I noticed our TP-link managed switches have VLAN’s using tagged ports but the VLAN’s on the CCR + PTP + AP’s don’t have “Use service tag” enabled,
Should the Mikrotik devices have service tag enabled, Which is best when using a lot of VLAN’s (<80) when they start and finish on Mikrotik devices - tagged or untagged?
Service tag is something different, you do not use that in this scenario.
The “VLAN ID” in the VLAN interface is what others call the “tag”.
That’s a misunderstanding. use-service-tag actually means “use the “service” (802.1ad) ethertype (0x88a8) in the VLAN tag rather than the “customer” (802.1Q) ethertype (0x8100)”. SOHO equipment rarely supports the 802.1ad format so only set use-service-tag to yes if you exactly know why.
Other than that, a port may be in untagged (access) mode for at most one VLAN (leaving protocol-based VLANs aside, that’s another can of worms), so if you need to transport more than one VLAN through a port, the port must be a tagged member of all of them (or all of them but one if you have a strong reason to do that).
The reason is simple - when an untagged frame comes from the wire, the port must be able to choose the destination VLAN. So there cannot be more than one. Protocol-based VLANs are an exception from this as the protocol ID may be used to determine the target VLAN.
Thanks for replies and I am still confused ( as always !) the TP-link T2600G-28TS managed switch is showing the VLANs in and out as “tagged”
But in Mikrotik /interface bridge when I add vlan-filtering the “tagged VLAN” is coming up as “untagged” ? Is this normal
The configuration of VLANs in combination with bridges sure is a bit confusing, partly because it was “recently” all changed, and so some existing documents describe the old situation.
But without a concrete usage scenario (network diagram and how you configured it) there is not much more that can be written about it here.
You could look in some other (recent! not 4 years old!) topics on the forum by people that try to find how this works.
Follow the hint in my automatic signature below, and add a list of VLANs you want to have tagged on the TP-link - facing interface of Mikrotik. As @pe1chl says, there are many recent topics dealing with the same, but pinpointing a mistake in your particular configuration is the fastest way ahead.
Our VLAN’s are working but have a intermittent fault ( every few weeks or so) a PTP or AP will lockup and have to recycle power to the effected device,
I thought that VLAN would help but on reading , Bridge VLAN filter disables hardware offloading and reduces performance ?
So now I have just applied
/interface bridge port
set [find where interface=ether1 or interface=wlan1] frame-types=admit-only-vlan-tagged ingress-filtering=yes
Indeed an issue with bridge with VLAN filtering as it is now, is that VLAN filtering disables hardware acceleration.
Without need, I think, because before that bridge filtering we had “ethernet master and slave ports” where you could use a group of ethernet ports in switch mode and the master-port was similar to what now is called the CPU port on the bridge, but on most routers (not all) you could have VLAN configuration on such a switch that was fully hardware accelerated.
So I think that a bridge with VLAN filtering and just the basic config (some numbered VLANs, some combination of tagged or untagged VLAN on each port) should still be accelerated.
It is still possible to have that. You should then (carefully) remove the VLAN filtering on the bridge and make all ports just normal members of the bridge, then go to the switch configuration menu and define the VLANs and ports again there.
It still works, but of course it is now even more confusing than it was before because there is that extra “bridge” on top of it (that does nothing) and it isn’t immediately visible which ports are grouped in a switch.