Mikrotik: VLAN using a switching chip

Mikrotik equipment is rich in capabilities, but unfortunately the developers do not always manage to keep the Wiki documentation up to date: sometimes the information refers to an outdated version of RouterOS, or it leaves out small subtleties. Today I want to supplement the official Wiki a little by describing how to set up the built-in switch chip to work with VLANs. The test devices are an RB951Ui-2HnD and a CRS125-24G-1S-2HnD. Everything is done on RouterOS 6.37.1.

Introduction


There are many articles around in which VLANs are handled on the CPU (a VLAN is declared on an interface and put into a bridge). Such a setup is perfectly valid, but it consumes CPU resources, which can be very valuable. The two devices use different configuration mechanisms for the switch chip, since they differ considerably in hardware terms.

We will implement some examples from the official Wiki:

Port Based VLAN



To explain the picture: tagged packets arrive on the ether2 port (the trunk port), and untagged packets leave the ether6-ether8 ports (the access ports, i.e. the client ports).
I take the configuration from a real working device, so it will not match the picture exactly.

RB951Ui-2HnD


Configuration: tagged packets arrive on ether1 (VID: 4, 5, 6, 10, 603); VID 10 leaves ports ether2-ether4 untagged; VID 5 leaves ether5 untagged; VID 603 is not used for now; and the special port switch1-cpu accepts any packets.

First, create a switching group: set the master port on all interfaces (ether2-master by default), which hands these ports over to the switch chip.

/interface ethernet set ether1 master-port=ether2-master



Do the same for all other ports. Then, right away, attach the VLANs we need to the master port (this is how the CPU gets access to these VLANs; in effect we associate them with switch1-cpu):

/interface vlan
add interface=ether2-master \
    name=V-210 vlan-id=10
add interface=ether2-master \
   name=V-MNGR vlan-id=4
add interface=ether2-master \
    name=V-PR1 vlan-id=603
add interface=ether2-master \
   name=V-WL vlan-id=5
add arp=enabled arp-timeout=auto disabled=no interface=ether2-master \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 name=V-WLG use-service-tag=no \
    vlan-id=6



Next, set the per-port packet-handling policy: the default VLAN ID, what to drop, where to strip the tag, and where to add one:

/interface ethernet switch port
set ether1 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set ether2-master default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=5 vlan-header=always-strip vlan-mode=secure
set switch1-cpu default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled



You can read about the parameters in the Vlan table section of the Wiki.

Next, we will create a VLAN table according to which the chip will work with tags:

/interface ethernet switch vlan
add ports=ether1,ether2-master,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add ports=ether1,switch1-cpu switch=switch1 vlan-id=4
add ports=ether1,ether5,switch1-cpu switch=switch1 vlan-id=5
add ports=ether1,switch1-cpu switch=switch1 vlan-id=6
add ports=ether1,switch1-cpu switch=switch1 vlan-id=603



That's all: VLANs are now handled by the switch chip. Unfortunately, the RB951Ui-2HnD is not very capable here. For example, it cannot do a hybrid port on the chip, so for that you would have to build a pile of workarounds on the bridge.
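An added example (not from the original article or from MikroTik): a small Python audit of the switch-chip settings above. It parses the /interface ethernet switch port and /interface ethernet switch vlan lines of an export and reports ports whose vlan-mode is not secure, or whose default-vlan-id has no VLAN table entry containing the port. The sample export is constructed from this page's RB951Ui-2HnD configuration with a hypothetical misconfigured port ether9 added; the function names are this example's own.

```python
import re

# Constructed sample: switch settings taken from this page, plus one
# deliberately broken access port (ether9, hypothetical) to show a finding.
EXPORT = """\
/interface ethernet switch port
set ether1 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set ether2-master default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=5 vlan-header=always-strip vlan-mode=secure
set ether9 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set switch1-cpu default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch vlan
add ports=ether1,ether2-master,ether5,switch1-cpu switch=switch1 vlan-id=10
add ports=ether1,ether5,switch1-cpu switch=switch1 vlan-id=5
add ports=ether1,switch1-cpu switch=switch1 vlan-id=603
"""

def parse_export(text):
    """Return (ports, vlan_table) from the switch sections of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join export line continuations
    ports, table, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        props = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        props = {k: v.strip('"') for k, v in props.items()}
        if section == "/interface ethernet switch port" and line.startswith("set "):
            ports[line.split()[1]] = props
        elif section == "/interface ethernet switch vlan" and line.startswith("add "):
            table.setdefault(int(props["vlan-id"]), set()).update(props["ports"].split(","))
    return ports, table

def audit(ports, table):
    """Return (port, message) findings for weak or inconsistent port settings."""
    findings = []
    for name, p in sorted(ports.items()):
        mode = p.get("vlan-mode", "disabled")
        pvid = int(p.get("default-vlan-id", 0))
        # switch1-cpu is skipped: the page deliberately leaves it disabled.
        if mode != "secure" and name != "switch1-cpu":
            findings.append((name, f"vlan-mode={mode}: ingress port membership not enforced"))
        elif mode == "secure" and name not in table.get(pvid, set()):
            findings.append((name, f"default-vlan-id={pvid} has no VLAN table entry with this port"))
    return findings

if __name__ == "__main__":
    for port, msg in audit(*parse_export(EXPORT)):
        print(f"{port}: {msg}")
```
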

CRS125-24G-1S-2HnD


Here the switch chip is completely different and can do more, so let's proceed.

Configuration: tagged packets arrive on ether24 (VID: 4, 5, 6, 7, 16); VID 16 leaves ports ether1-ether23 untagged and VID 7 leaves them tagged (the latter is for the second example); and the special switch1-cpu port accepts any packets.

First, create a switching group: set the master port on all interfaces (ether2-master by default), which hands these ports over to the switch chip.

/interface ethernet set ether1 master-port=ether2-master

Do the same for all other ports. Then attach the VLANs we need to the master port:

/interface vlan
add interface=ether2-master \
   name=V-MNGR vlan-id=4
add interface=ether2-master \
    name=V-WL vlan-id=5
add interface=ether2-master \
    name=V-WLG vlan-id=6

Next, we will create a VLAN table according to which the chip will work with tags:

/interface ethernet switch vlan
add learn=yes ports="ether24,switch1-cpu" vlan-id=4
add learn=yes ports="ether24,switch1-cpu" vlan-id=5
add learn=yes ports="ether24,switch1-cpu" vlan-id=6
add learn=yes ports="ether1,ether2-mast\
    er,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether1\
    2,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,\
    ether22,ether23,ether24,switch1-cpu" vlan-id=7
add learn=yes ports="ether1,ether2-mast\
    er,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether1\
    2,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,\
    ether22,ether23,ether24,switch1-cpu" vlan-id=16



Next, set the per-port packet-handling policy. This chip offers more here, and each policy is configured separately.

Define the ports on which the corresponding VLAN is tagged on egress:

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,switch1-cpu vlan-id=4
add tagged-ports=ether24,switch1-cpu vlan-id=5
add tagged-ports=ether24,switch1-cpu vlan-id=6
add tagged-ports=ether24,switch1-cpu vlan-id=16



Now, the ports on which the VLAN tag is stripped from outgoing packets:

/interface ethernet switch egress-vlan-translation
add customer-vid=16 new-customer-vid=0 ports="ether1,ether2-master,ether3,ether4,ether5,ether6\
    ,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ethe\
    r16,ether17,ether18,ether19,ether20,ether21,ether22,ether23"


Literally, this reads as follows: if the VID is 16 on ports 1 to 23, set the new VID to 0 (strip the tag).

Now, the ports on which incoming packets are tagged with the VLAN:

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=16 \
    ports="ether1,ether2-master,ether3,ether4,ether5,ether6,ether7,ether8,ethe\
    r9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18\
    ,ether19,ether20,ether21,ether22,ether23"



Literally, this reads as follows: if the VID is 0 (the packet is untagged) on ports 1 to 23, set the new VID to 16 (add the tag).

That’s all.

Example 2 (Trunk and Hybrid ports)




Here we consider only the CRS125-24G-1S-2HnD; unfortunately, the RB951Ui-2HnD cannot do this on the switch chip.

Take the whole configuration from the previous example and add the following rule:

/interface ethernet switch egress-vlan-tag
add tagged-ports="ether1,ether2-master,ether3,ether4,ether5,ether6\
    ,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ethe\
    r16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24" \
    vlan-id=7
