Community discussions

MikroTik App
 
locki
just joined
Topic Author
Posts: 11
Joined: Sun Dec 16, 2012 6:23 pm

CRS326-24G-2S+IN like a switch with vlan mgmt

Sun Oct 03, 2021 9:48 pm

Hello all,
i have issue like a beginer :)

How i want it:
SFP+ and ports 23, 24 are trunks uplinks with all vlans
ports 1-22 are access, vlan 6 and vlan 21
vlan 1 is for device managment, it works properly until I enable Vlan filtering on bridge interface:
Image
After that i am disconected and cant access device anymore if i dont use safe mode ... which recover my wrong config.

I configured it following wiki: https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29 What I am doing wrong? I am connectung to switch via trunk to vlan 1 mgmt ip.

It is good to use it this way, are there any limitation? Can i mix 100Mbit and 1000Mbit ports for users no any slowdown for them?

My configuration:
# oct/03/2021 02:46:38 by RouterOS 6.48.4
# software id = 0QYR-DVY8
#
# model = CRS326-24G-2S+
# serial number = CDA80CA77283
/interface ethernet
set [ find default-name=ether23 ] comment=TRUNK to next switch
set [ find default-name=ether24 ] comment=TRUNK to next switch
set [ find default-name=sfp-sfpplus1 ] comment=TRUNK
set [ find default-name=sfp-sfpplus2 ] comment=TRUNK
/interface bridge
add name=bridge1 protocol-mode=none
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether1 pvid=6
add bridge=bridge1 interface=ether2 pvid=6
add bridge=bridge1 interface=ether3 pvid=6
add bridge=bridge1 interface=ether4 pvid=6
add bridge=bridge1 interface=ether5 pvid=6
add bridge=bridge1 interface=ether6 pvid=6
add bridge=bridge1 interface=ether7 pvid=6
add bridge=bridge1 interface=ether8 pvid=6
add bridge=bridge1 interface=ether9 pvid=6
add bridge=bridge1 interface=ether10 pvid=6
add bridge=bridge1 interface=ether11 pvid=6
add bridge=bridge1 interface=ether12 pvid=6
add bridge=bridge1 interface=ether13 pvid=6
add bridge=bridge1 interface=ether14 pvid=6
add bridge=bridge1 interface=ether15 pvid=6
add bridge=bridge1 interface=ether16 pvid=6
add bridge=bridge1 interface=ether17 pvid=6
add bridge=bridge1 interface=ether18 pvid=6
add bridge=bridge1 interface=ether19 pvid=6
add bridge=bridge1 interface=ether20 pvid=6
add bridge=bridge1 interface=ether21 pvid=21
add bridge=bridge1 interface=ether22 pvid=21
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged="ether1,ether2,et\
    her3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,eth\
    er13,ether14,ether15,ether16,ether17,ether18,ether19,ether20" vlan-ids=6
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=\
    7
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 untagged=\
    ether21,ether22 vlan-ids=21
add bridge=bridge1 tagged=ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=\
    1
/ip address
add address=10.10.126.246/28 interface=vlan1 network=10.154.126.240
/ip dns
set servers=10.10.115.1
/ip route
add distance=1 gateway=10.10.126.241
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=mt-crs326-Home
/system routerboard settings
set boot-os=router-os
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Sun Oct 03, 2021 11:18 pm

The bridge-to-cpu port has a default PVID of 1, so attaching a VLAN interface to the bridge with the same ID makes no sense. Remove the /interface vlan entirely, attach the /ip address to the interface bridge not vlan1.

Similarly your trunk ports have a default PVID of 1, so specifying them as tagged under /interface bridge vlan is also incorrect. It is not necessary to explicitly specify untagged membership, this will be generated automatically from the PVID settings.

The changes would be:
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1

/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20 vlan-ids=6
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=7
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 untagged=ether21,ether22 vlan-ids=21
add bridge=bridge1 tagged=ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
/ip address
add address=10.10.126.246/28 interface=vlan1bridge1 network=10.154.126.240
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Mon Oct 04, 2021 12:15 am

Good plan from TDW, however what is missing from the config is the definition of all the VLANS.
PLUS the only thing that should get an address is the switch itself, and it should have an address from the Managment Vlan.
Where I disagree is I prefer to manually insert the untagged ports to ensure my bridge port setting match up with my expectations and its easier to troubleshoot a config as the autogenerated code will not be shown if the rule is not active.

