
 
UnderSlepT
just joined
Topic Author
Posts: 2
Joined: Fri Sep 06, 2019 11:52 am

RouterOS VLAN tagging on multiple ports

Fri Sep 06, 2019 12:29 pm

Hello, I am stuck with the problem of setting up a VLAN config for switch HA so that it works. My router is a CCR-1009 - CPU usage is not a consideration, security is. I have 2 directly connected HP Aruba 2530 switches in a mesh setup for HA and two more which are not directly connected. I can set up the router using single-port guides, so that I am able to tag/untag packets and direct them to their VLANs. I have not found how to set up my router so that I have bridges for tagged and untagged VLAN traffic, connected to physical ports, between which I would be able to set up firewall rules for inter-VLAN communication. A rough sketch is in the attached picture.

I appreciate any help.
 
mkx
Forum Guru
Posts: 2778
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS VLAN tagging on multiple ports

Fri Sep 06, 2019 12:48 pm

If your CCR doesn't have a switch chip (I read that the oldest versions did have one while later versions don't have one), then you should follow the 'new' vlan-filtering=yes bridge setup, which allows you to have both tagged and untagged traffic running between bridge ports (such a bridge acts as a smart switch). There are numerous official sources, but many people find this tutorial worth reading.

Basically you'd create a bridge, make interfaces eth7 and eth8 its members and then use this bridge for any L2/L3 operations (similarly as you do now directly with the eth interface).

As the tutorial hints, when using VLANs, the untagged part can be considered as just another VLAN but a special one because it doesn't have tags and thus has to be configured slightly differently. In theory tagging and untagging frames consumes some time (CPU cycles) but IMHO this is negligible, while configuring it as another tagged VLAN on the bridge (all ports belonging to it have PVID set ... just choose an ID not used for any tagged VLAN) makes the configuration uniform. And, BTW, using VLAN ID=1 can cause some unexpected behaviour as it's the default PVID in the default configuration.
BR,
Metod
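
The bridge setup described in the reply above, written out as an added example (not part of the original post and not taken from the linked tutorial). Assumptions: the ports are named ether7/ether8 as in a default RouterOS install, the tagged VLANs are 10 and 20, untagged traffic uses PVID 99, and the bridge name, list name, addresses and the one permitted inter-VLAN flow are constructed for illustration.

```routeros
# Added example; bridge name, VLAN IDs, addresses and policy are assumptions.
# ether7/ether8 are the two switch-facing ports (eth7/eth8 in the thread).
/interface bridge
add name=br-trunk protocol-mode=rstp vlan-filtering=no
/interface bridge port
# PVID 99 treats untagged frames as "just another VLAN"; VLAN 1 is avoided.
add bridge=br-trunk interface=ether7 pvid=99
add bridge=br-trunk interface=ether8 pvid=99
/interface bridge vlan
# The bridge itself is a tagged member so the router's L3 side sees each VLAN.
add bridge=br-trunk vlan-ids=10 tagged=br-trunk,ether7,ether8
add bridge=br-trunk vlan-ids=20 tagged=br-trunk,ether7,ether8
add bridge=br-trunk vlan-ids=99 tagged=br-trunk untagged=ether7,ether8
/interface vlan
add name=vlan10 interface=br-trunk vlan-id=10
add name=vlan20 interface=br-trunk vlan-id=20
add name=vlan99 interface=br-trunk vlan-id=99
/interface list
add name=VLANS
/interface list member
add list=VLANS interface=vlan10
add list=VLANS interface=vlan20
add list=VLANS interface=vlan99
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.99.1/24 interface=vlan99
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Constructed policy: vlan10 may open connections to vlan20, nothing else.
add chain=forward in-interface=vlan10 out-interface=vlan20 action=accept
# Default deny between all VLAN interfaces; rule order matters.
add chain=forward in-interface-list=VLANS out-interface-list=VLANS action=drop
# Turn filtering on last, after the VLAN table is complete, to avoid lockout.
/interface bridge
set br-trunk vlan-filtering=yes
```

Because all inter-VLAN traffic is routed by the CCR, the forward chain is the single enforcement point; confirm management access does not depend on ether7/ether8 before the final `set`.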
 
UnderSlepT
just joined
Topic Author
Posts: 2
Joined: Fri Sep 06, 2019 11:52 am

Re: RouterOS VLAN tagging on multiple ports

Fri Sep 06, 2019 1:16 pm

Thank you for your swift reply, I will look into it and will test it.
 
mkx
Forum Guru
Posts: 2778
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS VLAN tagging on multiple ports

Fri Sep 06, 2019 1:32 pm

On second thought: you might actually want to configure eth7 and eth8 as a bond device, and use the bond device as the anchor for all the rest of the setup.
BR,
Metod
