grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

CRS 2XX Management VLAN Question

Fri Jul 23, 2021 5:57 pm

I have a CRS226 configured with 3 VLANs and am having a few weird problems with inter-VLAN communications.

I used the guidance at https://wiki.mikrotik.com/wiki/Manual:C ... s_examples and https://wiki.mikrotik.com/wiki/Manual:C ... ith_Trunks

One slight difference is that I have not used a separate management VLAN.
I have allocated one of the 3 production VLANs to the bridge and set an IP address on that VLAN.

Could this cause problems? Should I just allocate an IP address directly to the bridge to provide access to the switch (as suggested in the first link above)?
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS 2XX Management VLAN Question

Fri Jul 23, 2021 6:22 pm

Post configuration for review: /export hide-sensitive file=anynameyouwish and copy-paste contents.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Fri Jul 23, 2021 8:19 pm

Please see below.

Everything had been working fine... but today:
Intermittent connection when accessing VLAN200 devices from VLAN100 (Allowed in firewall rules)
Also weird problem that I could not ping a certain host on VLAN200 with my PC plugged into ether1 of switch. Moved to another port on VLAN 100 and ping worked again.

As per first post would like to know if having bridge set as VLAN100 is a problem?
Thanks


# jul/23/2021 18:07:30 by RouterOS 6.48.3
# software id = UGF3-0R25
#
# model = CRS226-24G-2S+
# serial number = xxxxxx
/interface bridge
add admin-mac=12:34:56:78:90:AB auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
set [ find default-name=ether14 ] speed=100Mbps
set [ find default-name=ether15 ] speed=100Mbps
set [ find default-name=ether16 ] speed=100Mbps
set [ find default-name=ether17 ] speed=100Mbps
set [ find default-name=ether18 ] speed=100Mbps
set [ find default-name=ether19 ] speed=100Mbps
set [ find default-name=ether20 ] speed=100Mbps
set [ find default-name=ether21 ] speed=100Mbps
set [ find default-name=ether22 ] speed=100Mbps
set [ find default-name=ether23 ] speed=100Mbps
set [ find default-name=ether24 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=sfpplus2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2,ether3,eth\
    er4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,eth\
    er14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether\
    23,ether24,ether1"
/interface ethernet switch trunk
add member-ports=ether23,ether24 name=trunk1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=none
/interface ethernet switch egress-vlan-tag
add tagged-ports=trunk1,switch1-cpu,ether20 vlan-id=100
add tagged-ports=trunk1,ether20 vlan-id=180
add tagged-ports=trunk1,ether20 vlan-id=200
add tagged-ports=trunk1,ether20 vlan-id=190
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports="ether1,ether2,ether3,ether4,eth\
    er5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,et\
    her15,ether16"
add customer-vid=0 disabled=yes new-customer-vid=180 ports=ether20
add customer-vid=0 new-customer-vid=200 ports=ether19,ether21,ether22
add customer-vid=0 new-customer-vid=190 ports=ether18,ether17
/interface ethernet switch vlan
add ports="trunk1,switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7\
    ,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,eth\
    er20" vlan-id=100
add ports=trunk1,ether20 vlan-id=180
add ports=trunk1,ether19,ether20,ether21,ether22 vlan-id=200
add ports=trunk1,ether17,ether18,ether20 vlan-id=190
/ip address
add address=192.168.100.2/24 comment=defconf interface=vlan100 network=\
    192.168.100.0
/ip cloud
set update-time=no
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24 port=42123
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set enabled=no
/lcd pin
set pin-number=8822
/system clock
set time-zone-name=Europe/London
/system identity
set name=CRS_Switch
/system ntp client
set enabled=yes primary-ntp=82.219.4.30
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS 2XX Management VLAN Question

Fri Jul 23, 2021 8:22 pm

If this is a switch unit the best starting guide for vlans is here........
https://www.youtube.com/watch?v=Rj9aPoyZOPo
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS 2XX Management VLAN Question

Fri Jul 23, 2021 9:46 pm

Your setup seems fine with regard to vlan100 ... the switch chip settings, bridge and vlan interface.

However, you have a small mess with trunked ports ether23 and ether24. The basic idea is that when ports become members of a trunk, they are not referred to by configuration anymore. Instead port trunk1 is used. So you should remove ether23 and ether24 from the following settings ... and add trunk1 instead:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2,ether3,ether4,\
    ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,\
    ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,ether1"
/interface bridge port
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24

This isn't necessarily causing the problems you're seeing, but with wrong setup anything can happen.
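
An added example, not from the thread or from MikroTik: a Python check in the spirit of the review above, confirming that every port with an active ingress-vlan-translation or egress-vlan-tag rule is also listed in the matching /interface ethernet switch vlan entry, which is the membership that drop-if-invalid-or-src-port-not-member-of-vlan-on-ports enforces. The sample export is constructed (abridged from the posted one, with ether22 removed from VLAN 200), and the function names are hypothetical.

```python
import re

# Constructed sample abridged from the thread's export; ether22 is deliberately missing from VLAN 200.
EXPORT = r'''
/interface ethernet switch egress-vlan-tag
add tagged-ports=trunk1,switch1-cpu,ether20 vlan-id=100
add tagged-ports=trunk1,ether20 vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports="ether1,ether2,eth\
    er3"
add customer-vid=0 disabled=yes new-customer-vid=180 ports=ether20
add customer-vid=0 new-customer-vid=200 ports=ether19,ether21,ether22
/interface ethernet switch vlan
add ports="trunk1,switch1-cpu,ether1,ether2,ether3,eth\
    er20" vlan-id=100
add ports=trunk1,ether19,ether20,ether21 vlan-id=200
'''
BASE = "/interface ethernet switch "

def parse(export):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", export)  # rejoin lines the export wrapped with '\'
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def ports_by_vid(entries, vid_key, ports_key):
    out = {}
    for e in entries:
        out.setdefault(e[vid_key], set()).update(e[ports_key].split(","))
    return out

def audit(export):
    """Return findings where a port's tagging rules and VLAN membership disagree."""
    s = parse(export)
    members = ports_by_vid(s.get(BASE + "vlan", []), "vlan-id", "ports")
    tagged = ports_by_vid(s.get(BASE + "egress-vlan-tag", []), "vlan-id", "tagged-ports")
    active = [e for e in s.get(BASE + "ingress-vlan-translation", []) if e.get("disabled") != "yes"]
    access = ports_by_vid(active, "new-customer-vid", "ports")
    return [f"{port}: {kind} port for VLAN {vid} is not in its VLAN table entry"
            for kind, table in (("access", access), ("tagged", tagged))
            for vid, ports in sorted(table.items())
            for port in sorted(ports - members.get(vid, set()))]

print("\n".join(audit(EXPORT)) or "no findings")
```

Run against a full export, it skips disabled translation rules such as the ether20/VLAN 180 entry in the posted configuration.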
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Sat Jul 24, 2021 11:47 am

Many thanks - this is much appreciated advice.

I will make the changes at the next opportunity (end of next week) and report back.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Thu Jul 29, 2021 11:33 am

I have tried to implement the changes (via winbox) but trunk1 is not available as an option in either /interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports OR /interface bridge port?

The documentation at https://wiki.mikrotik.com/wiki/Manual:C ... _filtering seems to suggest I have it correct.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS 2XX Management VLAN Question

Thu Jul 29, 2021 11:55 am

You're right, you did have trunk configured right, my bad (disclaimer: I don't have a CRS2xx switch to test things myself). You still have to verify that the configuration of the device connected via the two trunked ether ports matches the trunking functionality. The manual says that the matching configuration on devices where everything is configured on the bridge (e.g. CRS3xx or other devices running ROS without HW offload) should be something like this:
/interface bonding
add name=bonding1 slaves=ether2,ether3 mode=balance-xor transmit-hash-policy=layer-2-and-3 \
    link-monitoring=mii mii-interval=100ms


But your description of the problem you have is a bit unclear to me. What exactly do you expect to happen? And what role should switch have in it?
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Thu Jul 29, 2021 12:02 pm

Thanks for the quick reply and confirming all is OK.

Today, with no changes, all seems to be working fine. I have connected my PC back to ether1 and I can now ping and access the device on VLAN200 all OK.
I will keep an eye on the situation.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Tue Aug 03, 2021 11:35 am

The problem is happening again.

I am losing connection to other networked machines intermittently and connections can be slow.

Today I was unable to ping a device on VLAN200 from my PC ON VLAN100. I could ping from the router directly. Other VLAN 200 devices were pinging OK.
Even though I could not ping I could connect to the device via its web interface.

I moved my PC from ethernet1 on the switch to another ethernet port still configured for VLAN100 - Ping has started working again.

Possible reasons:
1. Something wrong in the router config causing intermittent cross VLAN problems.
2. Faulty Hardware
3. Bad device somewhere on network.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CRS 2XX Management VLAN Question

Tue Aug 03, 2021 11:52 am

For some... cleaning, paste this into a new terminal, without omitting the { }:
{
/interface bridge
set bridge protocol=none
/interface bridge port
remove [find where interface~"sfp"]
/interface ethernet
set [ find default-name~"ether" ] speed=1Gbps
set [ find default-name~"sfp" ] advertise="" 
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,!dude,tikapp"
}
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Tue Aug 03, 2021 1:06 pm

Thanks. Just to check I should run these commands on the CRS2xx switch (whose config I posted) and not the Cloud Core Router?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: CRS 2XX Management VLAN Question

Tue Aug 03, 2021 1:07 pm

They are for the CRS226-24G-2S+, the only export I see.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Tue Aug 03, 2021 2:33 pm

Thanks. Changes made as suggested.

My laptop on VLAN100 could still not ping machine A on VLAN 200 but could ping machine B.
Once again I changed to another VLAN 100 port and I could now ping machine A but not machine B.

I tried another laptop in place of mine and it can ping all machines on VLAN200. Put my laptop back in place and same problem. (My machine is assigned a static IP from router.)
Came back after lunch and now my laptop will ping all machines. Very odd.
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Tue Aug 03, 2021 6:02 pm

OK, think I may have got to the bottom of this.

There was a new misconfigured server on the network which was effectively joining two VLANs together. Will just need to test a bit more but hopefully that was it.

Thanks for the help
 
grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Re: CRS 2XX Management VLAN Question

Wed Aug 04, 2021 1:08 pm

Well, there were still problems after this. I have now isolated it to a problematic port on the switch. When any machine is plugged in to this particular port everything goes weird (slow) for other connected machines. Seems worse when traffic crosses VLANs.

Anyone heard of this happening before?
