Vlans

wireles1234 · November 11, 2019, 3:06pm

hola buenos días quien me puede ayudar necesito pasar varias vlans por un mismo puerto dichas vlans ya
están entrando por un puerto troncar tengo un ccr 1036

saludos

hello good morning who can help me I need to pass several vlans through the same port said vlans already
they are entering through a trunk port I have a 1036 ccr

regards

sindy · November 11, 2019, 3:33pm

Pass them where? You’ve described only one end of the “passage”, the trunk port; do you want to pass each of the VLANs to its individual access port, or to another trunk port, or do you want your CCR to act as a router for the subnet in each VLAN…? Have you seen the @pcunite’s tutorial on VLANs?

wireles1234 · November 11, 2019, 3:38pm

for example I have vlan 1,2,3 that enter through sfp1 and I want to take them out via ethernet 1

sindy · November 11, 2019, 3:59pm

/interface bridge
add name=bridge-for-vlans
/interface bridge port
add bridge=bridge-for-vlans interface=sfp1
add bridge=bridge-for-vlans interface=ether1

If you do just this, all VLANs will be forwarded betewen sfp1 and ether1.

If you want only permitted VLANs to be forwarded, you have to configure and activate VLAN filtering:
/interface bridge vlan
add vlan-ids=1 bridge=bridge-for-vlans untagged=sfp1,ether1,bridge-for-vlans
add vlan-ids=2,3 bridge=bridge-for-vlans tagged=sfp1,ether1,bridge-for-vlans
/interface bridge set bridge-for-vlans vlan-filtering=yes

You only have to add bridge-for-vlans into the tagged or untagged list of you want to place an IP address of the Mikrotik itself into the VLAN.

Only one VLAN can be untagged on each interface, so whenever the untagged list of some row in the /interface bridge vlan table is not empty, that row’s vlan-ids list must contain exactly one VLAN ID.

VLAN 1 is handled as untagged in default settings of most other vendors’ switches. Also for the virtual port representing the bridge to the rest of the the network stack and for the rows in /interface bridge port, the default value of parameter pvid is 1. You can set the pvid to any other VID between 1 and 4094, but there is no way to set the pvid parameter to none.

If you want to attach a local IP configuration to a VLAN which is tagged on the virtual port representing the bridge, you need to /interface vlan add vlan-id=X interface=bridge-for-vlan name=some-nice-name and then link the /ip address configuration to interface=some-nice-name. If you want to attach a local IP configuration to a VLAN which is tagless on the virtual port representing the bridge, link it directly to the bridge (interface=bridge-for-vlan).

wireles1234 · November 11, 2019, 6:24pm

/interface bridge
add name=BG-TES
add name=bridge12
add arp=proxy-arp name=bridge950
add name=lo0
/interface ethernet
set [ find default-name=ether1 ] comment="CACHE SERVER (SIN USO)"
set [ find default-name=ether2 ] comment="INTERNET RED CORPORATIVA"
set [ find default-name=ether4 ] comment="RED UNIFI"
set [ find default-name=ether6 ] arp=proxy-arp comment=TO-CMTS-LV
set [ find default-name=ether7 ] comment=TO-CMTS-MQ
set [ find default-name=ether8 ] arp=proxy-arp
set [ find default-name=ether10 ] arp=proxy-arp comment=\
    "CONEXION A CMTS-R.CISCO-R.MIKROTIK"
set [ find default-name=ether11 ] comment=\
    "CONEXION B CMTS-R.CISCO-R.MIKROTIK" mac-address=64:D1:54:14:1A:0D
set [ find default-name=sfp2 ] comment="WAN SFP" name=\
    "sfp2 (WAN )"
/interface vlan
add comment="UNIFI LV" interface="sfp2 (WAN)" name=vlan12 vlan-id=12
add interface="sfp2 (WAN)" name=vlan70 vlan-id=70
add arp=proxy-arp comment=RadiusManager interface="sfp2 (WAN)" name=\
    vlan950 vlan-id=950
/interface bonding
add name=bonding1 slaves=ether10,ether11 transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=bonding1 name=vlan1 vlan-id=1
add interface=bonding1 name=vlan10-WAN vlan-id=10
add interface=bonding1 name=vlan100-CMTS vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge950 interface=ether6
add bridge=bridge950 interface=vlan950
add bridge=bridge12 interface=vlan12
add bridge=bridge12 interface=ether4
add bridge=bridge950 interface=ether7

