plisken
Forum Guru
Topic Author
Posts: 2374
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

VLAN CCR to CRS 328

Fri May 17, 2019 9:22 am

Hello,
I want 4 VLANs on the CCR with IP addresses and DHCP server configured on.
I want to transfer these VLAN networks to my CRS-328 via a SFP1 trunk.
I don't get IP addresses distributed on the CRS-328.
What am I doing wrong? I think it depends on the configuration of the CCR.
Who can help me clarify this?

CCR-1036
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/interface vlan
add interface=sfp-sfpplus1 name=vlan1-management vlan-id=1
add comment=secure-network interface=sfp-sfpplus1 name=vlan100-secure use-service-tag=yes vlan-id=100
add comment=unsecure-network interface=sfp-sfpplus1 name=vlan110-unsucure use-service-tag=yes vlan-id=110
add comment=synology-survey interface=sfp-sfpplus1 name=vlan120-synology-survey use-service-tag=yes vlan-id=120
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-secure-network ranges=10.10.100.50-10.10.100.254
add name=pool-unsecure-network ranges=10.10.110.50-10.10.110.254
add name=pool-synology-survey ranges=10.10.120.50-10.10.120.254
add name=pool-management ranges=10.10.99.2-10.10.99.254
/ip dhcp-server
add address-pool=pool-secure-network disabled=no interface=vlan100-secure lease-time=1d name=dhcp-secure-network
add address-pool=pool-unsecure-network disabled=no interface=vlan110-unsucure lease-time=1d name=dhcp-unsecure-network
add address-pool=pool-synology-survey disabled=no interface=vlan120-synology-survey lease-time=1d name=dhcp-synology-survey
add address-pool=pool-management disabled=no interface=vlan1-management lease-time=1d name=dhcp-management
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface list member
add interface=ether1-wan list=WAN
/ip address
add address=10.10.100.1/24 comment=secure-network interface=vlan100-secure network=10.10.100.0
add address=10.10.110.1/24 comment=unsecure-network interface=vlan110-unsucure network=10.10.110.0
add address=10.10.120.1/24 comment=synology-survey interface=vlan120-synology-survey network=10.10.120.0
add address=10.10.99.1/24 comment=management interface=vlan1-management network=10.10.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server network
add address=10.10.99.0/24 gateway=10.10.99.1
add address=10.10.100.0/24 gateway=10.10.100.1
add address=10.10.110.0/24 gateway=10.10.110.1
add address=10.10.120.0/24 gateway=10.10.120.1
/ip firewall address-list
add address=10.10.99.0/24 list=vlans
add address=10.10.100.0/24 list=vlans
add address=10.10.110.0/24 list=vlans
add address=10.10.120.0/24 list=vlans
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN protocol=tcp src-address-list=vlans
/system clock
set time-zone-name=Europe/Brussels
/system routerboard settings
set protected-routerboot=enabled
/tool user-manager database
set db-path=user-manager
CRS-328
/interface bridge
add admin-mac=74:4D:28:34:AE:46 auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-secure
set [ find default-name=ether2 ] name=ether2-secure
set [ find default-name=ether3 ] name=ether3-secure
set [ find default-name=ether4 ] name=ether4-secure
set [ find default-name=ether5 ] name=ether5-secure
set [ find default-name=ether6 ] name=ether6-secure
set [ find default-name=ether7 ] name=ether7-secure
set [ find default-name=ether8 ] name=ether8-secure
set [ find default-name=ether9 ] name=ether9-unsecure poe-voltage=low
set [ find default-name=ether10 ] name=ether10-unsecure
set [ find default-name=ether11 ] name=ether11-unsecure
set [ find default-name=ether12 ] name=ether12-unsecure
set [ find default-name=ether13 ] name=ether13-unsecure
set [ find default-name=ether14 ] name=ether14-unsecure
set [ find default-name=ether15 ] name=ether15-unsecure
set [ find default-name=ether16 ] name=ether16-unsecure
set [ find default-name=ether17 ] name=ether17-synology-survey
set [ find default-name=ether18 ] name=ether18-synology-survey
set [ find default-name=ether19 ] name=ether19-synology-survey
set [ find default-name=ether20 ] name=ether20-synology-survey
set [ find default-name=ether21 ] name=ether21-synology-survey
set [ find default-name=ether22 ] name=ether22-synology-survey
set [ find default-name=ether23 ] name=ether23-synology-survey
set [ find default-name=ether24 ] name=ether24-management
set [ find default-name=sfp-sfpplus1 ] name="sfp-sfpplus1-vlan-trunk -> CCR-1036"
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2-vlan-trunk -> CRS-326"
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface list
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether3-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether4-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether5-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether6-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether7-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether8-secure pvid=100
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether9-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether10-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether11-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether12-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether13-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether14-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether15-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether16-unsecure pvid=110
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether17-synology-survey pvid=120
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether18-synology-survey pvid=120
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether19-synology-survey pvid=120
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether20-synology-survey pvid=120
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether21-synology-survey pvid=120
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether22-synology-survey pvid=120
add bridge=bridge ingress-filtering=yes interface=ether23-synology-survey pvid=120
add bridge=bridge interface=ether24-management
add bridge=bridge interface="sfp-sfpplus1-vlan-trunk -> CCR-1036"
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge comment=secure-network tagged="sfp-sfpplus1-vlan-trunk -> CCR-1036,sfp-sfpplus2-vlan-trunk -> CRS-326" untagged=ether1-secure,ether2-secure,ether3-secure,ether4-secure,ether5-secure,ether6-secure,ether7-secure,ether8-secure \
    vlan-ids=100
add bridge=bridge comment=unsecure-network tagged="sfp-sfpplus1-vlan-trunk -> CCR-1036,sfp-sfpplus2-vlan-trunk -> CRS-326" untagged=\
    ether9-unsecure,ether10-unsecure,ether11-unsecure,ether12-unsecure,ether13-unsecure,ether14-unsecure,ether15-unsecure,ether16-unsecure vlan-ids=110
add bridge=bridge comment=synology-survey tagged="sfp-sfpplus1-vlan-trunk -> CCR-1036,sfp-sfpplus2-vlan-trunk -> CRS-326" untagged=\
    ether19-synology-survey,ether20-synology-survey,ether21-synology-survey,ether22-synology-survey,ether23-synology-survey vlan-ids=120
/interface list member
add interface=bridge list=VLAN
/ip address
add address=10.10.99.2/24 comment=defconf interface=bridge network=10.10.99.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system routerboard settings
set boot-os=router-os
 
sindy
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 6:01 pm

I think you have misunderstood the purpose of use-service-tag=yes in configuration of /interface vlan. The /interface vlan always marks the frames with a tag; setting use-service-tag to yes means it will be an 802.1ad tag (S(ervice)-VLAN, ethertype 0x88a8) whereas setting use-service-tag to default value no means it will be an 802.1Q tag (C(ustomer)-VLAN, ethertype 0x8100).

In the CRS, there is nothing about use of service-tags, so it expects C-tags while you are sending S-tags from the CCR (and vice versa of course).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
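
As an added illustration of the tag mismatch described in the post above (not code from this thread or from MikroTik): a Python example that walks the VLAN tags of a raw Ethernet frame, such as one taken from a sniffer capture on the trunk, and reports whether the outer tag carries ethertype 0x8100 or 0x88a8. The function names, the constructed sample frames and the simplified model of a receiving port that recognises only one tag type are assumptions made for the example.

```python
import struct

# Tag protocol identifiers (TPID) named in the thread.
TPID_CTAG = 0x8100  # 802.1Q C-tag, what /interface vlan sends with use-service-tag=no
TPID_STAG = 0x88A8  # 802.1ad S-tag, what it sends with use-service-tag=yes
TAG_NAMES = {TPID_CTAG: "802.1Q C-tag", TPID_STAG: "802.1ad S-tag"}


def parse_vlan_tags(frame: bytes):
    """Return ([(tpid, vid, pcp), ...], inner_ethertype) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    tags = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TAG_NAMES:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF, tci >> 13))  # VID is the low 12 bits
        offset += 4
        ethertype = next_type
    return tags, ethertype


def port_verdict(frame: bytes, expected_tpid: int, allowed_vids: set) -> str:
    """Simplified model (assumption): the port recognises only expected_tpid as a VLAN tag."""
    tags, _ = parse_vlan_tags(frame)
    if not tags or tags[0][0] != expected_tpid:
        seen = TAG_NAMES[tags[0][0]] if tags else "no tag"
        return f"treated as untagged ({seen} on the wire)"
    vid = tags[0][1]
    if vid not in allowed_vids:
        return f"VLAN {vid} not allowed on this port"
    return f"accepted as VLAN {vid}"


def build_frame(tpid: int, vid: int, inner: int = 0x0800) -> bytes:
    # Constructed sample frame: broadcast destination, made-up source MAC, no payload.
    return b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack("!HHH", tpid, vid, inner)


if __name__ == "__main__":
    trunk_vids = {100, 110, 120}  # VLAN IDs tagged on the trunk in the posted CRS config
    for label, tpid in (("use-service-tag=yes", TPID_STAG), ("use-service-tag=no", TPID_CTAG)):
        print(label, "->", port_verdict(build_frame(tpid, 100), TPID_CTAG, trunk_vids))
```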
 
plisken
Forum Guru
Topic Author
Posts: 2374
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: VLAN CCR to CRS 328

Fri May 17, 2019 10:13 pm

Hello Sindy, thanks for your reply

I have changed the CCR to this.
I hope that's correct?
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/interface vlan
add interface=sfp-sfpplus1 name=vlan1-management vlan-id=1
add comment=secure-network interface=sfp-sfpplus1 name=vlan100-secure vlan-id=100
add comment=unsecure-network interface=sfp-sfpplus1 name=vlan110-unsucure vlan-id=110
add comment=synology-survey interface=sfp-sfpplus1 name=vlan120-synology-survey vlan-id=120
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-secure-network ranges=10.10.100.50-10.10.100.254
add name=pool-unsecure-network ranges=10.10.110.50-10.10.110.254
add name=pool-synology-survey ranges=10.10.120.50-10.10.120.254
add name=pool-management ranges=10.10.99.2-10.10.99.254
/ip dhcp-server
add address-pool=pool-secure-network disabled=no interface=vlan100-secure lease-time=1d name=dhcp-secure-network
add address-pool=pool-unsecure-network disabled=no interface=vlan110-unsucure lease-time=1d name=dhcp-unsecure-network
add address-pool=pool-synology-survey disabled=no interface=vlan120-synology-survey lease-time=1d name=dhcp-synology-survey
add address-pool=pool-management disabled=no interface=vlan1-management lease-time=1d name=dhcp-management
/ip neighbor discovery-settings
set discover-interface-list=WAN
/interface list member
add interface=ether1-wan list=WAN
/ip address
add address=10.10.100.1/24 comment=secure-network interface=vlan100-secure network=10.10.100.0
add address=10.10.110.1/24 comment=unsecure-network interface=vlan110-unsucure network=10.10.110.0
add address=10.10.120.1/24 comment=synology-survey interface=vlan120-synology-survey network=10.10.120.0
add address=10.10.99.1/24 comment=management interface=vlan1-management network=10.10.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip dhcp-server network
add address=10.10.99.0/24 gateway=10.10.99.1
add address=10.10.100.0/24 gateway=10.10.100.1
add address=10.10.110.0/24 gateway=10.10.110.1
add address=10.10.120.0/24 gateway=10.10.120.1
/ip firewall address-list
add address=10.10.99.0/24 list=vlans
add address=10.10.100.0/24 list=vlans
add address=10.10.110.0/24 list=vlans
add address=10.10.120.0/24 list=vlans
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN protocol=tcp src-address-list=vlans
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system routerboard settings
set protected-routerboot=enabled
 
sindy
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 10:27 pm

Seems fine to me, except that you have configured VLAN ID 1 only at CCR side but not at CRS one, why is that? Do the other three VLANs work now?

Other than that, using CRS as a software bridge is quite a waste of resources :)
 
mkx
Forum Guru
Posts: 2105
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 10:39 pm

Other than that, using CRS as a software bridge is quite a waste of resources
Isn't CRS3xx family supposed to HW offload bridge vlan-filtering?
BR,
Metod
 
plisken
Forum Guru
Topic Author
Posts: 2374
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: VLAN CCR to CRS 328

Fri May 17, 2019 10:45 pm

This must have been a mistake; it was a management VLAN.
I have to remove the VLAN1
On the CRS I have configured 1 bridge and then created the VLANs. But the three VLANs don't work on the CRS.
VLAN is not my strongest topic and I find it somewhat confusing with all the different switch chips
 
sindy
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 10:47 pm

Isn't CRS3xx family supposed to HW offload bridge vlan-filtering?
Are you saying that it automatically translates the vlan-related behaviour defined for bridge-filtering=yes into switch chip configuration?
 
sindy
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 10:54 pm

the three VLANs don't work on the CRS.
I have no hands-on experience with a CRS, but I'd be afraid of the frame-types=admit-only-vlan-tagged setting of the bridge when you use access mode ports in that bridge.
 
mkx
Forum Guru
Posts: 2105
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 11:46 pm

Isn't CRS3xx family supposed to HW offload bridge vlan-filtering?
Are you saying that it automatically translates the vlan-related behaviour defined for bridge-filtering=yes into switch chip configuration?
User's manual seems to imply that. And CRS3xx is the only device family with this kind of capability.
It's been this way ever since ROS 6.41 ... giving us some hope that HW offload capability might spread to (some) other devices eventually. I've lost my hopes while waiting ...
BR,
Metod
 
mkx
Forum Guru
Posts: 2105
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 11:50 pm

the three VLANs don't work on the CRS.
I have no hands-on experience with a CRS, but I'd be afraid of the frame-types=admit-only-vlan-tagged setting of the bridge when you use access mode ports in that bridge.
I think @plisken is right about this setting. Bridge only accepts VLAN-tagged frames forcing configuration of pvid on all access ports (so that frames get tagged on ingress) ... which he did ...
BR,
Metod
 
mkx
Forum Guru
Posts: 2105
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN CCR to CRS 328

Fri May 17, 2019 11:57 pm

This must have been a mistake; it was a management VLAN.
I have to remove the VLAN1
On the CRS I have configured 1 bridge and then created the VLANs. But the three VLANs don't work on the CRS.
VLAN is not my strongest topic and I find it somewhat confusing with all the different switch chips
I've got the impression that in the MT world sometimes VLAN with VID=1 is treated as untagged. So I tend to avoid using VID=1 when frames should be tagged ...

How do you determine that VLANs are not working on CRS?

BTW, I'd remove settings on CRS section /interface bridge settings ... firewall is not configured, but current bridge settings might disable HW offload and force all traffic through CPU ...
BR,
Metod
 
plisken
Forum Guru
Topic Author
Posts: 2374
Joined: Sun May 15, 2011 12:24 am
Location: Belgium

Re: VLAN CCR to CRS 328

Sat May 18, 2019 5:09 am

@MKX and Sindy
If I understand correctly, the CRS-328 only supports using the VLAN filter. And this is how I set it up.

But I'm confused about the CCR VLAN configuration.
Many tutorials are incorrect and incomplete and this is my problem. Although I configured the CRS correctly, it cannot transport the VLANs to the CCR and vice versa.
I am grateful to both of you for helping me.
Everything has changed since the hw-offload implementation.
And then you have the different switch chips that all require different VLAN configurations. Sorry for my unclear English.
I hope you understand me.

How do you determine that VLANs are not working on CRS?
I think the problem is the CCR VLAN configuration
 
sindy
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN CCR to CRS 328

Sat May 18, 2019 9:22 am

If I understand correctly, the CRS-328 only supports using the VLAN filter. And this is how I set it up.
On any device it should be possible to set hw=no for each interface row of /interface bridge port to bypass the switch chip processing of the frames. It is not suitable for production but good for diagnostic. And in this mode (hw=no), vlan-filtering=yes is the only way to tag/untag frames on ingress/egress to/from a bridge.

But I'm confused about the CCR VLAN configuration.
Since you want the VLANs on a single Ethernet interface, your configuration is correct.

Sorry for my unclear English. I hope you understand me.
You have no idea what unclear English really means :)

How do you determine that VLANs are not working on CRS?
I think the problem is the CCR VLAN configuration
It is better to know than to think. Your best friend is /tool sniffer quick interface=ether1 running on the CCR, as it will show you what passes through the interface in both directions.
 
mkx
Forum Guru
Posts: 2105
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN CCR to CRS 328

Sat May 18, 2019 1:32 pm

But I'm confused about the CCR VLAN configuration.
Since you want the VLANs on a single Ethernet interface, your configuration is correct.
As CCR1036 doesn't have a traditional switch-chip, VLANs have to be configured either directly on port (as OP has it) or using bridge vlan-filtering (which should be wirespeed as well as the Tile CPU somehow processes any frame anyway).

I agree with @sindy suggesting to sniff off sfp-sfpplus1 interface (I believe that's the interface connecting to CRS) to see what's tagged and what not.
BR,
Metod
 
Dude2048
newbie
Posts: 39
Joined: Thu Sep 01, 2016 4:04 pm

Re: VLAN CCR to CRS 328

Sat May 18, 2019 2:24 pm

Basically what works for me;

CCR
/interface vlan
add interface=ether5 name=ether5Vlan99 vlan-id=99
add interface=ether5 name=ether5Vlan100 vlan-id=100
add interface=ether5 name=ether5Vlan200 vlan-id=200
add interface=ether5 name=ether5Vlan300 vlan-id=300
Patch between "ether5 CCR" - "ether1 CRS328"

CRS 328
/interface bridge port
add bridge=Bridge interface=ether1
add bridge=Bridge interface=ether2
add bridge=Bridge interface=ether3
add bridge=Bridge interface=ether4
add bridge=Bridge interface=ether5
add bridge=Bridge interface=ether6

/interface bridge vlan
# add and untag bridge-interface on CCR if that is your management
add bridge=Bridge tagged=ether1,ether2,ether3,ether5,ether5,ether6 vlan-ids=99
add bridge=Bridge tagged=ether1,ether2,ether3,ether5,ether5,ether6 vlan-ids=100
add bridge=Bridge tagged=ether1,ether2,ether3,ether5,ether5,ether6 vlan-ids=200
add bridge=Bridge tagged=ether1,ether2,ether3,ether5,ether5,ether6 vlan-ids=300
Security is not implemented in the example, but this should get you going.
