CRS112: tagged VLAN port isolation not working as expected
Posted: Wed Jun 27, 2018 4:19 pm
It's me again.
Given that I could not get my Q-in-Q experiments to work, I've decided to really work from the ground up and begin with a really basic scenario, only tagged and untagged ports, with my CRS112:
- ether1: VLAN 685 and 686, both tagged
- ether2: Management port, untagged
- ether3: VLAN 685, untagged
- ether4: VLAN 686, untagged
- ether7: VLAN 685, tagged
- ether8: VLAN 686, tagged
I've begun with 6.40.8 (so old master port configuration) and this is my complete configuration:
Code:
# jan/02/1970 01:00:41 by RouterOS 6.40.8
# model = CRS112-8G-4S
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
/interface ethernet switch
# XXXXX why do I need to exclude ether7 and ether8?
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp9,sfp10,sfp11,sfp12,switch1-cpu forward-unknown-vlan=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether7 vlan-id=685
add tagged-ports=ether1,ether8 vlan-id=686
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=685 ports=ether3
add customer-vid=0 new-customer-vid=686 ports=ether4
/interface ethernet switch vlan
add ports=switch1-cpu,ether2 vlan-id=0
add ports=ether1,ether3,ether7 vlan-id=685
add ports=ether1,ether4,ether8 vlan-id=686
/ip address
add address=172.30.10.198/24 interface=ether2 network=172.30.10.0
Everything works as expected with the above config, BUT as you might notice I have not added ether7 and ether8 to the setting drop-if-invalid-or-src-port-not-member-of-vlan-on-ports.
As soon as I do so, the respective VLAN no longer gets forwarded through the port.
Say I add ether7 to the setting - this means that I only get to see outgoing tagged VLAN 686 on ether1 (no longer VLAN 685) and no longer any outgoing untagged traffic on ether3.
By the way, it doesn't matter whether I toggle forward-unknown-vlan to yes or no - the only relevant setting is the drop-if-invalid... setting.
Everything works: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
Everything works: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=""
ether7 fails to work: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
ether8 fails to work: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether8,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
both ether7/8 fail to work: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
I've then done an upgrade to 6.42.5 with the following automatically-converted config, but got the exact same results:
Code:
# jan/02/1970 01:05:15 by RouterOS 6.42.5
# model = CRS112-8G-4S
/interface bridge
add admin-mac=64:D1:54:12:3E:19 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp9,sfp10,sfp11,sfp12,switch1-cpu forward-unknown-vlan=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether7 vlan-id=685
add tagged-ports=ether1,ether8 vlan-id=686
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=685 ports=ether3
add customer-vid=0 new-customer-vid=686 ports=ether4
/interface ethernet switch vlan
add ports=switch1-cpu,ether2 vlan-id=0
add ports=ether1,ether3,ether7 vlan-id=685
add ports=ether1,ether4,ether8 vlan-id=686
/ip address
add address=172.30.10.198/24 interface=ether2 network=172.30.10.0
/system routerboard settings
set silent-boot=no
Can someone give me a hint why I cannot get this to work correctly? What's so special about ether7 and ether8?
Also, why do I need to enable the drop-if-invalid-or-src... setting in the first place? Even with the entire setting missing ("blank string") I've still not encountered "stray" traffic on ports that I didn't expect it on.
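As an added illustration (not code from the post or from MikroTik), here is a simplified Python model of the switch-chip decisions the post's three tables describe, so the effect of the drop-if-invalid-or-src-port-not-member-of-vlan-on-ports list can be traced frame by frame. The ingress/egress semantics are assumptions taken from the RouterOS switch-chip documentation (untagged frames get the VID from ingress-vlan-translation, forward-unknown-vlan=no as in the post, a listed port discards frames whose VID it is not a member of, egress-vlan-tag decides tagging); the port names and VIDs are the post's own.

```python
# Added illustration, not code from the post or from MikroTik: a simplified
# model of the CRS1xx switch-chip VLAN decision for the post's tables.
# Assumptions: untagged frames take the VID from ingress-vlan-translation
# (customer-vid=0), otherwise VID 0; forward-unknown-vlan=no, so a VID absent
# from the VLAN table is always dropped; a port in the drop list discards
# frames whose VID it is not a member of; egress-vlan-tag decides tagging.
from typing import Optional

# /interface ethernet switch vlan: vlan-id -> member ports
VLAN_TABLE = {
    0:   {"switch1-cpu", "ether2"},
    685: {"ether1", "ether3", "ether7"},
    686: {"ether1", "ether4", "ether8"},
}
# /interface ethernet switch egress-vlan-tag: vlan-id -> ports that send it tagged
EGRESS_TAGGED = {685: {"ether1", "ether7"}, 686: {"ether1", "ether8"}}
# /interface ethernet switch ingress-vlan-translation (customer-vid=0): port -> VID
PVID = {"ether3": 685, "ether4": 686}
# drop-if-invalid-or-src-port-not-member-of-vlan-on-ports from the working config
WORKING_DROP_LIST = frozenset({"ether1", "ether2", "ether3", "ether4", "ether5",
                               "ether6", "sfp9", "sfp10", "sfp11", "sfp12", "switch1-cpu"})


def switch_frame(in_port: str, vid: Optional[int], drop_ports):
    """Return ('drop', reason) or ('forward', {out_port: sent_tagged})."""
    if vid is None:                      # untagged ingress: apply the translation
        vid = PVID.get(in_port, 0)
    members = VLAN_TABLE.get(vid)
    if members is None:                  # forward-unknown-vlan=no
        return ("drop", f"vlan {vid} is not in the VLAN table")
    if in_port in drop_ports and in_port not in members:
        return ("drop", f"{in_port} is not a member of vlan {vid}")
    tagged = EGRESS_TAGGED.get(vid, set())
    return ("forward", {p: p in tagged for p in members if p != in_port})


if __name__ == "__main__":
    # Normal access traffic: untagged on ether3 leaves tagged on ether1 and ether7.
    print(switch_frame("ether3", None, WORKING_DROP_LIST))
    # The post's failing case: with ether7 listed, the model still forwards tagged
    # 685 from ether7, because ether7 is a member of 685 in the VLAN table.
    print(switch_frame("ether7", 685, WORKING_DROP_LIST | {"ether7"}))
    # Why the list matters: a frame tagged 686 arriving on the VLAN-685 access port
    # ether3 is forwarded into VLAN 686 when ether3 is not in the drop list...
    print(switch_frame("ether3", 686, frozenset()))
    # ...and discarded once ether3 is listed, since ether3 is not a member of 686.
    print(switch_frame("ether3", 686, WORKING_DROP_LIST))
```

Under these assumed semantics the model forwards the ether7 case, so the VLAN table membership itself is consistent and the drop the post observes has to come from something these three tables do not capture. The last two calls are the answer to the second question: without the port in the drop list, mis-tagged frames from an access port are forwarded into a VLAN that port was never meant to reach, even though ordinary hosts never send such frames and so no "stray" traffic shows up in normal operation.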