 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

RB3011 - VLAN - Untagged

Wed Nov 23, 2022 9:56 pm

Hi,

our uplink into the network would be the SFP.
We have a bridge and all ports are in there.

Now how can I add port 5 or port 6 untagged in VLAN 100 or VLAN200?
# The bridge is created with a name only: vlan-filtering is not set here, so the
# /interface bridge vlan table further down is not enforced by this bridge.
/interface bridge
add name=BRIDGE


# Every VLAN interface except VLAN_1000 uses sfp1 as its parent, and sfp1 is also
# added as a port of BRIDGE below; only VLAN_1000 is attached to BRIDGE itself.
# NOTE(review): a VLAN interface on a bridge member port is a known source of
# layer-2 surprises in RouterOS - confirm which parent is intended.
/interface vlan
add comment=MGT interface=sfp1 name=VLAN_99 vlan-id=99
add comment=COMPANY interface=sfp1 name=VLAN_100 vlan-id=100
add comment=GAST interface=sfp1 name=VLAN_200 vlan-id=200
add comment=DMZ interface=sfp1 name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=sfp1 name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=sfp1 name=VLAN_500 vlan-id=500
add comment=LTE interface=sfp1 name=VLAN_600 vlan-id=600
add comment=BACKUP1 interface=sfp1 name=VLAN_700 vlan-id=700
add comment=BACKUP2 interface=sfp1 name=VLAN_800 vlan-id=800
add comment=PHONE interface=sfp1 name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
add comment=PRINTER disabled=yes interface=sfp1 name=VLAN_1100 vlan-id=1100
add comment=MUSIK disabled=yes interface=sfp1 name=VLAN_1200 vlan-id=1200
add comment=KAMERA disabled=yes interface=sfp1 name=VLAN_1300 vlan-id=1300
add disabled=yes interface=sfp1 name=VLAN_1400 vlan-id=1400
add disabled=yes interface=sfp1 name=VLAN_1500 vlan-id=1500
add disabled=yes interface=sfp1 name=VLAN_1600 vlan-id=1600
add disabled=yes interface=sfp1 name=VLAN_1700 vlan-id=1700


# Switch ports are addressed by item number, so the physical port behind each
# number is not visible in this excerpt - TODO confirm with print.
# vlan-mode=secure makes the switch chip drop frames whose VLAN ID is missing
# from /interface ethernet switch vlan or whose ingress port is not a member.
# default-vlan-id plus vlan-header=always-strip is the access-port form:
# untagged ingress is assigned that VLAN ID and the tag is removed on egress.
/interface ethernet switch port
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 default-vlan-id=1000 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=1000 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 8 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure

/interface list
add name=WAN
add name=VLAN
add name=LAN

# No pvid is given on any port, so on the bridge side none of them is an access
# port for VLAN 100 or 200.
# NOTE(review): per the RouterOS documentation, frame-types (and pvid) are only
# evaluated when vlan-filtering=yes on the bridge - verify for this version.
/interface bridge port
add bridge=BRIDGE interface=ether5
add bridge=BRIDGE interface=ether6
add bridge=BRIDGE interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether9
add bridge=BRIDGE interface=sfp1
add bridge=BRIDGE interface=ether8

# NOTE(review): use-ip-firewall-for-vlan is documented as effective only together
# with use-ip-firewall=yes, which is not set in this excerpt - confirm whether
# bridged VLAN traffic is really meant to pass through the IP firewall.
/interface bridge settings
set use-ip-firewall-for-vlan=yes

# Every row is disabled=yes, and every bridge port is listed as tagged for every
# VLAN ID, so no port is an untagged (access) member of any VLAN. Enabled as
# written, each port would carry all VLANs tagged, MGT (99) included, and the
# table would not separate them.
/interface bridge vlan
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=99
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=100
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=200
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=300
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=400
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=500
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=600
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=700
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=800
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=900
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1000
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1100
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1200
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1300
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1400
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1500
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1600
add bridge=BRIDGE disabled=yes tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 vlan-ids=1700

/interface detect-internet
set internet-interface-list=WAN wan-interface-list=WAN

# 802.1X supplicant on WAN1; WAN1 is not defined in this excerpt, and no
# credential other than the identity appears in it.
# NOTE(review): eap-mschapv2 is listed on its own, i.e. not inside a TLS tunnel
# (eap-peap / eap-ttls) - confirm this is what the authenticator requires.
/interface dot1x client
add eap-methods=eap-mschapv2 identity=user1 interface=WAN1

