guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

VLAN Design on CRS-125-24G

Thu Feb 27, 2014 6:54 pm

Hello,

First, my English is bad, so forgive me for this!

I have a CRS-125-24G and I am a beginner in VLANs (I read a lot about the subject but I have not used them before .... so be gentle with me if you can ... :? ). I have some knowledge about RouterBoard operation (for several years, with let's say around 20 routers, mostly RB4xx, RB7xx, RB20xx).

I have some other switches (with or without VLAN capabilities, let's say Sw1, Sw2, ... Swn) and I want to make a "classic star design" with these and the CRS-125-24G (as a central switch). I want to put on the CRS-125-24G only the other switches from the LAN (mentioned above) and some servers (10 pcs., like SRV1, SRV2, ... SRVn). I would also make some VLANs on the CRS-125-24G like this (are there other, better solutions?):
- one VLAN (VID=100) with every server, SRV1-SRVn;
- one VLAN (VID=101) with every server and the first switch (Sw1)
...
- one VLAN (VID=110) with every server and the last switch (Sw10, so n=10)

The main objectives are:
1. any client connected to a switch (Sw1, Sw2, ... Swn) will be able to make a link with any server (SRV1-SRVn);
2. any client connected to a switch (for example Sw4) will not be able to make a link with any other client connected to any other switch (different from Sw4, for the same example);
3. I want to have some ports (3 or 4) on the CRS-125-24G which can make a link with any switch (Sw1, Sw2, ... Swn) and with any server (SRV1-SRVn), and which can access the CRS-125-24G admin interface with winbox/ssh/etc. for management;

Notes:
a. All clients (PCs/printers mostly) and servers are in the same IP network space (172.16.23.x/24);
b. I also use a DHCP server for all clients (on a server, not on the CRS);


Is it possible to achieve these objectives with the CRS-125-24G? How can I obtain these functions? If I can, I would think of using a second CRS-125-24G (I already have 2 pieces) to split the load (with a kind of VLAN trunking, I do not know yet ....)

And this is for MikroTik company staff ONLY, IF they read this:
- it is not legal in my country (an EU country) to sell this kind of product without at least a 2 year warranty (but MikroTik sells this with 1 year);
- it is also embarrassing not to have any documentation (a CD included, like for the cheap models RB4xx, RB7xx) and more embarrassing not to have any model-specific web documentation about the CRS-125-24G, about VLANs for example. The only link I found was this: http://wiki.mikrotik.com/wiki/Manual:CRS_examples (thanks to the Forum), and I was not able to find any other useful links (I spent almost a whole day with Google ....) about the significance of the various parameters/settings from the switch menu. So MikroTik, what can I do in the future .... wait for somebody (from MikroTik) to write useful documentation about this model, or look at other competitors' models with useful documentation? So, because of the lack of documentation and the short warranty period I was forced to buy 6 (six pieces) from another vendor (5 years warranty) for the same amount of money as a CRS-125-24G/piece (I would have wanted to have 8 x CRS-125-24G, ....). And by the way I pay a lot of money (I work hard for this, if you do not know ...) for these switches (2 x CRS-125-24G) and I deserve useful documentation, because I pay for it .... In my country we say this: "... our client is our master" to anybody who wants to hear! So I think it would be wise to solve these problems, so that I become a happy customer like I was in the past.

Have a nice day to all of you!



Thanks a lot for any useful responses, and forgive my anger .... :(

Iulian
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Fri Feb 28, 2014 7:26 pm

> - it is not legal in my country (an EU country) to sell this kind of product without at least a 2 year warranty (but MikroTik sells this with 1 year);
Well, since I went to law school (in another EU country) for quite a few years, and have worked quite a few years with international logistics of consumer products, I would like to comment on this item by saying:

You are wrong.

Warranties are pretty much completely optional within the EU. You are most likely confusing "warranty" with "claim".

A manufacturer does not have to issue a warranty at all if he so pleases. But the customer does have a right to claim original defects for no less than 24 months, and in some countries it is even longer. But after six months the burden of proof transfers from the seller to the buyer, meaning that from month 7 the buyer must prove that the defect was present at the time of manufacture of the product.

Also, please note that the product is manufactured in a member state, by a company registered in a member state. I honestly do think that they have a legal department on their payroll :)

Do I, however, agree that the documentation for the CRS series is lacking? Yep, certainly.
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Fri Feb 28, 2014 7:34 pm

But more on topic, I really see nothing in your post which indicates why you must use VLAN. Why not just stick everything in different subnets and just use routing/firewalling?

What is your motivation to specifically use VLAN?


If you DO wish to use VLAN, you will need to be more specific about the physical and logical structure of your network.
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Fri Feb 28, 2014 10:30 pm

JanJoh,

I cannot change my IP infrastructure. But I can use VLANs. If it is not
possible with this MikroTik switch, OK, I will buy another switch from
another brand. I do not have another option to solve this!
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 11:25 am

> JanJoh,
>
> I cannot change my IP infrastructure. But I can use VLANs. If it is not
> possible with this MikroTik switch, OK, I will buy another switch from
> another brand. I do not have another option to solve this!

Well, your original post is (quite frankly) extremely hard to understand. I at least simply cannot understand what you actually want to achieve here. Maybe you should consider drawing a diagram?

Can the CRS do what you wish? Yes, almost certainly, despite the less-than-stellar documentation for the switching chip.
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 4:00 pm

Ok, I try again:

SW1,2,3 = switch
SRV1,2 = server
PC1,2 = management PC

CRS-125 ports: V1,V2,W1,W2,W3,C1,C2

All devices use untagged traffic (access ports) on the CRS; these devices do not have any VLAN capabilities!!

ACCESS rules:
SRV1, SRV2: can access each other, and can be accessed from SW1, SW2, SW3, PC1 and PC2

SW1, SW2, SW3: each cannot be accessed from the others (so no communication between any of these switches), and can be accessed from SRV1, SRV2, PC1, PC2, CRS switch

PC1, PC2: can access ANY device connected on any port on the CRS (CRS switch, SRV1, SRV2, PC1, PC2, SW1, SW2, SW3)


Thanks again!
Last edited by guletz on Mon Mar 03, 2014 4:26 pm, edited 1 time in total.
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 4:05 pm

> Ok, I try again:
>
> SW1,2,3 = switch
> SRV1,2 = server
> PC1,2 = management PC
>
> CRS-125 ports: V1,V2,W1,W2,W3,C1,C2
>
> All devices use untagged traffic (access ports) on the CRS; these devices do not have any VLAN capabilities!!
>
> ACCESS rules:
> SRV1, SRV2: can access each other, and can be accessed from SW1, SW2, SW3, PC1 and PC2
>
> SW1, SW2, SW3: each cannot be accessed from the others (so no communication between any of these switches), and can be accessed from SRV1, SRV2, PC1, PC2, CRS switch
>
> PC1, PC2: can access ANY device connected on any port on the CRS (CRS switch, SRV1, SRV2, PC1, PC2, SW1, SW2, SW3)
>
>
> Thanks again!

So, what is the subnet configuration for all segments then? You said you could not alter the layout, so you must have access to this information.
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 4:30 pm

> So, what is the subnet configuration for all segments then? You said you could not alter the layout, so you must have access to this information.

Like I wrote:

All devices are in the same IP network space (172.16.23.x/24);
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 4:40 pm

> So, what is the subnet configuration for all segments then? You said you could not alter the layout, so you must have access to this information.
>
> Like I wrote:
>
> All devices are in the same IP network space (172.16.23.x/24);

Okaaaayyyy......

In that case, you will need a number of bridges, and (and this is the important bit) all traffic will have to be shuffled to the RouterBoard in the CRS. You will therefore be limited to 1Gbps of _total_ traffic (probably less, given the large amount of filtering that will be required).

But I do not see any reason to use VLAN. Just a bunch of bridges.


But basically... Set up your ports as stand alone (no master port), add them all to a bridge, enable ip-firewall for the bridge, and then set up your rules in the forward chain.

It should do it.
Last edited by JanJoh on Mon Mar 03, 2014 4:51 pm, edited 1 time in total.
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 4:50 pm

So, it can be done, but I lose a lot on the switch bandwidth/performance/load?
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 4:57 pm

> So, it can be done, but I lose a lot on the switch bandwidth/performance/load?

Yes.
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 5:12 pm


> Okaaaayyyy......
>
> In that case, you will need a number of bridges, and (and this is the important bit) all traffic will have to be shuffled to the RouterBoard in the CRS. You will therefore be limited to 1Gbps of _total_ traffic (probably less, given the large amount of filtering that will be required).
>
> But I do not see any reason to use VLAN. Just a bunch of bridges.
>
> But basically... Set up your ports as stand alone (no master port), add them all to a bridge, enable ip-firewall for the bridge, and then set up your rules in the forward chain.
>
> It should do it.

I want to use VLANs, not firewall rules. I cannot change the firewall every day because a client has gone from SW1 and is now on SW2, or maybe I misunderstood you?
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 5:17 pm

> I want to use VLANs, not firewall rules. I cannot change the firewall every day because a client has gone from SW1 and is now on SW2, or maybe I misunderstood you?

That does not matter. VLANs are not magical. As long as you want "something to see something on another interface, but NOT something on another interface", that is a firewall. You will need to maintain your firewall with or without VLAN.

It does not matter if it says "Mikrotik", "Cisco", "Juniper" or anything else on the box. What you want is conditional traffic. That means you need a packet filter with rules ("a firewall").
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 5:44 pm

> That does not matter. VLANs are not magical. As long as you want "something to see something on another interface, but NOT something on another interface", that is a firewall. You will need to maintain your firewall with or without VLAN.
>
> It does not matter if it says "Mikrotik", "Cisco", "Juniper" or anything else on the box. What you want is conditional traffic. That means you need a packet filter with rules ("a firewall").

No, it is not the same thing. VLAN is on layer 2 (Ethernet frame). A firewall is on layer 3 .... By the way, I have a friend who has a switch (layer 2) without any firewall, and he has this setup with VLANs. So technically (from the point of view of VLANs only) it is possible; my question is whether it is also possible with this switch?
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Mon Mar 03, 2014 7:00 pm

> That does not matter. VLANs are not magical. As long as you want "something to see something on another interface, but NOT something on another interface", that is a firewall. You will need to maintain your firewall with or without VLAN.
>
> It does not matter if it says "Mikrotik", "Cisco", "Juniper" or anything else on the box. What you want is conditional traffic. That means you need a packet filter with rules ("a firewall").
>
> No, it is not the same thing. VLAN is on layer 2 (Ethernet frame). A firewall is on layer 3 .... By the way, I have a friend who has a switch (layer 2) without any firewall, and he has this setup with VLANs. So technically (from the point of view of VLANs only) it is possible; my question is whether it is also possible with this switch?

With all respect, I have been working with enterprise networks since the nineties. I know the ISO model quite well, and trust me when I say this: it is the same thing.

On an L3 packet filter you usually use IP addresses as your criteria.
On an L2 packet filter you use MAC, or ingress/egress interface, or VLAN ID.

But regardless of whether you filter on L3 or L2 you WILL need rules to do what you suggest. These rules will require you (for the time being) to pull all traffic over the 1Gbps line to the RouterBoard in the CRS.

And finally, no, your friend has NOT been able to do what you want to do with just VLANs. Either he has used a packet filter, or else all traffic on a VLAN WILL be accessible by all hosts on the VLAN.

But, feel free to post his network spec and config and we can analyze that.

Edit: I suppose you MIGHT be able to do it by specifying "In interface" and "Out interface" in your forward chain, and set up your accept/reject combinations there, but it would still mean you pull everything via the CPU, and it is still a packet filter.
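The port policy guletz listed (servers reachable by everything, the three downstream switches isolated from each other, management PCs reaching everything) and JanJoh's recipe (standalone ports, one bridge, "in interface"/"out interface" matches in a forward chain) written out as an added Python example. This is not code from the thread or from MikroTik. It models the policy as a per-ingress-port egress set, checks that the policy is symmetric (a bridge filter has no connection tracking, so a one-way allow would drop the replies), generates one drop rule per forbidden port pair, and re-evaluates the generated rule list against the policy. The etherN numbers, the bridge name and the RouterOS command syntax produced by render_config are assumptions to be checked against the running version; it uses the bridge (layer 2) filter's forward chain, which matches on bridge ports rather than IP addresses, instead of the IP firewall, but in either case the frames go through the RouterBoard CPU as JanJoh describes.

```python
from itertools import permutations

# Constructed port map following the labels in the thread's diagram
# (V = servers, W = downstream switches, C = management PCs). The etherN
# names are assumptions for illustration; the CRS numbers its ports ether1..ether24.
PORTS = {
    "V1": ("ether2", "server"),
    "V2": ("ether3", "server"),
    "W1": ("ether4", "switch"),
    "W2": ("ether5", "switch"),
    "W3": ("ether6", "switch"),
    "C1": ("ether7", "mgmt"),
    "C2": ("ether8", "mgmt"),
}
BRIDGE = "bridge1"  # assumed bridge name


def allowed(src, dst):
    """Policy from the thread: every port pair may talk except switch-to-switch."""
    if src == dst:
        return False  # a bridge never hairpins a frame back out the ingress port
    s_role, d_role = PORTS[src][1], PORTS[dst][1]
    return not (s_role == "switch" and d_role == "switch")


def denied_pairs(policy=allowed):
    """Ordered (ingress, egress) pairs the filter must drop."""
    return sorted((s, d) for s, d in permutations(PORTS, 2) if not policy(s, d))


def asymmetric_pairs(policy=allowed):
    """Pairs allowed one way but not the other. A bridge filter has no
    connection tracking, so reply frames for such a pair would be dropped."""
    return sorted((s, d) for s, d in permutations(PORTS, 2)
                  if policy(s, d) and not policy(d, s))


def build_rules(policy=allowed):
    """(in_port, out_port, action) tuples; first match wins, default accept."""
    return [(PORTS[s][0], PORTS[d][0], "drop") for s, d in denied_pairs(policy)]


def evaluate(rules, src, dst):
    """Apply the rule list the way a first-match forward chain would."""
    if src == dst:
        return False
    i, o = PORTS[src][0], PORTS[dst][0]
    for rin, rout, action in rules:
        if rin == i and rout == o:
            return action == "accept"
    return True  # no rule matched: default accept


def rules_match_policy(policy=allowed):
    """True if the generated rules reproduce the policy for every ordered pair."""
    rules = build_rules(policy)
    return all(evaluate(rules, s, d) == policy(s, d) for s, d in permutations(PORTS, 2))


def render_config(policy=allowed):
    """RouterOS-style commands for JanJoh's recipe (assumed syntax; verify on the box)."""
    lines = [f"/interface bridge add name={BRIDGE}"]
    for eth, _ in PORTS.values():
        lines.append(f"/interface ethernet set {eth} master-port=none")
        lines.append(f"/interface bridge port add bridge={BRIDGE} interface={eth}")
    for rin, rout, action in build_rules(policy):
        lines.append(f"/interface bridge filter add chain=forward "
                     f"in-interface={rin} out-interface={rout} action={action}")
    return "\n".join(lines)


if __name__ == "__main__":
    if asymmetric_pairs():
        raise SystemExit(f"one-way allows would break replies: {asymmetric_pairs()}")
    assert rules_match_policy()
    print(render_config())
```

With a default-accept forward chain the rule count is just the number of forbidden ordered pairs (six here: three switch ports, each blocked towards the other two). Tightening the policy later, for instance limiting what the downstream switches may reach on the servers, only changes the allowed function; the symmetry check and the rule generation stay the same.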
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Tue Mar 04, 2014 3:08 pm



> With all respect, I have been working with enterprise networks since the nineties. I know the ISO model quite well, and trust me when I say this: it is the same thing.
>
> On an L3 packet filter you usually use IP addresses as your criteria.
> On an L2 packet filter you use MAC, or ingress/egress interface, or VLAN ID.

Yes, for the final result it is the same. The difference is about switch load and latency. It is "cheap" to use L2 filtering (less load) compared with L3. And like I wrote already, if I have a device that is moving from SW1 and is now on SW2, I must edit/modify some L3 rules. That is not the case if I can use VLANs. The same situation arises when a client must change an IP address, or if I add a new client (with a new IP).

> But regardless of whether you filter on L3 or L2 you WILL need rules to do what you suggest. These rules will require you (for the time being) to pull all traffic over the 1Gbps line to the RouterBoard in the CRS.
>
> And finally, no, your friend has NOT been able to do what you want to do with just VLANs. Either he has used a packet filter, or else all traffic on a VLAN WILL be accessible by all hosts on the VLAN.
>
> But, feel free to post his network spec and config and we can analyze that.
>
> Edit: I suppose you MIGHT be able to do it by specifying "In interface" and "Out interface" in your forward chain, and set up your accept/reject combinations there, but it would still mean you pull everything via the CPU, and it is still a packet filter.

This link http://www.smallnetbuilder.com/lanwan/l ... an?start=2 shows that what I want is possible with VLANs and without any L3 firewall rules! It is not exactly my test case, but it is very close to what I want.
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Tue Mar 04, 2014 3:25 pm

> This link http://www.smallnetbuilder.com/lanwan/l ... an?start=2 shows that what I want is possible with VLANs and without any L3 firewall rules! It is not exactly my test case, but it is very close to what I want.

Yes, you can easily define that infrastructure in the CRS. But, as I have said before, you WILL have a 1Gbps limit total until the support for the switching chip includes more advanced functions that may (or may not...) become implemented by Mikrotik in the future. Before that time, the Linksys in the article would probably be faster than the CRS, because it has multiple 1Gbps ports to the CPU.

In fact, I actually think you could do this without the use of VLAN in Mikrotik by simply using "in interface" and "out interface" in your rules, but you would still hit the 1Gbps limit. I haven't tried this though.

And yes, the Linksys definitely uses its packet filter in the example you link to. You just do not see it from a user perspective.
 
guletz
just joined
Topic Author
Posts: 20
Joined: Thu Feb 27, 2014 5:20 pm

Re: VLAN Design on CRS-125-24G

Tue Mar 04, 2014 3:54 pm

So until then my best option is to return the 2 x CRS-125-24G to the reseller, and to buy another switch that can fit my needs. I am sorry for the time spent on this. Thanks a lot for your kind responses!
 
JanJoh
Frequent Visitor
Posts: 50
Joined: Tue Nov 26, 2013 10:14 pm

Re: VLAN Design on CRS-125-24G

Tue Mar 04, 2014 4:01 pm

> So until then my best option is to return the 2 x CRS-125-24G to the reseller, and to buy another switch that can fit my needs. I am sorry for the time spent on this. Thanks a lot for your kind responses!

It depends on what you mean by "best option". But yes, as I have understood it, if you want >1Gbps that is your only option for the time being.

I run VLAN at home with the CRS, and it works nicely enough. I can live with the 1Gbps thing, but I hope that the switch chip does get more support, because the hardware can do more.

The CRS is a bit of a strange animal. If you have not figured it out yet, you can look at the device as a 24-port gig switch that is connected to a RouterBoard via a single 1Gbps Ethernet connection. With the current software, all "fancy stuff" needs to happen in the RouterBoard.