as you can see the configuration I have vlan 950 and 12 entering through sfp2 and I need them to exit through port 7

sindy · November 12, 2019, 10:25pm

From your configuration I can see that you have VLAN 950 tagged on sfp2 and untagged on ether6 and ether7, and VLAN 12 tagged on sfp2 and untagged on ether4. This is the old way of configuring VLAN filtering, where you had one bridge per each VLAN (in your case, bridge12 and bridge950) and you needed the same number of /interface vlan as the number of ports on which the VLAN is tagged. So to change the ether7 to a tagged port for VLAN 950 and adding a tagged VLAN 12 to it without redoing your configuration completely to the new way, you have to

/interface bridge port remove [find bridge=bridge950 interface=ether7]
/interface vlan add name=ether7.950 vlan-id=950 interface=ether7
/interface bridge port add bridge=bridge950 interface=ether7.950
/interface vlan add name=ether7.12 vlan-id=12 interface=ether7
/interface bridge port add bridge=bridge12 interface=ether7.12

If you don’t mind to keep VLAN 950 tagless on ether7, just skip all the first three steps (related to bridge950) above, but in that case, the equipment connected to ether7 must be configured the same way (VLAN 950 tagless on the wire, VLAN 12 tagged).

wireles1234 · November 13, 2019, 5:57pm

From your configuration I can see that you have VLAN 950 tagged on sfp2 and untagged on ether6 and ether7, and VLAN 12 tagged on sfp2 and untagged on ether4. This is the old way of configuring VLAN filtering, where you had one bridge per each VLAN (in your case, bridge12 and bridge950) and you needed the same number of /interface vlan as the number of ports on which the VLAN is tagged. So to change the ether7 to a tagged port for VLAN 950 and adding a tagged VLAN 12 to it without redoing your configuration completely to the new way, you have to
/interface bridge remove [find bridge=bridge950 interface=ether7]
/interface vlan add name=ether7.950 vlan-id=950 interface=ether7
/interface bridge add bridge=bridge950 interface=ether7.950
/interface vlan add name=ether7.12 vlan-id=12 interface=ether7
/interface bridge add bridge=bridge12 interface=ether7.12
If you don’t mind to keep VLAN 950 tagless on ether7, just skip all the first three steps (related to bridge950) above, but in that case, the equipment connected to ether7 must be configured the same way (VLAN 950 tagless on the wire, VLAN 12 tagged).

But with that the two vlans pass through the same port7?
because what I need is that the vlan950 and vlan12 go out through port 7

sindy · November 13, 2019, 6:48pm

Yes, sure. A frame tagged with VID 950 comes to sfp2, where it is matched and processed by the tagged side of “your” existing /interface vlan named “vlan950”. The tagless end of this interface is a member port of bridge950. “My” /interface vlan named “ether7.950” takes this untagged frame from bridge950, tags it with VID 950 and sends it out tagged via ether7. The same will happen with incoming frames tagged with VID 12, except that they will travel between sfp2 and ether7 through a different pair of /interface vlan and a different bridge.

Maybe I did not understand you well and you actually want to make ether7 an access port to both VLANs, 12 and 950? It is technically possible but there is a number of good reasons not to do that. Is that what you really want?

wireles1234 · November 14, 2019, 10:43am

But with that the two vlans pass through the same port7?

Yes, sure. A frame tagged with VID 950 comes to sfp2, where it is matched and processed by the tagged side of “your” existing /interface vlan named “vlan950”. The tagless end of this interface is a member port of bridge950. “My” /interface vlan named “ether7.950” takes this untagged frame from bridge950, tags it with VID 950 and sends it out tagged via ether7. The same will happen with incoming frames tagged with VID 12, except that they will travel between sfp2 and ether7 through a different pair of /interface vlan and a different bridge.

Maybe I did not understand you well and you actually want to make ether7 an access port to both VLANs, 12 and 950? It is technically possible but there is a number of good reasons not to do that. Is that what you really want?

I really want port 7 to be a trunk service port which goes through those two vlans

sindy · November 14, 2019, 11:34am

In that case, just do what I suggested in post #6 (just fixed the commands, sorry for missing “port”). If something doesn’t work, post an export taken after those changes were made.

Sorry, believe me you don’t want to read my direct writing in Spanish