I'm not alone. Discussing with network managers guys i got the same feeling, switch features are difficult to understand and use, and most of the time the switch is wrongly considered buggy, because documentation is incomplete. This tendency mean that advanced switch features are most of the time not used, because they are too difficult to setup as soon as something a bit complex is necessary.
This is specially difficult when there is a mix of untagged and tagged traffic, with more than one port (mac address) on Router OS CPU side. More, there are some differences at the hardware level according to the switch chip used. This add to the complexity. For example, i was surprised to see that the switch chip on the high end RB3011 ARM dual core "home" router is not able to rewrite the VLAN ID and priority. This is not indicated in the wiki. This function is useful to split traffic to different VLANs without using different destination ports.
Some things are really not clear to me. Those questions are the ones who came to me during the setup of a quite complex half bridge (routing IPv4 and bridging IPv6) between a WAN and two LANs, on a RB3011 :
- When using VLAN mode (secure, check or fallback) how untagged packets are managed exactly ? Is there a difference for untagged packets between "disable" VLAN mode and other VLAN modes ?
- It is not clear to me what the disable VLAN mode mean, specially when it does allow VLAN tagged traffic to be passed to VLAN Router OS interfaces.
- How is managed traffic when there is a mix of ports with "disable" VLAN mode, and other ports with "fallback", "check" or "secure" mode ?
In the manual we can read :
But how are treated untagged packets if default-vlan-id is not defined ? Do they get an internal vlan-id ? If yes witch one ? Can this conflict with a user vlan ID ? I've read somewhere that VLAN ID = 1 is used internally to mark this traffic. Is that true or still the case in actual products ?Packets without vlan tag are treated just like if they had a vlan tag with port default-vlan-id. This means that if "vlan-mode=check or secure" to be able to forward packets without vlan tags you have to add a special entry to vlan table with the same vlan id set according to default-vlan-id.
It seems that rules override vlan rules. But are they effective for ports where VLAN mode is "disable" ? VLAN rules on the other side are effective only for ports with VLAN mode different from "disable", if i'm right.
Other points :
- I've seen that it is possible to send traffic to Router OS ether interfaces, even if the Master-port function is not used. Traffic coming from a physical ether port, will go the the Router OS CPU port with the same number (ether1 physical will go to Router OS ether1 port) even if some part of the traffic is switched at the hardware level between physical ports, using VLAN switch rules and switch rules.
But why is it impossible to send traffic to router OS ether ports where there is no connected cable on the corresponding physical port ? It would be interesting to be able to use Router OS CPU interfaces when cables are not connected in their corresponding physical port (when the interface in Router OS does not have the Running flag). This would give the possibility to switch between physical ports, and give at the same time access to virtual CPU ports. This would be useful to send filtered switched traffic to different Router OS interfaces, independently from physical ports, for later inclusion inside software bridges for example. Actually it is only possible to do this with Router OS ether interfaces where a cable is connected.
Ideally, we should have the possibility to use more than one CPU port for each switch, and get those ports through virtual ether interfaces inside Router OS.
- On the manual it is stated that we need to use the master port function to be able to switch between two or more ports. This is not true. I've been able to switch between two or more ports of the switch physical ports using rules, without using the Master port function. And still getting traffic on the router OS side. Effectively, when not using master port function, each physical port is connected to its corresponding Router OS CPU interface with its own mac address. But this does not forbid to use rules to switch traffic between hardware ports.
The manual says here :
- Master port function seems to silently write some switch rules, something like automatic configuration of rules. The manual says that switch rules have priority, but it is not clear to me how things are managed if master port function is used at the same time as switch rules. It is impossible to know the result except perhaps with trial and error method, because master port rules are not available in the rule list. A better manual here, or a better GUI would be useful here.Switching feature allows wire speed traffic passing among a group of ports, like the ports were a regular Ethernet switch. You configure this feature by setting a "master-port" property to one ore more ports in /interface ethernet menu.
All this add to the difficulty of using the Mikrotik switch features, mainly i think because the manual is not precise enough.