Why does this VLAN configuration work? It shouldn't!

RouteRite · May 9, 2014, 4:32pm

The switch chip is giving me fits. I’ve read lots of material on how to make it work, and I’ve been 99% successful.

However, there seems to be something odd with the way it handles traffic when VLAN ID=1.

See my configuration below. It is successfully passing VLAN ID=1 traffic on ether2 as an access port despite the fact that VLAN Mode has been disabled on that port and the trunk port (ether5) is set to VLAN Mode=Secure and VLAN Header=add if missing.

Note that ether4 is set to pass VLAN ID=4 as an access port and does this properly. If I set up ether2 in a similar fashion for VLAN ID=1, the switch will not pass traffic for VLAN ID=1.

My configuration below is working, and I have no idea why. Any clues to help me debug or submit a report would be appreciated. Thanks!

Model: RB2011UiAS, ROS: 6.12, Firmware: 3.14
Upstream switch on ether5 is a Procurve 2610 gigE port, with tagged VLANS 1,4.

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2

/interface ethernet switch port
set 4 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=secure


/interface ethernet switch vlan
add independent-learning=no ports=ether5,ether2,switch1-cpu switch=switch1 \
    vlan-id=1
add independent-learning=no ports=ether4,ether5 switch=switch1 vlan-id=4

CelticComms · May 9, 2014, 6:20pm

Are you 100% sure that the HP has VLAN1 tagged? Does it have a native VLAN set?

If you create a VLAN1 interface on the interface seen by the CPU does torch see traffic? Does it see traffic on the basic physical interface?

RouteRite · May 9, 2014, 10:26pm

On the Procurve: I am 100% certain the HP has VLAN1 tagged. Checked it many times and verified port. Primary VLAN is set to Default_Vlan, which is 1.

On the Mikrotik: I just created a VLAN1 interface on ether2. Torch sees traffic on VLAN1 and directly on ether2. On ether2, traffic shows a VLAN ID of 1 on Torch. On VLAN1, traffic shows no VLAN ID on Torch. Most of the traffic it shows is received broadcast traffic, though.

Any other suggestions for troubleshooting? I just want to understand what the RB2011 is doing and why this is working.

CelticComms · May 10, 2014, 10:06am

Could you try swapping the port usage as follows:

Use Ether 2 as your trunk to the HP Procurve.
Use Ether 5 as the VLAN 1 access port.

Is the behaviour more in line with expectations then?

RouteRite · May 12, 2014, 5:43pm

Thank you for your suggestions. I just tried that. Same results.

I did find this forum posting (see bottom) that hints that the switch chip implementation might have some quirks.
http://forum.mikrotik.com/t/ar8327/61692/1

My issue feels like an edge-case problem since the problem only occurs when vlan ID=1. I have a CRS that just arrived. I will try to reproduce the problem on that hardware.

At least I have a work-around for now.

In case anyone else runs into a similar problem, this is the cleanest statement of my the problem:

With the Atheros 8327 switch chip on the RB2011, vlan1 (vlan ID=1) traffic from a trunk connection is only visible on an access port as untagged traffic if VLAN Mode is disabled. Enabling any VLAN mode on the Vlan1 access port will prevent traffic from appearing on that port as untagged even if the VLAN Header setting is “always strip.”

CelticComms · May 14, 2014, 12:18am

Could you upload or email me the config that showed the issue? I would like to try to reproduce it. I generally do not use VLAN 1 in any production systems due to historical risks associated with Cisco and other equipment.

RouteRite · May 14, 2014, 5:00pm

Here’s the complete config. Using latest 6.12 release and firmware. I haven’t tried 6.13 RC.
Model is RB2011UiAS.

I am bridging the gigE and fastE chips, but I had the same problem even when the fastE was not used or disabled.
I set up 192.168.1.99 as the management address when plugged into the switch. Removing the address, however, didn’t change the vlan behavior. In practice, the management IP would be on a different VLAN and accessible via the trunk port.

In the config below, ether2 is the Master Port, ether5 is the trunk port for vlans 1,4.

Ether4 is the vlan4 access port and works properly.

Ether1-3 have Vlan Mode=disabled. Vlan1 works perfectly on those ports and the traffic is sent out the trunk port to the rest of the lan.

(LCD is turned off because the screen cracked, but it was barely functional prior to that. It’s not very sensitive and required a hard press to register anything.)

# jan/03/1970 23:00:03 by RouterOS 6.12
#
/interface bridge
add l2mtu=1598 name=bridgeGigandFast
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
/interface ethernet switch port
set 4 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=secure
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeGigandFast interface=ether2
add bridge=bridgeGigandFast interface=ether6
/interface ethernet switch vlan
add independent-learning=no ports=ether5,ether2,switch1-cpu,ether3 switch=\
    switch1 vlan-id=1
add independent-learning=no ports=ether4,ether5 switch=switch1 vlan-id=4
/ip address
add address=192.168.1.99/24 interface=bridgeGigandFast network=192.168.1.0
/ip upnp
set allow-disable-external-interface=no
/lcd
set enabled=no
/lcd interface
add interface=sfp1
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
/lcd interface pages
add interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,e\
    ther9,ether10"
/tool graphing interface
add

CelticComms · May 15, 2014, 4:22am

Could you confirm exactly what you mean by this? Untagged traffic on Ethers 1 - 3 finds it way to tagged VLAN 1 on Ether 5?

RouteRite · May 15, 2014, 5:18pm

Yes. That’s exactly what’s happening with this setup.

Ether1-3 are passing untagged traffic successfully for Vlan1 and sending it out the trunk.
Ether4 is passing untagged traffic successfully for Vlan4 and sending it out the trunk.

If I enable Vlan Mode=Secure, VLAN Header=always strip, Vlan ID=1 for Ether1-3, they will not pass untagged traffic for Vlan1. If I disable VLAN Mode, then it passes untagged traffic.

I haven’t had a chance to test this with another Mikrotik switch chip yet.

CelticComms · May 15, 2014, 8:37pm

I am not clear about the reference to Ether 1 since it didn’t seem to be slaved elsewhere in the config.

If you set the trunk (Ether and CPU) ports to “leave-as-is” I would expect this effect (untagged traffic from a port in “vlan disabled” mode appearing as tagged traffic on the trunks) to disappear. I think that the VLAN the traffic gets to is based on the default VLAN set for the untagged port.

RouteRite · May 15, 2014, 10:45pm

Sorry. My Ether1 reference was a mistake. You can ignore that.

If I change the VLAN Header to “leave-as-is” for the Ether3 access port, it will stop routing Vlan1 traffic. This happens even though VLAN Mode=disabled. Apparently, Vlan Mode must be disabled and VLAN Header set to “always strip” before an access port can see VLAN1 traffic.

For what it’s worth, if I change the trunk port to “leave-as-is”, untagged traffic does indeed stop. That makes sense and functions as it should.