
 
mateito
just joined
Topic Author
Posts: 3
Joined: Mon Feb 15, 2016 4:37 am

Possibility of multiple trunked vlan master ports on single CRS125 switch chip?

Mon Feb 15, 2016 5:11 am

I just configured my CRS125-24G-1S-IN (6.34.1), and ran across a strange issue. I followed this guide: http://wiki.mikrotik.com/wiki/Manual:CR ... Based_VLAN

General traffic flow is:
wan/cpe -> router eth0 interface or eth1 interface -> switch -> access layer
Ideally, I would like to have two interfaces on my router serve two branches of my SOHO on dedicated interfaces - a DMZ/sandbox zone and a trusted zone, with distro layer served by the CRS125.

I can get the config working when there is only one master port (ether1-master). When I try to create a secondary master/slave configuration on the CRS and use the same VLAN configuration as ether1-master, I get a very strange issue. Here's a representation of how I tried to configure it and where I saw issues:

Image

When I applied the standard VLAN configuration to ether2-master, the switch passed the VLAN-tagged traffic to the router correctly. The router replied to ARPs and DHCP DISCOVER requests without issue. But the packets never made it back to the originating hosts. When I did a tcpdump on the access ports, I saw all of the tagged traffic even though the ports were configured as untagged.

The only reason I can think of this happening is due to the 'dynamic' port group made when creating ether2-master, which included switch1-cpu as an interface/port. I didn't see the same for ether1-master. I wasn't able to remove switch1-cpu from that group, so I'm assuming there's some magic behind-the-scenes for that.

My question then becomes: is it possible to have the switch chip host two VLAN trunking ports? Or will this require something like bridging? Is there a known configuration or workaround to get a config like this working as expected?
Last edited by mateito on Mon Feb 15, 2016 5:05 pm, edited 1 time in total.
 
becs
MikroTik Support
Posts: 474
Joined: Thu Jul 07, 2011 8:26 am

Re: Possibility of multiple trunked vlan master ports on single CRS125 switch chip?

Mon Feb 15, 2016 2:55 pm

CRS VLAN configurations do not work well with multiple master-ports.
This is the note from the CRS manual page:

> Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

Since you have different VLANs in each group you can use one master-port without any problems. The VLANs will be isolated anyway after configuring VLAN filtering http://wiki.mikrotik.com/wiki/Manual:CR ... _filtering
 
mateito
just joined
Topic Author
Posts: 3
Joined: Mon Feb 15, 2016 4:37 am

Re: Possibility of multiple trunked vlan master ports on single CRS125 switch chip?

Mon Feb 15, 2016 3:08 pm

> CRS VLAN configurations do not work well with multiple master-ports.
> <snip>
> Since you have different VLANs in each group you can use one master-port without any problems. The VLANs will be isolated anyway after configuring VLAN filtering http://wiki.mikrotik.com/wiki/Manual:CR ... _filtering

Hi becs, thanks for the reply. I figured as much, I did see that comment and wondered what it was referring to.

So do you mean I can apply VLANs (egress-vlan-tag, /interface ethernet switch vlan) to the ether2 interface even though it exists logically underneath ether1-master?

My thought is that a slave trunk would need both ingress and egress translations, while the master carried the additional VLAN definitions per standard config. Is that correct or am I off there?
 
becs
MikroTik Support
Posts: 474
Joined: Thu Jul 07, 2011 8:26 am

Re: Possibility of multiple trunked vlan master ports on single CRS125 switch chip?

Mon Feb 15, 2016 4:02 pm

> So do you mean I can apply VLANs (egress-vlan-tag, /interface ethernet switch vlan) to the ether2 interface even though it exists logically underneath ether1-master?

Yes, because the main purpose of the master-port is setting an internal connection from the switch chip to the CPU (it is an interface which can have an IP address). VLAN trunk ports in the switch chip do not require being master-ports to do Layer2 forwarding.

Note that everything you configure on the master-port interface in the "Switch" menu (/interface ethernet switch), you actually do on the physical port.
From the hardware switch chip's point of view there is a separate "switch1-cpu" port in the "Switch" menu, and it is the same as the "master-port" from the CPU's (RouterOS software) point of view.
 
mateito
just joined
Topic Author
Posts: 3
Joined: Mon Feb 15, 2016 4:37 am

Re: Possibility of multiple trunked vlan master ports on single CRS125 switch chip?

Mon Feb 15, 2016 4:53 pm

Bingo! Thanks again. Here's my working config, for anyone else that's curious.

ether1-master and ether2 are connected to router
management VLAN set to 100, gateway set to router

NOTE: all VLANs are logically defined on ether1-master via "/interface vlan"

All routing takes place 'above' mikrotik
/export hide-sensitive compact
# feb/15/2016 09:42:09 by RouterOS 6.34.1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master
set [ find default-name=ether3 ] master-port=ether1-master
set [ find default-name=ether4 ] master-port=ether1-master
set [ find default-name=ether5 ] master-port=ether1-master
set [ find default-name=ether6 ] master-port=ether1-master
set [ find default-name=ether7 ] master-port=ether1-master
set [ find default-name=ether8 ] master-port=ether1-master
set [ find default-name=ether9 ] master-port=ether1-master
set [ find default-name=ether10 ] master-port=ether1-master
set [ find default-name=ether11 ] master-port=ether1-master
set [ find default-name=ether12 ] master-port=ether1-master
set [ find default-name=ether13 ] master-port=ether1-master
set [ find default-name=ether14 ] master-port=ether1-master
set [ find default-name=ether15 ] master-port=ether1-master
set [ find default-name=ether16 ] master-port=ether1-master
set [ find default-name=ether17 ] master-port=ether1-master
set [ find default-name=ether18 ] master-port=ether1-master
set [ find default-name=ether19 ] master-port=ether1-master
set [ find default-name=ether20 ] master-port=ether1-master
set [ find default-name=ether21 ] master-port=ether1-master
set [ find default-name=ether22 ] master-port=ether1-master
set [ find default-name=ether23 ] master-port=ether1-master
set [ find default-name=ether24 ] master-port=ether1-master
set [ find default-name=sfp1 ] master-port=ether1-master
/interface vlan
add comment="VLAN10" interface=ether1-master name=vlan10 vlan-id=10
add comment="VLAN100" interface=ether1-master name=vlan100 vlan-id=100
add comment="VLAN200" interface=ether1-master name=vlan200 vlan-id=200
add comment="VLAN299" interface=ether1-master name=vlan299 vlan-id=299
add comment="VLAN999" interface=ether1-master name=vlan999 vlan-id=999
/ip neighbor discovery
set vlan10 comment="VLAN10"
set vlan100 comment="VLAN100"
set vlan200 comment="VLAN200"
set vlan299 comment="VLAN299"
set vlan999 comment="VLAN999"
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1-master,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-master,switch1-cpu vlan-id=100
add tagged-ports=ether1-master vlan-id=10
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=299
add tagged-ports=ether2 vlan-id=999
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 sa-learning=yes
add customer-vid=0 new-customer-vid=200 ports=ether9 sa-learning=yes
add customer-vid=0 new-customer-vid=299 ports=ether10 sa-learning=yes
add customer-vid=0 new-customer-vid=999 ports=ether11 sa-learning=yes
/interface ethernet switch port
set 8 vlan-type=edge-port
set 9 vlan-type=edge-port
set 10 vlan-type=edge-port
set 11 vlan-type=edge-port
set 12 vlan-type=edge-port
set 13 vlan-type=edge-port
set 14 vlan-type=edge-port
set 15 vlan-type=edge-port
set 16 vlan-type=edge-port
set 17 vlan-type=edge-port
set 18 vlan-type=edge-port
set 19 vlan-type=edge-port
set 20 vlan-type=edge-port
set 21 vlan-type=edge-port
set 22 vlan-type=edge-port
set 23 vlan-type=edge-port
set 24 vlan-type=edge-port
/interface ethernet switch vlan
add ports=ether1-master,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-id=10
add ports=ether1-master,switch1-cpu vlan-id=100
add ports=ether2,ether9 vlan-id=200
add ports=ether2,ether10 vlan-id=299
add ports=ether2,ether11 vlan-id=999
/ip address
add address=192.168.1.2/28 comment=defconf interface=vlan100 network=192.168.1.0
/ip dns
set servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
/ip ssh
set strong-crypto=yes
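
As an added example (not part of the thread and not MikroTik tooling), this Python check reads the switch tables from the export above and confirms that no VLAN is a member of both router-facing trunks and that every tagged or translated port is a member of its VLAN. The function names and the `uplinks` parameter are assumptions of this example.

```python
import re

# Switch tables copied from the export in the post above (other sections omitted).
EXPORT = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-master,switch1-cpu vlan-id=100
add tagged-ports=ether1-master vlan-id=10
add tagged-ports=ether2 vlan-id=200
add tagged-ports=ether2 vlan-id=299
add tagged-ports=ether2 vlan-id=999
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 sa-learning=yes
add customer-vid=0 new-customer-vid=200 ports=ether9 sa-learning=yes
add customer-vid=0 new-customer-vid=299 ports=ether10 sa-learning=yes
add customer-vid=0 new-customer-vid=999 ports=ether11 sa-learning=yes
/interface ethernet switch vlan
add ports=ether1-master,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-id=10
add ports=ether1-master,switch1-cpu vlan-id=100
add ports=ether2,ether9 vlan-id=200
add ports=ether2,ether10 vlan-id=299
add ports=ether2,ether11 vlan-id=999
"""

def parse(export):
    """Return {menu path: [{key: value} for each 'add' line under it]}."""
    tables, menu = {}, None
    for line in export.splitlines():
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add ") and menu:
            tables.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return tables

def audit(export, uplinks=("ether1-master", "ether2")):
    """List isolation problems; uplinks are the two trunks towards the router."""
    t = parse(export)
    sw = "/interface ethernet switch "
    members = {r["vlan-id"]: set(r["ports"].split(",")) for r in t.get(sw + "vlan", [])}
    findings = []
    for vid, ports in sorted(members.items(), key=lambda kv: int(kv[0])):
        if len(ports & set(uplinks)) > 1:  # one VLAN reachable from both zones
            findings.append(f"VLAN {vid} spans both uplinks")
    for r in t.get(sw + "egress-vlan-tag", []):
        for p in sorted(set(r["tagged-ports"].split(",")) - members.get(r["vlan-id"], set())):
            findings.append(f"{p} tags VLAN {r['vlan-id']} but is not a member")
    for r in t.get(sw + "ingress-vlan-translation", []):
        for p in sorted(set(r["ports"].split(",")) - members.get(r["new-customer-vid"], set())):
            findings.append(f"{p} maps untagged traffic to VLAN {r['new-customer-vid']} but is not a member")
    return findings
```

Calling `audit(EXPORT)` on the tables as posted returns an empty list; the same function can be pointed at a fresh `/export` after any change to the VLAN tables.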
