Yes, that is our goal! And the "old style" bridges with VLAN interfaces and per-VLAN RSTP behavior also will remain.
> With the new MSTP implementation will MikroTik's STP/RSTP implementation behave like the standard (untagged BPDU that represents all VLANS)?
Has it been promised?
> will we be seeing MSTP in 6.40 (a later RC) perhaps? is it in planning?
In case it has, can you provide a link, please?
If not, please stop spamming with the topic not directly related to the 6.40rc series.
thank you for the much needed MSTP, as well to andriys for the much needed support in making this happen.
> !) bridge - implemented software based "igmp-snooping" (untested, undocumented, CLI only);
> !) bridge - implemented software based MSTP (untested, undocumented, CLI only);
> !) bridge - implemented software based vlan-aware bridges;
Will these "appropriate conditions" be documented on the wiki? When can we expect to see these?
> Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions.
Version 6.40rc36 has been released.
!) bridge - implemented software based "igmp-snooping" (untested, undocumented, CLI only);
IMHO stay with previous setup/version until implementation is stable and complete; to edit bridge/switch functionality adding MSTP and igmp snooping is surely not easy step for MT guys...
> ..cut.. What to do? ..cut..
It is obvious, but I want to know how to migrate existing things to these new implementations in the right way. Already downgraded.
> IMHO stay with previous setup/version
Becs, excellent thank you! This will be something we don't want to bungle in the documentation. It'd be great if we, the community, and you, MikroTik, are able to clearly articulate the behavior of each bridge and spanning-tree implementation. Hopefully it will aid those of us on the forum when we try to help fellow members solve problems and work to reduce inbound support cases to MikroTik techs.
> Yes, that is our goal! And the "old style" bridges with VLAN interfaces and per-VLAN RSTP behavior also will remain.
> > With the new MSTP implementation will MikroTik's STP/RSTP implementation behave like the standard (untagged BPDU that represents all VLANS)?
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 11,41-42,999 priority 12288
/interface bridge
add fast-forward=no name=br11
add fast-forward=no name=br41
add fast-forward=no name=br42
add fast-forward=no name=br999
add fast-forward=no name=loopback0
/interface bridge port
add bridge=br11 interface=eth2-vlan11
add bridge=br11 interface=eth3
add bridge=br11 interface=eth4
add bridge=br41 interface=eth2-vlan41
add bridge=br42 interface=eth2-vlan42
add bridge=br999 interface=eth2
/interface vlan
add interface=eth2 name=eth2-vlan11 vlan-id=11
add interface=eth2 name=eth2-vlan41 vlan-id=41
add interface=eth2 name=eth2-vlan42 vlan-id=42
spanning-tree mst configuration
name pri-211
revision 1
instance 1 vlan 11, 999
instance 2 vlan 41-42
spanning-tree mst 0 priority 8192
spanning-tree mst 1-2 priority 12288
spanning-tree mode mst
swi-core1#sh span vlan 1
MST0
Spanning tree enabled protocol mstp
Root ID Priority 8192
Address 8cb6.4f20.2180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 8192 (priority 8192 sys-id-ext 0)
Address 8cb6.4f20.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi1/0/47 Desg FWD 200000 128.47 P2p
swi-core1#
swi-core1#
swi-core1#sh span vlan 11
MST1
Spanning tree enabled protocol mstp
Root ID Priority 12289
Address 8cb6.4f20.2180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 12289 (priority 12288 sys-id-ext 1)
Address 8cb6.4f20.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi1/0/3 Desg FWD 20000 128.3 P2p Edge
Gi1/0/35 Desg FWD 20000 128.35 P2p Bound(PVST)
Gi2/0/35 Desg FWD 20000 128.91 P2p Bound(PVST)
swi-core1#
swi-core1#
swi-core1#sh span vlan 41
MST2
Spanning tree enabled protocol mstp
Root ID Priority 12290
Address 8cb6.4f20.2180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 12290 (priority 12288 sys-id-ext 2)
Address 8cb6.4f20.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi1/0/13 Desg FWD 20000 128.13 P2p Edge
Gi1/0/14 Desg FWD 20000 128.14 P2p Bound(PVST)
Gi1/0/15 Desg FWD 20000 128.15 P2p Edge
Gi1/0/35 Desg FWD 20000 128.35 P2p Bound(PVST)
Gi2/0/35 Desg FWD 20000 128.91 P2p Bound(PVST)
swi-core1#
swi-core1#
swi-core1#sh span
MST0
Spanning tree enabled protocol mstp
Root ID Priority 8192
Address 8cb6.4f20.2180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 8192 (priority 8192 sys-id-ext 0)
Address 8cb6.4f20.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi1/0/3 Desg FWD 20000 128.3 P2p Edge
Gi1/0/13 Desg FWD 20000 128.13 P2p Edge
Gi1/0/14 Desg FWD 20000 128.14 P2p Bound(PVST)
Gi1/0/15 Desg FWD 20000 128.15 P2p Edge
Gi1/0/35 Desg FWD 20000 128.35 P2p Bound(PVST)
Gi1/0/47 Desg FWD 200000 128.47 P2p
Gi2/0/35 Desg FWD 20000 128.91 P2p Bound(PVST)
MST1
Spanning tree enabled protocol mstp
Root ID Priority 12289
Address 8cb6.4f20.2180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 12289 (priority 12288 sys-id-ext 1)
Address 8cb6.4f20.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi1/0/3 Desg FWD 20000 128.3 P2p Edge
Gi1/0/35 Desg FWD 20000 128.35 P2p Bound(PVST)
Gi2/0/35 Desg FWD 20000 128.91 P2p Bound(PVST)
MST2
Spanning tree enabled protocol mstp
Root ID Priority 12290
Address 8cb6.4f20.2180
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 12290 (priority 12288 sys-id-ext 2)
Address 8cb6.4f20.2180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 20000 128.1 P2p Bound(PVST)
Gi1/0/13 Desg FWD 20000 128.13 P2p Edge
Gi1/0/14 Desg FWD 20000 128.14 P2p Bound(PVST)
Gi1/0/15 Desg FWD 20000 128.15 P2p Edge
Gi1/0/35 Desg FWD 20000 128.35 P2p Bound(PVST)
Gi2/0/35 Desg FWD 20000 128.91 P2p Bound(PVST)
swi-core1#
/interface bridge add name=br-master1 protocol-mode=mstp region-name=pri-211 region-revision=1 vlan-filtering=yes
/interface bridge msti add bridge=br-master1 identifier=1 vlan-mapping=11,999
/interface bridge msti add bridge=br-master1 identifier=2 vlan-mapping=41-42
/interface bridge vlan add bridge=br-master1 vlan-ids=1,42
/interface bridge port add bridge=br-master1 interface=eth4
/interface vlan add interface=br-master1 name=br-master1-vl42 vlan-id=42
[admin@rtr1] > interface bridge msti monitor 1
state: enabled
current-mac-address: 6C:3B:6B:AF:FE:DB
root-bridge: no
root-bridge-id: 0.00:00:00:00:00:00
regional-root-bridge-id: 0x3002.8C:B6:4F:20:21:80
root-path-cost: 0
root-port: eth4
port-count: 1
designated-port-count: 0
[admin@rtr1] > interface bridge port print where bridge=br-master1
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 eth4 br-master1 yes 1 0x80 10 10 none
1 eth5 br-master1 yes 1 0x80 10 10 none
[admin@rtr1] > interface bridge msti print
Flags: X - disabled
# BRIDGE IDENTIFIER PRIORITY VLAN-MAPPING
0 br-master1 1 0x8000 11
999
1 br-master1 2 0x8000 41-42
[admin@rtr1] >
[admin@rtr1] >
[admin@rtr1] > interface bridge msti monitor 0
state: enabled
current-mac-address: 6C:3B:6B:AF:FE:DB
root-bridge: no
root-bridge-id: 0.00:00:00:00:00:00
regional-root-bridge-id: 0x3001.8C:B6:4F:20:21:80
root-path-cost: 0
root-port: eth4
port-count: 2
designated-port-count: 0
[admin@rtr1] > interface bridge msti monitor 1
state: enabled
current-mac-address: 6C:3B:6B:AF:FE:DB
root-bridge: no
root-bridge-id: 0.00:00:00:00:00:00
regional-root-bridge-id: 0x3002.8C:B6:4F:20:21:80
root-path-cost: 0
root-port: eth4
port-count: 2
designated-port-count: 0
^^ I can't speak for the CRS as I don't have it but I'm learning as I go right now.
> I roll back to the previous rc,
> Until I figure out how to set up vlan and trunk on crs
/interface bridge add name=my-new-bridge
/interface bridge vlan add bridge=my-new-bridge vlan-ids=1,2,3,4,5,6,7 untagged=ether2
/interface vlan add name=my-new-bridge-vl2 interface=my-new-bridge vlan-id=2
/ip address add interface=my-new-bridge-vl2 address=10.1.2.21/24
If your CRS is running RouterOS then this would work. The point of MikroTik doing this is to remove the switch specific configurations. They are working to provide a single way to configure VLANs and RouterOS will do what is necessary to use hardware features away from the user.
> @idlemind
> Thanks, but maybe this config is for the router side, I will give a try later.
> As I using crs as a switch only , don't make sense that configuration, it will make useless the switch menu on crs
yes, i found myself blocked strangely by anti bruteforce rules...
> dynamic firewall address-list items are not being removed when they expire.
/interface ethernet
set [ find default-name=ether2 ] name=ether1
set [ find default-name=ether1 ] name=ether2
/interface ethernet
set [ find default-name=ether5 ] mac-address=64:D1:54:CF:04:3B
set [ find default-name=ether11 ] speed=1Gbps
set [ find default-name=ether12 ] name=ether12-IoT
set [ find default-name=ether13 ] name=ether13-WAN
[djoyce@Intrus_AltaLoma] /interface ethernet> print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
2 RS ether3 1500 64:D1:54:CF:04:3A enabled none switch1
3 RS ether4 1500 64:D1:54:CF:04:3B enabled none switch1
4 RS ether5 1500 64:D1:54:CF:04:3B enabled none switch1
5 RS ether6 1500 64:D1:54:CF:04:3D enabled none switch2
Does /interface ethernet reset-mac-address ether5 command fail?
> before this RC, ether5 was 64:D1:54:CF:04:3C. I can't get it to change back
Ok, I tried this upgrade again. Before the upgrade I had disabled bridge from some old experiments or config. Bridge had only one port ether2. Mikrotik has some script inside this new version, which converts master-slave into bridge. Script took that bridge and placed other ports that was in master-slave into that bridge and enabled it.
> I have rb2011 with 2 to 5 ports in master-slave relations via "master-port". Also I had switch filter rule to limit broadcast packets to 5th port of this group flowing from other ports in this group (I have wifi access point on this 5th port and significant broadcasts on other ports). What should I do now with these new changes about discontinuing master-port? I tried to set up bridge and bridge filter rules, but after adding a rule I lost "fast path". What to do? And yes, switch rule is in place and not working, broadcasts are forwarded to 5th port:
> add dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF mac-protocol=ip ports=ether2-sv,ether3,ether4 switch=switch1 new-dst-ports=ether2-sv,ether3,ether4,switch1-cpu
> Master is ether2, and 3-5 are slaves.
Quite how you expect anybody to be able to understand or test this in any meaningful way (and thus provide meaningful feedback), without any documentation whatsoever, is beyond me.
> !) bridge - implemented software based MSTP (untested, undocumented, CLI only);
> !) switch - "master-port" conversion into a bridge with hardware offload "hw" option (undocumented, CLI only);
hw=true is the default when you add new ports to a bridge. So your problem did not come from here I think.
> Ok, I tried this upgrade again. Before the upgrade I had disabled bridge from some old experiments or config. Bridge had only one port ether2. Mikrotik has some script inside this new version, which converts master-slave into bridge. Script took that bridge and placed other ports that was in master-slave into that bridge and enabled it.
> > I have rb2011 with 2 to 5 ports in master-slave relations via "master-port". Also I had switch filter rule to limit broadcast packets to 5th port of this group flowing from other ports in this group (I have wifi access point on this 5th port and significant broadcasts on other ports). What should I do now with these new changes about discontinuing master-port? I tried to set up bridge and bridge filter rules, but after adding a rule I lost "fast path". What to do? And yes, switch rule is in place and not working, broadcasts are forwarded to 5th port:
> > add dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF mac-protocol=ip ports=ether2-sv,ether3,ether4 switch=switch1 new-dst-ports=ether2-sv,ether3,ether4,switch1-cpu
> > Master is ether2, and 3-5 are slaves.
If I remember it right, I deleted that not needed bridge, recreated it with new name. And of course I did not set "hw=yes" to the ports, didn't know how, because it is new feature etc.etc. Absence of knowledge.
Second try after downgrade and restore from backup. I deleted that disabled bridge and upgraded. Now script created new "bridge1" and places master-slave ports into it.
My switch rule is working fine now.
To sum this up I was confused why my disabled bridge becomes enabled, deleted it and created new one without hw=true.
I think it will be better, if conversion script will not touch existing bridges and will create a new one to not confuse people. Or at least write a note to community what will be done.
That's true, specially for bridges, where at least two important things did change : vlan filtering and the new software / hardware bridge with hw=yes default port option.
> Quite how you expect anybody to be able to understand or test this in any meaningful way (and thus provide meaningful feedback), without any documentation whatsoever, is beyond me.
> > !) bridge - implemented software based MSTP (untested, undocumented, CLI only);
> > !) switch - "master-port" conversion into a bridge with hardware offload "hw" option (undocumented, CLI only);
Well said !!!
> Quite how you expect anybody to be able to understand or test this in any meaningful way (and thus provide meaningful feedback), without any documentation whatsoever, is beyond me.
> > !) bridge - implemented software based MSTP (untested, undocumented, CLI only);
> > !) switch - "master-port" conversion into a bridge with hardware offload "hw" option (undocumented, CLI only);
I too think documentation is a good thing. You have to remember this is the RC thread. From the development perspective they probably wanted the feature out in the wild over the weekend. I imagine and expect MikroTik to work with the community to create and update the documentation as we move towards GA of 6.40.
> Well said !!!
> > Quite how you expect anybody to be able to understand or test this in any meaningful way (and thus provide meaningful feedback), without any documentation whatsoever, is beyond me.
> > > !) bridge - implemented software based MSTP (untested, undocumented, CLI only);
> > > !) switch - "master-port" conversion into a bridge with hardware offload "hw" option (undocumented, CLI only);
< set [ find default-name=ether3 ] master-port=ether2
< set [ find default-name=ether4 ] master-port=ether2
< set [ find default-name=ether5 ] master-port=ether2
---
> /interface bridge
> add admin-mac=D4:CA:6D:D6:6E:C3 auto-mac=no igmp-snooping=no name=bridge1 \
> protocol-mode=none
20a23,27
> /interface bridge port
> add bridge=bridge1 interface=ether3
> add bridge=bridge1 interface=ether4
> add bridge=bridge1 interface=ether5
> add bridge=bridge1 interface=ether2
Hi
> Tested upgrade (not new features) on...
> CCR1009, 2xCRS226, RB922UAGS-5HPacT, RB Metal 2SHPn, RB493G
> All went OK except for the 1st CRS226. That switch was configured as a dumb switch. No bridges, all ports switched, 2 VLANS with the mgmt IP address on one of the ports. not the master as it turns out. After the upgrade I lost all contact with the switch including mac-telnet, romon, etc. The only way back was to do a reset. After getting basic connectivity back, I restored the backup and after the reboot I got connectivity and saw the new bridge created. Everything else was intact. The 2nd CRS was configured the same way but before the upgrade, I created a bridge myself, assigned the mgmt ip address to it and added the master port to it. It then upgraded fine.
> I also ran a bandwidth test from the CCR to the RB493G through one of the CRSs to make sure that I was getting wire speed through the CRS switch chip even with all ports having their master port set to none. I was. CPU utilization on the CRS remained about 5%.
Does /interface ethernet reset-mac-address ether5 command fail?
> before this RC, ether5 was 64:D1:54:CF:04:3C. I can't get it to change back
Is it what you are looking for ?
> EDIT 2: I'm taking a break for a bit, I'm not seeing a way to configure MST instances yet
[admin@MikroTik] /interface bridge msti> print detail
Flags: X - disabled
0 identifier=5 bridge=bridge3 priority=0x6400 vlan-mapping=4060
[admin@MikroTik] /interface bridge msti>
FIPTech I think that's it. I was outside working on the garden until I just checked my phone. I'll check lab later tonight and let you know. That said, I'm pretty sure it is. Not sure how I missed that sub menu lol.
> Is it what you are looking for ?
> > EDIT 2: I'm taking a break for a bit, I'm not seeing a way to configure MST instances yet
[admin@MikroTik] /interface bridge msti> monitor 0
state: enabled
current-mac-address: 00:00:00:00:00:00
root-bridge: yes
root-bridge-id: 0x6005.00:00:00:00:00:00
regional-root-bridge-id: 0x6005.00:00:00:00:00:00
root-path-cost: 0
root-port: none
port-count: 2
designated-port-count: 0
/tool fetch url=(https://api.telegram.org/botXXX/sendMessagechat_id=YYY&text=test) check-certificate=no keep-result=no mode=https
failure: invalid URL protocol
Syntax is not correct I think.
> I am try and receive error:
> /tool fetch url=(https://api.telegram.org/botXXX/sendMessagechat_id=YYY&text=test) check-certificate=no keep-result=no mode=https
> failure: invalid URL protocol
/tool fetch url="https://api.telegram.org/botxxx/sendMessage\?chat_id=yyy&text=Bonjour" keep-result=no
As far as I can tell, there's no difference. You still use the switch menu to manage VLANs just as before.
> Hi
> @gtj
> Can you post your config?
> I have a 450g as router
> Crs 125 as layer 2 switch with vlan 2-8,99,210,220 using the switch menu
> But I can't figure out how to set up vlan on new config mode.
What you mean for switched port
> ***WARNING*** Attempting to disable or delete a bridge port corresponding to a switched port will render the device inaccessible!! Only a reboot will bring it back. Happens on my CCR1009 and CRS226's.
A port that is connected to the switch chip. For the CRSs, it's all of them. For the CCR1009, it's ports 1-4.
> What you mean for switched port
> > ***WARNING*** Attempting to disable or delete a bridge port corresponding to a switched port will render the device inaccessible!! Only a reboot will bring it back. Happens on my CCR1009 and CRS226's.
Hmm,
> As far as I can tell, there's no difference. You still use the switch menu to manage VLANs just as before.
> > Hi
> > @gtj
> > Can you post your config?
> > I have a 450g as router
> > Crs 125 as layer 2 switch with vlan 2-8,99,210,220 using the switch menu
> > But I can't figure out how to set up vlan on new config mode.
So far in my testing the hw=on flag has been set by default for my hex w/MT7621. Not sure if it's going to cause functionality issues. I'd imagine the software is smart-enough to only enable hardware support if it's warranted.
> Good news!
> Will bridge on MT7621 have hw offloaded vlans?
Looks like something that can almost cause a seizure or headache. Luckily I don't have that anymore.
> After updating to version 6.40rc36 I observe the blinking display on RB2011UiAS
> https://drive.google.com/open?id=0B6LPC ... S1lSU5ja0k
Yes. And IP source guard of some sort?
> "Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) "
> What about bonding? How bridge will use switch-chip?
[admin@MikroTik] /interface bridge port> print detail
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
0 interface=VLAN-LAB-Ether2 bridge=bridge3 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto external-fdb=auto horizon=none hw=yes
auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no
[admin@MikroTik] /interface bridge> print detail
Flags: X - disabled, R - running
0 R name="bridge3" mtu=auto actual-mtu=1500 l2mtu=1516 arp=enabled arp-timeout=auto mac-address=00:0C:42:70:13:66 protocol-mode=none fast-forward=yes igmp-snooping=no
priority=0x9000 auto-mac=yes admin-mac=02:3C:97:6D:89:E1 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="002561e33e80"
region-revision=0 max-hops=20 vlan-filtering=no pvid=1
[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 VLAN-LAB-Ether2 bridge3 yes 1 0x80 10 10 none
1 I H ether5 bridge1 yes 1 0x80 10 10 none
2 I vlan1 bridge1 yes 1 0x80 10 10 none
Isn't this supposed to be all automatic in the future versions? What I read in the initial announcement was that all switch configuration would
> On RB750G [AR8316] to keep hw-offload enabled with VLANs, they have to be configured in "/interface ethernet switch" menu.

Yup, this was the impression I got too and what I was excited about. Tbh the "switch chip" configurations were way too hard. Cisco shows how to do it right with trunk and access ports or routed interfaces with sub-interfaces. The important thing is the 2 methods they use are consistent and have been present for a very long time. This reduces complexity and abstracts any kind of acceleration away from the user.
> Isn't this supposed to be all automatic in the future versions? What I read in the initial announcement was that all switch configuration would
> > On RB750G [AR8316] to keep hw-offload enabled with VLANs, they have to be configured in "/interface ethernet switch" menu.
> be migrated into bridge configuration where the hw offloading to switch features would be done as far as possible. That would be great, as
> the existing situation with bridge and switch (especially with added STP support) was becoming more and more confusing for newcomers.
> To really solve that, it would be best if "switch" configuration would disappear entirely from user view.
[admin@MikroTik] /interface bridge vlan> print detail
Flags: X - disabled, D - dynamic
0 D bridge=bridge3 vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge3,VLAN-LAB-Ether2
As soon as the GUI / Console gives a good understanding of the underlying technology, it's not a problem for me to have something slightly different compared to other manufacturers or even compared to previous hardware. Mikrotik is the right solution for cost (low cost hardware and free software updates).
> This puts you in the position someone like Cisco is in. Easy and consistent to configure across your platforms for layer 2.
> TLDR; consistency breeds confidence and confidence brings hardware sales.
My MT7621 doesn't seem to shut off hw-offload correctly. If I'm assuming correctly, any VLAN actions should disable the hw-offload feature for that chipset. While the VLAN configuration options are present for the Ethernet switch in RouterOS they up until this point have never produced a functioning VLAN configuration in practice. Support ticket #2017032422000958 will confirm this behavior. You can configure it all day long on the hex but it simply won't work in practice. I'm guessing at least in rc36 I'll need to manually disable hw-offload until the detection has been fixed or this release now enables VLAN switching in hardware for the hex. Please clarify.
> For starters, here is clarification about bridge hardware offloading:
> https://wiki.mikrotik.com/wiki/Manual:S ... Offloading
> Information about the new bridge VLAN implementation is coming next.
/interface bridge
add name=br-master1 protocol-mode=mstp region-name=pri-211 region-revision=1 vlan-filtering=yes
/interface bridge msti
add bridge=br-master1 identifier=1 vlan-mapping=11,999
add bridge=br-master1 identifier=2 vlan-mapping=41-42
/interface bridge port
add bridge=br-master1 interface=eth4
add bridge=br-master1 interface=eth5
/interface bridge vlan
add bridge=br-master1 tagged=eth4,eth5 vlan-ids=1,42
[admin@rtr1] > interface bridge port print where bridge=br-master1
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 eth4 br-master1 yes 1 0x80 10 10 none
1 eth5 br-master1 yes 1 0x80 10 10 none
+1 reading now.
> Here is the article about new VLAN-aware bridge implementation:
> https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
> A couple examples will be added and more information will be updated based on your feedback.
@becs
> Here is the article about new VLAN-aware bridge implementation:
> https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
> A couple examples will be added and more information will be updated based on your feedback.
on CRS 125 the vlan on switch menu, i ignore / wipe up ?
On VLAN Example #2 (Trunk and Hybrid Ports) there is a port mismatch
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether4 vlan-ids=300
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether5 vlan-ids=400
Seems right to me. Ether2 and ether8 are trunk ports for vlan 200, 300 and 400. Ether6 is trunk for vlan 300. Ether7 is trunk for vlan 200 and 400.
> @becs
> On VLAN Example #2 (Trunk and Hybrid Ports) there is a port mismatch
> /interface bridge vlan
> add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether3 vlan-ids=200
> add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether4 vlan-ids=300
> add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether5 vlan-ids=400
> on CRS 125 the vlan on switch menu, i ignore / wipe up ?
Is not,
> Seems right to me. Ether2 and ether8 are trunk ports for vlan 200, 300 and 400. Ether6 is trunk for vlan 300. Ether7 is trunk for vlan 200 and 400.
> Ether3 is access port for vlan 200, ether4 is access port for vlan 300, ether5 is access port for vlan 400.
I agree with raffav, it doesn't look right to me either.
> Seems right to me. Ether2 and ether8 are trunk ports for vlan 200, 300 and 400. Ether6 is trunk for vlan 300. Ether7 is trunk for vlan 200 and 400.
> > @becs
> > On VLAN Example #2 (Trunk and Hybrid Ports) there is a port mismatch
> > /interface bridge vlan
> > add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether3 vlan-ids=200
> > add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether4 vlan-ids=300
> > add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether5 vlan-ids=400
> > on CRS 125 the vlan on switch menu, i ignore / wipe up ?
> Ether3 is access port for vlan 200, ether4 is access port for vlan 300, ether5 is access port for vlan 400.
Something is not clear to me for vlan-id=1, the default for PVID.
> Here is the article about new VLAN-aware bridge implementation:
> https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
> A couple examples will be added and more information will be updated based on your feedback.
also, 'add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether8 vlan-ids=400' should be 'add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400', I believe
> Here is the article about new VLAN-aware bridge implementation:
> https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
> A couple examples will be added and more information will be updated based on your feedback.
Yes, the below methods.
> Currently RouterOS6.40rc does support any of EAP authentication methods?
/interface bridge port
add bridge=br-trunk1 interface=ether23
add bridge=br-trunk1 interface=ether19
add bridge=br-trunk1 interface=ether22
add bridge=br-trunk1 interface=ether2 pvid=2
add bridge=br-trunk1 interface=ether3 pvid=2
add bridge=br-trunk1 interface=ether4 pvid=2
add bridge=br-trunk1 interface=ether5 pvid=2
add bridge=br-trunk1 interface=ether6 pvid=2
add bridge=br-trunk1 interface=ether7 pvid=2
add bridge=br-trunk1 interface=ether8 pvid=2
add bridge=br-trunk1 interface=ether20 pvid=220
/interface bridge vlan
add bridge=br-trunk1 tagged=ether23 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=2
add bridge=br-trunk1 tagged=ether19,ether23 vlan-ids=4,5,6,7,99
add bridge=br-trunk1 tagged=ether22,ether23 vlan-ids=210,220
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400
Has the RouterOS behavior changed.. I haven't tried it yet but this confusion has been discussed here:
> So it seems logical to use vlan-id=0 internally to mark untagged traffic instead of using the conflicting (according to me) vlan-id=1 ?
For Example #2 I believe you are correct.
> also, 'add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether8 vlan-ids=400' should be 'add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400', I believe
You are missing ether20 from the /interface vlan bridge section. Needs to be listed like
> Can any one help me on my scenario ?
> vlan 220 port 20
> /interface bridge vlan
> add bridge=br-trunk1 tagged=ether23 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=2
> add bridge=br-trunk1 tagged=ether19,ether23 vlan-ids=4,5,6,7,99
> add bridge=br-trunk1 tagged=ether22,ether23 vlan-ids=210,220
add bridge=br-trunk1 untagged=ether20 vlan-ids=220
that is the problem
> You are missing ether20 from the /interface vlan bridge section. Needs to be listed like
> add bridge=br-trunk1 untagged=ether20 vlan-ids=220
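
The two mistakes discussed above (ether8 listed as both tagged and untagged for VLAN 400 in the wiki example, and ether20 carrying pvid=220 with no untagged entry for VLAN 220) can be caught by auditing the export text before it is applied. This is an added example, not code from the thread or from MikroTik; it reads only the static configuration text, checks only ports whose pvid is set explicitly (an assumption made here), and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the br-trunk1 sections as posted in the thread, plus the
# VLAN 400 line quoted from the wiki example (bridge1).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=br-trunk1 interface=ether23
add bridge=br-trunk1 interface=ether19
add bridge=br-trunk1 interface=ether22
add bridge=br-trunk1 interface=ether2 pvid=2
add bridge=br-trunk1 interface=ether3 pvid=2
add bridge=br-trunk1 interface=ether4 pvid=2
add bridge=br-trunk1 interface=ether5 pvid=2
add bridge=br-trunk1 interface=ether6 pvid=2
add bridge=br-trunk1 interface=ether7 pvid=2
add bridge=br-trunk1 interface=ether8 pvid=2
add bridge=br-trunk1 interface=ether20 pvid=220
/interface bridge vlan
add bridge=br-trunk1 tagged=ether23 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=2
add bridge=br-trunk1 tagged=ether19,ether23 vlan-ids=4,5,6,7,99
add bridge=br-trunk1 tagged=ether22,ether23 vlan-ids=210,220
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether8 vlan-ids=400
"""

KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def _names(value):
    """Split a comma-separated RouterOS list value into a set of names."""
    return {item for item in value.strip('"').split(",") if item}


def _vlan_ids(value):
    """Expand a vlan-ids value such as '4,5,41-42' into a set of integers."""
    ids = set()
    for part in _names(value):
        low, _, high = part.partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def parse_export(text):
    """Return (ports, vlans) parsed from bridge port / bridge vlan 'add' lines."""
    text = re.sub(r"\\\s*\n\s*", " ", text)  # join backslash-continued lines
    ports, vlans, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Accept both "/menu" headers and one-line "/menu add ..." commands.
            head, sep, rest = line.partition(" add ")
            section = head.strip()
            if not sep:
                continue
            line = "add " + rest
        if not line.startswith("add "):
            continue
        kv = dict(KEY_VALUE.findall(line))
        if "bridge" not in kv:
            continue
        if section == "/interface bridge port" and "interface" in kv:
            pvid = int(kv["pvid"]) if "pvid" in kv else None
            ports.append({"bridge": kv["bridge"], "interface": kv["interface"], "pvid": pvid})
        elif section == "/interface bridge vlan":
            vlans.append({"bridge": kv["bridge"],
                          "vlan_ids": _vlan_ids(kv.get("vlan-ids", "")),
                          "tagged": _names(kv.get("tagged", "")),
                          "untagged": _names(kv.get("untagged", ""))})
    return ports, vlans


def audit(ports, vlans):
    """Return findings as (kind, bridge, vlan_id, interface) tuples."""
    tagged, untagged = defaultdict(set), defaultdict(set)
    for entry in vlans:
        for vid in entry["vlan_ids"]:
            tagged[(entry["bridge"], vid)] |= entry["tagged"]
            untagged[(entry["bridge"], vid)] |= entry["untagged"]
    findings = []
    # Check 1: one port both tagged and untagged in the same VLAN.
    for key in sorted(set(tagged) & set(untagged)):
        for iface in sorted(tagged[key] & untagged[key]):
            findings.append(("tagged-and-untagged", key[0], key[1], iface))
    # Check 2: explicit pvid with no matching untagged entry in the static table.
    for port in ports:
        if port["pvid"] is None:
            continue  # assumption: default-pvid (trunk) ports are not checked
        key = (port["bridge"], port["pvid"])
        if port["interface"] not in untagged.get(key, set()):
            findings.append(("pvid-not-untagged", key[0], key[1], port["interface"]))
    return findings


if __name__ == "__main__":
    for finding in audit(*parse_export(SAMPLE_EXPORT)):
        print(finding)
```
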
Never mind
host print where !local
Flags: L - local, E - external-fdb
BRIDGE VID MAC-ADDRESS ON-INTERFACE AGE
br-trunk1 1 08:EB:74:44:0E:C0 ether6 50s
br-trunk1 1 4C:5E:0C:47:53:3E ether23 1s
br-trunk1 1 4C:5E:0C:7E:74:3F ether19 7s
br-trunk1 1 74:D4:35:B1:E4:FD ether4 4s
br-trunk1 2 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 3 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 4 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 5 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 6 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 6 4C:5E:0C:7E:74:3F ether19 0s
br-trunk1 7 18:83:BF:B5:EB:F1 ether19 6s
br-trunk1 7 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 7 4C:5E:0C:7E:74:3F ether19 0s
br-trunk1 7 90:B9:31:A1:C1:92 ether19 3s
br-trunk1 7 A4:77:33:FF:A8:94 ether19 5s
br-trunk1 99 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 99 4C:5E:0C:7E:74:3F ether19 0s
br-trunk1 210 4C:5E:0C:47:53:3E ether23 0s
br-trunk1 220 00:90:D0:63:FF:00 ether22 1m29s
br-trunk1 220 0C:A4:02:D5:9A:9C ether22 0s
br-trunk1 220 4C:5E:0C:47:53:3E ether23 1s
br-trunk1 220 84:8D:C7:21:E0:3D ether20 2s
Yes, but regardless what is used internally to mark untagged traffic, and regardless the induced confusion, it seems to me important that untagged traffic does not conflict with the use of tagged vlan1 (commonly used as the default vlan-id for the primary vlan inside switches).
Has the RouterOS behavior changed.. I haven't tried it yet but this confusion has been discussed here:
viewtopic.php?f=2&t=115115&p=572377&hil ... +0#p572377
Different vendors use different approaches to native VLAN..
[admin@MikroTik] /interface bridge> print detail
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1520 arp=enabled arp-timeout=auto mac-address=00:0C:42:70:13:66 protocol-mode=none
fast-forward=yes igmp-snooping=no priority=0x8000 auto-mac=no admin-mac=00:0C:42:70:13:66 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 max-hops=20 vlan-filtering=yes pvid=1
Did you create a VLAN interface with the interface set to the VLAN aware bridge and a VLAN ID of 99 and assign the IP to the VLAN interface?
In my understanding native vlan is always untagged even on trunk port
On cisco is 1 by default
I used vlan 99 tagged to be my management vlan, but now on this new way I can't find
PS
My dot1q it is on my rb 450g where All vlan is set up on eth 2.
And management ip is set to vlan 99
But I can't ping it.
Sent from my XT1580 using Tapatalk
If you are using the new vlan aware bridge method (vlan filtering), my understanding is that you should put your vlan interface on your bridge, not the physical port. And put your vlan99 management IP address on this interface.
Did you create a VLAN interface with the interface set to the VLAN aware bridge and a VLAN ID of 99 and assign the IP to the VLAN interface?
In my understanding native vlan is always untagged even on trunk port
Yes
On both
Crs and 450
I set interface vlan
Vlan id 99 on eth 23/2
And set ip on vlan
Just to be clear
Vlan is linked to eth and not to bridge
Sent from my XT1580 using Tapatalk
[admin@MikroTik] /interface bridge vlan> print detail
Flags: X - disabled, D - dynamic
0 bridge=bridge vlan-ids=300 tagged=ether2,bridge untagged="" current-tagged=bridge,ether2 current-untagged=""
1 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge,ether3,ether2
[admin@MikroTik] /interface vlan> print detail
Flags: X - disabled, R - running, S - slave
0 R name="VLAN-INVITE" mtu=1500 l2mtu=1516 mac-address=00:0C:42:70:13:66 arp=enabled arp-timeout=auto
loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m
vlan-id=300 interface=bridge use-service-tag=no
[admin@MikroTik] /ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf
address=192.168.88.1/24 network=192.168.88.0 interface=bridge actual-interface=bridge
1 D address=192.168.88.10/24 network=192.168.88.0 interface=bridge actual-interface=bridge
2 D address=192.168.220.152/26 network=192.168.220.128 interface=VLAN-INVITE actual-interface=VLAN-INVITE
How can spanning tree port states be seen? (show spanning-tree equivalent)
/interface bridge monitor bridge1
/interface bridge port monitor [find where bridge=bridge1]
/interface bridge msti monitor [find]
Currently, it is not supported.
Any way to enable STP / RSTP / MSTP logging ?
Thanks becs
How can spanning tree port states be seen? (show spanning-tree equivalent)
/interface bridge monitor bridge1
/interface bridge port monitor [find where bridge=bridge1]
/interface bridge msti monitor [find]
Agree but winbox isn't always possible to use.
I think it would be interesting to have an option inside Winbox to automatically create a vlan rule on a bridge when adding a vlan interface to it.
This would create a vlan rule with the vlan id of the interface, including all bridge ports.
Victory, I now feel confident enough to migrate some additional VLANs over now
Thanks becs
How can spanning tree port states be seen? (show spanning-tree equivalent)
/interface bridge monitor bridge1
/interface bridge port monitor [find where bridge=bridge1]
/interface bridge msti monitor [find]
[admin@rtr1] > interface bridge port monitor [ find where bridge=br-master1 ]
interface: eth4 eth5
status: in-bridge in-bridge
port-number: 1 2
role: root-port alternate-port
edge-port: no no
edge-port-discovery: yes yes
point-to-point-port: no no
external-fdb: no no
sending-rstp: yes yes
learning: yes no
forwarding: yes no
internal-root-path-cost: 10 10
designated-bridge: 0x2000.8C:B6:4F:20:21:80 0x2000.8C:B6:4F:20:21:80
designated-internal-cost: 0 0
designated-port-number: 57 58
multicast-router: no no
Another possibility would be to optionally create a default vlan rule for newly created bridges, allowing all tagged vlan-id on all ports of the bridge. If this does not trigger a performance issue.
Agree but winbox isn't always possible to use.
I think it would be interesting to have an option inside Winbox to automatically create a vlan rule on a bridge when adding a vlan interface to it.
This would create a vlan rule with the vlan id of the interface, including all bridge ports.
I still think that step need to be simplified
Sent from my XT1580 using Tapatalk
you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..
It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
i think something like that
Another possibility would be to optionally create a default vlan rule for newly created bridges, allowing all tagged vlan-id on all ports of the bridge. If this does not trigger a performance issue.
I tried to put such a rule, with vlan-ids 2-4094. This does not seem to raise the CPU %.
# This part you tell Mikrotik the port mode
/interface bridge port
add bridge=br-trunk1 interface=ether23 |\
add bridge=br-trunk1 interface=ether19 | TRUNK PORTS
add bridge=br-trunk1 interface=ether22 |/
add bridge=br-trunk1 interface=ether2 pvid=2 |\
add bridge=br-trunk1 interface=ether3 pvid=2 | \
add bridge=br-trunk1 interface=ether4 pvid=2 | \
add bridge=br-trunk1 interface=ether5 pvid=2 | \
add bridge=br-trunk1 interface=ether6 pvid=2 | \
add bridge=br-trunk1 interface=ether7 pvid=2 | \
add bridge=br-trunk1 interface=ether8 pvid=2 | ACCESS PORTS
add bridge=br-trunk1 interface=ether17 pvid=2 | /
add bridge=br-trunk1 interface=ether18 pvid=2 | /
add bridge=br-trunk1 interface=ether14 pvid=4 | /
add bridge=br-trunk1 interface=ether15 pvid=5 | /
add bridge=br-trunk1 interface=ether17 pvid=2 | /
add bridge=br-trunk1 interface=ether20 pvid=220|/
/interface bridge vlan
## Make Mikrotik smart enough to understand that vlans belong to the same bridge
# Tell that on eth is allowed only this tagged vlan
add bridge=br-trunk1 interface=ether23 tagged-vlan-ids=2,4,5,6,7,99,210,220
# Tell that on eth is allowed only this tagged vlan
add bridge=br-trunk1 interface=ether19 tagged-vlan-ids=4,5,6,7,99
# Tell that on eth is allowed only this tagged vlan
add bridge=br-trunk1 interface=ether22 tagged-vlan-ids=210,220
#----------------------------------
# a Hybrid mode e.g
add bridge=br-trunk1 interface=ether22 tagged-vlan-ids=210,220 untagged-vlan-ids=2
I think he means "have vlan 1 tagged on some port, and at the same time have some other vlan untagged on that or another port".
you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..
It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
FIPTech, I'm not following you. I just did a test with 2 MikroTiks and 2 Cisco routers in GNS3. I used the new VLAN aware bridges with the PVID set to 1. I added an IP directly to the bridge. I set up the link between the MikroTiks to send traffic untagged for VLAN1 and the Cisco routers to tag VLAN1 with an IP on that sub-interface.
According to a simple test i've just done on a vlan aware bridge, it is not possible to use tagged vlan 1 and untagged traffic at the same time.
As soon as a bridge vlan rule is set with vlan-ids=1 and bridge ports added as tagged, Winbox connection (connected on the bridge untagged vlan IP) is lost.
This result seems to confirm what i felt yesterday : because of the internal vlan id = 1 used for untagged external traffic, It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
The hardware switches i'm used to, (procurves) do allow to use untagged and tagged vlan=1 at the same time without any problem. More, vlan=1 is the default vlan vlan-id in those switches. This mean that it is not uncommon to see vlan 1 tagged inside an hybrid trunk, with untagged traffic from another vlan. In this case, it is not possible to connect such an hybrid trunk on a Mikrotik vlan aware bridge.
Please confirm. If i'm right this should be clearly stated in the documentation, or better, corrected in the code.
/interface bridge
add name=br-master1 protocol-mode=stp vlan-filtering=yes
/interface bridge port
add bridge=br-master1 interface=ether4
add bridge=br-master1 interface=ether1
add bridge=br-master1 interface=ether2
/interface bridge vlan
add bridge=br-master1 untagged=ether1,ether2 vlan-ids=999
add bridge=br-master1 tagged=ether1,ether2 vlan-ids=1
/ip address
add address=192.168.1.11/24 interface=br-master1 network=192.168.1.0
/interface bridge
add name=br-master1 protocol-mode=stp vlan-filtering=yes
/interface bridge port
add bridge=br-master1 interface=ether4
/ip address
add address=192.168.1.21/24 interface=br-master1 network=192.168.1.0
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1
ip address 192.168.1.31 255.255.255.0
!
interface FastEthernet0/0.999
encapsulation dot1Q 999 native
c1#ping 192.168.1.21 repeat 4
Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 192.168.1.21, timeout is 2 seconds:
!!!!
Success rate is 100 percent (4/4), round-trip min/avg/max = 4/9/20 ms
^^ Exactly the reason I create and use VLAN999 on all of my switch to switch (or VLAN speaking router) links as the untagged VLAN. I also ensure that no IP addressing is ever applied to VLAN999. This is 1 of 2 recommended approaches for dealing with VLAN hopping. The other is to tag all traffic including the native VLAN. This method is less common and essentially discards any untagged traffic (in a similar fashion as having it on a non-routable VLAN).
I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.
exactly
^^ Exactly the reason I create and use VLAN999 on all of my switch to switch (or VLAN speaking router) links as the untagged VLAN. I also ensure that no IP addressing is ever applied to VLAN999. This is 1 of 2 recommended approaches for dealing with VLAN hopping. The other is to tag all traffic including the native VLAN. This method is less common and essentially discards any untagged traffic (in a similar fashion as having it on a non-routable VLAN).
I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.
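The points raised in the posts above (the missing ether20 entry for its pvid, VLAN 1 tagged on a port whose untagged traffic is also classified into VLAN 1, and keeping the untagged VLAN of switch-to-switch links off VLAN 1 and off access ports) can be checked against an exported configuration. The following Python audit is an added example, not code from the thread or from MikroTik; the finding names, the constructed sample config and the choice to check only explicitly set pvid values against the VLAN table are assumptions.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample in the style of the configs posted in this thread.
SAMPLE = """\
/interface bridge port
add bridge=br-trunk1 interface=ether23
add bridge=br-trunk1 interface=ether22 pvid=999
add bridge=br-trunk1 interface=ether2 pvid=2
add bridge=br-trunk1 interface=ether20 pvid=220
/interface bridge vlan
add bridge=br-trunk1 tagged=ether23 untagged=ether2 vlan-ids=2
add bridge=br-trunk1 tagged=ether22,ether23 vlan-ids=210,220
add bridge=br-trunk1 tagged=ether23 vlan-ids=1
add bridge=br-trunk1 untagged=ether22 vlan-ids=999
"""


def expand_ids(spec):
    """Expand a vlan-ids value such as '4,5,99' or '2-4094' into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_export(text):
    """Parse the bridge port and bridge vlan sections of an export.

    Returns (ports, tagged, untagged) where
      ports    = {interface: (pvid, pvid_was_explicit)}
      tagged   = {vlan_id: set of interfaces}
      untagged = {vlan_id: set of interfaces}
    """
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    ports, tagged, untagged = {}, defaultdict(set), defaultdict(set)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if section == "/interface bridge port" and "interface" in kv:
            # pvid defaults to 1 when it is not set on the port
            ports[kv["interface"]] = (int(kv.get("pvid", 1)), "pvid" in kv)
        elif section == "/interface bridge vlan":
            for vid in expand_ids(kv.get("vlan-ids", "")):
                tagged[vid].update(filter(None, kv.get("tagged", "").split(",")))
                untagged[vid].update(filter(None, kv.get("untagged", "").split(",")))
    return ports, tagged, untagged


def audit(text):
    """Return a sorted list of (finding, port, vlan_id) tuples."""
    ports, tagged, untagged = parse_export(text)
    # A port counts as a trunk here if any VLAN is tagged on it.
    trunks = {p for members in tagged.values() for p in members if p in ports}
    findings = set()
    for port, (pvid, explicit) in ports.items():
        # ether20 case: pvid set, but no untagged entry for that VLAN.
        if explicit and port not in untagged[pvid]:
            findings.add(("pvid-not-in-vlan-table", port, pvid))
        # VLAN tagged on a port whose untagged traffic lands in the same VLAN.
        if port in tagged[pvid]:
            findings.add(("tagged-equals-pvid", port, pvid))
        if port in trunks:
            if pvid == 1:
                # Untagged VLAN of a trunk left at the default VLAN 1.
                findings.add(("native-vlan-default", port, pvid))
            elif any(q not in trunks and qp == pvid
                     for q, (qp, _) in ports.items()):
                # Untagged VLAN of a trunk is also an access VLAN.
                findings.add(("native-vlan-shared", port, pvid))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
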
Yes, i mean put on the same trunk (hybrid) untagged traffic and tagged VLAN 1. This is not working with vlan aware bridges (except if you are using "PVID=something else than 1" to change the untagged traffic vlan-id).
I think he means "have vlan 1 tagged on some port, and at the same time have some other vlan untagged on that or another port".
you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..
It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
While vlan 1 is nothing special, it would not be the first case where it causes problems to use it tagged. In the past I have
also tried to hunt down bugs on other manufacturer's switches, and even faced the situation where the manuf "could not reproduce"
the problem and it was because the Windows driver for the ethernetcard he uses to debug the problem (or maybe even Windows itself)
invisibly deleted a VLAN 1 tag from the packet even before wireshark gets it. Wireshark under Linux showed the problem clearly.
I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.
1 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge,ether2
I agree with you that it should work and indeed it does work on Procurve (I have such a scenario at work) but before that we had
I've used vlan1 tagged mixed with untagged traffic without problems in the past with procurve switches as well as Mikrotiks.
No you are right tagged for vlan1 and untagged for vlan1 at the same time on the same port is not possible.
Are you able to dump a configuration from the ProCurve's showing a single port untagged for VLAN1 and tagged for VLAN1? I'd be extremely surprised if that is the case as well as confused as to how that isn't at the least causing the link to bridge traffic twice if not forming a loop.
I know this is wandering dangerously off-topic of the actual content of the RC release so we may need to take it to a new thread. I can create one. At this point I'm more curious as to how something like that would actually work. I'm pretty sure what you're describing is definitely not standard behavior. The Cisco switches and routers I have in my lab won't let me do it. I don't have any ProCurve hardware to lab with, largely because they fall into the each model is configured differently category and that annoys me (at least since the 3com purchase).
1 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge,ether2
#1) Create a bridge with ports:
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
#2) Configure VLANs:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=40
#3) Assign VLANs to MST instances:
/interface bridge msti
add bridge=bridge1 identifier=1 vlan-mapping=10,20
add bridge=bridge1 identifier=2 vlan-mapping=30,40
#4) Enable VLAN Filtering and MSTP:
/interface bridge set bridge1 protocol-mode=mstp vlan-filtering=yes
#5) Check MSTP status:
/interface bridge msti monitor [find]
Any updates when we can expect fastpath support for PPPoE Client interfaces?
*) lte - added initial fastpath support (except SXT LTE and Sierra modems);
It is supported since 6.35. And there also were improvements in 6.39. Check changelogs out for details.
Any updates when we can expect fastpath support for PPPoE Client interfaces?
It doesn't work on RB850Gx2.
It is supported since 6.35. And there also were improvements in 6.39. Check changelogs out for details.
Any updates when we can expect fastpath support for PPPoE Client interfaces?
RB850Gx2 Ethernets don't have fastpath support, MT doesn't have their own driver there, they use ones provided by CPU manufacturers so that IPsec hardware acceleration works. I asked about this at the MUM.
It doesn't work on RB850Gx2.
No. I thought this problem can be solved on the forum.
John39 - There are no related fixes mentioned in changelog. Have you contacted support@mikrotik.com? Are you sure that problem was introduced in 6.40rc version and downgrade to older version fixes this problem?
Yes, I'm sure the upgrade to version 6.39.2 or earlier fixes this problem.
John39 - There are no related fixes mentioned in changelog. Have you contacted support@mikrotik.com? Are you sure that problem was introduced in 6.40rc version and downgrade to older version fixes this problem?
Preparing for the future: viewtopic.php?f=2&t=121533
*) mmips - added support for NVME disks;
what possible current mmips based router has slot/interface to get an nvme ssd attached to it?
interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 br1 1 eth2 br1
eth3
1 br1 11 br1 eth4
eth2
eth3
2 br1 12 br1
eth2
eth3
3 br1 41 br1
eth2
eth3
4 br1 42 br1
eth2
eth3
5 br1 999 br1 eth2
eth3
Maybe M33 ??
*) mmips - added support for NVME disks;
what possible current mmips based router has slot/interface to get an nvme ssd attached to it? afaik nvme is pcie, and the hexR3 (the sole mmips based mikrotik device) doesn’t have anything similar...
Many thanks!
Here is a simple MSTP configuration example for insight. It could be used on 3 routers connected in a ring.
The upcoming RouterBoard M3 has a M.2 slot which could be used for a NVMe SSD....
*) mmips - added support for NVME disks;
what possible current mmips based router has slot/interface to get an nvme ssd attached to it? afaik nvme is pcie, and the hexR3 (the sole mmips based mikrotik device) doesn’t have anything similar...
viewtopic.php?f=1&t=123497#p607883
Yes, everything that saves to file from console is broken, export to file print to file etc. We will try to fix this in future rc versions.
When you press the backup button on winbox is encrypted by default, if you don't set up password you locked out, you lost the backup..
Not getting happier about this and I had to revert back current 39.2 to have my settings back. The backups I have all say "provide password" and I am thinking WHAT password!!!! I tried many but none did work so that means all my carefully made backups are toast or is there some way to use them. The export .rsc are all throwing errors so that is also a no go.
This sets me back a few months in changes made in firewall and a lot of scripting I did in that time. I cant even go back to 6.40rc38 because of I have only the .backup and no .rsc.
Is there a reliable way to backup you settings so one can restore their router in case of disaster?
So back to Bridge and Master. The load on the cores are with master more even and none is stressed to the utmost.
I wanted to show two pictures showing the difference in speed but I can't find the attach option any more. So bad luck all the way.
Known issue. See viewtopic.php?f=1&t=123497#p607883
Unable to export configuration to a file
(...)
Tom
I had the same problem yesterday. RB2011UAS
Unable to export configuration to a file
Is anyone else having this issue? I can run /export from the CLI, but if I do:
/export file=x (or /export file="x")
No files get created.
It seems that it was corrected by rc41 as in Changelog of RouterOS 6.40rc41.
I had the same problem yesterday. RB2011UAS
Unable to export configuration to a file
Is anyone else having this issue? I can run /export from the CLI, but if I do:
/export file=x (or /export file="x")
No files get created.
I thought I was too stupid to find the file.
ISSUE since rc38
Webfig:
No File download possible
ftp download is OK
*) pppoe-server - fixed situation when some of 100+ pppoe-servers can become invalid on reboot;
I'll keep on 6.40rc38 until 6.41rc hits the downloads then. Can't say i'm interested in reverting my new VLAN aware bridges back to the old way and then back again into VLAN aware bridges. Good progress. Don't fall asleep at the wheel. I hope you guys got some good initial testing on MSTP / VLAN aware bridging.
v6.40 is scheduled for release, so we reverted hw-offload as well as igmp-snooping, because it requires more testing and bugfixes.
Most likely it will be back in v6.41rc
Important: This means all the new bridge/switch/igmp-snooping functionality is removed and will return in 6.41rc. The reason is that we found that these new features need more testing, and v6.40 was too close to release, so it would delay the release for some time. Those of you who used the RC, there is no painless way to upgrade or downgrade.
!) bridge hw-offload implementation reverted back to pre-6.40rc36 state (testing will continue in v6.41rc);
!) wireless - added Nv2 AP synchronization feature "nv2-modes" and "nv2-sync-secret" option;
*) bonding - fixed 802.3ad mode on RB1100AHx4;
*) export - fixed export to a file (introduced in v6.40rc39);
*) hotspot - added "address-list" support in "walled-garden" IP section;
*) hotspot - fixed firewall accept rules created by "/ip hotspot walled garden ip" (introduced in v6.40rc18);
*) ike1 - create tunnel policy when no split net provided;
*) ike1 - wait for cfg set reply before ph2 creation with xAuth;
*) ipsec - allow to specify chain in "firewall" peer option;
*) ppp - fixed non-standard PAP or CHAP packet handling;
*) pppoe-server - fixed situation when some of 100+ pppoe-servers can become invalid on reboot;
*) routerboard - added "caps-mode" option for "reset-configuration";
*) sfp - fixed invalid temperature reporting when ambient temperature is less than 0;
*) winbox - make IPSec policies table an order list;
*) winbox - show "/interface wireless cap print" warnings;
Can I make partition(s) on my mAP Lite? It has only 32MB disk space.
I really think Mikrotik should discuss using partitions in addition to backups.
You are right, but try to use partitioning on a hEX (or any other "zero flash") devices!
This was very easy to roll back with a partition. Just make the partition..
Are you sure about that? mAP lite should have 64MB RAM and 16MB flash ... and no you can't use partitions ...
Can I make partition(s) on my mAP Lite? It has only 32MB disk space.
I really think Mikrotik should discuss using partitions in addition to backups.
+1
This was very easy to roll back with a partition. Just make the partition active that was right before the upgrade. Took seconds.. As I mentioned, everyone doing RCs should use partitions. I copy my current RC and config over to a partition before I try out a new RC. Any issue, I just move back..
I had to with 38, upgraded to 41. On the 2011 it was still causing the display to flash. So 41 did not fix something from 38. So I "made active" my original partition and the issue was gone.
I really think Mikrotik should discuss using partitions in addition to backups.
Normis, what is the time-line for 6.40 GA and 6.41rc?
Important: This means all the new bridge/switch/igmp-snooping functionality is removed and will return in 6.41rc. The reason is that we found that these new features need more testing, and v6.40 was too close to release, so it would delay the release for some time. Those of you who used the RC, there is no painless way to upgrade or downgrade.
It can boot off the secondary partition when booting off the first partition fails. Although it is not clearly defined what failing to boot really means.
This is a wonderful idea. I didn't even know this was possible till you mentioned so as well some means to boot once off a secondary partition?
In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad
Yes, the below methods.
Currently RouterOS6.40rc does support any of EAP authentication methods?
The EAP section is on Wireless > Security Profiles > Profile entries (via winbox).
In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad
+1
I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area where you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.
For poops and giggles, a quick google search shows:
0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip
These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD difference easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelihood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.
This does seem strange in today's world.... but then again, as Idlemind points out - $2 for every unit sold can translate to hundreds of thousands or millions of dollars less in profits for a particular unit if it's popular...
You are right, but try to use partitioning on a hEX (or any other "zero flash") devices!
There is no common sense in putting 16mb flash on new devices.. IMHO .. the real reason is obviously NOT save 2 bucks
I see yours point, but .... less in profits ..
Thanks null31, i try to try mikrotik route to build an iKEV2 VPN server, i have no radius, my client is windows7, i read wiki but still can not succeed. Would you like to help me?
The EAP section is on Wireless > Security Profiles > Profile entries (via winbox).
In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad
I forgot to ask.
Do you want the Mikrotik as EAP Client or as EAP Access Point?
The print that I showed is about EAP Client.
Now about EAP AP:
Page 16.
> https://mum.mikrotik.com//presentations ... 009077.pdf (Spanish language)
I don't think he did get it wrong, 8gbit (1gbyte) FLASH on digikey can cost as little as between $6.16 (each in 1000 of quantity) and $9.45 (each in 1 of quantity).
You got this wrong ... flash chips are declared in Megabits ... so the prices you found are for 4MB, 32MB and 128MB respectively ...
Better use API call, will be faster way I suppose, like
Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
/interface/wireless/registration-table
This is not realistic.
Better use API call, will be faster way I suppose, like
Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
and play with.
/interface/wireless/registration-table
I do understand your pain but Mikrotik is quite slow with SNMP so far. Keep asking, maybe one day?..
This is not realistic.
Oh, I see you're wise person already, will not teach you this way I can't say how many routers you need to monitor from you initial question. Yes, let's wait for MT to help with this.
scalable or manageable. Hence not realistic for production environment.
+1 support for this
Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
That feature is actually available! But it is a bit hard to find and understand.
They should add scripting into SNMP server, so you can set OID and which script to execute to reply the query This is where MT win all the time - scripting!
+1
+1 support for this
Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
Yes, and adding the "Radio Name" field is something that should, IMO, be relatively easy for them to do.
APIs are good but tbh SNMP is far easier to work with in NMS tools. I've found a handful of OIDs I'd really like to see supported. Particularly IPv6 traffic tracking and connection counts. Saying it's solved with scripting to custom OIDs is a total hack over supporting standardized mibs.
There is probably a list of things that are relatively easy to do that is so long that it requires considerable effort to sort it all out...that should, IMO, be relatively easy for them to do.
Running 6.40rc38 (won't be upgrading until 6.41rc is released) I don't get hardware offload on any ports. That's ok for me because I have the hex doing intervlan routing which is done in CPU anyways per MikroTik support. I have a separate layer 2 switch that is capable of faster speeds between the hex and my various devices for intravlan traffic.By the way, I now can see two block diagrams for routers, one for non-switched config and other is for switched. So as 6.41 is out both still be there but "switched" become "attached to the same bridge", right?
Also, on this diagram:
am I right to say that if I set 2-4 ports to be switched, and port 1 as non-switched, then port 1 will be 1 Gbps, and four remaining will share another 1 Gbps in routing scenario?
[admin@rack1_b3] /interface ipip> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000
1 D ;;; ipip-tunnel4
src-address=1.1.1.1/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt
level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0
[admin@rack1_b3] /interface ipip> print
Flags: X - disabled, R - running, D - dynamic
# NAME MTU ACTUAL-MTU LOCAL-ADDRESS REMOTE-ADDRESS KEEPALIVE DSCP
0 ipip-tu... auto 1480 1.1.1.1 1.1.1.2 10s,10 inherit
[admin@rack1_b3] /interface ipip> set 0 local-address=2.2.2.2
[admin@rack1_b3] /interface ipip> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000
1 D ;;; ipip-tunnel4
src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt
level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0
@HeadCraft be more specific, what you described works:
Sorry, I just found why it is not working correctly (maybe I am doing it incorrectly). The reason is that I use MikroTik DDNS as the destination address in the tunnel. So the situation is:
[admin@MikroTik] > /interface ipip
add allow-fast-path=no ipsec-secret=123 !keepalive local-address=1.1.1.1 name=\
ipip-tunnel1 remote-address=google-public-dns-a.google.com
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 D ;;; ipip-tunnel1
src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any
protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no
proposal=default priority=0 ph2-count=0
[admin@MikroTik] > /interface ipip set [find name=ipip-tunnel1] local-address=3.3.3.3
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 D ;;; ipip-tunnel1
src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any
protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no
proposal=default priority=0 ph2-count=0
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 D ;;; ipip-tunnel1
address=8.8.8.8/32 local-address=1.1.1.1 auth-method=pre-shared-key secret="123"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m
dpd-maximum-failures=5