My take on it is that your config is not all wrong, in terms of interface bridge vlan settings excep for the quotation marks on the untagged entries, remove the quotes at the beginning and end.
untagged="ether1
,ether20" vlan-ids=6

# model = CRS326-24G-2S+
# serial number = CDA80CA77283
/interface ethernet
set [ find default-name=ether23 ] comment=TRUNK to next switch
set [ find default-name=ether24 ] comment=TRUNK to next switch
set [ find default-name=sfp-sfpplus1 ] comment=TRUNK
set [ find default-name=sfp-sfpplus2 ] comment=TRUNK
/interface bridge
add name=bridge1 vlans filtering=yes (add the yes bit as the last step in configuration)
/interface vlan
ALL VLANS have to be identified on the device, except the default pvid of 1 on the bridge itself.
add interface=bridge1 name=VLAN6 vlan-ids=6
add interface=bridge1 name=VLAN7 vlan-ids=7
add interface=bridge1 name=VLAN21 vlan-ids=21


/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 ingress filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=sfp-sfpplus2 ingress filtering=yes frame-types=only-vlan-tagged
add bridge=bridge1 interface=ether24 ingress filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether23 ingress filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether1 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether9 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether10 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether11 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether12 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether13 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether14 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether15 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether16 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether17 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether18 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether19 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether20 pvid=6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether21 pvid=21 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether22 pvid=21 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,et\
her3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,eth\
er13,ether14,ether15,ether16,ether17,ether18,ether19,ether20"vlan-ids=6
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=7
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 untagged=\
ether21,ether22 vlan-ids=21
/ip address
add address=?????????? interface=management vlan network=??????????
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Mon Oct 04, 2021 12:27 am

@anav there is no need to define VLANs under /interface vlan on a switch. They are only required if those particular VLANs are going to access resources on the Mikrotik itself, unlikely on a switch which only requires management access.

The OP is using VLAN ID 1 for management, it can be used untagged using the default PVID of 1.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Mon Oct 04, 2021 4:41 am

Using vlan 1 for a management vlan is confusing and inconsistent with advice.....
Its not required and if used, then any other switch especially if not MT will be a biatch to work with.

Yes, every device has to define the vlans that are running through, so the device knows they exist.
I didnt say create an IP address, dhcp server, ip pool etc for each vlan, just to indentify.
 
locki
just joined
Topic Author
Posts: 11
Joined: Sun Dec 16, 2012 6:23 pm

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Mon Oct 04, 2021 12:38 pm

Image

This is current config, I cant change vlan1 for mgmt because I have more devices management on that vlan, all L3 are termianted on that mikrotik router with dhcp etc etc i just need to that CRS326 working like totaly stupid switch with some trunk ports, access ports for hosts and mgmt on vlan1 that is all :)

What is correct? I will try it again.....
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CRS326-24G-2S+IN like a switch with vlan mgmt  [SOLVED]

Mon Oct 04, 2021 1:58 pm

Whilst using VLAN 1 for management is not wrong you have to take greater care, it is often the default and untagged - in fact some vendors prohibit tagging VLAN 1.

My earlier suggestion was to have VLAN 1 untagged and all other VLANs tagged on the trunks. If you wish to keep it tagged there are a couple methods, my preferred one would be:
/interface bridge
add name=bridge1 protocol-mode=none pvid=1 # this is the default PVID
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=sfp-sfpplus2 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=ether24 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=ether23 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=ether1 pvid=6
add bridge=bridge1 interface=ether2 pvid=6
add bridge=bridge1 interface=ether3 pvid=6
add bridge=bridge1 interface=ether4 pvid=6
add bridge=bridge1 interface=ether5 pvid=6
add bridge=bridge1 interface=ether6 pvid=6
add bridge=bridge1 interface=ether7 pvid=6
add bridge=bridge1 interface=ether8 pvid=6
add bridge=bridge1 interface=ether9 pvid=6
add bridge=bridge1 interface=ether10 pvid=6
add bridge=bridge1 interface=ether11 pvid=6
add bridge=bridge1 interface=ether12 pvid=6
add bridge=bridge1 interface=ether13 pvid=6
add bridge=bridge1 interface=ether14 pvid=6
add bridge=bridge1 interface=ether15 pvid=6
add bridge=bridge1 interface=ether16 pvid=6
add bridge=bridge1 interface=ether17 pvid=6
add bridge=bridge1 interface=ether18 pvid=6
add bridge=bridge1 interface=ether19 pvid=6
add bridge=bridge1 interface=ether20 pvid=6
add bridge=bridge1 interface=ether21 pvid=21
add bridge=bridge1 interface=ether22 pvid=21
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20 vlan-ids=6 # untagged membership is generated from PVID settings
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=7
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 untagged=ether21,ether22 vlan-ids=21 # untagged membership is generated from PVID settings
add bridge=bridge1 tagged=ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
/ip address
add address=10.10.126.246/28 interface=vlan1bridge1 network=10.154.126.240


