lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Sun Jan 28, 2018 6:45 pm

Hi.

What is the functional difference between using /interface bridge vlan config compared to just creating /interface vlan on several interfaces and then bridging the vlan interfaces? Also - is this new /interface bridge vlan menu a replacement for the old /interface ethernet switch vlan menu? (I can't check because the only router I'm testing 6.41 on is a CCR1009 without a hardware switch)

I mean for example VLAN Example #1 from the wiki: https://wiki.mikrotik.com/wiki/Manual:I ... ge#Summary looks to me just like the equivalent of:
/interface vlan:
vlan-v400: ether2
vlan-v300: ether2
vlan-v200: ether2
/interface bridge:
br-v400: [ether8, vlan-v400]
br-v300: [ether7, vlan-v300]
br-v200: [ether6, vlan-v200]

It's in pseudocode but I think it's clear what I mean. I don't really see any benefit of using that new option instead of /interface vlan on devices without hardware switches (because if I understand correctly on devices with hardware switches it should be hardware accelerated, unlike /interface vlan, and it looks somewhat friendlier than the old /interface ethernet switch vlan).
MTCNA, MTCRE, MTCINE
 
pe1chl
Forum Guru
Posts: 5822
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Sun Jan 28, 2018 9:10 pm

One reason for this change is that it was impossible to get standards-compliant spanning tree protocol (that would inter-operate with main brand switches) without it.
There also is some advantage in doing away with switch and bridge as separate config items with overlapping use.
But of course we don't want any reduced functionality or bugs that are caused by the change :-)
 
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Sun Jan 28, 2018 9:35 pm

> But of course we don't want any reduced functionality or bugs that are caused by the change :-)

Well, one thing I can tell for sure is that this "standard-compliant" handling of vlans in all common enterprise switches is the reason why we had to use MikroTik routers and switches instead of Cisco ones in a client datacenter even though they already had spare Cisco switches. The following config doesn't seem to be possible to achieve on a Cisco switch (at least we didn't know any way of doing that without a Cisco router, which was too expensive for this case):

/interface vlan:
v200: ether2
v300: ether2
v400: ether2
/interface bridge
br-main: [v200, v300, v400]
/interface addr
br-main: 192.168.60.1/24

I'm aware it's not a "standard" proper network situation, but we encountered a crappy device that didn't allow having more than 1 IP per interface and at the same time didn't have enough interfaces to get rid of vlans at all because it was a lower model, so we had to give 3 IPs in the same network to 3 VLAN interfaces and then bridge them. Using 1 cable and a MikroTik router.
MTCNA, MTCRE, MTCINE
 
anav
Forum Guru
Posts: 2967
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Fri Apr 27, 2018 9:39 pm

Okay I am just starting out thinking about VLANS and google brought me here LOL.
I see that there are two places to create VLANS. The Interface menu selection and the Bridge menu selection.
Disclaimer, I prefer winbox. ( no external access, just internal ;-) )

The interface selection seems most like my older router zyxel USG40 whereas the Bridge one looks more like switch settings???

My setup is basic.
2 WANS
2 BRIDGES
HOMEBRIDGE - LAN1
DMZBRIDGE - LAN2
ether1- secondary ISP
ether5-primary ISP(failover)
ether2-LAN1
ether3-LAN1
ether4-LAN2
LAN1-192.168.1.0/24
LAN2-192.168.2.0/24
Assume I have managed switches.
Assume I have vlan capable APs (seeing as they work now, need to get me some hAP-ac2s)

ON my zyxel40, I would create a new VLAN, complete with IP address and DHCP Serving etc but one step was identifying which was my host (Symbiotic) network the VLAN would piggyback on.
In other words a VLAN has to travel within an existing network. I am not sure how to do this on hex??????

Example Lets say I want
Normal LAN traffic for the wired house and use VLANS to partition off everything else.
vlan10 192.168.10.0/24 android boxes, appletv etc.....
vlan20 192.168.20.0/24 guest wifi
vlan30 182.168.30.0/24 house wifi

I want to run VLAN10 and VLAN20 off of LAN2 - DMZ bridge
I want to run VLAN 30 off of LAN1 - Homebridge

I want to forward block appropriately so will need
vlan10 TO vlan 20, vlan 30, LAN1, LAN2 : DROP
vlan20 TO vlan10, vlan 30, LAN1, LAN2 : DROP

I want to ensure VLAN30 to LAN1 traffic and LAN1 to VLAN30 traffic works easily.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Fri Apr 27, 2018 11:38 pm

hEX has a hardware switch, so in this case the vlan settings in /interface bridge are supported by the wire-speed switch chip. My question was regarding routers that DO NOT have a hardware switch (like the CCR series for example) and still have this option. Then it looks a bit redundant to me. Sounds like doing stuff the hard way with no gain.

The easiest way will be to use software vlans, the ones in /interface vlan. You just create some vlans here, pointing at the base interface, and then in /ip address you assign the address to the vlan interface, NOT the ether interface. If you have an IP on both the vlan and the ether interface, the one on the ether interface will handle untagged frames, so it may not be desired if you don't plan to use untagged packets. Regarding the firewall, you operate on vlans like on conventional interfaces. You can use e.g. the in-interface=myvlan property in a firewall rule. This solution is really really easy to pull off but you won't get hardware acceleration so... it depends on what you expect. Conceptually, interfaces in RouterOS work like Linux interfaces. You can imagine it as a set of connected boxes which perform certain operations on packets. E.g. your case could look like this:

ether - vlan - bridge - cpu(router)
or:
ether - vlan - cpu(router)

The vlan box just filters packets with the required vlan, so it works like a filter box that catches the appropriate packets and strips the vlan headers so that they behave like normal untagged packets from this point. And it adds a vlan header to outgoing packets that are output through the vlan interface. You know, a bit like audio filter boxes, for example for guitar. Just working in both directions, not just input.

The second option will be to create hardware accelerated vlans. The advantage is that afaik it allows specifying traffic rules via ACL, but they will be stateless, and in general this option is more complicated conceptually because it's much closer to the hardware and less abstract.

If you don't need full gigabit between vlans I'd go for software vlans. It gives you much better control in terms of firewall and traffic control in general as it's proper routing. vlans defined by /interface bridge are more switch-oriented. You can look at them as vlans in the realm of a managed switch. And I have never used them so I can't help you there off the top of my head.
MTCNA, MTCRE, MTCINE
 
artz
MikroTik Support
Posts: 88
Joined: Tue Oct 17, 2017 5:51 pm
Location: Riga

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 10:33 am

Currently only CRS3xx series switches are able to hardware offload configurations with /interface bridge vlan. If a device (including the old CCR1009) has a switch chip and is capable of VLAN switching on a hardware level (look for the VLAN table here: https://wiki.mikrotik.com/wiki/Manual:S ... troduction ), then the configuration in order to achieve wire-speed performance must be done under the /interface ethernet switch menu, like this: https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
(not including CRS1xx/CRS2xx, they have a somewhat different type of configuration).

The reason why bridge VLAN filtering and the new bridge implementation were made is compliance with RSTP and adding new features (MSTP, for example).
It is known that when you add a physical interface to a bridge together with a VLAN interface, that can block a switch port on a switch that is using the BPDU Guard function; you can read more about this case here:
https://wiki.mikrotik.com/wiki/Manual:L ... _interface
 
pe1chl
Forum Guru
Posts: 5822
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 10:56 am

Thanks for the explanation artz!
Can you explain as well why a configuration with bridge VLAN filtering on 6.41 and higher does not support hardware acceleration?
As it is now, the situation is very confusing. We used to have the switch-oriented config (master-port and switch config) and it had to be migrated to a bridge config, but when this is fully done there is no hardware acceleration. Why isn't it possible to have the bridge config with VLAN filtering do the switch configuration automatically in the background, so there is only one config to worry about?

Our typical config on pre-6.41 was to have a couple of VLAN interfaces on the master port, and in the switch some ports are trunked and some are untagged on a certain VLAN. This should translate 1:1 to the new bridge config where ports are tagged or untagged members of a VLAN and the VLAN interfaces are now on the bridge interface. The hardware should be capable of handling that, as it also could do that in the switch config. But when this config is migrated to 6.41 there is only a single bridge without VLAN.
 
CZFan
Forum Guru
Posts: 1395
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 4:31 pm

@artz, in your quoted article, https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29

How would you add IP addresses to the various VLANs and enable routing between VLANs?

I thought maybe following the "Management IP Config" example in that article, but there it shows adding it to physical port 2, which is the master port, but in the new bridge config the bridge will be the new master port and you can't select the bridge in "/interface ethernet switch vlan".
MTCNA, MTCTCE, MTCRE & MTCINE
 
pe1chl
Forum Guru
Posts: 5822
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 4:47 pm

CZFan: you add VLAN interfaces to the bridge interface (instead of to the master port ethernet interface) and then add IP addresses to the VLAN interfaces.
That will automatically enable routing between all VLANs unless prohibited by firewall rules.
You have to make sure that the bridge interface is a tagged member of the VLAN in the bridge.
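The recipe pe1chl gives (VLAN interfaces on the bridge, addresses on the VLAN interfaces, bridge tagged in each VLAN), written out as a complete RouterOS 6.41+ bridge-VLAN-filtering configuration, with the forward-chain isolation anav asked for and the in-interface firewall matching lapsio described. This is an added example, not a configuration posted in the thread; it reuses anav's VLAN IDs and subnets and assumes the interface names and trunk/access roles noted in the comments.

```routeros
# Added example, not from the thread. Assumptions: ether2 is the trunk to the
# managed switch / APs, ether3 is an untagged vlan30 port, ether4 an untagged
# vlan10 port; VLAN IDs and subnets are anav's.

# Create the bridge with filtering OFF first; turning it on before the VLAN
# table is complete cuts off management access.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=30
add bridge=bridge1 interface=ether4 pvid=10

# The bridge itself must be a tagged member of every VLAN the router should
# reach (pe1chl's point); otherwise the VLAN interfaces below see no traffic.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether4
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether2 untagged=ether3

# L3 interfaces sit on the bridge, not on a physical port.
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
add name=vlan30 vlan-id=30 interface=bridge1

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.30.1/24 interface=vlan30

# Routing between the VLANs is on by default; restrict it in the forward
# chain. vlan10 and vlan20 may not reach any other VLAN, vlan30 is unrestricted.
/interface list
add name=VLAN
/interface list member
add list=VLAN interface=vlan10
add list=VLAN interface=vlan20
add list=VLAN interface=vlan30
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan10 out-interface-list=VLAN action=drop
add chain=forward in-interface=vlan20 out-interface-list=VLAN action=drop

# Only now enable filtering.
/interface bridge set bridge1 vlan-filtering=yes
```

Verify with /interface bridge vlan print that bridge1 appears in the tagged column of every VLAN before enabling vlan-filtering; as artz notes above, this bridge VLAN table is hardware offloaded only on CRS3xx.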
 
CZFan
Forum Guru
Posts: 1395
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 5:25 pm

Thx @petchi, if I follow you correctly, that will be in the Bridge VLAN config and not in the switch VLAN config. If I follow the Bridge VLAN config, I am ok and all seems to work, BUT, and I think you mentioned it also, you lose hardware offload, and since @artz was quoting an article for wire-speed VLAN, I was hoping it would be possible to do it via the Switch VLAN config way.

So I see it this way:

Downgrade to 6.40.8 and have wire-speed VLAN, or use latest, greatest new RoS version and lose hardware offload

Is my synopsis correct or am I very confused :?
MTCNA, MTCTCE, MTCRE & MTCINE
 
pe1chl
Forum Guru
Posts: 5822
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 6:00 pm

Well it looks like that, and I question like you why it is that way.
When bridge with VLAN filtering is the new way to configure a device, it should include the hardware acceleration and switch config.
For now I have kept all devices that really need this feature (due to 1Gbps traffic between switchports) on the bugfix release (6.40.8) but I am fearing the moment that MikroTik decide to make 6.41 or higher the bugfix release and we cannot have hardware accelerated VLAN switching anymore...
 
CZFan
Forum Guru
Posts: 1395
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 6:10 pm

> Well it looks like that, and I question like you why it is that way.
> When bridge with VLAN filtering is the new way to configure a device, it should include the hardware acceleration and switch config.
> For now I have kept all devices that really need this feature (due to 1Gbps traffic between switchports) on the bugfix release (6.40.8) but I am fearing the moment that MikroTik decide to make 6.41 or higher the bugfix release and we cannot have hardware accelerated VLAN switching anymore...

Maybe it will be there in V7 :D
MTCNA, MTCTCE, MTCRE & MTCINE
 
artz
MikroTik Support
Posts: 88
Joined: Tue Oct 17, 2017 5:51 pm
Location: Riga

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 6:54 pm

VLAN switching will not be removed and it is still possible to do VLAN switching when you have configured your device with 6.41.x or later. The configuration stays the same, only the master-port part is replaced (even converted) to a bridge configuration; the VLAN switching configuration part has not been changed. The bridge VLAN filtering option was designed to make VLAN configuration easier, but for now this type of configuration is only hardware offloaded for CRS3xx series switches.

Updated the wiki for more detailed examples for management ports on generic switch chip devices:
https://wiki.mikrotik.com/wiki/Manual:S ... figuration
 
CZFan
Forum Guru
Posts: 1395
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 7:15 pm

> VLAN switching will not be removed and it is still possible to do VLAN switching when you have configured your device with 6.41.x or later. The configuration stays the same, only the master-port part is replaced (even converted) to a bridge configuration, VLAN switching configuration part has not been changed. The bridge VLAN filtering option was designed to make VLAN configuration easier, but for now this type of configuration is only hardware offloaded for CRS3xx series switches.
>
> Updated the wiki for more detailed examples for management ports on generic switch chip devices:
> https://wiki.mikrotik.com/wiki/Manual:S ... figuration

Thx @artz, looking forward to when VLAN filter hw offload will be available on other switch chips, as that does seem to make config easier (I think...)

Now have some testing to do in lab based on updated Wiki...
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 8:18 pm

> Thx @petchi, if I follow you correctly, that will be in the Bridge VLAN config and not in the switch VLAN config. If I follow the Bridge VLAN config, I am ok and all seems to work, BUT, and I think you mentioned it also, you lose hardware offload and since @artz was quoting an article for wire-speed VLAN, I was hoping it will be possible to do via Switch VLAN config way.

Well, I may have missed something in your requirements, but if I get you right you would be happy with setting up in 6.41+ what 6.40.8 can do, right? So the issue referred to by @artz doesn't bother you.

If so: as far as I have tested that, the bridge and switch configurations do not interfere much until you enable vlan-filtering on the bridge, which you only need to do if you want to use MSTP or to make RSTP work correctly as @artz has mentioned. So you can set up a bridge with vlan-filtering=no, create an /interface vlan for each VLAN you need to access locally and attach it to that bridge, and use the /interface switch vlan menu to configure VLAN filtering on the switch chip if you need to control membership of ports in VLANs. The trick is that you must make the CPU port of the switch chip (both chips in your case, as your home lab device has two) a member of those VLANs which you want to access locally.

This way you'll get wire-speed forwarding with VLAN filtering within each chip and access to them from the bridge.

I'm not sure whether there is a direct path between the two switch chips; I've only seen the RB2011 alive once and only from outside. If there is, you need to permit VLANs which you want on both switch chips on their interconnect ports but only on the 8337's CPU port (guess why). If there isn't, you have to permit these VLANs on the CPU ports, and you may forget about wire-speed forwarding between the switch chips of course.

What is a bit tricky is that the FastEthernet switch chip (ports 6-10) doesn't support "hybrid" mode on ports, i.e. several tagged VLANs and one tagless, but that should not be a show stopper for you.

Off-topic: will you also go to the optician if I do :-) (I've been planning that for a year and still cannot get there)? Rob's nickname is pe1chl, not petchi.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
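sindy's workaround above (bridge with vlan-filtering=no, VLAN interfaces on the bridge, port membership done in the switch chip's VLAN table with the CPU port included), written out for a single-chip device on 6.41+. This is an added example, not a configuration from the thread; the switch chip name switch1, the port roles, the VLAN IDs and the subnets are assumptions, and the port properties use the Atheros8327/QCA8337 syntax, so check the switch chip wiki page for other chips.

```routeros
# Added example, not from the thread. Assumptions: one switch chip named
# switch1 with CPU port switch1-cpu; ether2 is the trunk, ether3 an untagged
# vlan10 port, ether4 an untagged vlan20 port; VLAN 99 is management-only.

# 1. Plain bridge; filtering stays OFF so the switch chip keeps hw offload.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

# 2. Port membership is enforced by the switch chip, not the bridge.
#    secure mode drops frames whose VLAN is not allowed on the ingress port.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# The CPU port must be a member of every VLAN the router should reach
# locally (sindy's "trick"); VLAN 99 exists only on the trunk and the CPU.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether2,ether3,switch1-cpu
add switch=switch1 vlan-id=20 ports=ether2,ether4,switch1-cpu
add switch=switch1 vlan-id=99 ports=ether2,switch1-cpu

# 3. L3 interfaces on the bridge (the former master port), addresses on them.
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
add name=vlan99 vlan-id=99 interface=bridge1
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.99.1/24 interface=vlan99

# 4. Checks: every bridge port should still show the H (hw-offload) flag,
#    and switch1-cpu must appear in each VLAN row.
/interface bridge port print
/interface ethernet switch vlan print
```

Inter-VLAN traffic still passes through the CPU via the VLAN interfaces, so firewall filter rules on vlan10/vlan20 apply as in the software-VLAN case; only same-VLAN switching between ports is done at wire speed.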
 
CZFan
Forum Guru
Posts: 1395
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: VLAN aware bridges in 6.41 - difference between bridging /interface vlan?

Mon Apr 30, 2018 9:16 pm

@pe1chl, my sincere apologies for getting your forum handle / nickname incorrect. It is a habit from my Regional IT Manager days where I had to sit in meetings all day and still got a minimum of 100+ e-mails per day, so I got into the habit of scanning things quickly and sometimes I do get things wrong; my apologies again if I have offended anyone.

@sindy, you must have a memory like an elephant, no disrespect meant. The reason I say this is you recalling what model I have at home, but I have expanded my "lab" area and now use Hap Mini + Hap ac Lite + RB951Ui-2HnD for this :D But your feedback is relevant and, as always, highly appreciated and respected, thank you again.
MTCNA, MTCTCE, MTCRE & MTCINE