pazuwu
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:33 am

Trying to setup VLANs with hAP ac3 and CSS 610-8G-2S+IN

Wed Apr 07, 2021 2:56 pm

Hi,

I want to configure VLANs on my ac3; one of these vlans is a "management" vlan (vlan 5) and I want to make the switch's web interface available on this vlan only.

Cables are connected like this:
[  hAP ac3    (ether1)  (ether2)  (ether3) (ether4)  (ether5)----]-----(poe)--------[--(port 1) (port2)....   CSS 610 ]
So, the switch is connected (and powered) on port 1 to ac3's ether5.

Hopefully relevant router configuration:
# apr/06/2021 23:23:48 by RouterOS 6.48.1
# software id = TANH-DJAS
#
# model = RBD53iG-5HacD2HnD
# serial number = Dxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge1
/interface vlan
add interface=bridge1 name=vlan-dmz vlan-id=30
add interface=bridge1 name=vlan-lan vlan-id=10
add interface=bridge1 name=vlan-mgmt vlan-id=5
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-mode=secure
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=ether4,ether5,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
/ip address
add address=172.19.1.1/24 interface=vlan-lan network=172.19.1.0
add address=172.19.2.1/25 interface=vlan-wifi-ap network=172.19.2.0
add address=172.19.3.1/24 interface=vlan-dmz network=172.19.3.0
add address=172.19.0.1/24 interface=vlan-mgmt network=172.19.0.0
The only VLAN involved in what I'm trying to achieve is VLAN 5. I've configured the switch to allow access on all ports from VLAN 5.

(Three screenshots of the switch's VLAN configuration, not reproduced.)

With this setup, I can ping the switch from ac3, but note that the VLAN Receive setting on the "uplink" port of the switch (port1) is to accept "any", both tagged and untagged. As soon as I change this to "only tagged", the ping from ac3 starts to time out.

So the router sends the ping via the vlan-mgmt interface (172.19.0.1/24) and it reaches the switch untagged. This is where I'm getting confused: I expected traffic going out from ether5 to the switch to be tagged. It's obvious that I'm lacking some understanding here, can someone shed some light? How can I make traffic for the switch's IP address be sent out tagged as VLAN 5?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to setup VLANs with hAP ac3 and CSS 610-8G-2S+IN  [SOLVED]

Wed Apr 07, 2021 3:45 pm

/interface ethernet switch port
set 4 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure

Port with index 4 usually relates to ether5 ... and the setting I highlighted means it'll untag frames from VLAN 5 on egress [*]. Which obviously is not what you want. So unset the default-vlan-id (or set it to some dummy value, such as 0 or 1, one of them happens to be default) ... after you change the VLAN receive option on the CSS.

[*] I know that the option says differently. I guess your hAP ac3 features an AR8327 switch chip (block diagram says QCA8327, not sure if it's any different from AR8327) which ignores vlan-header setting and untags frames with VID equal PVID on egress instead.
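As an added illustration (not part of mkx's post or the poster's own export), here are the hAP ac3 switch-port settings first as posted and then as mkx suggests changing them. It assumes the usual index-to-port mapping (index 4 = ether5) and refers to ports by name instead of index; the VLAN table is condensed from the original post, and 172.19.0.2 is an assumed address for the CSS610.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.48 on a hAP ac3
# (QCA8327 switch chip) with ether5 as the tagged uplink to the CSS610.

# --- As posted: ether5 (switch port index 4) carries default-vlan-id=5 ---
# With vlan-mode=secure this chip ignores vlan-header; any frame whose VID
# equals the port's default-vlan-id has its tag stripped on egress. So the
# management VLAN (5) leaves ether5 untagged, and the CSS610 only sees it
# while its port 1 is set to VLAN Receive = any.
/interface ethernet switch port
set [ find name=ether5 ] default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure

# --- Corrected: no PVID on the trunk, so every VLAN in the table (5, 10, 30)
# is forwarded tagged out of ether5. mkx suggests unsetting it or using a
# dummy value; 0 is used here. ---
/interface ethernet switch port
set [ find name=ether5 ] default-vlan-id=0 vlan-header=leave-as-is vlan-mode=secure
# Access ports keep their PVID, so their own VLAN is untagged on egress
# (ether4 stays a hybrid port: VLAN 5 untagged, 10 and 30 tagged).
set [ find name=ether4 ] default-vlan-id=5 vlan-mode=secure
set [ find name=ether2 ] default-vlan-id=10 vlan-mode=secure
set [ find name=ether3 ] default-vlan-id=10 vlan-mode=secure
set [ find name=switch1-cpu ] vlan-mode=secure

# VLAN table (condensed from the original post): ether5 is a member of each
# VLAN, and with no matching PVID it sends all of them tagged.
/interface ethernet switch vlan
add independent-learning=yes ports=ether4,ether5,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether4,ether5,switch1-cpu switch=switch1 vlan-id=30

# Check from the router with CSS610 port 1 set to VLAN Receive = only tagged:
# a reply now means the ping left ether5 tagged as VLAN 5.
/ping 172.19.0.2 src-address=172.19.0.1 count=3
```

On the CSS610 side the corresponding change is the one the poster later reports: port 1 with VLAN Receive = only tagged and Default VLAN ID = 1, so the management VLAN is never the untagged (native) VLAN of the trunk. That is also the safer arrangement for a management network: with the original settings any device that accepted untagged frames on that link would have landed in VLAN 5.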
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to setup VLANs with hAP ac3 and CSS 610-8G-2S+IN

Wed Apr 07, 2021 3:55 pm

Good reference on switches....... well apparently,
https://www.youtube.com/watch?v=v9GBZMmMBYA&t=209s
 
pazuwu
just joined
Topic Author
Posts: 17
Joined: Sat Feb 29, 2020 12:33 am

Re: Trying to setup VLANs with hAP ac3 and CSS 610-8G-2S+IN

Wed Apr 07, 2021 5:47 pm

mkx wrote:
/interface ethernet switch port
set 4 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure

Port with index 4 usually relates to ether5 ... and the setting I highlighted means it'll untag frames from VLAN 5 on egress [*]. Which obviously is not what you want. So unset the default-vlan-id (or set it to some dummy value, such as 0 or 1, one of them happens to be default) ... after you change the VLAN receive option on the CSS.

[*] I know that the option says differently. I guess your hAP ac3 features an AR8327 switch chip (block diagram says QCA8327, not sure if it's any different from AR8327) which ignores vlan-header setting and untags frames with VID equal PVID on egress instead.

I guess you're right, I'll give it a try later in the evening. I missed this part, written in small letters:

Note: For devices with QCA8337 and Atheros8327 switch chips the default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignores the switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and work as vlan-header=leave-as-is on all ports. It means what comes in tagged goes out tagged as well; only default-vlan-id frames are untagged at the egress of a port.
Later edit:

So, it worked to remove the default-vlan-id in the router; however, I still had trouble, as the switch wasn't answering pings with VLAN Receive = any and worked only with VLAN Receive = only tagged. This was because of the Default VLAN ID = 5 which I had set on that port; once I changed this to 1, it worked in both VLAN receive modes.

I must say that I find these vlan settings very counterintuitive and I wish Mikrotik just added 10 extra checkboxes to configure the exact desired behaviour, instead of having "magic" combinations of defaults, headers, modes, receives and such :(