If you wish to keep the /interface vlan it would be:
/interface bridge
add name=bridge1 protocol-mode=none ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=sfp-sfpplus2 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=ether24 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=ether23 ingress filtering=yes frame-types=admit-only-vlan-tagged # this removes the PVID
add bridge=bridge1 interface=ether1 pvid=6
add bridge=bridge1 interface=ether2 pvid=6
add bridge=bridge1 interface=ether3 pvid=6
add bridge=bridge1 interface=ether4 pvid=6
add bridge=bridge1 interface=ether5 pvid=6
add bridge=bridge1 interface=ether6 pvid=6
add bridge=bridge1 interface=ether7 pvid=6
add bridge=bridge1 interface=ether8 pvid=6
add bridge=bridge1 interface=ether9 pvid=6
add bridge=bridge1 interface=ether10 pvid=6
add bridge=bridge1 interface=ether11 pvid=6
add bridge=bridge1 interface=ether12 pvid=6
add bridge=bridge1 interface=ether13 pvid=6
add bridge=bridge1 interface=ether14 pvid=6
add bridge=bridge1 interface=ether15 pvid=6
add bridge=bridge1 interface=ether16 pvid=6
add bridge=bridge1 interface=ether17 pvid=6
add bridge=bridge1 interface=ether18 pvid=6
add bridge=bridge1 interface=ether19 pvid=6
add bridge=bridge1 interface=ether20 pvid=6
add bridge=bridge1 interface=ether21 pvid=21
add bridge=bridge1 interface=ether22 pvid=21
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20 vlan-ids=6 # untagged membership is generated from PVID settings
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=7
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 untagged=ether21,ether22 vlan-ids=21 # untagged membership is generated from PVID settings
add bridge=bridge1 tagged=bridge1,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
/ip address
add address=10.10.126.246/28 interface=vlan1 network=10.154.126.240
 
locki
just joined
Topic Author
Posts: 11
Joined: Sun Dec 16, 2012 6:23 pm

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Sun Oct 17, 2021 12:18 am

Thank you for your tip! I am sorry for my late reply but i was busy, there is small issue :)

config:

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes ### this was missing in my config!!!####
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus2
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether24
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether23
add bridge=bridge1 interface=ether1 pvid=6
add bridge=bridge1 interface=ether2 pvid=6
add bridge=bridge1 interface=ether3 pvid=6
add bridge=bridge1 interface=ether4 pvid=6
add bridge=bridge1 interface=ether5 pvid=6
add bridge=bridge1 interface=ether6 pvid=6
add bridge=bridge1 interface=ether7 pvid=6
add bridge=bridge1 interface=ether8 pvid=6
add bridge=bridge1 interface=ether9 pvid=6
add bridge=bridge1 interface=ether10 pvid=6
add bridge=bridge1 interface=ether11 pvid=6
add bridge=bridge1 interface=ether12 pvid=6
add bridge=bridge1 interface=ether13 pvid=6
add bridge=bridge1 interface=ether14 pvid=6
add bridge=bridge1 interface=ether15 pvid=6
add bridge=bridge1 interface=ether16 pvid=6
add bridge=bridge1 interface=ether17 pvid=6
add bridge=bridge1 interface=ether18 pvid=6
add bridge=bridge1 interface=ether19 pvid=6
add bridge=bridge1 interface=ether20 pvid=6
add bridge=bridge1 interface=ether21 pvid=21
add bridge=bridge1 interface=ether22 pvid=21
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=21
add bridge=bridge1 tagged=bridge1,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=6
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus2,ether23,ether24 vlan-ids=7
/ip address
add address=10.10.126.246/28 interface=vlan1 network=10.154.126.240
/ip dns
set servers=10.10.115.1
/ip route
add distance=1 gateway=10.10.126.241



I can acces now to switch mgmt vlan 1 via SFP port, but when i connect host to port for examplet 14 i cant reach to vlan6 interface on router side, something is wrong :(
//edit: traffic from that port goes via trunk untagged and that is wrong .... how to tag it?
//edit2: solved

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 protocol-mode=none vlan-filtering=yes :shock: Thank you very much!!!
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: CRS326-24G-2S+IN like a switch with vlan mgmt

Sun Oct 17, 2021 3:04 am

Almost right I didnt state in red I stated it in blue ;-PP
vlan filtering=yes (add the yes bit as the last step in configuration)

Who is online

Users browsing this forum: Bing [Bot], kevinds, lurker888 and 56 guests