I am writing to both request help with this configuration and to express frustration with MikroTik Support. I have had a few RB3011s running for a few weeks now and have been unable to properly get the switch chip working on basically any of them. The documentation in the WIKI for the switch chip is atrocious and thus I have been trying to work through it with support. Support has been giving me information which contradicts the WIKI and even today told me that I should hire a consultant if I needed help with the configuration. What I need is functional documentation....
Here is what I am trying to accomplish (which seems trivial)...
Ether01 through Ether10 untagged traffic to bridge local and tagged vlan 2 traffic to bridge-guest. I want to drop all other traffic. I'd ideally like to use the switch chip to get the VLAN part since it will be wirespeed and offload the CPU.
Right now I have Ether2 to Ether5 set with ether1 as their master-port and put ether1 in bridge-local. I have ether7 to ether10 with ether5 as their master port and put ether5 in bridge local. I have vlan2 on bridge-local and put that into bridge-guest. Everything works correctly, but it doesn't use the switch chip. My goal is to convert to using the switch chip.
Thoughts?
.
-
-
mpreissner
Member
- Posts: 357
- Joined:
- Location: Columbia, MD
Re: RB3011 Switch Chip and Frustration with Support
Have you tried translating the untagged traffic into another VLAN? I think the biggest problem you're going to have is that Bridge only operates at the CPU...there is no hardware bridging implemented at the switch chip, so any bridging between the two switch chips is going to involve the CPU. I do think you should be able to leverage the switch chip, at least for wire-speed comms between devices on the same switch. Can you post your export?
Re: RB3011 Switch Chip and Frustration with Support
You should understand that there are 2 switches in the RB3011 so you will never have full
switching between all the ports. It is often best to do all LAN switching on one group, and
use the other group for misc purposes like link to another router where you don't need the
LAN range. Then you can omit the bridge (which consumes CPU resources)
The switches will by default be transparent to VLAN. You can add switch config to only allow
traffic of your VLAN tags and not other, but when all ports are configured the same it does
not really add much.
I agree with you that the switch documentation is in a bad state. It does not explain general
concepts too well and quickly drops into examples that are too simple to be very useful.
You can configure untagged and tagged-2 VLAN by adding those VLAN definitions in the
switch menu and including all ports including the CPU port into them, then set the switch
ports to "secure".
This will do your VLAN tag filtering, but at the CPU side you still need the software handing
of the VLAN tag. I would recommend to make .vlan2 interfaces for each parent ethernet
interface and put those .vlan2 interfaces into the guest bridge, rather than putting the vlan2
under the bridge-local. Or use the .vlan2 interface directly without bridge, as said above.
switching between all the ports. It is often best to do all LAN switching on one group, and
use the other group for misc purposes like link to another router where you don't need the
LAN range. Then you can omit the bridge (which consumes CPU resources)
The switches will by default be transparent to VLAN. You can add switch config to only allow
traffic of your VLAN tags and not other, but when all ports are configured the same it does
not really add much.
I agree with you that the switch documentation is in a bad state. It does not explain general
concepts too well and quickly drops into examples that are too simple to be very useful.
You can configure untagged and tagged-2 VLAN by adding those VLAN definitions in the
switch menu and including all ports including the CPU port into them, then set the switch
ports to "secure".
This will do your VLAN tag filtering, but at the CPU side you still need the software handing
of the VLAN tag. I would recommend to make .vlan2 interfaces for each parent ethernet
interface and put those .vlan2 interfaces into the guest bridge, rather than putting the vlan2
under the bridge-local. Or use the .vlan2 interface directly without bridge, as said above.
Re: RB3011 Switch Chip and Frustration with Support
Sorry... I forgot to mention I completely understand that there are two switch chips. and that one splits its backbone to the CPU with the SFP port.
This is the code I'm currently using. Every time I try to turn on the switch chip all traffic drops.
This is the code I'm currently using. Every time I try to turn on the switch chip all traffic drops.
Code: Select all
/interface bridge
add comment="Guest Bridge" mtu=1500 name=bridge-guest protocol-mode=none
add comment="Local Bridge" mtu=1500 name=bridge-local protocol-mode=none
add comment="Internet Bridge" mtu=1500 name=bridge-internet protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether01-master-local
set [ find default-name=ether2 ] master-port=ether01-master-local name=ether02-slave-local
set [ find default-name=ether3 ] master-port=ether01-master-local name=ether03-slave-local
set [ find default-name=ether4 ] master-port=ether01-master-local name=ether04-slave-local
set [ find default-name=ether5 ] master-port=ether01-master-local name=ether05-slave-local
set [ find default-name=ether6 ] name=ether06-master-local
set [ find default-name=ether7 ] master-port=ether06-master-local name=ether07-slave-local
set [ find default-name=ether8 ] master-port=ether06-master-local name=ether08-slave-local
set [ find default-name=ether9 ] master-port=ether06-master-local name=ether09-slave-local
set [ find default-name=ether10 ] master-port=ether06-master-local poe-out=off name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp01-gateway
/interface vlan
add interface=bridge-local name=vlan-guest-bridge-local vlan-id=2
/interface bridge port
add bridge=bridge-guest interface=vlan-guest-bridge-local
add bridge=bridge-local interface=ether01-master-local
add bridge=bridge-local interface=ether06-master-local
add bridge=bridge-internet interface=sfp01-gateway
/interface ethernet switch port
set 0 vlan-mode=disabled
set 1 vlan-mode=disabled
set 2 vlan-mode=disabled
set 3 vlan-mode=disabled
set 4 vlan-mode=disabled
set 5 vlan-mode=disabled
set 6 vlan-mode=disabled
set 7 vlan-mode=disabled
set 8 vlan-mode=disabled
set 9 vlan-mode=disabled
set 10 vlan-mode=disabled
set 11 vlan-mode=disabled
/interface ethernet switch vlan
Re: RB3011 Switch Chip and Frustration with Support
I don't think I'm getting the entire picture.
Is VLAN 2 on the same subnet as the untagged traffic you want it switching with (I'd assume not, but)? That's the only time the switch would take over for wirespeed, otherwise if a different subnet, it would have to be routed through the cpu port anyway, as the switch won't route.
One thing I've noticed on the 2011 switch chips (same menu and functionality) is that once I start tweaking with the menu settings, I have to set it up completely otherwise it get's weird.
The vlan-mode=disabled is supposed to treat all packets as if they didn't have one. (Documentation is bad, so I don't know if it drops the packet, vlan header or what
)
Is VLAN 2 on the same subnet as the untagged traffic you want it switching with (I'd assume not, but)? That's the only time the switch would take over for wirespeed, otherwise if a different subnet, it would have to be routed through the cpu port anyway, as the switch won't route.
One thing I've noticed on the 2011 switch chips (same menu and functionality) is that once I start tweaking with the menu settings, I have to set it up completely otherwise it get's weird.
The vlan-mode=disabled is supposed to treat all packets as if they didn't have one. (Documentation is bad, so I don't know if it drops the packet, vlan header or what
)