kozubmat
just joined
Topic Author
Posts: 6
Joined: Mon Aug 12, 2019 8:51 pm

VLAN setup RB4011 CRS112

Sun Sep 18, 2022 2:17 pm

Hi!
I have RB4011 and CRS112 connected with SFP.

On RB4011 I've configured bridge vlans with DHCP:

RB4011:
...
/ip dhcp-server
add address-pool=172.16.30.0 disabled=no interface=hq_bridge_vlan30 name=\
vlan30_172.16.30.0
add address-pool=172.16.20.0 disabled=no interface=hq_bridge_vlan20 name=\
vlan20_172.16.20.0
...
/interface bridge port
add bridge=HQ_BRIDGE interface=sfp_vlan20 pvid=20
add bridge=HQ_BRIDGE interface=sfp_vlan30 pvid=30
...
/ip address
add address=172.16.30.1/24 comment=vlan_30_iot interface=hq_bridge_vlan30 \
network=172.16.30.0
add address=172.16.20.1/24 comment=vlan_20_data interface=hq_bridge_vlan20 \
network=172.16.20.0
...
/interface vlan
add interface=sfp-sfpplus1 name=sfp_vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=sfp_vlan30 vlan-id=30
...
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
...
/interface bridge vlan
add bridge=HQ_BRIDGE comment="VLAN IOT" tagged=HQ_BRIDGE,sfp_vlan30 untagged=\
wlan1_vlan30_IoT vlan-ids=30
add bridge=HQ_BRIDGE comment="VLAN DATA" tagged=HQ_BRIDGE,sfp_vlan20 \
untagged="wlan1_vlan20_DATA,wlan2_vlan20_DATA,ether2,ether3,ether4,ether1,\
eth10_vlan_20" vlan-ids=20
CRS112
/interface bridge
add name=bridge vlan-filtering=yes
...
/interface vlan
add interface=bridge name=bridge_vlan20 vlan-id=20
add interface=bridge name=bridge_vlan30 vlan-id=30
add interface=sfp12 name=sfp12_vlan20 vlan-id=20
add interface=sfp12 name=sfp12_vlan30 vlan-id=30
...
/interface bridge port
add bridge=bridge interface=sfp12_vlan20 pvid=20
add bridge=bridge interface=bridge_vlan20 pvid=20
add bridge=bridge interface=sfp12_vlan30 pvid=30
add bridge=bridge interface=bridge_vlan30 pvid=30
...
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge tagged=sfp12_vlan20,bridge vlan-ids=20
add bridge=bridge tagged=sfp12_vlan30,bridge vlan-ids=30
...
/ip dhcp-client
add disabled=no interface=bridge_vlan20
add disabled=no interface=bridge_vlan30
The case is:
When I have both sfp.X interfaces on the 4011, only ONE VLAN (20 OR 30) works with proper communication on the CRS112 side. I missed something, but I don't know where.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 2:33 pm

Your rb4011 setup seems whacked.........

1. Define vlans to interface bridge
2. Each vlans gets its ip pool, dhcp-server, dhcp-server-network, IP address
3. /interface bridge port settings trunk port if carrying vlans, access port if going to dumb devices that cannot read tags (such as wlans if it's a wifi router, as traffic is going to wifi devices)
4. /interface bridge vlan settings to match. (meaning where are the wlans on the bridge port ??)

5. All smart devices should get an IP address on a trusted LAN, if there is no trusted LAN, then consider creating a management vlan.
6. Don't play with bridge settings unless you are an expert and based on the config, FAR from it. So delete all this unless you have a specific reason!!!
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes


The CRS well no clue what you are doing really as it seems you continue on a whacked config.
Now I see your intent was to clearly have two vlan20s and two vlan30s working together in some sort of mixed bag of moldy potato schnapps.

It seems you are making up new ways on how networking is supposed to happen or are a genius in networking..... I don't know enough to state either way.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So what are the user requirements..........don't care about the config at this point.
Identify users and groups of users and what traffic must they have.......
a network diagram will help as well.
 
kozubmat
just joined
Topic Author
Posts: 6
Joined: Mon Aug 12, 2019 8:51 pm

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 3:17 pm

Thanks for the reply!

ad1)
It's already added, missed that before on the 4011:
/interface bridge port
add bridge=HQ_BRIDGE interface=sfp_vlan20 pvid=20
add bridge=HQ_BRIDGE interface=sfp_vlan30 pvid=30
add bridge=HQ_BRIDGE interface=hq_bridge_vlan30 pvid=30
add bridge=HQ_BRIDGE interface=hq_bridge_vlan20 pvid=20
ad2)
Yes, it's already done and it's working - over wifi I can reach the different SSIDs made for separate VLANs.
ad3)
I know that, but can you tell me: if I have a bridge with multiple VLANs in it (see attachments), does the bridge VLAN have to be trunked on the bridge itself or not? For the access/trunk ports/interfaces it's clear to me.
ad4)
please check attachments
ad5)
I have another mgmt VLAN on another bridge
ad6)
The bridge firewall is set up for inter-VLAN traffic (IoT and data), but currently there are no rules.


EDIT:
The goal is to get working connectivity on the switch on both VLAN 20 and 30.
Currently, if I shut down one sfp.X interface on the 4011, I have connectivity with a proper DHCP address on the other VLAN.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 4:55 pm

I cannot help a moving target.
Provide a network diagram that at least shows the ports being used to connect the devices and what vlans are flowing through them etc.
Also a full config /export minus any wanip info or serial number.
 
kozubmat
just joined
Topic Author
Posts: 6
Joined: Mon Aug 12, 2019 8:51 pm

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 6:29 pm

Software on both devices: 6.49.6

RB4011 config
/interface bridge
add comment=MAIN name=HQ_BRIDGE \
vlan-filtering=yes
add comment="MGMT Bridge" name=MGMT-BR-V50 pvid=50 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
1000M-full,2500M-full,5000M-full,10000M-full auto-negotiation=no comment=\
DOWNLINK rx-flow-control=auto speed=1Gbps tx-flow-control=auto

/interface vlan

add comment="voip vlan" interface=HQ_BRIDGE name=hq_bridge_vlan10 vlan-id=10
add comment="data vlan" interface=HQ_BRIDGE name=hq_bridge_vlan20 vlan-id=20
add comment="iot vlan" interface=HQ_BRIDGE name=hq_bridge_vlan30 vlan-id=30
add interface=sfp-sfpplus1 name=sfp_vlan10 vlan-id=10
add interface=sfp-sfpplus1 name=sfp_vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=sfp_vlan30 vlan-id=30
add interface=sfp-sfpplus1 name=sfp_vlan50 vlan-id=50
add comment="mgmt vlan" interface=MGMT-BR-V50 name=vlan50 vlan-id=50

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=WAN_INTERFACES name=WAN
add comment="VLAN with full access" name=VLAN_FULL_ACCESS
add comment="MGMT INTER LIST" name=MGMT
add comment="VLAN with limited ACCESS" exclude=VLAN_FULL_ACCESS name=\
VLAN_LIMITED_ACCESS
add comment="VIRTUAL INTERFACES" include=VLAN_FULL_ACCESS,VLAN_LIMITED_ACCESS \
name=VLAN
add comment=LAN_INTERFACES exclude=WAN include=VLAN,MGMT name=LAN
/interface wireless security-profiles

/ip pool
add name=10.10.10.0 ranges=10.10.10.2-10.10.10.254
add name=172.16.30.0 ranges=172.16.30.6-172.16.30.254
add name=172.16.20.0 ranges=172.16.20.200-172.16.20.254
add name=172.16.10.0 ranges=172.16.10.6-172.16.10.20

/ip dhcp-server
add address-pool=10.10.10.0 disabled=no interface=MGMT-BR-V50 name=\
MGMT_10.10.10.0
add address-pool=172.16.30.0 disabled=no interface=hq_bridge_vlan30 name=\
vlan30_172.16.30.0
add address-pool=172.16.20.0 disabled=no interface=hq_bridge_vlan20 name=\
vlan20_172.16.20.0
add address-pool=172.16.10.0 disabled=no interface=hq_bridge_vlan10 name=\
vlan10_172.16.10.0


/interface bridge port

add bridge=MGMT-BR-V50 comment="ACCESS;;;vlan50;;;mgmt" interface=ether8 \
pvid=50
add bridge=HQ_BRIDGE interface=sfp_vlan20 pvid=20
add bridge=MGMT-BR-V50 interface=sfp_vlan50 pvid=50
add bridge=HQ_BRIDGE interface=sfp_vlan30 pvid=30
add bridge=HQ_BRIDGE interface=hq_bridge_vlan30 pvid=30
add bridge=HQ_BRIDGE interface=hq_bridge_vlan20 pvid=20

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=HQ_BRIDGE comment="VLAN IOT" tagged=HQ_BRIDGE,sfp_vlan30 untagged=\
wlan1_vlan30_IoT,hq_bridge_vlan30 vlan-ids=30
add bridge=HQ_BRIDGE comment="VLAN DATA" tagged=HQ_BRIDGE,sfp_vlan20 \
untagged="wlan1_vlan20_DATA,wlan2_vlan20_DATA,ether2,ether3,ether4,ether1,\
eth10_vlan_20,hq_bridge_vlan20" vlan-ids=20
add bridge=HQ_BRIDGE comment="VLAN VOIP" tagged=\
eth10_vlan_10,sfp_vlan10,BOND_eth6_eth7_vlan10_voip vlan-ids=10
add bridge=MGMT-BR-V50 comment="VLAN MGMT" untagged=\
sfp_vlan50,eth10_vlan_50,MGMT-BR-V50 vlan-ids=50

/interface ethernet switch vlan
add independent-learning=no ports=ether10_AP switch=switch2 vlan-id=20
/interface l2tp-server server
set ipsec-secret=vpn use-ipsec=yes

/ip address
add address=10.10.10.1/24 comment=MGMT_LOCAL interface=MGMT-BR-V50 network=\
10.10.10.0
add address=172.16.30.1/24 comment=vlan_30_iot interface=hq_bridge_vlan30 \
network=172.16.30.0
add address=172.16.20.1/24 comment=vlan_20_data interface=hq_bridge_vlan20 \
network=172.16.20.0
add address=172.16.50.1/24 comment=vlan_50_mgmt interface=vlan50 network=\
172.16.50.0
add address=172.16.10.1/24 comment=vlan_10voice interface=hq_bridge_vlan10 \
network=172.16.10.0

/ip service
set telnet address=172.16.20.0/24,10.10.10.0/24
set ftp address=172.16.20.0/24,10.10.10.0/24
set www address=172.16.20.0/24,10.10.10.0/24
set ssh address=172.16.20.0/24,10.10.10.0/24
set www-ssl address=172.16.20.0/24,10.10.10.0/24 disabled=no
set api address=172.16.20.0/24,10.10.10.0/24
set winbox address=172.16.20.0/24,10.10.10.0/24,10.2.0.0/29
set api-ssl address=172.16.20.0/24,10.10.10.0/24
/ip smb
set interfaces=hq_bridge_vlan20
/ip traffic-flow
set cache-entries=1M
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=HQ_BRIDGE type=internal
add interface=ether1 type=external
CRS112 config:
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp9 ] auto-negotiation=no disabled=yes
set [ find default-name=sfp10 ] auto-negotiation=no disabled=yes
set [ find default-name=sfp11 ] auto-negotiation=no disabled=yes
set [ find default-name=sfp12 ] auto-negotiation=no comment=UPLINK
/interface vlan
add interface=bridge name=bridge_vlan20 vlan-id=20
add interface=bridge name=bridge_vlan30 vlan-id=30
add interface=sfp12 name=sfp12_vlan20 vlan-id=20
add interface=sfp12 name=sfp12_vlan30 vlan-id=30
add interface=sfp12 name=sfp12_vlan50 vlan-id=50
/interface list
add include=static name=TRUNK
add exclude=static include=static name=ACCESS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge disabled=yes interface=sfp12
add bridge=bridge interface=ether3
add bridge=bridge interface=sfp12_vlan20 pvid=20
add bridge=bridge interface=bridge_vlan20 pvid=20
add bridge=bridge interface=sfp12_vlan30 pvid=30
add bridge=bridge interface=bridge_vlan30 pvid=30
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge tagged=sfp12_vlan20,bridge vlan-ids=20
add bridge=bridge tagged=sfp12_vlan30,bridge vlan-ids=30
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp12 vlan-id=20
add tagged-ports=sfp12 vlan-id=10
add tagged-ports=sfp12 vlan-id=30
add tagged-ports=switch1-cpu,sfp12 vlan-id=50
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether2
add customer-vid=0 new-customer-vid=30 ports=ether3
/interface ethernet switch vlan
add ports=ether2,sfp12 vlan-id=20
add ports=ether3,sfp12 vlan-id=30
add ports=switch1-cpu,sfp12 vlan-id=50
/interface list member
add interface=sfp10 list=TRUNK
add interface=sfp12 list=TRUNK
add interface=sfp9 list=TRUNK
add interface=sfp11 list=TRUNK
/ip dhcp-client
add disabled=no interface=ether1
add disabled=no interface=sfp12_vlan50
add disabled=no interface=bridge_vlan20
add disabled=no interface=bridge_vlan30
/system clock
set time-zone-name=Europe/Warsaw
Network diagram:
Attachment


All I want is to get an IP address on each VLAN on the switch from the RB4011 DHCP.

Currently, with the above config, I cannot obtain an IP on the CRS on VLAN 20 and 30 simultaneously.
If I bring down SFP.20 on the RB4011, I obtain a DHCP address on the CRS on VLAN 30; VLAN 20 cannot obtain an address from DHCP.
If I bring down SFP.30 on the RB4011, I obtain a DHCP address on the CRS on VLAN 20; VLAN 30 cannot obtain an address from DHCP.

After reboot I only obtain an IP on VLAN 20 on the CRS, while VLAN 30 cannot obtain an address.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 6:51 pm

Last post, you are mixing up etherports and bridge and vlans in such a mess.........
Where did you learn about bridge and vlan filtering???????
You should have started here ---> USE THE LINK PROVIDED AT PARA C. - viewtopic.php?t=182373

ONE BRIDGE
ALL VLANS identified with interface of the BRIDGE
Define vlans with IP address, pool, dhcp server, dhcp server network.

/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10,20,30,50

DONE! Easy! Clean!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CRS

On the switch you don't need to identify any VLANS except the management vlan as that is used by the switch for its IP address.
/interface vlan
add interface=bridge-switch name=sfp12_vlan50 vlan-id=50

NO IP pool, no dhcp server, no dhcp-server network.
Only need ONE IP Address on the switch and that is assigned to the vlan manually.

/ip address
add address=10.10.10.X/24 interface=sfp12_vlan50

/interface list
add name=management
/interface list member
add interface=sfp12_vlan50 list=management

/ip neighbor discovery-settings
set discover-interface-list=management

/ip dns
set allow-remote-requests=yes servers=10.10.10.1 comment="dns through trusted subnet gateway"

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.10.1 comment="ensures route avail through trusted subnet gateway"

/system ntp client servers (if you use NTP)
add address=10.10.10.1

/tool mac-server mac-winbox
set allowed-interface-list=management

/interface bridge port
add bridge=bridge-switch interface=sfp12 ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridge-switch tagged=bridge-switch,sfp12 vlan-ids=10,20,30,50

To finish the CRS assignments for /interface bridge vlan, you would need to detail
a. which ports on the switch are carrying one or more data vlans and if so which vlans
b. which ports are going to dumb devices (untagged), smart devices (tagged), or hybrid devices (both)
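
An added example, not part of any post in this thread and not MikroTik's own tooling: a Python check that reads a RouterOS `/export` and flags the two patterns discussed above, VLAN interfaces used as bridge ports and pure trunk ports that still accept untagged frames. The two sample exports are constructed in the style of the configs posted here, and the rule names are hypothetical.

```python
import re

PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="quoted value"

def parse_export(text):
    """Return {menu path: [{param: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines wrapped with a trailing '\'
    sections, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            row = {k: v.strip('"') for k, v in PAIR.findall(line)}
            sections.setdefault(menu, []).append(row)
    return sections

def lint_vlan_bridge(text):
    """Return (rule, interface, detail); a parameter absent from the export is unset."""
    cfg = parse_export(text)
    vlans = {r["name"]: r for r in cfg.get("/interface vlan", []) if "name" in r}
    tagged, untagged = set(), set()
    for row in cfg.get("/interface bridge vlan", []):
        tagged |= set(row.get("tagged", "").split(","))
        untagged |= set(row.get("untagged", "").split(","))
    findings = []  # rule names below are hypothetical
    for port in cfg.get("/interface bridge port", []):
        iface = port.get("interface")
        if iface in vlans:
            v = vlans[iface]
            detail = f"vlan-id={v.get('vlan-id')} parent={v.get('interface')}"
            findings.append(("vlan-interface-as-bridge-port", iface, detail))
        elif iface in tagged and iface not in untagged and not (
                port.get("ingress-filtering") == "yes"
                and port.get("frame-types") == "admit-only-vlan-tagged"):
            detail = f"frame-types={port.get('frame-types', 'unset')}"
            findings.append(("trunk-accepts-untagged", iface, detail))
    return findings

# Constructed sample in the style of the RB4011 export posted in this thread.
MIXED = r"""
/interface vlan
add interface=HQ_BRIDGE name=hq_bridge_vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=sfp_vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=sfp_vlan30 vlan-id=30
/interface bridge port
add bridge=HQ_BRIDGE interface=sfp_vlan20 pvid=20
add bridge=HQ_BRIDGE interface=sfp_vlan30 pvid=30
add bridge=HQ_BRIDGE interface=hq_bridge_vlan20 pvid=20
add bridge=HQ_BRIDGE comment="ACCESS;;;data" interface=ether2 \
    pvid=20
/interface bridge vlan
add bridge=HQ_BRIDGE tagged=HQ_BRIDGE,sfp_vlan20 untagged=\
    ether2,hq_bridge_vlan20 vlan-ids=20
"""
# Constructed sample following the one-bridge layout from the reply above.
CLEAN = r"""
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether5 vlan-ids=20
"""

if __name__ == "__main__":
    print(lint_vlan_bridge(MIXED), lint_vlan_bridge(CLEAN))
```

Hybrid ports (tagged for one VLAN, untagged for another) are deliberately not reported by the trunk rule, since they have to accept untagged frames.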
 
kozubmat
just joined
Topic Author
Posts: 6
Joined: Mon Aug 12, 2019 8:51 pm

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 8:17 pm

Hi!
According to switch config:
I really want to get an IP address from DHCP on VLAN 20 and 30 on the switch - I want to get this IP, not as mgmt VLAN, on an interface, but through the bridge - as in my config.
I want to use this device as L2, but for training purposes as L3. That's why I want to get this connectivity working. Why is it not working properly in my config? I don't want just to configure, but to understand why.

I really know this model is not made for routing, but I want to understand how it works.

BTW:
There will be only one TRUNK (as hybrid port)- SFP12 with multiple data vlans (data + voice + iot + mgmt for ilo/idrac) and acts as an access port for CRS mgmt.

For the test let's give:
port 5 as access for VLAN20
port 6 as hybrid (trunk for vlan 10, access for vlan 20) - for example IP Phone case
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 8:53 pm

I will bite, and hybrid to iphone >> how bout a voip type phone with two ports, incoming port is hybrid, second port goes to untagged PC

If on router..
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge interface=ether6 pvid=20

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=30,50
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether6 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether5,ether6 vlan-ids=20
 
andkar
newbie
Posts: 47
Joined: Tue Aug 11, 2020 9:20 pm

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 9:22 pm

CRS112 does not support Bridge HW offloaded VLAN configuration.

VLAN configuration on CRS112 should be done on the switch, not bridge. At least if wirespeed is desired. Configuring VLAN on the bridge will give terrible performance as the CPU will have to do all the work.

See documentation: https://help.mikrotik.com/docs/pages/vi ... =103841836

Anav, didn't you copy "pcunite" CRS1-2 example config to one of your how to threads a while back? Please link to it so OP can get correct info.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup RB4011 CRS112

Sun Sep 18, 2022 10:23 pm

Yup, my advice is suitable for the RB4011, also my advice on everything else for the switch is still correct, one ip address, interface list, route etc...............

other refs: P. SWITCH CHIP VLANS
https://help.mikrotik.com/docs/display/ ... p+Features
https://help.mikrotik.com/docs/display/ ... switchchip

other refs:
https://www.youtube.com/watch?v=Rj9aPoyZOPo - Vlans using the Switch Chip
https://www.youtube.com/watch?v=rvQ6o4RfnoU - Configure Vlan on Switch Chip
https://www.youtube.com/watch?v=YLtGQAQ8iS0 - CRS3XX Step by Step



This is the CRS.... update...... It does not include hybrid ports however..........


#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CRS1xx_Switch"

#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN

#######################################
# Bridge
#######################################

# create one bridge
/interface bridge add name=BR1 protocol-mode=none

# add "all" ports to this one bridge
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
# and so on until you get to 24 ...

#######################################
# -- Access Ports --
#######################################

# ingress behavior, egress dynamically handled
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4

#######################################
# -- Trunk Ports --
#######################################

# ingress behavior
# L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=10
add ports=ether1,ether3 vlan-id=20
add ports=ether1,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99

# egress behavior
# L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99

#######################################
# VLAN Security
#######################################

# drop traffic that does not follow the above port layout
/interface ethernet switch set forward-unknown-vlan=no
