
CRS112: tagged VLAN port isolation not working as expected

Posted: Wed Jun 27, 2018 4:19 pm
by miebachpw
It's me again.

Given that I could not get my Q-in-Q experiments to work, I've decided to really work from the ground up and begin with a really basic scenario, only tagged and untagged ports, with my CRS112:

- ether1: VLAN 685 and 686, both tagged
- ether2: Management port, untagged
- ether3: VLAN 685, untagged
- ether4: VLAN 686, untagged
- ether7: VLAN 685, tagged
- ether8: VLAN 686, tagged

I've begun with 6.40.8 (so old master port configuration) and this is my complete configuration:
# jan/02/1970 01:00:41 by RouterOS 6.40.8
# model = CRS112-8G-4S
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether6 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether8 ] master-port=ether1
/interface ethernet switch
# XXXXX why do I need to exclude ether7 and ether8?
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp9,sfp10,sfp11,sfp12,switch1-cpu forward-unknown-vlan=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether7 vlan-id=685
add tagged-ports=ether1,ether8 vlan-id=686
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=685 ports=ether3
add customer-vid=0 new-customer-vid=686 ports=ether4
/interface ethernet switch vlan
add ports=switch1-cpu,ether2 vlan-id=0
add ports=ether1,ether3,ether7 vlan-id=685
add ports=ether1,ether4,ether8 vlan-id=686
/ip address
add address=172.30.10.198/24 interface=ether2 network=172.30.10.0
Everything works as expected with the above config, BUT as you might notice I have not added ether7 and ether8 to the setting drop-if-invalid-or-src-port-not-member-of-vlan-on-ports.
As soon as I do so the respective VLAN does not get forwarded anymore through the port.
Say I add ether7 to the setting - this means that I only get to see outgoing tagged VLAN 686 on ether1 (no longer VLAN 685) and no longer any outgoing untagged traffic on ether3.

By the way, it doesn't matter whether I toggle forward-unknown-vlan to yes or no - the only relevant setting is the drop-if-invalid... setting.

Everything works: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
Everything works: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=""
ether7 fails to work: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
ether8 fails to work: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether8,sfp9,sfp10,sfp11,sfp12,switch1-cpu"
both ether7/8 fail to work: drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,sfp9,sfp10,sfp11,sfp12,switch1-cpu"

I've then done an upgrade to 6.42.5 with the following automatically converted config, but got the exact same results:
# jan/02/1970 01:05:15 by RouterOS 6.42.5
# model = CRS112-8G-4S
/interface bridge
add admin-mac=64:D1:54:12:3E:19 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp9,sfp10,sfp11,sfp12,switch1-cpu forward-unknown-vlan=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,ether7 vlan-id=685
add tagged-ports=ether1,ether8 vlan-id=686
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=685 ports=ether3
add customer-vid=0 new-customer-vid=686 ports=ether4
/interface ethernet switch vlan
add ports=switch1-cpu,ether2 vlan-id=0
add ports=ether1,ether3,ether7 vlan-id=685
add ports=ether1,ether4,ether8 vlan-id=686
/ip address
add address=172.30.10.198/24 interface=ether2 network=172.30.10.0
/system routerboard settings
set silent-boot=no
Can someone give me a hint why I cannot get this to work correctly? What's so special about ether7 and ether8?
Also, why do I need to enable the drop-if-invalid-or-src... setting in the first place? Even with the entire setting missing ("blank string") I've still not encountered "stray" traffic on ports that I didn't expect it on.

Re: CRS112: tagged VLAN port isolation not working as expected

Posted: Wed Jun 27, 2018 7:13 pm
by CZFan
Are you sure switch-cpu must be part of this?

drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,sfp9,sfp10,sfp11,sfp12,switch1-cpu"

Re: CRS112: tagged VLAN port isolation not working as expected

Posted: Wed Jun 27, 2018 8:42 pm
by miebachpw
Not entirely certain whether I tested it both with and without switch1-cpu (will test tomorrow). I believe I tested that and it made no difference either way, similar to how the setting of forward-unknown-vlan doesn't make a difference either.

That still leaves me wondering why ether1 would still work just fine. Both ether1 and ether7 are supposed to carry VLAN 685 tagged, the one and only difference is the fact that ether1 has more than one tagged VLAN to carry, while both affected interfaces ether7 and ether8 are only supposed to carry exactly one VLAN each (tagged, not untagged).

I was so sure I had created a scenario that would allow me to find out where exactly I'm thinking wrong, yet the resulting behavior is still utterly inexplicable to me. I would be less confused if ether1 didn't work properly either - yet it works flawlessly, although it's the most complicated of all the ports I've configured in this scenario. How is this possible?

I've read in some blog posts that forward-unknown-vlan=yes is identical in effect to a drop-if-invalid-or-src-port-not-member-of-vlan-on-ports that includes all ports of a device - is that in fact so, or are there more subtle differences to think about here? (probably something that would interfere with my stated long-term goal of configuring Q-in-Q on this thing)

Because everything does work just fine if I do not set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports at all and instead just set forward-unknown-vlan to no. Now I could just configure it that way and call it a day, but that would not help me either learn where I've made a mistake that causes ether7 and ether8 to misbehave in the presence of drop-if-invalid-or-src-port-not-member-of-vlan-on-ports, or find out whether there is a strange bug there.

I don't think I'm the only one to have configured simple VLAN interfaces as explained above on a CRS112, am I?
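A small Python model of how the two switch-chip settings discussed in the two posts above interact, added here as an example; it is not code from the thread or from MikroTik. It encodes the poster's VLAN, ingress-translation and egress-tag tables and applies the documented meaning of drop-if-invalid-or-src-port-not-member-of-vlan-on-ports and forward-unknown-vlan as commonly read (an assumption about the semantics, not the chip's actual logic; it does not explain the ether7/ether8 symptom reported above). It shows why the drop setting is not interchangeable with forward-unknown-vlan=no: the latter only affects VIDs that are absent from the VLAN table.

```python
# Simplified model of the CRS1xx switch-chip VLAN lookup (assumption: documented
# semantics as commonly understood, not the chip's implementation).
PAGE_PORTS = {"ether1", "ether2", "ether3", "ether4", "ether5", "ether6", "ether7",
              "ether8", "sfp9", "sfp10", "sfp11", "sfp12", "switch1-cpu"}

# Tables copied from the poster's configuration
VLAN_TABLE = {0: {"switch1-cpu", "ether2"},            # /interface ethernet switch vlan
              685: {"ether1", "ether3", "ether7"},
              686: {"ether1", "ether4", "ether8"}}
INGRESS_TRANSLATION = {("ether3", 0): 685, ("ether4", 0): 686}  # customer-vid 0 -> new-customer-vid
EGRESS_TAGGED = {685: {"ether1", "ether7"}, 686: {"ether1", "ether8"}}  # egress-vlan-tag


def forward(in_port, vid, drop_ports, forward_unknown_vlan=False):
    """Where does a frame entering `in_port` with VLAN id `vid` (0 = untagged) go?
    Returns {egress_port: vid}, with vid None for untagged egress; {} means dropped."""
    vid = INGRESS_TRANSLATION.get((in_port, vid), vid)
    members = VLAN_TABLE.get(vid)
    # drop-if-invalid-or-src-port-not-member-of-vlan-on-ports, for ports listed in it
    if in_port in drop_ports and (members is None or in_port not in members):
        return {}
    if members is None:
        if not forward_unknown_vlan:
            return {}  # forward-unknown-vlan=no drops VIDs absent from the table
        members = PAGE_PORTS  # assumption: an unknown VID is flooded to every port
    return {p: (vid if p in EGRESS_TAGGED.get(vid, set()) else None)
            for p in members if p != in_port}


def isolation_report(drop_ports):
    """Probe the page's topology with frames that must not cross VLAN boundaries."""
    return {
        "ether3 untagged (expected path)": forward("ether3", 0, drop_ports),
        "ether7 tagged 686 (not a member)": forward("ether7", 686, drop_ports),
        "ether7 untagged (management VLAN 0)": forward("ether7", 0, drop_ports),
        "ether7 tagged 999 (unknown VID)": forward("ether7", 999, drop_ports),
    }


if __name__ == "__main__":
    for label, drop in (("drop set empty", set()), ("drop set = all ports", PAGE_PORTS)):
        print(label)
        for probe, result in isolation_report(drop).items():
            print(f"  {probe:36} -> {result or 'dropped'}")
```

Under this model, with the drop set empty a frame tagged 686 entering ether7 is forwarded into VLAN 686 and an untagged frame entering ether7 reaches the management VLAN 0, while adding ether7 to the drop set stops both. The unknown VID 999 is dropped either way, which is all that forward-unknown-vlan=no covers.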

Re: CRS112: tagged VLAN port isolation not working as expected

Posted: Wed Jun 27, 2018 10:00 pm
by chechito
Try this setting:
[attached image: switch invalid.png]
When you uncheck "forward invalid vlans" you will know whether your VLAN setup is correct.