macx979
just joined
Topic Author
Posts: 9
Joined: Tue Dec 04, 2018 10:28 pm

Access Management IP in dedicated vlan

Mon Jun 07, 2021 12:03 am

Hi there,

I have a CRS328-24P-4S+RM and every now and then I switch from SwOS to RouterOS to get used to RouterOS a little bit more. This time it is due to the fact that SwOS doesn't boot anymore - but that's a different story.

My setup is:
Firewall -> Port1 on CRS (Trunk)

I managed to set up all needed vlans on that switch by resetting RouterOS with "no default config" and "do not backup" and starting from scratch. I connect to CRS via Winbox on a Windows client on Port 24.

# create bridge
/interface bridge
add name=bridge1 vlan-filtering=no

# set up Trunk Ports
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether22 hw=yes

# set up Access Ports
add bridge=bridge1 interface=ether8 hw=yes pvid=100
add bridge=bridge1 interface=ether9 hw=yes pvid=100
add bridge=bridge1 interface=ether16 hw=yes pvid=10
add bridge=bridge1 interface=ether17 hw=yes pvid=2
add bridge=bridge1 interface=ether18 hw=yes pvid=2
add bridge=bridge1 interface=ether19 hw=yes pvid=10
add bridge=bridge1 interface=ether20 hw=yes pvid=2
add bridge=bridge1 interface=ether21 hw=yes pvid=20
add bridge=bridge1 interface=ether23 hw=yes pvid=100
add bridge=bridge1 interface=sfp-sfpplus2 hw=yes pvid=20
add bridge=bridge1 interface=sfp-sfpplus3 hw=yes pvid=100
add bridge=bridge1 interface=sfp-sfpplus4 hw=yes pvid=100

# Assign Ports to Vlans
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=1
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether17,ether18,ether20 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether16,ether19 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether6 untagged=ether21,sfp-sfpplus2 vlan-ids=20
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether8,ether9,ether23,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=100

# Activate Vlan Filtering
/interface bridge
set bridge1 vlan-filtering=yes

Now I'd like to assign an IP address to CRS which belongs to Vlan2:

/interface vlan
add interface=bridge1 vlan-id=2 name=MGMT
/ip address
add address=192.168.2.55/24 interface=MGMT

The way I'd like to access the Management IP of CRS is the following:
from client on Vlan100 via port sfp-sfpplus4 -> Trunk Port1 on CRS to Firewall -> Firewall back to CRS

Vlan routing for all vlans is done by the firewall and this is set up correctly since I can reach vlan2 clients on ether17, ether18 & ether20 this way.

What am I missing regarding the set up of the ip address?

thx & Best

EDIT:
here's my config:
# jan/02/1970 00:04:57 by RouterOS 6.44.6
# software id = PCUM-HC59
#
# model = CRS328-24P-4S+
# serial number = C7810C418392
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=MGMT vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether8 pvid=100
add bridge=bridge1 interface=ether9 pvid=100
add bridge=bridge1 interface=ether16 pvid=10
add bridge=bridge1 interface=ether17 pvid=2
add bridge=bridge1 interface=ether18 pvid=2
add bridge=bridge1 interface=ether19 pvid=10
add bridge=bridge1 interface=ether20 pvid=2
add bridge=bridge1 interface=ether21 pvid=20
add bridge=bridge1 interface=ether23 pvid=100
add bridge=bridge1 interface=sfp-sfpplus2 pvid=20
add bridge=bridge1 interface=sfp-sfpplus3 pvid=100
add bridge=bridge1 interface=sfp-sfpplus4 pvid=100
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=1
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=\
    ether17,ether18,ether20 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether16,ether19 \
    vlan-ids=10
add bridge=bridge1 tagged=ether1,ether6 untagged=ether21,sfp-sfpplus2 \
    vlan-ids=20
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=\
    ether8,ether9,ether23,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=100
/ip address
add address=192.168.2.55/24 interface=MGMT network=192.168.2.0
/system routerboard settings
set boot-os=router-os
 
sid5632
Long time Member
Posts: 553
Joined: Fri Feb 17, 2017 6:05 pm

Re: Access Management IP in dedicated vlan  [SOLVED]

Mon Jun 07, 2021 2:40 am

You need to add bridge1 to the tagged list for VLAN 2.
You don't need to set all those untagged ports either - they are implicitly (dynamically) defined as untagged by virtue of setting the PVID.
(ether22 is missing from your trunk ports tagged list for VLAN 20 - I don't know whether this is what you intended. VLAN 1 is not used anywhere and is not a good idea anyway.)
So:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether6,ether22 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6,ether22 vlan-ids=10,20,100
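
The check described in this answer, as an added example that is not part of the original post: a small Python audit that reads a RouterOS export and reports every VLAN interface on a VLAN-filtering bridge whose VLAN does not list the bridge itself as a tagged member. The function names are hypothetical, the sample is constructed from the export in the question, and the parser assumes plain `key=value` properties on `add` lines (no quoted values).

```python
import re

# Constructed sample, trimmed from the export posted in the question.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=MGMT vlan-id=2
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=\
    ether17,ether18,ether20 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6 untagged=ether21,sfp-sfpplus2 \
    vlan-ids=20
"""

def parse_export(text):
    """Return {menu: [{property: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join '\' continuation lines
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            props = dict(re.findall(r"([\w-]+)=(\S+)", line))
            menus.setdefault(menu, []).append(props)
    return menus

def expand_ids(spec):
    ids = set()  # accepts forms such as "2", "10,20,100" and "10-20"
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def unreachable_vlan_interfaces(text):
    """VLAN interfaces whose VLAN lacks the parent bridge as a tagged member."""
    cfg = parse_export(text)
    filtering = {b["name"] for b in cfg.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    findings = []
    for v in cfg.get("/interface vlan", []):
        bridge, vid = v.get("interface"), int(v["vlan-id"])
        cpu_tagged = any(
            r.get("bridge") == bridge and vid in expand_ids(r.get("vlan-ids", ""))
            and bridge in r.get("tagged", "").split(",")
            for r in cfg.get("/interface bridge vlan", []))
        if bridge in filtering and not cpu_tagged:
            findings.append((v.get("name"), bridge, vid))
    return findings
```

On the sample it returns `[("MGMT", "bridge1", 2)]`; after `bridge1` is added to the tagged list for VLAN 2 it returns an empty list.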
 
macx979
just joined
Topic Author
Posts: 9
Joined: Tue Dec 04, 2018 10:28 pm

Re: Access Management IP in dedicated vlan

Mon Jun 07, 2021 8:09 pm

Thanks a lot.
vlan1 was a mistake and has been removed and ether22 is not supposed to be part of vlan20. So that's intended.

Your advice to add bridge1 tagged on bridge1 helped me to keep going. That way CRS was available via any vlan2 access port.
After that I just needed to add the gateway for vlan2 to reach the firewall.

Best