# The switch-chip VLAN table exists for switch2 only and covers VLAN IDs 1000,
# 99 and 100. ether5 and sfp1 appear in none of the rows, and VLAN 200 has no
# row at all, so a port in vlan-mode=secure has no table entry to match for them.
/interface ethernet switch vlan
add independent-learning=yes ports=switch2-cpu,ether6,ether7,ether8,ether9 switch=switch2 vlan-id=1000
add independent-learning=yes ports=switch2-cpu,ether6,ether7,ether8,ether9 switch=switch2 vlan-id=99
add independent-learning=yes ports=switch2-cpu,ether6,ether7,ether8,ether9 switch=switch2 vlan-id=100

# WAN1, WAN2 and WAN3_LTE are not defined in this excerpt. The disabled
# VLAN_1400-VLAN_1700 interfaces are not members of the VLAN list.
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN3_LTE list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add interface=VLAN_1100 list=VLAN
add interface=VLAN_1200 list=VLAN
add interface=VLAN_1300 list=VLAN

 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB3011 - VLAN - Untagged

Wed Nov 23, 2022 10:17 pm

You have an interesting mix of settings, /interface bridge vlan rows do not correspond to /interface ethernet switch vlan rows.

If you had vlan-filtering set to yes, to change ether5 to access port to VLAN 100, you would
  • remove ether5 from the tagged list for vlan-ids=100 in /interface bridge vlan
  • set pvid to 100 on the row for interface=ether5 in /interface bridge port
If you want to use vlan filtering in hardware, you have to
  • add ether5 to the ports list on the row for vlan-id=100 under /interface ethernet switch vlan
  • set default-vlan-id to 100 for ether5 in /interface ethernet switch port
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: RB3011 - VLAN - Untagged

Thu Nov 24, 2022 9:21 am

I tested a lot, hence the chaos.

I thought the 3011 with the chipset QCA8337 doesn't work with VLAN filtering?
https://help.mikrotik.com/docs/display/ ... NFiltering
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB3011 - VLAN - Untagged

Thu Nov 24, 2022 9:43 am

On 8337, vlan-filtering=yes disables "hardware accelerated bridging", i.e. direct forwarding of traffic among the switch chip ports without involving the CPU. It's not clear from your OP whether you are interested in switch chip forwarding.
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: RB3011 - VLAN - Untagged

Thu Nov 24, 2022 9:55 am

I always prefer hardware. That's faster than software, isn't it?
That means I can't turn on VLAN filtering for hardware VLAN, right?

or what would you recommend to me?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB3011 - VLAN - Untagged

Thu Nov 24, 2022 12:27 pm

Forwarding in hardware is definitely faster than forwarding in software; the question is whether you indeed have a significant amount of traffic that is forwarded between devices in the same VLAN. If not, i.e. if most of the traffic is routed from one VLAN to another or between the VLANs and the internet, it doesn't matter much whether L2 forwarding is done in hardware or software because to get routed, the packets must get to the CPU anyway. On the other hand, if you do have a lot of traffic within the same VLAN, a device whose primary function is switching may be a better choice for you than the 3011.

The vlan-filtering setting of the bridge is in fact necessary to allow tagging on ingress and untagging on egress on the software bridge and other functionality (like MSTP); vlan handling on the switch chip, as controlled in the /interface ethernet switch configuration subtree, may be sufficient if you don't care about STP, port isolation/horizon and other advanced functions the 8337 cannot handle.

So to recommend something, I need to know your traffic pattern and functional requirements.
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: RB3011 - VLAN - Untagged

Sun Nov 27, 2022 12:51 pm

We usually have little traffic between the individual VLANs.

But it can happen that we take the backup from a server into its own VLAN, for example. Then we have several terabytes of data between the VLANs. So I would like to do it right with the hardware.
That means I have to switch on VLAN-filtering in the 3011 and set it up

add ether5 to the ports list on the row for vlan-id=100 under /interface ethernet switch vlan
set default-vlan-id to 100 for ether5 in /interface ethernet switch port
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB3011 - VLAN - Untagged

Sun Nov 27, 2022 1:51 pm

But it can happen that we take the backup from a server into its own VLAN, for example. Then we have several terabytes of data between the VLANs. So I would like to do it right with the hardware.

