Advice RB3011 VLANS with switch chip

SamC · Mon Jul 30, 2018 12:36 am

I'm new to RouterOS, to test dedicated HW after using CHR I bought a RB3011.
I'm confused about the best way to handle this setup and the use of the two QCA 8337 switch chips.

I want to route 4 VLANS with internet access and some firewall rules, VPN... uplinked to a managed switch.

First thing that I don't know exactly how to handle with switch chip.
Internet Access: VLAN 832 and dhcp client to get public IP
Just use ETH1 as WAN:

add comment="WAN ORANGE FTTH - VLAN 832" interface=ether1 name=WAN-ORANGE-832 vlan-id=832

Then to use the ISP Router as ATA for VOIP, just set a DHCP server on VLAN 832 to the router to get access.

add comment="Set DHCP server to give the router an IP address " interface=ether10 name=VLAN-VOIP-LIVEBOX vlan-id=832

I'm getting my Public IP address of ETH1.832 and sending a dhcp 192.168.99.1/31 to ETH10.832

This are the same VLAN (but isolated) and different switch chip.

Now comes the guidance part that would be much apriecated.

The RB3011 enough ports...
I set up 4 bridges for each VLAN this way I can tag a trunk or interface to that bridge.
Let`s name them: OFFICE, SECURITY, GUEST, PUBLIC 100,200,300,400
I don't know if this is the best way but..

/interface bridge
add frame-types=admit-only-vlan-tagged igmp-snooping=yes name=OFFICE pvid=100 vlan-filtering=yes

NOTE: About the vlan-filtering on bridges (without switch chip), with it enabled got like 400-500 mbps vlan routing, with it disabled wirespeed.

For testing I'll use just two Bridges: SECURITY and OFFICE and for mixing things. ETH3 with untagged "OFFICE" and "SECURITY" tagged.
I add the VLAN 200 to the ETH3.

/interface vlan
add interface=ether3 name=VLAN_SECURITY_ETH3 vlan-id=200

Later add it to the SECURITY bridge.
I add ether6 untagged to the mix.

/interface bridge port
add bridge=OFFICE frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=SECURITY frame-types=admit-only-vlan-tagged interface=VLAN_SECURITY_ETH3 pvid=200 
add bridge=OFICINA interface=ether6 pvid=100
/interface bridge vlan
add bridge=SECURITY comment="VLAN FOR SURVEILLANCE" tagged=SECURITY,VLAN_SECURITY_ETH3 vlan-ids=200
add bridge=OFFICE comment="VLAN OFFICE" tagged=OFFICE untagged=ether3,ether6 vlan-ids=100

Then I just have DHCP server and Firewall rules to the Bridges to manage more easily what could be.

I upgraded to RC, to test LACP and add two nics and trunk the VLANS to the Switch. I want to have wirespeed to Surveillance VLAN so the two have good bandwidth, the rest would be tagged and shared. I can set this up different ways from trunks or untagged.

Then comes the use of the Switch CHIP, you can configure VLANS on different places , tagging bridges, vlan on bridges.. so I'm a little confused. And having the switch chip in conjunction with the same vlan-id for wan and a dhcp server but want both isolated.

Would be much appreciated some guidance for the best way to do things.

SamC · Thu Aug 02, 2018 3:13 pm

I'm trying to make little steps around switch chip.
Using just 1 switch chip.
I created two bridges with PVID 100 and 200
I'm using ether3 : untagged for VLAN100
tagged for VLAN 200

/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=check
set 2 default-vlan-id=100 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=\
    200
add independent-learning=yes ports=ether1 switch=switch1 vlan-id=832
add independent-learning=yes ports=switch2-cpu switch=switch2 vlan-id=200
add independent-learning=yes ports=switch1-cpu,ether3 switch=switch1 vlan-id=\
    100
add independent-learning=yes ports=switch2-cpu switch=switch2 vlan-id=100

About the bridges:

/interface bridge
add igmp-snooping=yes name=OFFICE
add name=SECURITY
/interface bridge port
add bridge=OFICINA interface=ether3 pvid=100
#This interface VLAN_200_ETH3 is a VLAN200 I attached on interfaces to eth3 (Working on this)
add bridge=SECURITY frame-types=admit-only-vlan-tagged interface=\
    VLAN_200_ETH3 pvid=200
# Just another untagged interface added to the bridge
add bridge=OFFICE interface=ether6 pvid=100
# This part is what I'm confused when I add "VLANS" to the bridge 
# Tagging the another bridge (to use ether3 as tagged VLAN200)
add bridge=SECURITY comment="VLAN 200 on BRIDGE SECURITY" tagged=\
    SECURITY,VLAN_200_ETH3,OFFICE vlan-ids=200 
#tag the bridge OFFICE and set ether3 as untagged
add bridge=OFFICE comment="VLAN 100 OFFICE " tagged=OFFICE untagged=ether3 \
    vlan-ids=100

