spiketechnics
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 10:47 pm

RB3011 VLAN with HP Managed Switch

Wed Oct 06, 2021 2:02 pm

Hi,

We have installed a RB3011 with 2 bridges which are assigned to different Eth-ports.

How can we also create tagged VLAN in the network with combination of a HP Managed switch?

I want to create 3 VLANs and use them on different ports on the HP Managed switch. In the attachment I've made a simple overview of an example network.

What is the best way to do this?

Best regards,
Joost Lauwen
 
anav
Forum Guru
Posts: 8706
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB3011 VLAN with HP Managed Switch

Wed Oct 06, 2021 2:08 pm

The best way is
a. ONE bridge
b. ONE trunk port to the HP switch.

viewtopic.php?t=143620
Read, apply, come back with a config and will be happy to look at it.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
spiketechnics
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 10:47 pm

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 5:49 pm

Hi,

I've managed to create 3 VLANs on one port. When I select VLAN20 on my NIC, I'm getting the right IP-address. If no VLAN is configured the computers will get an IP-address from the BRIDGE-DHCP.

How do I configure a managed (HP J9980A) switch to use the VLANs on different ports?

Should I configure the VLAN-id on the trunk port of the switch?
 
anav
Forum Guru
Posts: 8706
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 5:58 pm

First, Network diagram to see the physical relationship between devices (ports to ports)
and the network structure Subnets/vlans.

Also post your latest config.........
 
tdw
Forum Guru
Posts: 1015
Joined: Sat May 05, 2018 11:55 am

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 6:16 pm

How do I configure a managed (HP J9980A) switch to use the VLANs on different ports?
https://support.hpe.com/hpesc/public/do ... =c04622710 pages 49-54 & 19-21. If you get the management settings wrong you will have to reset the HP switch to defaults as there is no serial console port.

Note the term 'trunk' is used differently by HP (refers to a static link-aggregation group) and Cisco/others (refers to a connection with multiple VLANs).
 
spiketechnics
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 10:47 pm

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 6:19 pm

Hi,
Network diagram and MK config.
Network-Diagram.pdf
 
anav
Forum Guru
Posts: 8706
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 6:30 pm

Which VLAN is your management VLAN? 20? 30? something else?

The HP should get an IP address on the management vlan subnet for starters!

Why is ether5 part of the bridge???

Why are ether2,3,4 members of the LAN when you already have the bridge identified as LAN.
Why isn't vlan30 also associated with LAN?

Why is this rule open to the entire internet??
add action=accept chain=input comment="Allow Remote Mgmt" log-prefix=\
    "Remote Mngment" src-address-list="Remote Mgmt"
WHERE IS in-interface-list=SOMETHING

What is the purpose of these two contradictory rules in the input chain...............
Do you not realize the second rule is meaningless and will never get matched ???????????

add action=accept chain=input comment="Allow VPN IPSEC" dst-port=\
    500,1701,4500 log-prefix=IPSEC protocol=udp

add action=accept chain=input comment=IPSCEC protocol=ipsec-esp
add action=accept chain=forward comment="Allow IPSEC out" ipsec-policy=\
out,ipsec

add action=drop chain=input comment="Block VPN IPSEC" dst-port=500,1701,4500 \
log=yes log-prefix=VPN-Block protocol=udp src-address-list=VPN-Block


Conclusion and Summary: Configuring the HP printer is the least of your concerns. Using YouTube to configure your router without understanding what you have done is the big issue here.
Reset to defaults and learn about firewall rules................
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
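An added example (not from the thread or from MikroTik) of the two review points in the post above: it parses a /ip firewall filter export, reports a later rule that an earlier terminal rule already covers, and lists input-chain accept rules with no interface match. The rule text is a constructed sample copied from the post; the function names and the simplified matching (no port ranges, no negation) are assumptions.

```python
import re
import shlex

# Constructed sample: the input-chain rules quoted in the post, in the same order.
EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="Allow Remote Mgmt" log-prefix=\
    "Remote Mngment" src-address-list="Remote Mgmt"
add action=accept chain=input comment="Allow VPN IPSEC" dst-port=\
    500,1701,4500 log-prefix=IPSEC protocol=udp
add action=accept chain=input comment=IPSCEC protocol=ipsec-esp
add action=drop chain=input comment="Block VPN IPSEC" dst-port=500,1701,4500 \
    log=yes log-prefix=VPN-Block protocol=udp src-address-list=VPN-Block
'''

# Properties that select packets (simplified: no port ranges, no "!" negation).
MATCHERS = {"protocol", "dst-port", "src-address", "src-address-list",
            "in-interface", "in-interface-list"}
TERMINAL = {"accept", "drop", "reject"}

def parse_rules(export):
    """Join backslash-continued lines; return one property dict per 'add' line."""
    joined = re.sub(r"\\\n[ \t]*", "", export)
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in joined.splitlines() if line.startswith("add ")]

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    for key in a.keys() & MATCHERS:
        if key not in b:
            return False
        if key == "dst-port":
            if not set(b[key].split(",")) <= set(a[key].split(",")):
                return False
        elif a[key] != b[key]:
            return False
    return a["chain"] == b["chain"]

def shadowed(rules):
    """(earlier, later) comment pairs where the later rule can never match."""
    return [(early.get("comment"), late.get("comment"))
            for i, late in enumerate(rules) for early in rules[:i]
            if early["action"] in TERMINAL and covers(early, late)]

def accepts_on_any_interface(rules):
    """Comments of input-chain accept rules with no in-interface(-list) match."""
    return [r.get("comment") for r in rules
            if r["chain"] == "input" and r["action"] == "accept"
            and not r.keys() & {"in-interface", "in-interface-list"}]
```

Moving the drop rule ahead of the accept rule it depends on makes shadowed() return an empty list for this sample.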
 
tdw
Forum Guru
Posts: 1015
Joined: Sat May 05, 2018 11:55 am

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 6:58 pm

The management / base VLAN is the bridge and members ether2-5 untagged, which is fine other than some people not liking hybrid over fully-tagged implementations. To match this on the HP you would add VLAN IDs 20 and 30, then assign tagged/untagged membership to the ports as required

Attaching an /interface vlan to an interface which is a member of a bridge was used before VLAN-aware bridges were implemented. It still works at the moment but future RouterOS updates may change that, especially when the bridge uses hardware switching, and is not recommended.

The downside of changing to a VLAN-aware bridge is that you lose the hardware switching between ports, it isn't clear which device you are using - the title says RB3011, which has its own issues with multiple switch chips and hardware switching, but the config posted is from an RB960PGS. Hardware switching between ports is only really relevant for wire-speed traffic between ports on the Mikrotik within the same VLAN, so may not be an issue.
 
anav
Forum Guru
Posts: 8706
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB3011 VLAN with HP Managed Switch

Tue Oct 12, 2021 7:46 pm

Hi tdw, understood all but when managing other smart devices I prefer a consistent approach
and that is to have management vlans, could use an existing trusted vlan too,
with the bridge doing nothing but bridging.

So in the OP's case I would create vlan50 to replace the bridge subnet,
add the vlan to the bridge, get rid of ether 5 by itself.

ONE bridge bridging a bunch of defined vlans,
Perhaps vlan50 can be considered also the management vlan, or else add a fourth vlan just for management.
Depends on where the OP will be logging in most of the time for admin work (which vlan).

It's much easier on smart devices to accept an incoming vlan as the management vlan in terms of switch or smart AP settings.
 
spiketechnics
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 10:47 pm

Re: RB3011 VLAN with HP Managed Switch

Wed Oct 13, 2021 12:01 am

Hi anav,

This is just a test/sample config and is used behind our "Main" Mikrotik. Some settings can be wrong, but at this moment I'm just testing the VLAN configuration. I'm testing with an RB960PGS, but want to implement this on a RB3011.

If I understand it correctly I should add multiple VLANs to port Eth and delete the bridge on this port. Only a device with VLAN configured should get an IP-address through this port.

Then my config should be, for example:

Eth5
-> VLAN 20: VoIP (192.168.20.*)
-> VLAN 30: DATA (192.168.30.*)
-> VLAN 99: Management (10.100.10.*)
 
anav
Forum Guru
Posts: 8706
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB3011 VLAN with HP Managed Switch

Wed Oct 13, 2021 12:21 am

Not quite.
I said, keep the bridge and add all the vlans to the bridge.
Then use
/interface bridge ports and
/interface bridge vlan settings as required.
To distribute the vlans to the appropriate ports.

As per this article.
viewtopic.php?t=143620

quick sample.................
/interface bridge port
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
etc.......
let's say ether 2-4,6 were attached to pcs on vlan99
add bridge=bridge interface=ether2 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
(repeat for 3,4,6)

/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=20,30
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,ether4,ether6 vlan-ids=99 (if the rest of the etherports were access ports going to dumb devices.)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
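An added example (not anav's code and not part of RouterOS): a small Python check that reads bridge port and bridge vlan lines like the sample in the post above, derives which VLANs each port carries tagged or untagged, and flags frame-types values RouterOS does not define. The config is a constructed sample with one deliberate misspelling; the function names are hypothetical.

```python
# Constructed sample modelled on the bridge commands in the post; ether2 carries a
# deliberately misspelled frame-types value so the lint has something to report.
CONFIG = """
/interface bridge port
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether2 pvid=99 frame-types=admin-only-untagged-and-priority
add bridge=bridge interface=ether3 pvid=99 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=20,30
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3 vlan-ids=99
"""

TAGGED_ONLY = "admit-only-vlan-tagged"
FRAME_TYPES = {"admit-all", TAGGED_ONLY, "admit-only-untagged-and-priority-tagged"}

def parse(config):
    """Return {menu path: [property dict per 'add' line]}."""
    menus, path = {}, None
    for line in config.strip().splitlines():
        if line.startswith("/"):
            path = line.strip()
            menus.setdefault(path, [])
        elif line.startswith("add ") and path:
            menus[path].append(dict(t.split("=", 1) for t in line.split()[1:]))
    return menus

def membership(menus):
    """Per bridge port: VLAN ids carried tagged, and the untagged VLAN (pvid) if any."""
    ports = {p["interface"]: {"tagged": set(), "untagged":
             None if p.get("frame-types") == TAGGED_ONLY else int(p.get("pvid", 1))}
             for p in menus["/interface bridge port"]}
    for v in menus["/interface bridge vlan"]:
        ids = {int(i) for i in v["vlan-ids"].split(",")}
        for port in v.get("tagged", "").split(","):
            if port in ports:
                ports[port]["tagged"] |= ids
    return ports

def lint(menus):
    """Problems in the port table that would break the intended trunk/access split."""
    problems, members = [], membership(menus)
    for p in menus["/interface bridge port"]:
        name, ft = p["interface"], p.get("frame-types", "admit-all")
        if ft not in FRAME_TYPES:
            problems.append(f"{name}: unknown frame-types {ft!r}")
        elif ft == TAGGED_ONLY and not members[name]["tagged"]:
            problems.append(f"{name}: tagged-only port is in no VLAN's tagged list")
    return problems
```

The tagged set reported for ether5 is the set of VLAN IDs the switch port facing it has to carry tagged.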
 
spiketechnics
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 10:47 pm

Re: RB3011 VLAN with HP Managed Switch

Wed Oct 13, 2021 12:28 am

I am going to test this tomorrow and let you know the outcome.

Thanks for your replies!
 
spiketechnics
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 10:47 pm

Re: RB3011 VLAN with HP Managed Switch

Wed Oct 13, 2021 5:50 pm

Hi anav,

I followed the config based on the other forum-post and I managed to add VLAN10, VLAN20 and VLAN99 (MGMT) to VLAN-BRIDGE, which is enabled on Ether5.

When I connect a laptop to this port and configure one of those VLANs, I'm getting an IP-address from the right DHCP.

Now I'm going to try to configure the HP Switch. Do I need to use TAGGED or UNTAGGED VLAN on the switchports?
