch1                            
 9  S ether10-slave-local                1500 D4:CA:6D:F8:E8:8C enabled    ether1-master-local                      switch1                            
10  S ether11-slave-local                1500 D4:CA:6D:F8:E8:8D enabled    ether1-master-local                      switch1                            
11  S ether12-slave-local                1500 D4:CA:6D:F8:E8:8E enabled    ether1-master-local                      switch1                            
12  S ether13-slave-local                1500 D4:CA:6D:F8:E8:8F enabled    ether1-master-local                      switch1                            
13  S ether14-slave-local                1500 D4:CA:6D:F8:E8:90 enabled    ether1-master-local                      switch1                            
14  S ether15-slave-local                1500 D4:CA:6D:F8:E8:91 enabled    ether1-master-local                      switch1                            
15  S ether16-slave-local                1500 D4:CA:6D:F8:E8:92 enabled    ether1-master-local                      switch1                            
16  S ether17-slave-local                1500 D4:CA:6D:F8:E8:93 enabled    ether1-master-local                      switch1                            
17  S ether18-slave-local                1500 D4:CA:6D:F8:E8:94 enabled    ether1-master-local                      switch1                            
18  S ether19-slave-local                1500 D4:CA:6D:F8:E8:95 enabled    ether1-master-local                      switch1                            
19  S ether20-slave-local                1500 D4:CA:6D:F8:E8:96 enabled    ether1-master-local                      switch1                            
20  S ether21-slave-local                1500 D4:CA:6D:F8:E8:97 enabled    ether1-master-local                      switch1                            
21  S ether22-slave-local                1500 D4:CA:6D:F8:E8:98 enabled    ether1-master-local                      switch1                            
22  S ether23                            1500 D4:CA:6D:F8:E8:99 enabled    ether24                                  switch1                            
23    ether24                            1500 D4:CA:6D:F8:E8:9A enabled    none                                     switch1                            
24  S sfp1-slave-local                   1500 D4:CA:6D:F8:E8:9B enabled    ether1-master-local                      switch1
[kostik@MikroTik] > interface ethernet switch ingress-vlan-translation add port=ether23 new-customer-vid=1 sa-learning=yes
[kostik@MikroTik] > interface ethernet switch egress-vlan-translation add port=ether24 customer-vid=1 new-customer-vid=0
[kostik@MikroTik] > interface ethernet switch ingress-vlan-translation print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ports=ether23 service-vlan-format=any customer-vlan-format=any new-customer-vid=1 pcp-propagation=no sa-learning=yes 

 1 D ports=ether23,ether24 service-vlan-format=any customer-vlan-format=any new-customer-vid=0 pcp-propagation=no sa-learning=yes 

 2 D ports="" service-vlan-format=any customer-vlan-format=any new-customer-vid=0 pcp-propagation=no sa-learning=no 
[kostik@MikroTik] > interface ethernet switch egress-vlan-translation print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   ports=ether24 service-vlan-format=any customer-vlan-format=any customer-vid=1 new-customer-vid=0 pcp-propagation=no 
[kostik@MikroTik] > interface ethernet switch vlan print                   
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID PORTS                                               SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP                                              
 0 D    4095 switch1-cpu                                         no  no    no    no             none                                                   
 1 D    4091 ether23                                             no  yes   no    no             none                                                   
             ether24                                            
             switch1-cpu

Now, if I do tcpdump on ws connected to the port ether24, I see untagged packets coming out:

pooma% sudo tcpdump -i em1 -n -vvv -e
    192.168.102.80.63206 > 239.255.255.250.1900: [udp sum ok] UDP, length 395
13:11:53.399754 00:22:4d:7a:47:f6 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 496: (tos 0x0, ttl 2, id 21917, offset 0, flags [none], proto UDP (17), length 482)
    192.168.102.80.63206 > 239.255.255.250.1900: [udp sum ok] UDP, length 454
13:11:53.399756 00:22:4d:7a:47:f6 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 437: (tos 0x0, ttl 2, id 21918, offset 0, flags [none], proto UDP (17), length 423)

Could, please, anybody help me. I want the untagged packets from port ether23 come out on port ether24 as tagged for vlan id 1, and tagged packets from port ether24 for vlan id 1 to come out to port ether 23, untagged. Would ether24 deny receive of any other tags or untagged packets, it would be good as well.

Thank you.

You may have already tried this, but I know that with v6.12+ the vlan code changed a bit. Here’s my basic setup for VLANs now to get them working, and maybe then you can try to see if stuff is leaking after this setup.

As for simple tagging/untagging from port 24 to 23, try this:

#Slave ether23 to ether24, to switch them together
/interface ethernet set [ find default-name=ether23 ] master-port=24

#Set up VLAN trunking of VLAN1 to ether24
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=1

# Tag packets going into ether23 (from customer) as VLAN1
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=1 ports=ether23 sa-learning=yes

# Tell the Mikrotik that there is VLAN1 on ether23, ether24
/interface ethernet switch vlan
add ports=ether23,ether24 vlan-id=1

You used to have to do a egress-vlan-translation to untag the packets leaving ether23 from VLAN1 to VLAN0 (no vlan), but apparently with v6.12 and above it just knows to do this somehow anyways if you set up the tagged port trunking? That part is still a mystery to me. But this is my basic four-step setup for this.

Try the above and see if packets are still being untagged sent. Then see if the VLAN is leaking elsewhere. If it is, try setting up port isolation.

I already found the knob

interface ethernet switch port set ether17 egress-vlan-mode=unmodified

, also I did the

interface ethernet switch egress-vlan-translation add ports=ether17 customer-vid=1 new-customer-vid=0

from the beginning, but both spells do nothing (for me).

I also found that if I use non-master port as a trunk, then the packets on trunk come out tagged, as it should be, but non-trunk interface also receives the packets tagged. This makes me crazy. I probably miss something obvious, it cannot be that such bugs exist in the released version of the firmware ?

I cannot stay away from complaining about the “documentation” which basically repeats the knobs names with removed dashes.

I took two ports which I did not touched in any way after the configuration reset, ether5 and ether6, and did the following:

[kostik@MikroTik] /interface ethernet> set [find default-name=ether6] master-port=none
[kostik@MikroTik] /interface ethernet> set [find default-name=ether5] master-port=ether6
[kostik@MikroTik] /interface ethernet> switch egress-vlan-tag add tagged-ports=ether6 vlan-id=100
[kostik@MikroTik] /interface ethernet> switch ingress-vlan-translation  add new-customer-vid=100 ports=ether5 sa-learning=yes
[kostik@MikroTik] /interface ethernet> switch vlan add ports=ether5,ether6 vlan-id=100

On the machine connected to ether5, I see:

sandy% sudo tcpdump -i em2 -envvvs0
tcpdump: listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
19:17:12.564169 00:30:48:d6:31:1b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.140.2 tell 192.168.140.1, length 42

Apparently, at least 6.13 and 6.14rc25 have bug which prevents vlans from working correctly on the other ports groups. It was answered by the support.

No idea about ETA for a fix.