
 
miro10hr
Frequent Visitor
Topic Author
Posts: 99
Joined: Fri Nov 11, 2011 3:03 pm

CRS switch, VLANs not working when invalid VLAN filtering enabled

Mon May 23, 2016 10:41 am

Hi,

I'm trying to do basic switch configuration. I will simplify everything so it is more clear. I can't understand why it is not working.

Here is the setup:
- two CRS switches that are interconnected
- one trunk port between them - tagged packets
- access ports - untagged packets
- MGMT IP for each switch in mgmt VLAN

Here is the picture:
CRS125_VLAN_mgmtIP_v0.1_160523.jpg
Port 20 - VLAN 60 untagged
Port 21 - VLAN 70 untagged
Port 24 - trunk - VLAN 60, 70 tagged
MGMT IP - VLAN 60

Here is the configuration.

Master port is set to eth 20:

/interface ethernet
set [ find default-name=ether1 ] master-port=ether20
set [ find default-name=ether2 ] master-port=ether20
set [ find default-name=ether3 ] master-port=ether20
set [ find default-name=ether4 ] master-port=ether20
set [ find default-name=ether5 ] master-port=ether20
set [ find default-name=ether6 ] master-port=ether20
set [ find default-name=ether7 ] master-port=ether20
set [ find default-name=ether8 ] master-port=ether20
set [ find default-name=ether9 ] master-port=ether20
set [ find default-name=ether10 ] master-port=ether20
set [ find default-name=ether11 ] master-port=ether20
set [ find default-name=ether12 ] master-port=ether20
set [ find default-name=ether13 ] master-port=ether20
set [ find default-name=ether14 ] master-port=ether20
set [ find default-name=ether15 ] master-port=ether20
set [ find default-name=ether16 ] master-port=ether20
set [ find default-name=ether17 ] master-port=ether20
set [ find default-name=ether18 ] master-port=ether20
set [ find default-name=ether19 ] master-port=ether20
set [ find default-name=ether21 ] master-port=ether20
set [ find default-name=ether22 ] master-port=ether20
set [ find default-name=ether23 ] master-port=ether20
set [ find default-name=ether24 ] master-port=ether20
set [ find default-name=sfp1 ] master-port=ether20


Configuration for access (untagged) ports 20 and 21:
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=60 ports=ether20
add customer-vid=0 new-customer-vid=70 ports=ether21
/interface ethernet switch egress-vlan-translation
add customer-vid=60 customer-vlan-format=untagged-or-tagged new-customer-vid=\
0 ports=ether20 service-vlan-format=untagged-or-tagged
add customer-vid=70 customer-vlan-format=untagged-or-tagged new-customer-vid=\
0 ports=ether21 service-vlan-format=untagged-or-tagged

Configuration for trunk port 24 (and added switch chip for mgmt IP):
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,switch1-cpu vlan-id=60
add tagged-ports=ether24 vlan-id=70

Adding VLAN assignment to ports:
/interface ethernet switch vlan
add ports=ether20,ether24,switch1-cpu vlan-id=60
add ports=ether21,ether24 vlan-id=70

Creating VLAN interface-vlan60-mgmt for mgmt IP on ethernet 20:
/interface vlan
add interface=ether20 name=vlan60-mgmt vlan-id=60

Assigning mgmt IP address to VLAN interface:
/ip address
add address=192.168.88.1/24 interface=vlan60-mgmt network=192.168.88.0

Everything works as it should. Clients in VLAN 60 can see each other and can reach MGMT IP, and clients in VLAN 70 can only see each other.

In the moment when I enable VLAN filtering of invalid VLANs:
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
ether24,ether23,ether22,ether21,ether20 \
drop-if-no-vlan-assignment-on-ports=\
ether24,ether23,ether22,ether21,ether20

clients in VLAN 60 can only reach MGMT IP on a switch they are connected to and nothing else works.

Why is that? That means something in the VLAN configuration is invalid and packets are being dropped, but I can't find what could be the reason for that?

Can anyone please suggest what is wrong?
 
miro10hr
Frequent Visitor
Topic Author
Posts: 99
Joined: Fri Nov 11, 2011 3:03 pm

Re: CRS switch, VLANs not working when invalid VLAN filtering enabled

Mon May 23, 2016 12:07 pm

I'm trying to troubleshoot this.

I've mirrored the port 24 to port 23
/interface ethernet switch
set egress-mirror0=ether23 ingress-mirror0=ether23
/interface ethernet switch port
set 23 egress-mirror-to=mirror0 ingress-mirror-to=mirror0
(23 in this case is port 24 because the counting starts from 0. 0 is first port)

By using wireshark I can see that none of the packets are tagged on port 24. How can that be? Did I miss something in the configuration?
 
becs
MikroTik Support
Posts: 477
Joined: Thu Jul 07, 2011 8:26 am

Re: CRS switch, VLANs not working when invalid VLAN filtering enabled

Mon May 23, 2016 4:51 pm

"drop-if-no-vlan-assignment-on-ports" setting blocks traffic on ports which do not have Ingress VLAN Translation rules configured (VLAN Trunk ports). Your configuration does not seem to need it.
It would be enough to configure "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports" to ensure proper VLAN filtering and block unwanted VLAN traffic on ports.
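
The two settings discussed in the reply above, as an added example that is not part of the original thread and is not MikroTik code: a simplified Python model of the ingress checks, loaded with the VLAN table and translation rules from the first post. The function names and the order of the checks are assumptions made for illustration; the real switch chip pipeline is more involved.

```python
# Simplified model of the ingress checks described in the reply above.
# Assumption: an illustration only, not the CRS switch chip's real pipeline.

# Values taken from the configuration posted in this thread.
INGRESS_TRANSLATION = {"ether20": 60, "ether21": 70}   # untagged (vid 0) -> new vid
VLAN_TABLE = {60: {"ether20", "ether24", "switch1-cpu"},
              70: {"ether21", "ether24"}}
FILTER_PORTS = {"ether20", "ether21", "ether22", "ether23", "ether24"}


def ingress_verdict(port, vid, drop_invalid, drop_no_assignment):
    """Return (verdict, reason) for a frame entering `port`.

    vid is the 802.1Q tag on the wire, or 0 for an untagged frame.
    drop_invalid / drop_no_assignment are the port sets of the two settings.
    """
    has_rule = port in INGRESS_TRANSLATION
    if vid == 0 and has_rule:
        vid = INGRESS_TRANSLATION[port]          # access port: VLAN assigned
    if port in drop_no_assignment and not has_rule:
        return "drop", "no-vlan-assignment"      # this is what hits the trunk
    if port in drop_invalid:
        if vid not in VLAN_TABLE:
            return "drop", "invalid-vlan"
        if port not in VLAN_TABLE[vid]:
            return "drop", "src-port-not-member"
    return "forward", f"vlan {vid}"


def compare(port, vid):
    """Verdicts with both settings enabled vs. only the membership filter."""
    both = ingress_verdict(port, vid, FILTER_PORTS, FILTER_PORTS)
    only_invalid = ingress_verdict(port, vid, FILTER_PORTS, set())
    return both, only_invalid


if __name__ == "__main__":
    # Constructed sample frames: (ingress port, tag on the wire)
    for port, vid in [("ether20", 0), ("ether24", 60), ("ether24", 70),
                      ("ether24", 99), ("ether20", 70)]:
        both, only_invalid = compare(port, vid)
        print(f"{port} vid={vid}: both={both} invalid-only={only_invalid}")
```

In this model a tagged VLAN 60 frame arriving on the trunk port ether24 is dropped only when ether24 is also listed in drop-if-no-vlan-assignment-on-ports, which matches the symptom in the first post: the local MGMT IP answers, but nothing crosses the trunk.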
 
miro10hr
Frequent Visitor
Topic Author
Posts: 99
Joined: Fri Nov 11, 2011 3:03 pm

Re: CRS switch, VLANs not working when invalid VLAN filtering enabled

Tue May 24, 2016 11:36 am

Hi,

Thanks, that's clear now. It's my first time working with switch options on CRS, so it takes a bit to understand the logic.

The VLAN tags not appearing is due to the network adapter in the laptop, and I've managed to resolve it.

Everything is resolved then.

Thanks.
