Tagged VLANs on CRS1xx

miebachpw · Thu Jun 21, 2018 8:20 am

Hello,

I've just tried to do some initial setup on a CRS112 with RouterOS 6.42.4 (so, bridge hw offloading).

I've tried to configure a tagged mgmt port (ether2) on the device according to https://wiki.mikrotik.com/wiki/Manual:C ... les#Tagged and this does in fact work just fine, but I'm really confused because the example configuration adds entries to the egress-vlan-tag and the /interface ethernet switch vlan table, but on my device none of it was neccessary for my tagged management connection to become reachable?

I've also done everything I believe I need to to enable port VLAN isolation by adding drop-if-invalid-or-src-port-not-member-of-vlan-on-ports for ether2 and setting forward-unknown-vlan=no globally, nevertheless I can still access the CRS just fine on my tagged mgmt IP without those egress / switch vlan entries that are noted in the example guide? Are they no longer neccessary either with 6.41+ and are just missing that distinction in the documentation?

Or did I miss something? Do I need those in place only when I begin doing VLAN translation or Q-in-Q or similar advanced L2 operations as seen in the same example guide?

# jan/02/1970 07:20:53 by RouterOS 6.42.4
/interface bridge
add admin-mac=64:D1:54:11:11:D9 auto-mac=no comment=defconf name=bridge
add name=bridge-MGMT
/interface vlan
add interface=bridge-MGMT name=nwinfra vlan-id=810
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2 forward-unknown-vlan=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
add bridge=bridge-MGMT interface=ether2
/ip address
add address=172.30.10.198/24 interface=nwinfra network=172.30.10.0

EDIT: also weird - the CRS bridge-MGMT is running RSTP, but regards itself as the root bridge. On the adjacent L2 switch on ether2 (a Cisco switch) I can confirm that the Cisco switch sends BPDUs, but has not received a single one from the CRS (and apparently the CRS seems to ignore the superior BPDUs it receives from the Cisco switch on L2).

/interface bridge port monitor [ find bridge=bridge-MGMT ]
            interface: ether2
               status: in-bridge
          port-number: 1
                 role: designated-port
            edge-port: yes
  edge-port-discovery: yes
  point-to-point-port: yes
         external-fdb: no
         sending-rstp: yes
             learning: yes
           forwarding: yes
     hw-offload-group: switch1

artz · Thu Jun 21, 2018 4:53 pm

Please note that multiple master-port/bridge setup is not supposed to work properly with VLANs.
You should use a single bridge instead, it is very likely that your described issues are caused because of multiple isolated port groups by using multiple bridges.
This has been mentioned in the manual as well:
https://wiki.mikrotik.com/wiki/Manual:C ... mples#VLAN

miebachpw · Fri Jun 22, 2018 8:18 am

Hello artz,

I'm going to test if this makes a difference. If so, you should rearrange this WARNING and make it more explicit (as none of the examples on this page would work properly save for untagged port configurations). Currently this warning is positioned below the "management port" section, so if I just read from top to bottom I'm not aware of this limitation if I just want to configure a tagged mgmt port.

Also, this would mean that my tagged mgmt port would share a RSTP instance with anything else I configure on the device, for example a Q-in-Q translation on 2 other ports?

miebachpw · Fri Jun 22, 2018 9:31 am

Just tested, success in one respect, no success in another:

/interface vlan add name=mgmt-NWInfra vlan-id=810 interface=bridge
# not reachable (not expected to be reachable, did not configure IP address yet)
/ip address add address=172.30.10.198/24 interface=mgmt-NWInfra network=172.30.10.0
# reachable
/interface ethernet switch egress-vlan-tag add tagged-ports=ether2,switch1-cpu vlan-id=810
# still reachable
/interface ethernet switch vlan add ports=ether2,switch1-cpu vlan-id=810 learn=yes
# still reachable
/interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12
# still reachable

--> OK!

BUT:

/interface ethernet switch set bridge-type=service-vid-used-as-lookup-vid
# no longer reachable, but I need this setting in order to be able to do Q-in-Q scenarios, don't I?

If I use multiple bridges (seperate bridges for mgmt port and Q-in-Q member ports) I do not lose connectivity if I set bridge-type=service-vid-used-as-lookup-vid (which I need for Q-in-Q) and it allows for disabling RSTP on the Q-in-Q members, but apparently multiple bridges are not supported for anything but the most basic scenarios (which makes me wonder why I should use them in the first place) and I conclude that I cannot configure a CRS for Q-in-Q if I also want to manage the CRS via a tagged port? Is this correct?

Could I use a separate management bridge if I used it untagged, and then use the remaining ports in a single bridge with STP disabled and service-vid-used-as-lookup-vid set?

Also, my CRS still mistakenly believes itself to be the STP root bridge although it should receive superior BPDUs via ether2:

/interface bridge monitor              
numbers: 0
                     ;;; defconf
                  state: enabled
    current-mac-address: 64:D1:54:02:7E:D9
            root-bridge: yes
         root-bridge-id: 0x8000.64:D1:54:02:7E:D9
         root-path-cost: 0
              root-port: none
             port-count: 12
  designated-port-count: 3

artz · Thu Jul 05, 2018 7:02 pm

One option is to simply leave the MGMT Ethernet port out of a bridge and use Firewall filter rules to limit access to the device.

There is a way if you really need to allow forwarding one SVID, but allow MGMT access from a certain CVID (trunk/access port setup with VLAN filtering), find an example below:

/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=MGMT vlan-id=99
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=200
add tagged-ports=ether2,switch1-cpu vlan-id=99
/interface ethernet switch egress-vlan-translation
add customer-vid=99 new-service-vid=0 ports=switch1-cpu
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-service-vid=200 ports=ether2 service-vid=0
add customer-vid=99 new-service-vid=99 ports=ether2
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=200
add ports=ether2,switch1-cpu vlan-id=99
/ip address
add address=192.168.0.2/24 interface=MGMT

CRS1xx/CRS2xx will not comply with 802.1ad and will send regular BPDUs to 01:80:C2:00:00:00. It is very likely that your other switches are listening to BPDUs that are sent to 01:80:C2:00:00:08.

Thu Jul 05, 2018 7:37 pm

keep in mind unless you uncheck forward invalid VLAN you cannot verify your VLAN filtering

switch invalid.png

Tagged VLANs on CRS1xx

Tagged VLANs on CRS1xx

Re: Tagged VLANs on CRS1xx

Re: Tagged VLANs on CRS1xx

Re: Tagged VLANs on CRS1xx

Re: Tagged VLANs on CRS1xx

Re: Tagged VLANs on CRS1xx

Who is online