christian178
newbie
Topic Author
Posts: 42
Joined: Fri Sep 25, 2020 4:26 pm

CRS317 Switch VLAN

Sat Sep 11, 2021 1:10 pm

Hello,

My CRS317 receives traffic on ether1.
On ether2 and ether3 the traffic should go out untagged.
On ether4 the traffic of/to the untagged (no VLAN) ether1 should go out/come in as tagged VLAN 201, nothing else.
The ports ether2, ether3, the VLAN on ether4 and everything from ether1 should see each other.

I have set:
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=201

/interface bridge vlan
add bridge=bridge1 tagged=ether4 vlan-ids=201

/interface bridge set bridge1 vlan-filtering=yes

But it is not working. ether1, ether2 and ether3 all work fine, but there is no traffic to VLAN 201 on ether4.

Can you help?
Thanks
Christian
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CRS317 Switch VLAN

Sat Sep 11, 2021 2:46 pm

You only have vlan 201 defined on one port. It will not get switched to any other port. You would have to tag another port or set the pvid on another port to 201. If you are trying to route between vlans, this is best done on your router, not the switch. To route with this switch you would need ros7 which is still a release candidate and isn't fully ready yet.

If you still have issues please post an export. Your example is inaccurate as there is only one ether interface on a crs317 - the rest are sfp-sfpplus interfaces.
 
christian178
newbie
Topic Author
Posts: 42
Joined: Fri Sep 25, 2020 4:26 pm

Re: CRS317 Switch VLAN

Sat Sep 11, 2021 6:21 pm

Hi,

O.k.
It's a CRS326.
I want no VLAN routing.
Tagged vlan201 on ether4 should only work with completely untagged on the bridge.

/interface bridge vlan
add bridge=bridge1 tagged=ether4 vlan-ids=201 untagged=bridge1

Possible?
I have tested it, but it is also not working...

When I make an interface "Vlan201" on ether4 under "/interface vlan" and put it in the bridge, it works. But no HW offload?

Christian
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS317 Switch VLAN

Sat Sep 11, 2021 6:30 pm

Create a network diagram with your network topology and the VLANs that will be used.
On your diagram note the Trunk and Access ports ...
It will help understand better what you want to achieve...
 
christian178
newbie
Topic Author
Posts: 42
Joined: Fri Sep 25, 2020 4:26 pm

Re: CRS317 Switch VLAN

Sat Sep 11, 2021 7:13 pm

1.jpg
On PC3 only VLAN201 is possible (no untagged). PC3 should communicate with PC1, PC2 and the router.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS317 Switch VLAN

Sat Sep 11, 2021 7:40 pm

i have set:
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=201

/interface bridge vlan
add bridge=bridge1 tagged=ether4 vlan-ids=201
Ok, can you provide more details as to why you've configured PVID 201 on ether4? We configure PVIDs on bridge ports if we want them to behave as access ports. Access ports tag traffic on ingress and untag traffic on egress for the matching VID.
Or in the case of hybrid ports, where we can tag untagged traffic on ingress with the PVID configured on the port and let already tagged traffic on ingress pass through...

If you want ether4 to be an access port, specify as tagged ports your Bridge interface and ether4 as untagged port...
Configure IP address, DHCP etc for that VLAN and you will be ok...

In case there is something else you need to achieve more details are needed ...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 11:32 am

On PC3 only VLAN201 is possible (no untagged). PC3 should communicate with PC1, PC2 and the router.

If you need ether4 tagged and the rest untagged, then configuration has to be the opposite of what you did ... ether4 without PVID set, the rest of ports (ether1..ether3) PVID set. The /interface bridge vlan config is fine.

Not to forget: bridge has to have PVID set as well:
/interface bridge set [ find name=bridge1 ] pvid=201
if you need management access through that common network and you don't want to use vlan interface.


If you don't want to have the whole bridge VLAN aware, then there's an alternative, but it means involving the switch's CPU for traffic towards PC3 (likely means PC3 will have reduced network connectivity speed): remove ether4 from the bridge, create a vlan interface on ether4 and join the vlan interface to the bridge:
/interface bridge port
remove [ find interface=ether4 ]
/interface vlan
add name=e4v201 interface=ether4 vlan-id=201
/interface bridge port
add bridge=bridge1 interface=e4v201
In this case no other VLAN config is needed (neither VLAN interfaces nor PVIDs nor vlan-filtering on bridge).
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 3:33 pm

Clearly, the OP needs to read this resource first
viewtopic.php?f=23&t=143620
Providing the correct setup is useless if the OP isn't learning anything along the way.

In addition, the gross errors in one part of the config beg for a review of the whole config.
One learns quickly that errors are not isolated and that the RoS config has many hooks in different spots
Please provide config.
/export hide-sensitive file=anynameyouwish
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 5:56 pm

@mkx,
Not to forget: bridge has to have PVID set as well:
The Bridge has already a PVID of 1, what would be the purpose of changing the PVID of the Bridge to something else ?
The only thing that comes to my mind is to not allow untagged traffic with the default PVID of 1 (or any other) to access the device / CPU...

But that can be prevented by enabling ingress filtering on the Bridge itself (and admitting only VLAN tagged), so that all untagged traffic towards the CPU will be dropped and no ports will be added as untagged dynamically in the Bridge Table anymore...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 9:22 pm

@mkx,
Not to forget: bridge has to have PVID set as well:
The Bridge has already a PVID of 1, what would be the purpose of changing the PVID of the Bridge to something else ?
If OP indeed wants to have ether4 tagged with VID 201 and the rest of ports untagged ... and he says he wants all PCs to communicate, it's clear that all ports have to be members of VLAN 201. Which probably includes management of switch. If OP doesn't want to deal with VLAN interfaces, then bridge needs setting pvid=201.

I wouldn't do it this way for myself, but for somebody without knowledge of VLANs it might be easier this way.

But then I may understand OP's needs completely wrong ...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 9:39 pm

@mkx,
Changing the PVID on the Bridge itself is all about the VID the untagged traffic will be assigned to...
If for example an access port with PVID 201 and a Bridge with PVID 201 as well, access to that CPU/Device management will be successful through the untagged traffic between these ports...

I don't understand the connection between the tagged traffic and the Bridge PVID? Or I understood something you said wrong... or I am missing something...

Also, adding a VLAN interface as a Bridge port in some cases might cause problems
https://wiki.mikrotik.com/wiki/Manual:L ... _interface
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 10:06 pm

Let's not get into theoretical discussions, it would be hijacking of the thread.

For OP's case (judging from the network topology chart he posted) the problems with VLAN interface as bridge port will not happen. Ditto for the bridge PVID ... it was my suggestion based on my understanding of OP's problem, perhaps not the most by-the-book one, but would surely get work done. So Zacharias, if you have concrete doubts about my solution to OP's problem, discuss that.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 10:10 pm

Changing the PVID on the Bridge itself is all about the VID the untagged traffic will be assigned to...
If for example an access port with PVID 201 and a Bridge with PVID 201 as well, access to that CPU/Device management will be successful through the untagged traffic between these ports...

Setting PVID on any bridge port (bridge interface included) makes that untagged port member of said VLAN. As OP seems to want to have single LAN with particular port tagged, one has to make whole LAN belong to same VLAN. Including management interface of the switch.

Or, my alternative suggestion, keep whole LAN untagged, but make that particular port tagged with desired VID by using vlan interface.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS317 Switch VLAN

Sun Sep 12, 2021 11:14 pm

One cannot make any conclusions or helpful config due to the very incoherent and limited requirements communicated.
For example how can all the traffic coming on ether one somehow untagged from the router be magically sent to all devices behind the switch but magically one device is using vlan201.
Is the switch providing DHCP for this vlan or the router is another unanswered question.

1. Does router provide DHCP for all subnets/vlans ?
2. What are the subnets coming from the router headed towards the switch.

3. Post the complete config of the switch.
/export hide-sensitive file=anynameyouwish


If I was to play everybody else's silly game of guessing ;-PPP

(Note: I suspect the router is sending both untagged and tagged data on ether1 to the switch and thus
ETHER1 is a hybrid port.)

Thus on the switch I would assign/identify two vlans
one for the untagged traffic (10) and one for vlan 201

/interface bridge port
add bridge=bridgeswitch interface=ether1 pvid=10
add bridge=bridgeswitch interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridgeswitch interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridgeswitch interface=ether4 pvid=201 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
add bridge=bridgeswitch tagged=bridgeswitch,ether1 untagged=ether4 vlan-ids=201
add bridge=bridgeswitch tagged=bridgeswitch untagged=ether1,ether2,ether3 vlan-ids=10

/interface bridge set bridgeswitch vlan-filtering=yes


It is not clear if the OP wants to make ether4 also a hybrid port and carry both vlans but knowing what is on the other end of ether4 would help.
Finally the requirement that all the port see each other??
For what purpose, if they all need to see each other then why the two subnets.............. or simply why have vlan 201??

Would not the firewall rules on the main router determine who can see who at layer 3??
As stated the lack of information makes this confusing.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS317 Switch VLAN

Mon Sep 13, 2021 1:11 am

Changing the PVID on the Bridge itself is all about the VID the untagged traffic will be assigned to...
If for example an access port with PVID 201 and a Bridge with PVID 201 as well, access to that CPU/Device management will be successful through the untagged traffic between these ports...

Setting PVID on any bridge port (bridge interface included) makes that untagged port member of said VLAN. As OP seems to want to have single LAN with particular port tagged, one has to make whole LAN belong to same VLAN. Including management interface of the switch.

Or, my alternative suggestion, keep whole LAN untagged, but make that particular port tagged with desired VID by using vlan interface.
I have difficulty understanding what you describe...

Setting the PVID on the Bridge Interface itself allows untagged communication between the Bridge Interface and the Access Ports that have the same PVID configured as well... So an access port with PVID 201 can communicate with the Bridge that has PVID 201 as well using untagged traffic.. Right?

What does the PVID on the Bridge Interface itself have to do with a Tagged Port VID?
To allow communication with the CPU, we add the Bridge as Tagged member for the VID we want to use for MGMT purposes plus the Trunk Port, create a VLAN interface on the Bridge for that VID, assign an address etc...

But if I understand right, you're saying that a tagged port can communicate with the CPU if the VID is the same as the PVID of the Bridge Interface itself???
So a tagged port with VID 201 can communicate with the CPU if the PVID is 201? That can't be right...

Or you simply mean that all untagged traffic entering the Bridge will be Tagged with VID 201 because of the PVID 201 on the Bridge itself thus allowing communication toward tagged ports with VID 201 ?
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CRS317 Switch VLAN

Mon Sep 13, 2021 1:27 am

For management, you can either set the pvid or create a vlan interface and assign it to the bridge. The DHCP client or IP address would be set on the bridge when using pvid but would be handled via the vlan interface otherwise.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS317 Switch VLAN

Mon Sep 13, 2021 8:24 am

As @biomesh already wrote ...

IMO when bridge has vlan-filtering=yes set, then all traffic passes bridge (the switch-like entity) tagged. And frames get tags either a) because they enter bridge already tagged through trunk port or b) get tagged on ingress by bridge due to PVID setting. So if ether4 is tagged for VID 201, frames entering bridge from PC3 adhere to case a). All the rest (including ether1 connection towards router and bridge for management) adhere to case b) ... at the end of the day, all ports belong to VLAN 201 either as access ports (ether1, ether2, ether3, bridge) or trunk ports (ether4). Which would make all 5 ports (the 4 ether ports and bridge) member of same L2 network (in this case VLAN 201).

I hope things are clearer now.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS317 Switch VLAN

Mon Sep 13, 2021 6:05 pm

Jajajaj, Yes clear for everyone, except me. Brain fried.
Seriously, I understand what you said, it just confirms that all traffic on the bridge is tagged.
Just don't comprehend what the OP is asking or stating and thus everything is muddy.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS317 Switch VLAN

Tue Sep 14, 2021 5:23 pm

@mkx, I'll try to explain and I hope you can help

What I find difficult to understand is this:
If tagged traffic comes from lets say switch 1:

SW1:
/interface vlan
add interface=bridge name=vlan1 vlan-id=201
...
/ip address
add address=192.168.201.4/24 interface=vlan1 network=192.168.201.0
...
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=201
The traffic coming from ether1 on SW1 is tagged on egress with VID 201...

On Switch2 VID 201 is allowed on egress through ether 5
SW2:
/ip address
add address=192.168.201.1/24 interface=bridge1 network=192.168.201.0
...
/interface bridge vlan
add bridge=bridge1 tagged=ether5 vlan-ids=201
...
/interface bridge
add name=bridge1 pvid=201 vlan-filtering=yes
...
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5

From SW1 i can successfully ping 192.168.201.1 SW2 only if PVID on the Bridge itself on SW2 is set to 201...

-1. So since the traffic comes Tagged from SW1 and goes to SW2, SW2 allows VID to egress, so why if the PVID on the Bridge is different than 201 on SW2, SW1 can not communicate with SW2 ?
-2. Also i noticed that although ether5 is set to accept only tagged from SW1, and that works fine, if i do the same on the Bridge, to accept only tagged, communication is then lost... Why ?
-3. However, if I repeat the same, but this time on SW2 Interface VLAN is added on the Bridge, IP address to the VLAN interface, Tagged Ports the Bridge and ether 5, PVID value on the Bridge makes no difference and when setting the Bridge to accept Tagged traffic only it works just fine ...

That is what I have not understood since the beginning of the post: why the PVID on the bridge affects tagged traffic, why the Bridge behaves differently when only tagged traffic must be accepted and why using VLAN interfaces changes the whole behavior in comparison with 1,2...
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CRS317 Switch VLAN

Tue Sep 14, 2021 5:55 pm

Since you are intent on hijacking the thread.........
Why on earth would you put the pvid of the bridge to 201.....
Why are you assigning addresses on both switches, only the router (or switch acting as router requires address assignment).

To Christian,
So the router sends traffic down WHICH SUBNET to the switch?
Does the router provide DHCP for all the subnets?

What is the switch's function?
What are your expectations for the switch to do with the traffic
a. coming from the router
b. going to PC1
c. going to PC2
d. going to PC3

e. Why do you want PC3 on its own VLAN.
f. IS the switch supposed to provide the VLAN and DHCP for PC3
g. if PC1 PC2 and PC3 are supposed to see each other, why have the VLAN??
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: CRS317 Switch VLAN

Tue Sep 14, 2021 6:20 pm

@Zacharias:

1) If you change the PVID, on switch2, you are effectively changing the vlan it is on and so it cannot communicate with it anymore, especially with vlan-filtering and ingress-filtering enabled
2) The traffic coming from the bridge (internal) is what is affected by this setting - if you are using PVID then you are relying on the untagged traffic to make it through. By setting it to tagged only, you prevent the pvid from working
3) Using a vlan interface gets around these issues since it does the work of tagging the traffic and you don't need to worry about how the bridge handles the untagged traffic.
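
Added example, not part of any post in this thread: a simplified Python model of the behaviour mkx and biomesh describe for a bridge with vlan-filtering=yes (untagged frames are classified by PVID on ingress, egress is limited to members of that VLAN). It compares the configuration from the first post with mkx's suggestion; the function names, the flood-only forwarding and the tagged-only setting on ether4 are assumptions of this sketch, not RouterOS code.

```python
# Added example: simplified model of a VLAN-aware bridge flooding one frame.
from dataclasses import dataclass

ADMIT_ALL = "admit-all"
ONLY_TAGGED = "admit-only-vlan-tagged"
ONLY_UNTAGGED = "admit-only-untagged-and-priority-tagged"

@dataclass
class Port:
    pvid: int = 1                    # default PVID, as mentioned in the thread
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False

def members(ports, vlans, vid):
    """Map each member port of `vid` to 'tagged' or 'untagged' egress."""
    entry = vlans.get(vid, {})
    out = {p: "untagged" for p in entry.get("untagged", ())}
    # Ports whose PVID equals vid join it untagged, unless they are tagged-only.
    for name, port in ports.items():
        if port.pvid == vid and port.frame_types != ONLY_TAGGED:
            out[name] = "untagged"
    out.update({p: "tagged" for p in entry.get("tagged", ())})  # assumption: static tagged wins
    return out

def forward(ports, vlans, in_port, tag=None):
    """Return {egress_port: mode}; an empty dict means dropped or no receiver."""
    port = ports[in_port]
    if tag is None:
        if port.frame_types == ONLY_TAGGED:
            return {}                # untagged frame refused on ingress
        vid = port.pvid              # untagged frame is classified by PVID
    else:
        if port.frame_types == ONLY_UNTAGGED:
            return {}                # tagged frame refused on an access port
        vid = tag
    table = members(ports, vlans, vid)
    if port.ingress_filtering and in_port not in table:
        return {}                    # ingress port is not a member of this VID
    return {p: mode for p, mode in table.items() if p != in_port}

VLANS = {201: {"tagged": {"ether4"}}}    # /interface bridge vlan, same in both cases

def original_ports():
    """Config from the first post: only ether4 has pvid=201."""
    ports = {n: Port() for n in ("bridge1", "ether1", "ether2", "ether3")}
    ports["ether4"] = Port(pvid=201)
    return ports

def corrected_ports(bridge_frame_types=ADMIT_ALL):
    """mkx's suggestion: pvid=201 on ether1..3 and the bridge, none on ether4."""
    ports = {n: Port(pvid=201) for n in ("ether1", "ether2", "ether3")}
    ports["bridge1"] = Port(pvid=201, frame_types=bridge_frame_types)
    ports["ether4"] = Port(frame_types=ONLY_TAGGED, ingress_filtering=True)  # added hardening
    return ports

if __name__ == "__main__":
    for label, ports in (("original", original_ports()), ("corrected", corrected_ports())):
        print(label, forward(ports, VLANS, "ether1"), forward(ports, VLANS, "ether4", 201))
```

Calling corrected_ports(ONLY_TAGGED) reproduces biomesh's point 2: the bridge port then refuses its own untagged frames and is no longer an untagged member of VLAN 201.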
