mozerd (Forum Veteran, Topic Author)

CRS326 Management Port

Fri Jan 04, 2019 3:14 pm

Just got this switch and I am having some difficulty understanding how to get a management port working.
Following is my configuration using RouterOS, currently configured as a switch with a number of VLANs:
# jan/05/1970 13:41:53 by RouterOS 6.43.8
# software id = 6K0L-9RGW
#
# model = CRS326-24G-2S+
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7 pvid=10
add bridge=bridge comment=defconf interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether9 pvid=10
add bridge=bridge comment=defconf interface=ether10 pvid=10
add bridge=bridge comment=defconf interface=ether11 pvid=20
add bridge=bridge comment=defconf interface=ether12 pvid=20
add bridge=bridge comment=defconf interface=ether13 pvid=20
add bridge=bridge comment=defconf interface=ether14 pvid=30
add bridge=bridge comment=defconf interface=ether15 pvid=30
add bridge=bridge comment=defconf interface=ether16 pvid=40
add bridge=bridge comment=defconf interface=ether17 pvid=40
add bridge=bridge comment=defconf interface=ether18 pvid=40
add bridge=bridge comment=defconf interface=ether19 pvid=40
add bridge=bridge comment=defconf interface=ether20 pvid=50
add bridge=bridge comment=defconf interface=ether21 pvid=50
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether11,ether12,ether13 vlan-ids=20
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether14,ether15 \
    vlan-ids=30
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether16,ether17,ether18,ether19 vlan-ids=40
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether20,ether21 \
    vlan-ids=50
add bridge=bridge tagged=ether24,ether23,ether22 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=haloSW
/system routerboard settings
set boot-os=router-os
When vlan-filtering=yes the switch works, but with 2 issues:
[1] I am unable to connect via SSH and [2] I am unable to connect using Winbox.
I want VLAN 10 to be my management VLAN, where my PC resides on port ether3, which I use to access the switch via Winbox and SSH.
Question: What needs to be changed in my configuration to achieve my objective?
 
sebastia (Forum Guru)

Re: CRS326 Management Port

Fri Jan 04, 2019 3:24 pm

Hey

You need to create a VLAN interface on the bridge with vid=10. This will be the interface by which you'll access the CRS from VLAN 10.

Currently the switch is accessible through: eth1, 2, 22, 23, 24, sfp1 & 2 (untagged)
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 3:47 pm

> Hey
>
> You need to create a VLAN interface on the bridge with vid=10. This will be the interface by which you'll access the CRS from VLAN 10.
>
> Currently the switch is accessible through: eth1, 2, 22, 23, 24, sfp1 & 2 (untagged)
Thanks @sebastia
So I did the following:
/interface vlan
add interface=bridge name=MGMT vlan-id=10

I can access via Winbox but cannot access via SSH?
 
sebastia (Forum Guru)

Re: CRS326 Management Port

Fri Jan 04, 2019 3:49 pm

SSH service enabled? On the right port, from config "set ssh port=xxxxx"?

Also the user needs the right to SSH, and a user can be limited to an address range; check that too.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 3:58 pm

> SSH service enabled? On the right port, from config "set ssh port=xxxxx"?
>
> Also the user needs the right to SSH, and a user can be limited to an address range; check that too.
Thank you. Yep, SSH service is enabled with the correct port. Will check permissions....
 
mkx (Forum Guru)

Re: CRS326 Management Port

Fri Jan 04, 2019 4:02 pm

/interface bridge vlan
set [ find bridge=bridge vlan-ids=10 ] tagged=bridge,ether24,ether23,ether22

I.e. the bridge "port" has to be a tagged member of the management VLAN.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 4:11 pm

[EDIT] Now from my PC I can access the switch via SSH and Winbox, but I am no longer able to access the Internet.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:13 pm

Prior to making the 2 suggested changes the Internet was accessible.
So the management port now works, but access to the Internet does not.

Following is the updated config:
# jan/02/1970 06:08:51 by RouterOS 6.43.8
# software id = 6K0L-9RGW
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether11,ether12,ether13 vlan-ids=20
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether14,ether15 \
    vlan-ids=30
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether16,ether17,ether18,ether19 vlan-ids=40
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether20,ether21 \
    vlan-ids=50
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=XXXX
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=haloSW
/system routerboard settings
set boot-os=router-os
Question: Why have I lost access to the Internet?
 
sebastia (Forum Guru)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:15 pm

Lost internet, from which device?
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:19 pm

> Lost internet, from which device?
From the PC I use to manage the switch and router. The PC resides on vlan10.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:26 pm

OOPS, just noticed that after a switch reboot all my port PVID settings are lost. ???? Stay tuned.
 
sebastia (Forum Guru)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:30 pm

I would advise isolating the mgmt network...

But if you insist ;-): where do you do your routing? What is your "uplink" / trunk? There is no routing here (rightfully so):
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:53 pm

> I would advise isolating the mgmt network...
>
> But if you insist ;-): where do you do your routing? What is your "uplink" / trunk? There is no routing here (rightfully so):
> add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
Yea, I may isolate the mgmt network later, as this is a lab exercise before I put it into production to replace a CISCO switch.
My CCR1009 ether7 is my router trunk, connected to ether24 on the CRS326.
 
sebastia (Forum Guru)

Re: CRS326 Management Port

Fri Jan 04, 2019 8:57 pm

So that's where (CCR) you need to do your routing: define vlan10 on eth7 (if needed) and route / NAT as normal.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Fri Jan 04, 2019 9:07 pm

> So that's where (CCR) you need to do your routing: define vlan10 on eth7 (if needed) and route / NAT as normal.
My CCR1007 is working just fine :-)
Thanks sebastia

So after I fixed the port PVID issue reported earlier I have now regained access to the Internet. Sure would like to know why it is that I lost all the PVID settings after the switch reboot. -- nope, I was not using safe mode :-)
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 11:55 am

[1] On my wired PC, which is connected to ether8 of the switch, I only have access using Winbox; no access using SSH.
[2] On my wireless laptop, no access to Winbox or SSH using PVID 10, regardless of the fact that the laptop is in the same subnet.
[3] Using PVID 1 the wireless laptop and wired PC have Winbox and SSH access.
# jan/02/1970 21:53:15 by RouterOS 6.43.8
# software id = 6K0L-9RGW
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7 pvid=10
add bridge=bridge comment=defconf interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether9 pvid=10
add bridge=bridge comment=defconf interface=ether10 pvid=10
add bridge=bridge comment=defconf interface=ether11 pvid=20
add bridge=bridge comment=defconf interface=ether12 pvid=20
add bridge=bridge comment=defconf interface=ether13 pvid=20
add bridge=bridge comment=defconf interface=ether14 pvid=30
add bridge=bridge comment=defconf interface=ether15 pvid=30
add bridge=bridge comment=defconf interface=ether16 pvid=40
add bridge=bridge comment=defconf interface=ether17 pvid=40
add bridge=bridge comment=defconf interface=ether18 pvid=40
add bridge=bridge comment=defconf interface=ether19 pvid=40
add bridge=bridge comment=defconf interface=ether20 pvid=50
add bridge=bridge comment=defconf interface=ether21 pvid=50
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether11,ether12,ether13 vlan-ids=20
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether14,ether15 \
    vlan-ids=30
add bridge=bridge tagged=ether22,ether23,ether24 untagged=\
    ether16,ether17,ether18,ether19 vlan-ids=40
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether20,ether21 \
    vlan-ids=50
add bridge=bridge tagged=bridge,ether24,ether23,ether22 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=haloSW
/system routerboard settings
set boot-os=router-os
So apparently I need to stack PVID 1 and PVID 10 if I want to manage the switch from either of the 2 devices I use.

Question: What's the best way to do this so that I have Winbox/SSH access from both the wireless laptop and the wired PC using VLAN 10?
 
mkx (Forum Guru)

Re: CRS326 Management Port

Sat Jan 05, 2019 2:58 pm

If you want to have management access via IP over VLAN 10, you have to configure IP stuff in /ip address etc. on interface=MGMT (not on interface=bridge as it is now).
To have access via IP from other VLANs it's probably best to configure the firewall (both on switch and router) accordingly; connectivity between devices in different subnets is a matter of routing and firewalling.

The export doesn't show anything about /tool mac-server, so it's probably still at default. Which probably means that Winbox over MAC connections are allowed from interfaces listed in
/interface list member print where list=LAN

... you probably want to update that as well.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 4:41 pm

> If you want to have management access via IP over VLAN 10, you have to configure IP stuff in /ip address etc. on interface=MGMT (not on interface=bridge as it is now).
> To have access via IP from other VLANs it's probably best to configure the firewall (both on switch and router) accordingly; connectivity between devices in different subnets is a matter of routing and firewalling.
My current focus is to understand how CRS326/ROS works at Layer 2 .... will tackle Layer 3 later. Using SwOS I do not have these issues .... but it's ROS/Winbox that interests me, not SwOS. Much easier for me to configure CISCO switches to do similar objectives :-) Anyway mkx, thank you for the suggestions.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 5:32 pm

I find the following somewhat confusing:

Taken from the Wiki:
> In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired
>
> To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.
>
> /ip address
> add address=192.168.88.1/24 interface=bridge1
>
> It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports ether3,ether4 add this entry to the VLAN table:
>
> /interface bridge vlan
> add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1
>
> Make sure that PVID on the bridge interface matches the PVID value on these ports:
>
> /interface bridge set bridge1 pvid=1
> /interface bridge port set ether3,ether4 pvid=1
Question: So in my case does this mean that I need to find a way to stack PVID 1 on VLAN 10?
 
mkx (Forum Guru)

Re: CRS326 Management Port  [SOLVED]

Sat Jan 05, 2019 5:59 pm

No, in your case you need to start using the MGMT interface. It is an L2 interface, untagged "on the side" where you're about to use it (e.g. as a member of the LAN interface list, which would allow you to use MAC Winbox from a PC that is a member of VLAN 10).
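An added example, not from the thread or from MikroTik: a small Python checker that parses an export in the form posted above and reports the conditions raised in mkx's replies (a VLAN interface exists, the bridge itself is a tagged member of the management VLAN, port PVIDs agree with the untagged list, and the IP address is on the VLAN interface rather than the bridge). The sample exports are constructed, trimmed versions of the ones posted; the checker and its function names are hypothetical.

```python
"""Offline sanity check for the bridge-VLAN management pitfalls in this thread.
Assumptions (hypothetical checker, not a MikroTik tool): one bridge, plain
comma-separated vlan-ids (no ranges), RouterOS 6.4x 'add key=value' export syntax."""
import shlex

# Constructed sample modelled on the first export in the thread, trimmed to a few
# ports: no VLAN interface, bridge not tagged on VLAN 10, IP address on the bridge.
FIRST_EXPORT = """\
/interface bridge
add admin-mac=B8:69:F4:32:CD:68 auto-mac=no comment=defconf name=bridge \\
    vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether11 pvid=20
add bridge=bridge comment=defconf interface=ether24
/interface bridge vlan
add bridge=bridge tagged=ether22,ether23,ether24 untagged=ether11 vlan-ids=20
add bridge=bridge tagged=ether24,ether23,ether22 untagged=\\
    ether3,ether8 vlan-ids=10
/ip address
add address=192.168.10.88/24 comment=defconf interface=bridge network=\\
    192.168.10.0
"""
# The same layout after the two fixes from the thread: MGMT VLAN interface added
# and the bridge itself made a tagged member of VLAN 10 ...
LATER_EXPORT = FIRST_EXPORT.replace(
    "tagged=ether24,ether23,ether22", "tagged=bridge,ether24,ether23,ether22"
).replace("/interface bridge port",
          "/interface vlan\nadd interface=bridge name=MGMT vlan-id=10\n"
          "/interface bridge port")
# ... and with the IP address moved from the bridge to the MGMT interface.
FIXED_EXPORT = LATER_EXPORT.replace("interface=bridge network=",
                                    "interface=MGMT network=")


def parse_export(text):
    """Parse an export into {section: [{key: value, ...}, ...]}.
    A trailing backslash continues the line; '#' lines are skipped."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]      # keep any space in front of the backslash
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        entry = {"_cmd": line.split()[0]}
        for tok in shlex.split(line)[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections.setdefault(section, []).append(entry)
    return sections


def split_list(value):
    return set(filter(None, value.split(",")))


def check_mgmt_vlan(sections, vid, bridge="bridge"):
    """Return the findings that would block management over VLAN `vid`
    (empty list means every condition discussed in the thread is met)."""
    vid, findings = str(vid), []
    mgmt_ifaces = {e["name"] for e in sections.get("/interface vlan", [])
                   if e.get("interface") == bridge and e.get("vlan-id") == vid}
    if not mgmt_ifaces:
        findings.append(f"no /interface vlan with vlan-id={vid} on {bridge}")
    # Port -> PVID as configured; RouterOS uses PVID 1 when it is omitted.
    pvid_of = {e["interface"]: e.get("pvid", "1")
               for e in sections.get("/interface bridge port", [])
               if e.get("bridge") == bridge}
    tagged, untagged = set(), set()
    for e in sections.get("/interface bridge vlan", []):
        if e.get("bridge") == bridge and vid in split_list(e.get("vlan-ids", "")):
            tagged |= split_list(e.get("tagged", ""))
            untagged |= split_list(e.get("untagged", ""))
    if bridge not in tagged:
        findings.append(f"{bridge} itself is not a tagged member of VLAN {vid}")
    # Ingress (PVID) and egress (untagged list) must agree, or traffic is one-way;
    # the second case is what the thread saw when the PVIDs were lost after a reboot.
    for port, pvid in sorted(pvid_of.items()):
        if pvid == vid and port not in untagged:
            findings.append(f"{port} has pvid={vid} but is not untagged in VLAN {vid}")
        elif pvid != vid and port in untagged:
            findings.append(f"{port} is untagged in VLAN {vid} but has pvid={pvid}")
    for a in sections.get("/ip address", []):
        if a.get("interface") == bridge:
            findings.append(f"{a['address']} is on {bridge}, not on a VLAN {vid} "
                            f"interface ({', '.join(sorted(mgmt_ifaces)) or 'none'})")
    return findings
```

Running `check_mgmt_vlan(parse_export(FIRST_EXPORT), 10)` reports all three problems from the first post, while the fixed export returns an empty list.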
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 6:28 pm

> No, in your case you need to start using the MGMT interface. It is an L2 interface, untagged "on the side" where you're about to use it (e.g. as a member of the LAN interface list, which would allow you to use MAC Winbox from a PC that is a member of VLAN 10).
mkx, on the switch I do not have any 'list' defined, so I do not understand your reference to "as member of LAN interface list." ... I also currently have no restriction on mac-server. My 2 devices [wireless PC and desktop PC] reside on vlan10 -- I do not need access from any other subnet. The mgmt IP 192.168.10.88 is in the same subnet as the PCs.

When I change the MGMT IP from the bridge to the MGMT interface, Winbox works but SSH does not.
 
mkx (Forum Guru)

Re: CRS326 Management Port

Sat Jan 05, 2019 6:34 pm

> When I change the MGMT IP from the bridge to the MGMT interface, Winbox works but SSH does not.
Do you use the IP address in Winbox to connect, or the MAC address? If IP address, are you trying Winbox and SSH from the same PC? Do you have any FW rules defined?
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 6:48 pm

> When I change the MGMT IP from the bridge to the MGMT interface, Winbox works but SSH does not.
> Do you use the IP address in Winbox to connect, or the MAC address? If IP address, are you trying Winbox and SSH from the same PC? Do you have any FW rules defined?
In Winbox I use the MAC addy.
Currently I have no FW rules defined in the switch. My CCR1009 router is where my FW rules reside.
Tile FW
# jan/05/2019 12:00:09 by RouterOS 6.44beta50
# software id = 1TLQ-B555
#
# model = CCR1009-7G-1C-1S+
# serial number = xxxxxxxxxxx
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.10.55 list=allowed_to_router
add address=192.168.10.50 list=allowed_to_router
add address=192.168.10.44 list=Printers
add address=192.168.10.36 list=Printers
add address=66.240.192.0/18 list=rogue_vpn_hosts
add address=71.6.165.200 list=rogue_vpn_hosts
add address=80.82.77.139 list=rogue_vpn_hosts
add address=195.37.190.88 list=rogue_vpn_hosts
add address=93.174.95.106 list=rogue_vpn_hosts
add address=216.218.128.0/17 list=rogue_vpn_hosts
add address=192.168.5.249 list=access_points
add address=192.168.5.248 list=access_points
add address=192.168.10.15 comment=NAS list=UPnPdevices
add address=192.168.40.90 comment=XBOX list=UPnPdevices
add address=192.168.20.254 comment="Apple Time Capsule" list=UPnPdevices
add address=71.6.158.128/26 list=rogue_vpn_hosts
add address=71.6.146.128/26 list=rogue_vpn_hosts
add address=158.85.70.151 list=voipms
add address=67.205.74.179 list=voipms
add address=185.195.201.148 list=rogue_vpn_hosts
add address=216.195.192.0/19 list=rogue_vpn_hosts
add address=203.91.118.0/24 list=rogue_vpn_hosts
add address=71.6.135.0/24 list=rogue_vpn_hosts
add address=154.85.56.0/24 list=rogue_vpn_hosts
add address=71.6.167.142 list=rogue_vpn_hosts
add address=144.217.181.56 list=rogue_vpn_hosts
add address=77.243.148.0/22 list=rogue_vpn_hosts
add address=83.169.211.0/24 list=rogue_vpn_hosts
add address=46.148.174.31 list=rogue_vpn_hosts
add address=76.190.234.39 list=rogue_vpn_hosts
add address=198.20.64.0/18 list=rogue_vpn_hosts
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=accept chain=input comment="INPUT Established, Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="INPUT Drop Invalid" connection-state=\
    invalid log-prefix="invalid connection"
add action=drop chain=input comment="INPUT DROP FireHOL Blacklist" \
    in-interface=ether1 log-prefix="firehole blacklist" src-address-list=\
    blacklist
add action=drop chain=input comment="INPUT DROP Rogue Webservs" in-interface=\
    ether1 log-prefix="rogue webservers" src-address-list=bkserver
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=2d chain=input comment="INPUT Telnet Port Scans" \
    dst-port=23 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="INPUT DROP Rogue VPN Hosts" dst-port=\
    500,4500 in-interface=ether1 log=yes log-prefix=rogue_vpn protocol=udp \
    src-address-list=rogue_vpn_hosts
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1 log=yes \
    log-prefix=who_is_this protocol=udp
add action=accept chain=input comment=\
    "INPUT Allow to Router from address list" src-address-list=\
    allowed_to_router
add action=accept chain=input comment="INPUT ICMP" protocol=icmp
add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" \
    dst-port=1900 log-prefix=UPnP protocol=udp src-address-list=UPnPdevices
add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" \
    dst-port=2828 log-prefix=UPnP protocol=tcp src-address-list=UPnPdevices
add action=drop chain=input comment="INPUT DROP ALL"
add action=accept chain=forward comment="FORWARD Accept in IPsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="FORWARD Accept out IPsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "FORWARD Accept FastTrack Established, Related" connection-state=\
    established,related
add action=accept chain=forward comment="FORWARD Accept Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="FORWARD Drop invalid" \
    connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment=\
    "FORWARD Drop incoming packets that are not NATted" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=accept chain=forward comment="FORWARD VLANs to WAN" \
    in-interface-list=VLANs out-interface=ether1
add action=accept chain=forward comment="FORWARD Allow Access for AP's" \
    src-address-list=access_points
add action=accept chain=forward comment=\
    "FORWARD ALLOW Linux station access to printers" dst-address-list=\
    Printers src-address=192.168.40.50
add action=drop chain=forward comment="FORWARD Drop all" log-prefix=who
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=drop chain=prerouting comment="Drop Port Scaners" in-interface=\
    ether1 log-prefix="Port Scaners" src-address-list="Port Scanners"
 
mkx (Forum Guru)

Re: CRS326 Management Port

Sat Jan 05, 2019 8:28 pm

OK, CCR's firewall denies most of inter-VLAN connectivity.

When CRS' address is set on MGMT ... where is your PC connected? To ether3 of CRS as mentioned in one of your early posts or ether8 from a later post? Is ether3 (ether8) still configured with pvid=10? How do IP settings on PC, plugged to ether3, correlate to IP settings on MGMT interface of CRS?
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 8:58 pm

> OK, CCR's firewall denies most of inter-VLAN connectivity.
>
> When CRS' address is set on MGMT ... where is your PC connected? To ether3 of CRS as mentioned in one of your early posts or ether8 from a later post? Is ether3 (ether8) still configured with pvid=10? How do IP settings on PC, plugged to ether3, correlate to IP settings on MGMT interface of CRS?
The wired PC is connected to ether8 of the CRS. ether8 is configured with pvid=10. All devices connected to ether3, 4, 5, 6, 7, 8, 9, 10 are in vlan10 and are in network 192.168.10.0/24, as is the MGMT IP. The wireless PC also resides in vlan10.
So to recap:
CRS MGMT = 192.168.10.88
Wired PC = 192.168.10.55
Wireless PC = 192.168.10.50
The last config I posted is the current config.
 
mkx (Forum Guru)

Re: CRS326 Management Port

Sat Jan 05, 2019 10:03 pm

If CRS' IP config is on MGMT interface, then I don't have any idea about why you can't connect via ssh to the port you've set instead of standard port 22 ...
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sat Jan 05, 2019 10:24 pm

> If CRS' IP config is on MGMT interface, then I don't have any idea about why you can't connect via ssh to the port you've set instead of standard port 22 ...
mkx, thanks for all your efforts to help. I am rarely stumped, but this one does it. :-) What I want to accomplish should be a breeze to configure on a managed switch or a smart switch.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Sun Jan 06, 2019 5:11 am

When the IP address is set on the bridge, from my wired and wireless PC I can ping the switch address.
[attachments: bridge.GIF, ping_bridge.GIF]
When the IP address is set on the MGMT interface, pinging the switch address from my wired and wireless PC fails.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Mon Jan 07, 2019 1:00 am

> If CRS' IP config is on MGMT interface, then I don't have any idea about why you can't connect via ssh to the port you've set instead of standard port 22 ...
@mkx
You [me and the goal post] will be pleased to learn that configuring the IP on the MGMT interface does NOW work and both my PC devices can SSH etc.
Some strange anomalies to report:
1. Winbox sees 2 CRS switches .... ??? The picture below shows 2 MAC addresses and I have no idea why.
2. I shut down the CRS326 switch and removed the power cord. Then I re-powered the switch, changed the IP from the bridge to the MGMT interface and, lo and behold, everything works to my satisfaction -- but where does the 2nd CRS326 come from?
 
mkx (Forum Guru)

Re: CRS326 Management Port

Mon Jan 07, 2019 8:46 am

Check the ether ports' MAC addresses ... most probably one of the MACs listed belongs to the bridge (and hence to the MGMT interface) while the other MAC address belongs to another ether port ... it's worth examining why it actually announces its own MAC to the world ... proper bridge member ports should be using the MAC of the bridge.

Another possibility would be that there are actually two switch chips in the CRS and that the bridge, spanning both switch chips, somehow mishandles the MACs. But according to the block diagram this shouldn't be the case with the CRS326.

[edit] Looking at your latest posted config, I noticed the admin-mac setting. So Winbox sees the bridge as an interface without IP config. If the bridge still has its MAC set to the same value and the MGMT port is part of that bridge, then add this to the list of anomalies.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Mon Jan 07, 2019 2:43 pm

> Check the ether ports' MAC addresses ... most probably one of the MACs listed belongs to the bridge (and hence to the MGMT interface) while the other MAC address belongs to another ether port ... it's worth examining why it actually announces its own MAC to the world ... proper bridge member ports should be using the MAC of the bridge.
The 'other' MAC address shows up on ether3.
The MGMT interface and the bridge have the same MAC address.
 
mkx (Forum Guru)

Re: CRS326 Management Port

Mon Jan 07, 2019 3:03 pm

Huh ... ether3 is not treated in any special way in the config you've posted. So I don't see any reason for it to show up on Winbox's MAC address list, let alone being configured with an IP address.
I'll pass this as another glitch which might (or might not) disappear with another cold boot. Or with an upgrade to the latest beta (just announced). Or with both.
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Mon Jan 07, 2019 3:04 pm

I also observed that ether3 is flapping consistently ???
[haloSW@haloSW] > log print where message~"ether3"
00:38:28 bridge,info hardware offloading activated on bridge "bridge" ports: ether3 
05:55:57 interface,info ether3 link up (speed 10M, full duplex) 
06:01:02 interface,info ether3 link down 
06:01:07 interface,info ether3 link up (speed 1G, full duplex) 
07:00:34 interface,info ether3 link down 
07:00:37 interface,info ether3 link up (speed 10M, full duplex) 
07:00:40 interface,info ether3 link down 
07:00:43 interface,info ether3 link up (speed 10M, full duplex) 
11:06:54 interface,info ether3 link down 
11:06:59 interface,info ether3 link up (speed 1G, full duplex) 
11:35:55 interface,info ether3 link down 
11:35:58 interface,info ether3 link up (speed 10M, full duplex) 
11:36:03 interface,info ether3 link down 
11:36:06 interface,info ether3 link up (speed 10M, full duplex) 
13:22:00 interface,info ether3 link down 
13:22:05 interface,info ether3 link up (speed 1G, full duplex) 
13:25:01 interface,info ether3 link down 
13:25:04 interface,info ether3 link up (speed 10M, full duplex) 
13:25:09 interface,info ether3 link down 
13:25:12 interface,info ether3 link up (speed 10M, full duplex) 
13:27:59 interface,info ether3 link down 
13:28:04 interface,info ether3 link up (speed 1G, full duplex) 
13:31:01 interface,info ether3 link down 
13:31:04 interface,info ether3 link up (speed 10M, full duplex) 
13:31:09 interface,info ether3 link down 
13:31:12 interface,info ether3 link up (speed 10M, full duplex) 
21:22:01 interface,info ether3 link down 
21:22:05 interface,info ether3 link up (speed 1G, full duplex)
 
mkx (Forum Guru)

Re: CRS326 Management Port

Mon Jan 07, 2019 3:22 pm

What's the real status of said port? One thing that might cause the observed behaviour: when a PC goes into power-saving mode (either sleep or even off, but with WOL enabled), the ether port stays active but it might well switch down to 10Mbps mode ... saves some energy while it can still receive a WOL packet. If the PC connected to ether3 does nothing like this, does it experience some disruptions? Like popping up a notification about an unplugged ethernet cable or something?
 
mozerd (Forum Veteran, Topic Author)

Re: CRS326 Management Port

Mon Jan 07, 2019 3:24 pm

> What's the real status of said port? One thing that might cause the observed behaviour: when a PC goes into power-saving mode (either sleep or even off, but with WOL enabled), the ether port stays active but it might well switch down to 10Mbps mode ... saves some energy while it can still receive a WOL packet. If the PC connected to ether3 does nothing like this, does it experience some disruptions? Like popping up a notification about an unplugged ethernet cable or something?
Yep, you hit the nail on the head. WOL is active on the PC attached to that port. :-)
