leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

CRS125 and simple VLAN setup problem

Fri Jun 13, 2014 12:58 pm

Hello,

I need to set up a CRS 125 switch with half the ports in VLAN1 and the other half in VLAN2. Ports in the same VLAN must be able to communicate among themselves with untagged packets but must be isolated from ports in the other VLAN. VLAN2 will have a lot of multicast traffic that could easily saturate devices in VLAN1. The CPU port should be connected to VLAN1, so I can assign an IP to eth1 and manage the CRS.

I have read some posts and the documentation and I'm still unable to get this working as if it were a classic switch with a couple of VLANs. I'm using 6.12/.13/.14/.15 with the same results.

Has anyone managed to get this simple setup working?
Thank you.
 
lordkappa
Member Candidate
Posts: 133
Joined: Wed May 16, 2012 1:53 pm
Location: Vancouver, Canada

Re: CRS125 and simple VLAN setup problem

Sun Jun 15, 2014 10:09 pm

If you're not using VLAN tags or trunking (you didn't say that you were) and only require that the 2 segments are separated, you could just set them as 2 groups with different master ports and treat them as 2 different switches; forget VLAN entirely.

Just set ports 2-12 as master-port=ether-1 and ports 14-24 master-port=ether-13. Then just apply your IP addressing to Ether-1 and away you go.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: CRS125 and simple VLAN setup problem

Mon Jun 16, 2014 2:49 pm

That's the easy way: ruling out VLANs and using just port isolation...

But even though I don't need a trunk port ATM, I may need to use different VLAN tags in the same ether port and tag packets in the servers. And of course I want them to be isolated from each other, even if they come to the same ether port.

I'm working on a configuration that seems mostly functional, I'll post the config when I'm sure it works as expected.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: CRS125 and simple VLAN setup problem

Tue Jun 17, 2014 3:46 pm

1.- Choose a master port and enslave the ports you need to be in the same switch group. Switch groups are completely isolated from each other, as if they were 2 separate switches. No port can be in more than one switch group.

/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
...
set etherN master-port=ether1

2.- Define which ports will belong to each VLAN. Link the switch1-cpu port to one VLAN to be able to reach the switch's CPU and manage it.

/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,switch1-cpu \
    vlan-id=1
add ports=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 \
    vlan-id=2

3.- You must define "VLAN Tagging", even if no port is going to be tagged (leave tagged-ports empty). If some ports are to be tagged, define them in the rule. The ports belonging to that VLAN (as defined in 1.-) that are not listed here will be untagged. This is how the switch knows which VLAN the packet belongs to depending on which port it is going out.

/interface ethernet switch egress-vlan-tag
add vlan-id=1
add tagged-ports=ether20 vlan-id=2

4.- Define an ingress VLAN translation, so the switch knows which VLAN the packet belongs to depending on which port it comes from. Leave one independent rule for the switch1-cpu port, even if it belongs to the same VLAN as other ports: that way you won't lose management access if you need to disable and/or modify the other ports' rule.

/interface ethernet switch ingress-vlan-translation
add customer-vlan-format=untagged-or-tagged new-customer-vid=1 ports=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12 sa-learning=yes \
    service-vlan-format=untagged-or-tagged
add customer-vlan-format=untagged-or-tagged new-customer-vid=2 ports=\
    ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 \
    sa-learning=yes service-vlan-format=untagged-or-tagged
add customer-vlan-format=untagged-or-tagged new-customer-vid=1 ports=switch1-cpu sa-learning=yes \
    service-vlan-format=untagged-or-tagged

Now each port will get only the traffic it is intended for, but if you want to make sure that no VLAN traffic from VIDs not defined in the switch flows through it, set forward-unknown-vlan=no (defaults to yes).

/interface ethernet switch
set forward-unknown-vlan=no
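
A consistency check for the four steps in the post above, added here as an example and not part of the original post: it parses an export of the switch menus and reports ports whose VLAN membership, egress tagging rule and ingress translation disagree, plus a missing forward-unknown-vlan=no. The sample export is constructed (shortened to four ports), and the script assumes each port belongs to exactly one VLAN, as in the post.

```python
import re

# Constructed sample (the post's export cut to four ports); assumes one VLAN per port.
SAMPLE = r"""
/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu \
    vlan-id=1
add ports=ether3,ether4 vlan-id=2
/interface ethernet switch egress-vlan-tag
add vlan-id=1
add tagged-ports=ether4 vlan-id=2
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=1 ports=ether1,ether2
add new-customer-vid=2 ports=ether3,ether4
add new-customer-vid=1 ports=switch1-cpu
/interface ethernet switch
set forward-unknown-vlan=no
"""

def parse(export):
    """Map each switch submenu ("" for the switch itself) to its add/set key=value dicts."""
    menus, menu = {}, None
    for line in map(str.strip, re.sub(r"\\\s*\n\s*", "", export).splitlines()):
        if line.startswith("/"):
            menu = line.removeprefix("/interface ethernet switch").strip()
        elif menu is not None and line.startswith(("add ", "set ")):
            menus.setdefault(menu, []).append(dict(re.findall(r"([\w-]+)=(\S*)", line)))
    return menus

def ports(entry, key="ports"):
    return set(filter(None, entry.get(key, "").split(",")))

def audit(export):
    """Return findings where the export departs from the four steps in the post."""
    m, out = parse(export), []
    members = {e["vlan-id"]: ports(e) for e in m.get("vlan", [])}
    egress = {e["vlan-id"]: ports(e, "tagged-ports") for e in m.get("egress-vlan-tag", [])}
    ingress = {p: e["new-customer-vid"] for e in m.get("ingress-vlan-translation", []) for p in ports(e)}
    for vid, ps in members.items():
        if vid not in egress:
            out.append(f"VLAN {vid}: no egress-vlan-tag rule")
        elif egress[vid] - ps:
            out.append(f"VLAN {vid}: tagged ports outside VLAN: {sorted(egress[vid] - ps)}")
        for p in sorted(ps):
            if ingress.get(p) != vid:
                out.append(f"{p}: in VLAN {vid}, ingress maps it to VLAN {ingress.get(p)}")
    if not any(e.get("forward-unknown-vlan") == "no" for e in m.get("", [])):
        out.append("forward-unknown-vlan is not 'no'")
    return out
```

Calling audit(SAMPLE) returns an empty list; removing a port from an ingress rule or dropping the last set line produces one finding each.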
