I read Bridge VLAN Table - RouterOS - MikroTik Documentation and was able to get my VLAN running with 10 intercom devices. Some of them come with VLAN support and the others are integrated doing Port Based VLAN tagging.
Have been reading endless sources about how VLAN is configured and so on but still don't get what happens when. UPDATED ON 12.Apr2021
- Ingress and Egress at Port, Bridge -> Ports -> Bridge Port -> VLAN PVID (priority tagged not specifically considered):
  - UNtagged traffic INCOMING:
    - frame-types=admit all & Ingress Filtering=off: VLAN tagging is added according to PVID, traffic goes in.
    - frame-types=admit only VLAN tagged all & Ingress Filtering=off: dropped, because no VLAN tag in traffic.
    - frame-types=admit only untagged and priority tagged & Ingress Filtering=off: the VLAN tag is added according to the PVID, traffic goes in.
    - frame-types=any & Ingress Filtering=ON: the above rules are applied, subsequently, it is checked whether the VLAN ID is stored as a rule in the egress, VLAN filter (see below), means whether this VLAN ID is available on this port. If so, traffic is leaving the bridge, otherwise traffic is dropped.
  - Tagged traffic INCOMING:
    - frame-types=admit all & Ingress Filtering=off: the VLAN tag is read but not changed, traffic goes in.
    - frame-types=admit only VLAN tagged all & Ingress Filtering=off: the VLAN tagging is read but not changed, traffic goes in.
    - frame-types=admit only untagged and priority tagged & Ingress Filtering=off: dropped, because VLAN tag is present.
    - frame-types=any & Ingress Filtering=ON: the above rules are applied, then it is checked whether the VLAN ID is stored as a rule in the egress, VLAN filter (see below), port is allowed. If so, traffic goes in, otherwise dropped (same as in 1.A.iv).
  - UNtagged traffic OUTGOING (e.g. originates from CPU Port/Bridge): the VLAN-Tag/ID is added according to the PVID, the traffic leaves the devices.
  - Tagged traffic OUTGOING:
    - VLAN ID and PVID are not identical: traffic remains unchanged, the traffic leaves the devices.
    - VLAN ID and PVID are identical: the VLAN ID is removed from the traffic, the traffic leaves the devices.
- egress at the bridge, Bridge -> VLAN -> Bridge VLAN:
  - Untagged traffic outgoing: traffic dropped. This does not exist because default VLAN1 is assigned if it has no VLAN tag, by the ingress rule above. This results in other implications when I read through Wiki etc., that then becomes too much here (?)
  - tagged traffic outgoing, VLAN ID is checked:
    - There is no filter rule for this VLAN ID: traffic dropped
    - Rule for VLAN ID exists:
      - Port, where traffic occurs, is listed as Tagged: VLAN ID is not changed
      - Port, where traffic occurs, is listed as untagged: VLAN ID is removed
      - Port, where traffic occurs, is not listed: traffic dropped
Any help around this mystery will be greatly appreciated.
Stefan
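
The ingress cases and the Bridge VLAN table egress cases listed in the post, written as a small Python model. This is an added example, not part of the original post and not RouterOS code; the function names, port dictionaries and sample VLAN table are constructed for illustration.

```python
# Simplified model of the rules listed in the post; not RouterOS code.
# All names and the sample table below are hypothetical/constructed.
ADMIT_ALL = "admit-all"
ONLY_TAGGED = "admit-only-vlan-tagged"
ONLY_UNTAGGED = "admit-only-untagged-and-priority-tagged"

def ingress(port, frame_vid, vlan_table):
    """Return the VLAN ID the frame carries inside the bridge, or None if dropped.

    port:       dict with name, pvid, frame_types, ingress_filtering
    frame_vid:  VLAN ID in the received frame, or None if it is untagged
    vlan_table: {vid: {"tagged": set_of_ports, "untagged": set_of_ports}}
    """
    tagged = frame_vid is not None
    if tagged and port["frame_types"] == ONLY_UNTAGGED:
        return None                      # tag present, port admits untagged only
    if not tagged and port["frame_types"] == ONLY_TAGGED:
        return None                      # no tag, port admits tagged only
    vid = frame_vid if tagged else port["pvid"]   # untagged frames get the PVID
    if port["ingress_filtering"]:
        entry = vlan_table.get(vid, {"tagged": set(), "untagged": set()})
        if port["name"] not in entry["tagged"] | entry["untagged"]:
            return None                  # port is not a member of this VLAN
    return vid

def egress(port_name, vid, vlan_table):
    """Return 'tagged', 'untagged' or None (dropped) for a frame leaving port_name."""
    entry = vlan_table.get(vid)
    if entry is None:
        return None                      # no Bridge VLAN entry for this VLAN ID
    if port_name in entry["tagged"]:
        return "tagged"                  # VLAN ID is left in the frame
    if port_name in entry["untagged"]:
        return "untagged"                # VLAN ID is removed
    return None                          # port not listed for this VLAN ID

# Constructed sample: ether1 is a trunk, ether2 an access port for VLAN 10.
VLAN_TABLE = {10: {"tagged": {"ether1"}, "untagged": {"ether2"}},
              20: {"tagged": {"ether1"}, "untagged": set()}}
ACCESS = {"name": "ether2", "pvid": 10, "frame_types": ONLY_UNTAGGED, "ingress_filtering": True}
TRUNK = {"name": "ether1", "pvid": 1, "frame_types": ONLY_TAGGED, "ingress_filtering": True}
OPEN = {"name": "ether2", "pvid": 10, "frame_types": ADMIT_ALL, "ingress_filtering": False}

if __name__ == "__main__":
    for port, vid in [(ACCESS, None), (ACCESS, 20), (TRUNK, 20), (TRUNK, 30), (OPEN, 20)]:
        print(port["name"], port["frame_types"], vid, "->", ingress(port, vid, VLAN_TABLE))
```

The `OPEN` case shows why the ingress filtering setting matters for segmentation: with it off, a frame tagged for VLAN 20 is accepted on a port that is only a member of VLAN 10.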