MerijnB
just joined
Topic Author
Posts: 9
Joined: Sat Aug 10, 2019 6:52 pm

tag all untagged traffic - can't get it working

Mon Aug 26, 2019 2:24 pm

Hi all,

I'm doing some first steps into separation with VLANs. There are some unmanaged switches in the network, so to make life easier on myself the plan was to let my 2011UiAS-2HnD tag all untagged traffic, so that further down the line everything is tagged.
To test this I've done:
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-header=add-if-missing

However, when I torch this port, or the bridge where this port is part of, I still only see untagged traffic. Do I misunderstand how this feature works? Any other way to add a default VLAN tag to all untagged traffic?

Thanks!
 
sebastia
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: tag all untagged traffic - can't get it working

Mon Aug 26, 2019 7:40 pm

Sniffing takes place "close" to physical layer, and tagging might not have happened yet. Have you tried sniffing a trunk port down the hill?

Wrt config, there are few entries, see https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples.
Is the vlan 10 already defined under "switch vlan"?
 
pe1chl
Forum Guru
Posts: 5730
Joined: Mon Jun 08, 2015 12:09 pm

Re: tag all untagged traffic - can't get it working

Mon Aug 26, 2019 9:11 pm

Correct config for a port that adds some tag to untagged traffic is this:

set 1 default-vlan-id=10 vlan-header=always-strip

i.e. you have to see the command as it is working outbound, not inbound.

Also remember that not all switch chips can do hybrid ports! So you may not be able to have some traffic untagged and other traffic tagged on the same port.
In that case you might have to apply that configuration to the bridge, where it is done in software.
E.g. on the 2011 ports 6-10 are examples of this (impossible to run as hybrid ports in the hardware switch)
 
MerijnB
just joined
Topic Author
Posts: 9
Joined: Sat Aug 10, 2019 6:52 pm

Re: tag all untagged traffic - can't get it working

Mon Aug 26, 2019 9:32 pm

> Sniffing takes place "close" to physical layer, and tagging might not have happened yet. Have you tried sniffing a trunk port down the hill?

Sniffing further down the hill is kinda hard (I think?), cause after this the router will NAT network to the outside, where should I sniff?

> Wrt config, there are few entries, see https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples.
> Is the vlan 10 already defined under "switch vlan"?

No. But while you mention this, I read in multiple places there is a difference between 'interface VLAN' and 'bridge VLAN' (or something similar), which confuses me quite a bit.
I do have a VLAN configured in a bridge.

But just to take 1 step at a time I was hoping to tackle this untagged traffic 'problem'.
 
MerijnB
just joined
Topic Author
Posts: 9
Joined: Sat Aug 10, 2019 6:52 pm

Re: tag all untagged traffic - can't get it working

Mon Aug 26, 2019 9:34 pm

> Correct config for a port that adds some tag to untagged traffic is this:
>
> set 1 default-vlan-id=10 vlan-header=always-strip

But always-strip will strip existing VLAN tags, right? That should not happen, on this port both correctly tagged and untagged traffic will be received.

> i.e. you have to see the command as it is working outbound, not inbound.

I can't really follow this, can you elaborate a bit please?

> Also remember that not all switch chips can do hybrid ports! So you may not be able to have some traffic untagged and other traffic tagged on the same port.
> In that case you might have to apply that configuration to the bridge, where it is done in software.
> E.g. on the 2011 ports 6-10 are examples of this (impossible to run as hybrid ports in the hardware switch)

I've realized that ports 6-10 can't do hybrid (that's why I'm testing on port 1 for now).

But more in general, is tagging all untagged traffic the way to go here?

Thanks all!
 
mkx
Forum Guru
Posts: 2828
Joined: Thu Mar 03, 2016 10:23 pm

Re: tag all untagged traffic - can't get it working

Tue Aug 27, 2019 8:32 am

> I do have a VLAN configured in a bridge.

The config command you posted a few posts back indicates that you're configuring VLANs on switch chip.

So there are two ways of doing it:
  1. On switch chip
    You configure things in /interface ethernet switch port and /interface ethernet switch vlan configuration subtrees.
    The first one essentially configures ingress behaviour (or, rather, mix of behaviours: default-vlan-id is for ingress, while vlan-header is for egress) and the second one egress behaviour.
  2. On bridge
    You configure things in /interface bridge port and /interface bridge vlan configuration subtrees. In addition to that, you have to set vlan-filtering=yes on VLAN-aware bridge.
    The first one configures ingress behaviour and the second one configures egress behaviour.
In both cases you configure "L2.5" using /interface vlan ... which exposes individual VLANs for L3 setup.

I advise you to read through this tutorial. It is about the bridge vlan setup (#2 in my list above), it helps to understand some basic concepts and the way they're implemented in ROS. If you decide to go with switch chip (#1) way, you can adapt configuration later, conceptually it is similar but perhaps a bit harder to grasp the details if you start to do it without some good background.
BR,
Metod
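
Added example, not part of the original posts and not MikroTik's own configuration: the bridge approach (#2 above) applied to the setup asked about in this thread, where untagged traffic arriving on some ports is classified into VLAN 10 and leaves the trunk port tagged. The access ports are also set to drop frames that arrive already tagged, so hosts behind an unmanaged switch cannot place traffic into the other VLAN. The names bridge1, ether2, ether3, ether5, vlan10, vlan20 and the second VLAN ID 20 are assumptions.

```routeros
# Added example. Interface names, bridge1 and VLAN 20 are assumptions.
# Create the bridge with filtering off so the rest can be built safely.
/interface bridge
add name=bridge1 vlan-filtering=no

# Ingress side: untagged frames entering a port are assigned to its pvid.
# ether2/ether3 face unmanaged switches and only accept untagged frames.
# ether5 is the trunk and only accepts frames that already carry a tag.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# Egress side: per VLAN, which ports send the frame tagged and which
# send it with the tag removed.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether5 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether5

# "L2.5": one VLAN interface per VLAN for addresses, DHCP and firewall.
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

# Enable filtering last; until this is set the pvid and VLAN table
# entries above have no effect.
/interface bridge
set bridge1 vlan-filtering=yes

# Check the resulting per-VLAN membership.
/interface bridge vlan print
```

Apply the final `vlan-filtering=yes` step from a management path that does not depend on the bridge being changed, since a mistake in the VLAN table can cut off access.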
 
MerijnB
just joined
Topic Author
Posts: 9
Joined: Sat Aug 10, 2019 6:52 pm

Re: tag all untagged traffic - can't get it working

Tue Aug 27, 2019 11:36 am

> > I do have a VLAN configured in a bridge.
>
> The config command you posted a few posts back indicates that you're configuring VLANs on switch chip.
>
> So there are two ways of doing it:
>   1. On switch chip
>     You configure things in /interface ethernet switch port and /interface ethernet switch vlan configuration subtrees.
>     The first one essentially configures ingress behaviour (or, rather, mix of behaviours: default-vlan-id is for ingress, while vlan-header is for egress) and the second one egress behaviour.
>   2. On bridge
>     You configure things in /interface bridge port and /interface bridge vlan configuration subtrees. In addition to that, you have to set vlan-filtering=yes on VLAN-aware bridge.
>     The first one configures ingress behaviour and the second one configures egress behaviour.
> In both cases you configure "L2.5" using /interface vlan ... which exposes individual VLANs for L3 setup.
>
> I advise you to read through this tutorial. It is about the bridge vlan setup (#2 in my list above), it helps to understand some basic concepts and the way they're implemented in ROS. If you decide to go with switch chip (#1) way, you can adapt configuration later, conceptually it is similar but perhaps a bit harder to grasp the details if you start to do it without some good background.

Tx mkx, much appreciated.

I realised there are two different ways of doing VPNs, and it confuses the heck out of me because of two reasons:
1) I don't really know the practical differences between the two
2) When I'm reading a tutorial, I can't tell which of both methods is being used

Regarding this situation:
- I'd like multiple ports to act as 'single switch' (what I think is called a bridge)
- I'd like to run 2 VLANs on that 'bridge'
- I can choose if for one of those VLANs I leave all traffic untagged, or I need to let the board tag it

What would be the best approach for this, which method, and do I use untagged traffic or should I tag it all?

Thanks so much!
 
mkx
Forum Guru
Posts: 2828
Joined: Thu Mar 03, 2016 10:23 pm

Re: tag all untagged traffic - can't get it working

Tue Aug 27, 2019 12:48 pm

The mentioned tutorial is explaining the "bridge VLAN" (mentioned as #2 on my list). What you describe you want to do is perfectly doable.

The tutorial briefly touches the "hybrid" setup - one VLAN untagged (native) and the rest of VLANs tagged, but also notes that hybrid access is a bit problematic. It is advisable to configure all VLANs as tagged ... which doesn't mean it can not be untagged on the ethernet ports.
BR,
Metod
 
MerijnB
just joined
Topic Author
Posts: 9
Joined: Sat Aug 10, 2019 6:52 pm

Re: tag all untagged traffic - can't get it working

Tue Aug 27, 2019 1:58 pm

> It is advisable to configure all VLANs as tagged ... which doesn't mean it can not be untagged on the ethernet ports.

I'm having a hard time digesting this one, can you elaborate a little bit please?
 
mkx
Forum Guru
Posts: 2828
Joined: Thu Mar 03, 2016 10:23 pm

Re: tag all untagged traffic - can't get it working

Tue Aug 27, 2019 2:00 pm

> > It is advisable to configure all VLANs as tagged ... which doesn't mean it can not be untagged on the ethernet ports.
>
> I'm having a hard time digesting this one, can you elaborate a little bit please?

Did you study the tutorial I linked in one of my previous posts?
BR,
Metod
 
MerijnB
just joined
Topic Author
Posts: 9
Joined: Sat Aug 10, 2019 6:52 pm

Re: tag all untagged traffic - can't get it working

Tue Aug 27, 2019 2:07 pm

> > > It is advisable to configure all VLANs as tagged ... which doesn't mean it can not be untagged on the ethernet ports.
> >
> > I'm having a hard time digesting this one, can you elaborate a little bit please?
>
> Did you study the tutorial I linked in one of my previous posts?

Yes, although I'm quite sure I couldn't place all when I read it, I'll re-read it with the extra context you've given me and get back if I have questions after that.
Thanks!
 
anav
Forum Guru
Posts: 2940
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: tag all untagged traffic - can't get it working

Wed Aug 28, 2019 6:49 pm

I concur with MKX, always best to have clean breaks (port is trunk and tagged) or port is access and incoming is untagged and stripped of any tag going back to device etc.
However there is one reference that attempts to discuss the hybrid setup. I have not tried it though.

Scroll down to image 4.
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
CZFan
Forum Guru
Posts: 1364
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: tag all untagged traffic - can't get it working

Thu Aug 29, 2019 11:01 pm

Where hybrid ports are possible, the "always strip" will only remove the tag that matches the pvid of the port, other tags will stay.
MTCNA, MTCTCE, MTCRE & MTCINE