This is a case for routing (L3), and no amount of VLAN (L2) offloading will help.
Switch chip offloading (which does L2) would help if your backup server were in the same VLAN as the devices performing backups ... but connected to a different ethernet port.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB3011 - VLAN - Untagged

Sun Nov 27, 2022 2:15 pm

Before venturing into configuration of vlan filtering by switch chip, make sure you create a backup of your current configuration in the non-volatile part of the disk of the router (I don't know whether 3011 has a flash/ partition or whether all files survive reboot) and download it to an external storage. The thing is that you may have to tinker also with the cpu-facing ports of the switch "chips" (at least one of them may actually be a functional block of an SoC), and if you break something there, you cut the network access to the CPU. And after reset to factory default configuration, you can restore the backup from the internal disk. As you have a 3011, it is highly recommended to only tamper with one switch chip at a time (which is a luxury that is not available on 5-port devices with 8337 chips), or to configure and test console access (directly to the RJ-45 serial port or via an USB-to-serial adaptor) in advance.

Why I mention all this is that I don't remember whether you can keep the CPU-facing port of the switch chip in its default configuration or whether you must change its vlan-mode. I also hazily remember that tagless frames did get tagged with VID 0, not 1, on ingress through the switch chip ports if no default-vlan-id value was set, so you had to make the CPU-facing port, as well as the other ports through which the "bridge" interface should be accessible tagless, members of VLAN 0. Without vlan-filtering=yes on the bridge, the ability of the bridge (as in "virtual switch") to tag and untag frames while forwarding them is disabled, so you do need tagless frames to be forwarded between the physical ports and the CPU port "tagless" (actually, tagged with VID 0, which is a special treatment) if you want to attach the IP configuration directly to the bridge (as in "virtual switch facing port of the router").

But maybe @mkx has understood you better than me? I was reading "backup from a server into its own VLAN" as if both the source and the destination of the backup file were in the same VLAN; as you have also mentioned terabytes of data between VLANs, I'm now in doubt which of the two statements is correct?
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB3011 - VLAN - Untagged

Sun Nov 27, 2022 7:07 pm

You didn't provide the full config.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: RB3011 - VLAN - Untagged

Wed Nov 30, 2022 10:36 pm

You didnt provide the full config.........
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
I thought you shouldn't do that at all. Why should you do that?
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: RB3011 - VLAN - Untagged

Wed Nov 30, 2022 10:40 pm

Before venturing into configuration of vlan filtering by switch chip, make sure you create a backup of your current configuration in the non-volatile part of the disk of the router (I don't know whether 3011 has a flash/ partition or whether all files survive reboot) and download it to an external storage. The thing is that you may have to tinker also with the cpu-facing ports of the switch "chips" (at least one of them may actually be a functional block of an SoC), and if you break something there, you cut the network access to the CPU. And after reset to factory default configuration, you can restore the backup from the internal disk. As you have a 3011, it is highly recommended to only tamper with one switch chip at a time (which is a luxury that is not available on 5-port devices with 8337 chips), or to configure and test console access (directly to the RJ-45 serial port or via an USB-to-serial adaptor) in advance.

Why I mention all this is that I don't remember whether you can keep the CPU-facing port of the switch chip in its default configuration or whether you must change its vlan-mode. I also hazily remember that tagless frames did get tagged with VID 0, not 1, on ingress through the switch chip ports if no default-vlan-id value was set, so you had to make the CPU-facing port, as well as the other ports through which the "bridge" interface should be accessible tagless, members of VLAN 0. Without vlan-filtering=yes on the bridge, the ability of the bridge (as in "virtual switch) to tag and untag frames while forwarding them is disabled, so you do need tagless frames to be forwarded between the physical ports and the CPU port "tagless" (actually, tagged with VID 0, which is a special treatment) if you want to attach the IP configuration directly to the bridge (as in "virtual switch facing port of the router").

But maybe @mkx has understood you better than me? I was reading "backup from a server into its own VLAN" as if both the source and the destination of the backup file were in the same VLAN; as you have also mentioned terabytes of data between VLANs, I'm now in doubt which of the two statements is correct?
Thank you for your detailed answer. :D
Why doesn't MikroTik itself provide this, just 2-3 examples per device? Wouldn't it be easier if there were a site where you could download 2-3 examples PER device?
I'll test it myself now. But it's always so difficult.
RJ45 cable on console with test device everything is there.
 
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: RB3011 - VLAN - Untagged

Thu Dec 01, 2022 2:28 pm

Just do vlan filtering; it works and is simple to set up. Then, if you are unhappy with the performance, look at alternatives, but I doubt that once it's up and running you would want to switch (haha, pun intended).

And yes, if folks here ask for the config they mean the complete config minus the serial number of the router and any public WANIP information.
If you don't want to, then ask the person who is advising otherwise to help you, as there are others requiring assistance who understand how to cooperate.
