thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Completely confused about VLANs

Thu Feb 02, 2023 10:05 am

Hello,

I am new to MikroTik and currently starting with a hAP ac² (Atheros8327 switch chip).
What I want to do is create some VLANs in RouterOS but I am absolutely lost with all the different ways of configuring them.

A lot of examples create one Bridge per VLAN. However, what I understood so far is that this should be avoided on simple routers because they can only handle a single bridge via hardware offloading.

So the next way is to configure a single bridge and to connect all VLANs to this single bridge. For my current understanding this should run fine with activated "Hardware Offloading".
This seems also to be used in the example at https://help.mikrotik.com/docs/display/ ... LANrouting where also my switch chip Atheros8327 is mentioned.

I also found the way about configuring VLANs in the "Switch" menu of RouterOS. One tutorial I have seen tells that this is an old way of configuring it and it shall not be used anymore. However, on https://help.mikrotik.com/docs/display/ ... switchchip exactly this is done.
Is MikroTik only going the "Switch menu" way in this example because only a Switch and not a Router shall be configured in the example?

As you can see, I am really confused.
  • Shall I configure the VLANs via the Switch menu in my hAP ac² or will using a single Bridge with hardware offloading activated reach the same performance on the hAP ac²?
  • What is the difference between using the Switch menu and using the configuration directly on a Bridge?
  • Is the Switch menu only a simplified configuration option for the case that only switching (without routing) is the use-case and for more complex scenarios (with routing) a bridge with HW-Offloading shall be used? But if so, what is the difference of using the Switch menu and binding this switch to the CPU port for additional routing capability?
If important: My device currently runs under the latest version of RouterOS 6. (Would there be any benefit or drawback with an upgrade to RouterOS 7?)

Thanks a lot in advance,

Thomas
 
ConradPino
Member
Posts: 337
Joined: Sat Jan 21, 2023 12:44 pm

Re: Completely confused about VLANs

Fri Feb 03, 2023 7:40 am

Hi Thomas,

IMO you know more already than you're giving yourself credit. Sharing your privacy redacted exported configuration can help us better help you.

I favor "Inter-VLAN routing" path (single bridge with hardware offload option) as it has options for CPU process like fancy routing or firewall rules.
Some value devices can't route (Layer 3) at wire speed and use cases where firewall is unwanted will benefit from a switch level (Layer 2) solution.
The full answer to your questions is that it depends upon your exact requirements and the compromises that must be made to fulfill them.

Best regards,
Conrad
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Completely confused about VLANs

Fri Feb 03, 2023 8:58 am

Here are some to read:

viewtopic.php?t=143620

viewtopic.php?t=171307

Here you see my struggle to learn:
viewtopic.php?f=2&t=138232


Last edited by Jotne on Sun Feb 12, 2023 9:49 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Completely confused about VLANs

Fri Feb 03, 2023 9:07 am

We've all been there :lol:

Bridge VLAN is for most the way to go.

The links Jotne provided are very good material. Be careful, it might take you more than one read to understand how it should be working.
Also, examples in that first link were made with ROS6 as base (Wifiwave 2 wasn't even there yet for ROS), things can be slightly different in ROS7 (which does not mean the concept changed, just some commands or settings).

For what I need, especially that first reference helped me a lot.
But you have to apply patience and a bit of a flexible mind when something doesn't work from the first attempt.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Completely confused about VLANs

Fri Feb 03, 2023 10:07 am

> If important: My device currently runs under the latest version of RouterOS 6. (Would there be any benefit or drawback with an upgrade to RouterOS 7?)
I have only a hEX S (RB760iGS based on MT7621 Soc with CPU and switch ASIC) so I use v7 and the vlan-filtering bridge.
For the hAP ac² with the Atheros8327, I don't think there is currently hardware support for vlan-filtering bridge, even in v7. So if you want the best performance (why not?) then using the config in the first link you posted (which uses bridge, but then configures vlans using the switch chip) is the way to go. Note that the main difference between the two links you posted, is that in the first the CPU is "connected" to both vlans on the switch chip, where in the second the device is configured only as a switch, and there is only a single vlan "connected to the switch".

From first link: Note both vlan 10 and 20 are "connected" to the vlan interfaces in the CPU. This allows the CPU to route between vlans the switch-ports are connected to.
Add each port to the VLAN table and allow these ports to access the CPU in order to make DHCP and routing work:

/interface ethernet switch vlan
add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=20
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
----------
Where in the second link: Note only a single vlan interface is created (MGMT) and that is the only vlan with a "connection" to the CPU's vlan interface.
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Completely confused about VLANs

Fri Feb 03, 2023 5:28 pm

Be aware that if you only have one [bridge/switch]-port in each configured vlan, then the traffic between the ports will need to be routed. And if the traffic is routed, then it is going through the CPU anyway, so whether the vlans are hw offloaded or not isn't going to make a measurable difference in performance.

But if you have multiple ports that are in the same vlan, then it doesn't need to be routed, and you will see a difference in performance if it is switched by the switch ASIC vs being "bridged in software" by the CPU.

I know of no downside to configuring it so the switch chip is handling the vlan operations even when the CPU is involved, other than the configuration complexity. The "advantage" of using the vlan-filtering bridge is that it is the new "standard" way to do things, and if you then move the config to another device there will be fewer changes. But on the hAP ac², if you use the vlan-filtering bridge setup, the "switch like" behavior will all be done in software on the CPU, and it will not be as fast (and will use more CPU if you have multiple ports in the same vlan).
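Added example, not part of any post in this thread: a small Python audit of the two switch-chip VLAN tables quoted above, reporting per VLAN whether `switch1-cpu` is a member (so the router CPU, and with it routing, DHCP and management services, is reachable from that VLAN) and whether two or more ports share the VLAN and are switched port-to-port. The sample configs are constructed from the lines quoted in the thread; the function names and the one-`add`-per-line export format are assumptions of this example.

```python
import re

# Constructed sample: the two switch-chip VLAN tables quoted in the thread.
ROUTED = """\
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=20
"""
SWITCH_ONLY = """\
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
"""

CPU_SUFFIX = "-cpu"  # switch1-cpu is the switch chip's port towards the CPU


def parse_switch_vlans(export: str) -> dict[int, set[str]]:
    """Return {vlan-id: member ports} from a '/interface ethernet switch vlan' section."""
    table: dict[int, set[str]] = {}
    in_section = False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface ethernet switch vlan"
            continue
        if not in_section or not line.startswith("add "):
            continue
        props = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if "vlan-id" in props and "ports" in props:
            table.setdefault(int(props["vlan-id"]), set()).update(props["ports"].split(","))
    return table


def audit(export: str) -> dict[int, dict]:
    """Per VLAN: can it reach the CPU, and is any traffic switched port-to-port?"""
    report = {}
    for vid, ports in sorted(parse_switch_vlans(export).items()):
        edge = sorted(p for p in ports if not p.endswith(CPU_SUFFIX))
        report[vid] = {
            "ports": edge,
            "cpu": any(p.endswith(CPU_SUFFIX) for p in ports),  # routing/DHCP/mgmt possible
            "switched": len(edge) >= 2,  # two or more ports share the VLAN in the switch chip
        }
    return report


if __name__ == "__main__":
    for name, cfg in (("routed", ROUTED), ("switch-only", SWITCH_ONLY)):
        for vid, row in audit(cfg).items():
            print(name, vid, row)
```

VLANs reported with `cpu: True` are the ones whose traffic the router's input and forward firewall chains will actually see, so those are the VLANs to check firewall rules for.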