diddie17 · Fri Aug 03, 2018 7:44 pm

I haven't tried it, but just as another option, check out dasiu's post in the following thread which if I've understood it correctly would give you up to 8 wirespeed ports with VLAN's

viewtopic.php?f=3&t=136530&p=673668&hil ... ch#p673668

SamC · Tue Aug 07, 2018 12:10 am

I just bought a switch: CRS326-24G-2S+RM (rOS 6.38). And then it had the infamous "switch" with VLANs options as the RB3011.
But upgrade it to 6.43rc51 to get rid of the "master port". And then...
There's no longer VLAN and port config on Switch TAB
RB3011 rOS 6.43.rc51

/interface ethernet switch>
host  port-isolation  vlan  export  print           set
port  rule            edit  find    reset-counters

And the CRS326:

/interface ethernet switch> 
host  port  port-isolation  rule  edit  export  find  print  reset-counters  set

So my main concern on the RB3011 disappear on the Switch:

Note: Since RouterOS v6.41 all switching related parameters are moved to the bridge section. On CRS3xx series devices VLAN switching must be configured under the bridge section as well, this will not limit the device's performance, CRS3xx is designed to use the built-in switch chip to work with bridge VLAN filtering, you are able to achieve full non-blocking wire-speed switching performance while using bridges and bridge VLAN filtering. Make sure that all bridge ports have the "H" flag, which indicates that the device is using the switch chip to forward packets.

So I just configure this on BRIDGEs! That's much simpler.

But what about the RB3011? three places to configure vlans... two switch chips..
Interfaces/Bridge/Switch

diddie17 · Tue Aug 07, 2018 12:38 am

Yep, as per https://wiki.mikrotik.com/wiki/Manual:S ... p_Features, the CRS3xx is the only switch/router to maintain HW offload on the bridge when configuring VLAN filtering on the bridge. You would configure the CRS326 using VLAN filtering on the bridge, but for the RB3011, if you want VLAN switching with HW offload, then you will need to continue to configure the RB3011 using the switch chip/VLAN commands.

You can configure the RB3011 through VLAN Filtering on the bridge, but if you need any switching rather than routing, this will use the CPU rather than the switch chip. This results in increased CPU load and lower switching performance.

Routing (including between VLAN's) is always done using the CPU, so maybe the best option now would be to use the CRS326 for all switching and the RB3011 only for routing, then you can configure the VLAN's on the bridge on the CRS326 and you won't have to use the switch menu on the RB3011 to configure VLAN's as no switching is required. All this can be done without any performance penalty from bypassing the switch chip..

SamC · Tue Aug 07, 2018 1:46 am

Yep, as per https://wiki.mikrotik.com/wiki/Manual:S ... p_Features, the CRS3xx is the only switch/router to maintain HW offload on the bridge when configuring VLAN filtering on the bridge. You would configure the CRS326 using VLAN filtering on the bridge, but for the RB3011, if you want VLAN switching with HW offload, then you will need to continue to configure the RB3011 using the switch chip/VLAN commands.

The problem I'm having I just wanted to have rules for "vlans" which correspond to a subnet, I create the bridge "bridge_vlan100" then add the ports I want be untagged or tagged port so I can use the uplink and have ports on the RB3011 ready to plug something.
So the "bridge" aka this particular VLAN is the interface I use in the firewall or routing. Instead of treating the subnet. (Devices on another VLAN using IP of another range).

You can configure the RB3011 through VLAN Filtering on the bridge, but if you need any switching rather than routing, this will use the CPU rather than the switch chip. This results in increased CPU load and lower switching performance.

When vlan filtering was enabled, the performance dropped for vlan routing, less than 600Mbit. And both cpus at very high loads. Then I realized that this option isn't for the RB3011.

Routing (including between VLAN's) is always done using the CPU, so maybe the best option now would be to use the CRS326 for all switching and the RB3011 only for routing, then you can configure the VLAN's on the bridge on the CRS326 and you won't have to use the switch menu on the RB3011 to configure VLAN's as no switching is required. All this can be done without any performance penalty from bypassing the switch chip..

Yes that's why I want to maximize performance having the main routing take place between the two switches chipsets (if that's the fastest way). The CRS236 would not be coupled with the RB3011, but the RB3011 is uplinking to another switch that has all the VLANS configured so, the RB3011 function is to route the vlans / firewall /

Wich is the best way to handle vlans on the RB3011 to route them?

Advice RB3011 VLANS with switch chip

Advice RB3011 VLANS with switch chip

Re: Advice RB3011 VLANS with switch chip

Re: Advice RB3011 VLANS with switch chip

Re: Advice RB3011 VLANS with switch chip

Re: Advice RB3011 VLANS with switch chip

Re: Advice RB3011 VLANS with switch chip