arkamax
just joined
Topic Author
Posts: 4
Joined: Tue May 10, 2022 9:56 pm

ROS 7.2.2 - access ports won't join VLAN

Tue May 10, 2022 10:06 pm

I think I mostly got all I wanted, but there is one more thing I want to fix. I have a RB3011 with ROS 7.2.2, connected to a managed switch over port 2. The port 2 on Mikrotik is set as a trunk. I only have a single bridge (the default one). All Ethernet ports on the router are assigned to that bridge. I created VLAN 10 on port 2, an address for said VLAN interface and, with all the corresponding bits in the switch, I can access my router's VLAN address from a computer connected to the switch, which then connects to router's port 2 (where the VLAN interface is created). However, I cannot seem to make my router ports 3-10 access interfaces assigned to VLAN 10 on the router or the switch. I set PVIDs on all ports connected to the main bridge to 10, but they still won't access any of VLAN 10 addresses, including the router's internal VLAN 10 interface address (192.168.10.1). Here is the config that I used:
/interface bridge
add comment=defconf fast-forward=no name=bridge

/interface ethernet
set [ find default-name=ether1 ] name=01-WAN speed=100Mbps
set [ find default-name=ether2 ] name=02-main-switch speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] name=ether6-master speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/interface vlan
add interface=02-main-switch name=02-vlan-lan vlan-id=10

/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp-pool-lan ranges=192.168.10.100-192.168.10.254

/ip dhcp-server
add address-pool=dhcp-pool-lan authoritative=after-2sec-delay interface=02-vlan-lan lease-time=23h59m59s name=dhcp-server-lan

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=02-main-switch
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6-master pvid=10
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge ingress-filtering=no interface=ether3 pvid=10
add bridge=bridge ingress-filtering=no interface=ether4 pvid=10
add bridge=bridge ingress-filtering=no interface=ether5 pvid=10
add bridge=bridge ingress-filtering=no interface=ether7 pvid=10
add bridge=bridge ingress-filtering=no interface=ether8 pvid=10
add bridge=bridge ingress-filtering=no interface=ether9 pvid=10
add bridge=bridge ingress-filtering=no interface=ether10 pvid=10

/interface bridge vlan
add bridge=bridge tagged=02-main-switch vlan-ids=1-4094

/interface list member
add interface=02-main-switch list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether10 list=discover
add interface=01-WAN list=WAN

/ip address
add address=192.168.10.1/24 interface=02-vlan-lan network=192.168.10.0

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
I don't have ingress filtering enabled yet on ports or the bridge, wanted to sort my issues first - but any advice here would also be really appreciated.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Tue May 10, 2022 10:27 pm

A couple of issues:
  • without setting vlan-filtering=yes on bridge it doesn't do anything about VLAN tags. Which includes tagging/untagging on access ports.
  • /interface vlan
    add interface=02-main-switch name=02-vlan-lan vlan-id=10
    
    This has to be anchored to bridge interface, not to bridge member port.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROS 7.2.2 - access ports won't join VLAN

Tue May 10, 2022 10:32 pm

Just by your explanation, it seems clear that you assigned a vlan to an interface and not the bridge so your logic in expectations is OFF.
Plus, nothing will work until vlan filtering is enabled! LOL.


Try this instead (and typically, for all ports except hybrid ports, add ingress-filtering=yes), and for trunk ports --> frame-types=tagged only, and for access ports --> priority and untagged!
Your assignment vlan-ids is INCORRECT.
.........................
/interface vlan
add interface=bridge name=02-vlan-lan vlan-id=10
/interface bridge vlan
add bridge=bridge tagged=bridge,02-main-switch vlan-ids=10
I prefer manually inserting the untags so they show up on the config and an export....
/interface bridge vlan
add bridge=bridge tagged=bridge,02-main-switch, untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10

[edit: thanks mkx]
Last edited by anav on Tue May 10, 2022 11:50 pm, edited 2 times in total.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Tue May 10, 2022 10:42 pm

/interface bridge vlan
add bridge=bridge tagged=02-main-switch,bridge \
untagged=ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=10
Fixed it for ya.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROS 7.2.2 - access ports won't join VLAN

Tue May 10, 2022 11:49 pm

Much thanks!!!
 
arkamax
just joined
Topic Author
Posts: 4
Joined: Tue May 10, 2022 9:56 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 6:29 am

Thank you all very much, this is what fixed it. I spent quite a bit of time working with Cisco terminology; they don't have a bridge, and all assignments are done directly to a port, hence my mistake (well, that plus following some misguided instructions on the netz).

A few quick questions:

1. Does it really matter what PVID my trunk port is on, as long as it's set to only admit tagged frames? I would think not. IMO this setting looks like trunk port's "native VLAN" setting on a Cisco switch, and with the port set to admit only tagged frames, it's kinda moot, no?

2. In a similar manner, does it matter what bridge's PVID is set to, if it's set to only admit tagged frames? This setting appears in the web UI only when VLAN filtering is on, so I'm assuming if it's set to "admit all frames" (not only VLAN-tagged), then with PVID set to 10 it would only admit frames tagged VLAN 10 or untagged ones? Or would it consider untagged frames to be from VLAN 10 then?

3. Why do we need to explicitly add ports as untagged to a bridge VLAN, given that they should be dynamically added by their PVIDs? I saw a thread in this forum where OP said his router gave a warning about untagged ports explicitly added to a VLAN, and IIRC he chalked it up to the admit setting being set wrong (mine are at "admit only untagged and priority tagged" as you suggested). I saw this warning once (couldn't figure out an exact reason), but after some more config-fu and a reboot it didn't reappear. Things are working, so I'm going to let the warning question go for now.

4. I thought anything tied to a Mikrotik bridge port will go through CPU. From what I've read, that's somewhat discouraged - Mikrotik CPUs being relatively weak, they might be limiting performance. I just tested a quick download off the Internet (as all my heavy storage is within the same VLAN, so that is all handled inside my switch), and with around 480 Mbps throughput through the RB3011 bridge, its CPU usage drones around 32%. When I bring it to 800 Mbps throughput, CPU usage is around 47%. For comparison, loading a few ports on my switch to about 800 Mbps, its CPU barely lifts a finger. I guess I won't be doing much more than this throughput between my VLANs, given that I only have gig speeds on my wiring. I don't really mind router CPU doing the work it was designed to do, as long as it's not known to overheat or something when put under some notable load.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 9:25 am

1. Does it really matter what PVID my trunk port is on, as long as it's set to only admit tagged frames? I would think not. IMO this setting looks like trunk port's "native VLAN" setting on a Cisco switch, and with the port set to admit only tagged frames, it's kinda moot, no?
No, it doesn't matter. If port has frame-types=allow-only-vlan-tagged, then PVID parameter is ignored.

2. In a similar manner, does it matter what bridge's PVID is set to, if it's set to only admit tagged frames? This setting appears in the web UI only when VLAN filtering is on, so I'm assuming if it's set to "admit all frames" (not only VLAN-tagged), then with PVID set to 10 it would only admit frames tagged VLAN 10 or untagged ones? Or would it consider untagged frames to be from VLAN 10 then?
Similarly it doesn't matter.

3. Why do we need to explicitly add ports as untagged to a bridge VLAN, given that they should be dynamically added by their PVIDs?
It's not necessary. But it does add to readability of exported config, reader doesn't have to "add it in the head".

4. I thought anything tied to a Mikrotik bridge port will go through CPU.
Some devices (CRS3xx, select devices with switch chips RTL8367, MT7621 running ROS v7) can offload bridge operations to underlying hardware. You can verify that by running /interface bridge port print; ports that have functions offloaded will have 'H' in the flags column (the second from left). For the rest of devices, if one needs ultimate performance, it is possible to configure VLANs directly on the switch chip. However, every switch chip has slightly different configuration syntax and it's even easier to lock oneself out if entering some wrong setting. If the device's CPU has enough oomph, it's generally easier to go with bridge VLAN filtering.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 3:54 pm

I will disagree with MKX.
I really don't care that it may work and the PVID will be ignored, there are reasons for the PVID including functionality for /interface bridge vlans.....

In other words, be concise and meaningful for your config. It will be much much less confusing to yourself (you can map ports to vlans more easily) and for anybody trying to help you.
Trunk ports are trunk ports
Access ports are access ports
Hybrid ports should be the only 'tricky' port to setup.

(1) Trunk ports DO NOT have any PVID assigned on the etherport setting for /interface bridge ports!
(2) Access ports DO require PVID assignment
(3) Hybrid ports DO require PVID assignment
What should be considered optional is whether or not you add in the 'extras' ingress filtering and frame types.

Typically
(4) Trunk ports ---> ingress-filtering=yes frame-types=admit-only-tagged
(5) Access ports ---> ingress-filtering=yes frame-types=admit-priority-and-untagged
(6) Hybrid ports ---> frame-types=admit-all ( I believe this is the default )

Normally PVID is not used on the bridge, but it can be done. I personally don't see the point for 95% of the scenarios out there.

Clear communication of ones config is provided by manually adding the untagged ports to /interface bridge vlans.
Personally, I prefer to do it this way because otherwise:
a. it will not be shown on the config for an export
b. i like to cross match my vlan settings with the bridge port settings
c. it helps me troubleshoot other peoples configs when visible - more an issue with new users that implement bridge vlan filtering and being able to see what they think should be tagged and untagged is extremely beneficial.
d. personal choice for an experienced admin, but I will do it until they bury me with my MT devices. :-)

If worried about CPU buy a bigger device!!
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 9:05 pm

(1) Trunk ports DO NOT have any PVID assigned on the etherport setting for /interface bridge ports!
The problem is that it is not possible to unset/remove the pvid property on bridge ports. If left at default, then it's set to pvid=1, but it will be hidden from the exported config unless one uses the verbose property when running it. And if running the print command, it is actually shown. So one actually has to set frame-types=allow-only-tagged to make the bridge ignore the pvid setting. In this case VLAN 1 disappears from the output of the print command. Mind that the default setting is frame-types=allow-all, which makes the port a hybrid port with untagged VID 1.

And just to clear possible confusion about question #2: the bridge has a twin personality, one is "switch-like" and the other is "interface" (it allows CPU/ROS to interact with the network(s) running over the "switch-like" bridge). Properties that have the same names as those for bridge ports (under /interface/bridge/port) are about the bridge as an interface! They are not, e.g., default values for bridge ports or something like that ...
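The rules the thread converges on (mkx: vlan-filtering=yes on the bridge and the VLAN interface anchored to the bridge, with the bridge itself tagged in that VLAN; anav: trunks admit only tagged frames, access ports carry a pvid and admit only untagged/priority-tagged frames, ingress filtering on; mkx's later note that a trunk without admit-only-vlan-tagged keeps its default pvid 1 and is really a hybrid port) can be turned into a check that runs over an export. What follows is an added example written for this page, not code from any of the posters or from MikroTik: a small Python linter that parses a RouterOS export and reports those mistakes. The two embedded configs are constructed from the sections of arkamax's export (the corrected one assumes sfp1 was taken out of the bridge and keeps the ether6-master port name); the frame-types values use RouterOS's full names, admit-only-vlan-tagged and admit-only-untagged-and-priority-tagged, rather than the shorthand in the posts. Because an export omits settings left at their default, the linter insists on an explicit ingress-filtering=yes instead of assuming what the default is.

```python
import re
from collections import defaultdict

ACCESS_PORTS = ["ether3", "ether4", "ether5", "ether6-master",
                "ether7", "ether8", "ether9", "ether10"]

# Constructed sample: the relevant sections of the export arkamax posted.
ORIGINAL = """
/interface bridge
add comment=defconf fast-forward=no name=bridge
/interface vlan
add interface=02-main-switch name=02-vlan-lan vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=02-main-switch
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
""" + "".join(f"add bridge=bridge ingress-filtering=no interface={p} pvid=10\n"
              for p in ACCESS_PORTS) + """
/interface bridge vlan
add bridge=bridge tagged=02-main-switch vlan-ids=1-4094
"""

# Constructed sample: the same sections with mkx's and anav's fixes applied
# (sfp1 is assumed to have been taken out of the bridge).
CORRECTED = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=02-vlan-lan vlan-id=10
/interface bridge port
add bridge=bridge interface=02-main-switch ingress-filtering=yes \\
    frame-types=admit-only-vlan-tagged
""" + "".join(f"add bridge=bridge interface={p} pvid=10 ingress-filtering=yes "
              "frame-types=admit-only-untagged-and-priority-tagged\n"
              for p in ACCESS_PORTS) + f"""
/interface bridge vlan
add bridge=bridge tagged=bridge,02-main-switch untagged={','.join(ACCESS_PORTS)} vlan-ids=10
"""


def parse_export(text):
    """{section: [{key: value}, ...]}; joins backslash-continued lines and drops the
    '[ find ... ]' selector of 'set' lines. Values are assumed to contain no spaces."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
        elif line.startswith("/"):
            section = line
        elif line:
            line = re.sub(r"\[\s*find[^\]]*\]", "", line)
            pairs = (tok.partition("=") for tok in line.split()[1:])  # skip add/set verb
            sections[section].append({k: v for k, eq, v in pairs if eq})
    return sections


def vlan_id_set(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(text):
    """Return one finding string per problem; an empty list means clean."""
    cfg = parse_export(text)
    bridges = {b["name"] for b in cfg["/interface bridge"]}
    ports, bvlans = cfg["/interface bridge port"], cfg["/interface bridge vlan"]
    members = {p["interface"] for p in ports}
    # A port is a trunk if some bridge vlan entry lists it as tagged.
    trunks = {t for bv in bvlans for t in bv.get("tagged", "").split(",") if t and t not in bridges}
    out = []
    # mkx's first point: nothing below does anything until vlan-filtering=yes.
    for b in cfg["/interface bridge"]:
        if b.get("vlan-filtering") != "yes":
            out.append(f"bridge {b['name']}: vlan-filtering is not yes; pvid/tagged/untagged are inert")
    # mkx's second point: the routed VLAN interface sits on the bridge, and that VLAN
    # must tag the bridge itself so the CPU side sees the traffic.
    for v in cfg["/interface vlan"]:
        parent, vid = v.get("interface"), int(v.get("vlan-id", 0))
        if parent in members:
            out.append(f"vlan {v['name']}: interface={parent} is a bridge member port, not the bridge")
        elif parent in bridges and not any(bv["bridge"] == parent and vid in vlan_id_set(bv["vlan-ids"])
                                           and parent in bv.get("tagged", "").split(",") for bv in bvlans):
            out.append(f"vlan {v['name']}: no bridge vlan entry tags {parent} for VID {vid}")
    # Per-port hygiene. Exports omit values left at their default, so require an
    # explicit ingress-filtering=yes rather than guessing the default.
    for p in ports:
        name, ft, pvid = p["interface"], p.get("frame-types", "admit-all"), int(p.get("pvid", "1"))
        problems = []
        if p.get("ingress-filtering") != "yes":
            problems.append("ingress-filtering is not yes")
        if name in trunks and ft != "admit-only-vlan-tagged":
            # Any other frame-types leaves pvid (default 1) active: a hybrid port.
            problems.append(f"trunk with frame-types={ft}, so pvid {pvid} is active (hybrid port)")
        if name not in trunks and ft != "admit-only-untagged-and-priority-tagged":
            problems.append(f"access port with frame-types={ft}")
        if name not in trunks and not any(bv["bridge"] == p["bridge"] and pvid in vlan_id_set(bv["vlan-ids"])
                                          for bv in bvlans):
            problems.append(f"pvid {pvid} has no bridge vlan entry")
        if problems:
            out.append(f"port {name}: " + "; ".join(problems))
    return out


if __name__ == "__main__":
    for label, text in (("posted config", ORIGINAL), ("corrected config", CORRECTED)):
        findings = lint(text)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running it reports twelve findings for the posted config (the bridge, the VLAN interface, the trunk and nine access ports) and none for the corrected one. When applying the corrected settings to a live box, turn vlan-filtering=yes on last and from Safe Mode: once filtering is on, the CPU only sees VLANs in which the bridge itself is a member (tagged in /interface bridge vlan, or untagged through the bridge's own pvid), so a management session on any other VLAN drops. Afterwards, /interface bridge vlan print shows the dynamic (D) entries derived from each port's pvid beside the static ones, which is what anav prefers to spell out explicitly.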
 
arkamax
just joined
Topic Author
Posts: 4
Joined: Tue May 10, 2022 9:56 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 9:30 pm

You can verify that by running /interface bridge port print, ports that have functions offloaded will have 'H' in the flags column (the second from left).
Interesting, I now don't see any ports offloaded to HW - neither in CLI nor through web UI. UI says "not HW offloaded" for any port. I'm guessing it might be since they are all added to a VLAN that is serviced by the bridge, which in turn is not offloaded?
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 9:35 pm

I don't really count vlan1 as it's transparent for all intents and purposes, but it does act like the glue holding everything together.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Wed May 11, 2022 11:02 pm

You can verify that by running /interface bridge port print, ports that have functions offloaded will have 'H' in the flags column (the second from left).
Interesting, I now don't see any ports offloaded to HW - neither in CLI nor through web UI. UI says "not HW offloaded" for any port. I'm guessing it might be since they are all added to a VLAN that is serviced by the bridge, which in turn is not offloaded?

Bridge with VLAN filtering can't be HW offloaded on RB3011.
 
arkamax
just joined
Topic Author
Posts: 4
Joined: Tue May 10, 2022 9:56 pm

Re: ROS 7.2.2 - access ports won't join VLAN

Thu May 12, 2022 2:04 am


Interesting, I now don't see any ports offloaded to HW - neither in CLI nor through web UI. UI says "not HW offloaded" for any port. I'm guessing it might be since they are all added to a VLAN that is serviced by the bridge, which in turn is not offloaded?
Bridge with VLAN filtering can't be HW offloaded on RB3011.
Thanks, that explains it. You guys have been super helpful, I appreciate it.
