VLAN configuration with RB 1100AH en CRS125

Fri Sep 21, 2018 12:59 pm

Hello,

VLAN configuration on the RB 1100AHx2
This is the trunk

/interface vlan
add interface=ether2 name=vlan-guest vlan-id=150
add interface=ether2 name=vlan-management vlan-id=200
add interface=ether2 name=vlan-private vlan-id=100

I want to transfer the VLANs to the 3 groups of the CRS.
So, port 1 = trunk to router RB1100

Port2 to 8 = vlan200
Port9 to 16 = vlan150
Port17 to 24 = vlan100

How do I configure the CRS125?

mkx · Fri Sep 21, 2018 2:38 pm

Definitely do it "the old school" way ... that is using /interface ethernet switch configuration section. If you'll do it "the new" way, everything will pass CRS' CPU which will overload both CPU and connection between CPU and switch chip.

I don't have CRS125 so I don't know if commands are same as on my RBs. But something like this:

# add all ether ports to single bridge ... this will keep HW offload enabled on all ports
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
# I'll assume that port numbering is as follows:
# 0-23 ether ports 1-24
# 24 SFP port
# 25 link towards CPU
/interface ethernet switch port
# ether1 is trunk port, no untagged packets allowed
set 0 vlan-mode=secure
set 1 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 2 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 4 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 5 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 6 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 7 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set 8 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 9 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 10 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 11 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 12 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 13 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 14 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 15 vlan-mode=secure vlan-header=always-strip default-vlan-id=150
set 16 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 17 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 18 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 19 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 20 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 21 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 22 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set 23 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
/interface ethernet switch vlan
# add switch1-cpu "port" to the list of ports with VLAN ID where you want to have management access
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 switch=switch1 vlan-id=200
add ports=ether1,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-id=150
add ports=ether1,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-id=100
# add vlan interface to vlan for management access
/interface vlan
add interface=bridge name=mgmt vlan-id=<management vlan id>

beware that before applying all of the above, you need to think about management access during the configuration changes. If you don't prepare yourself before setting all VLAN settings, you might loose access and not even winbox MAC connection might be an option any more.

Fri Sep 21, 2018 5:47 pm

Thanks MKX but it's don't work.

The CRS has another switch chip i think.

I configured like this:
CRS

/interface bridge
add fast-forward=no name=bridge1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=100
add ports=ether1,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 \
    vlan-id=150
add ports=ether1,ether17,ether18,ether19,ether20,ether21,ether22,ether23 \
    vlan-id=200
/system routerboard settings
set silent-boot=no

CRS

/ interface vlan 
toevoegen interface = ether2 naam = vlan-gast vlan-id = 150 
toevoegen interface = ether2 naam = vlan-management vlan-id = 200 
toevoegen interface = ether2 naam = vlan -private vlan-id = 100

It is not working yet what do i wrong?

mkx · Fri Sep 21, 2018 8:53 pm

AFAIK in the second config snippet, those vlan interfaces shoud have been created on bridge not on ether2.

But that is not stopping the switching. Somehow you have to set all those ports with vlan configuration ... There's a WiKi about VLAN config on CRS1xx/2xx and indeed it is different than on most RB devices.

CZFan · Fri Sep 21, 2018 8:55 pm

I don't see anywhere you are specifying tagged and or untagged (Access) ports, etc.

Below is my understanding for the CRS1xx VLAN config straight from manual https://wiki.mikrotik.com/wiki/Manual:C ... s_ports.29

To configure Port 1 as trunk on the CRS, do
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=100
add tagged-ports=ether1 vlan-id=150
add tagged-ports=ether1 vlan-id=200

My assumption is that the following ports on the CRS must be access ports, and the PVID is set the following way
/interface ethernet switch ingress-vlan-translation
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 customer-vid=0 new-customer-vid=150 sa-learning=yes
add ports=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 customer-vid=0 new-customer-vid=100 sa-learning=yes
etc.

For isolation between VLANs, you will need:
/interface ethernet switch vlan
add ports=ether1,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-id=150 learn=yes
add ports=ether1,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-id=100 learn=yes
etc

The to drop invalid /unknown VLANs
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,....,ether24

CZFan · Fri Sep 21, 2018 8:58 pm

AFAIK in the second config snippet, those vlan interfaces shoud have been created on bridge not on ether2.

...

For OP's setup, you don't need to create any VLAN interfaces on the CRS

mkx · Fri Sep 21, 2018 9:05 pm

AFAIK in the second config snippet, those vlan interfaces shoud have been created on bridge not on ether2.

...
For OP's setup, you don't need to create any VLAN interfaces on the CRS

Indeed. Maybe one for management access from the selected VLAN, from names one would assume VLAN ID 200. Or OP can decide to keep ether24 just for that, in this case all IP related setup goes directly to ether24.

[edit] Aargh, the second code snippet is actually from RB1100... in this case it's probably fine.

CZFan · Fri Sep 21, 2018 9:07 pm

Yes, sorry, for management to the device itself you will need to create a vlan interface on the device

Fri Sep 21, 2018 10:21 pm

Thanks for this help its solved

I've looked at the link you gave me.
I solved it as follows:

The configuration on the RB1100AH

/ interface vlan
add comment = cameranet interface = ether2 name = vlan-camera-net vlan-id = 200
add comment = guestnet interface = ether2 name = vlan-guest vlan-id = 300
add comment = storagenet interface = ether2 name = vlan-storage vlan-id = 400

The configuration on the CRS125

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
    ether2,ether1,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=300
add tagged-ports=ether2 vlan-id=400
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=ether3,ether4,ether5,ether6,ether7,ether8
add customer-vid=0 new-customer-vid=300 ports=ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
add customer-vid=0 new-customer-vid=400 ports=ether17,ether18,ether19,ether20,ether21,ether22,ether23
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=200
add ports=ether2,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-id=300
add ports=ether2,ether17,ether18,ether19,ether20,ether21,ether22,ether23 vlan-id=400
/system routerboard settings
set silent-boot=no

VLAN configuration with RB 1100AH en CRS125

VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125

Re: VLAN configuration with RB 1100AH en CRS125 SOLVED

Who is online