Mixed VLANs in switch

bmann · Fri Dec 27, 2019 10:43 pm

Hello guys,

I want to use hAP lite as simple switch with tagged and untagged traffic (possibly with port isolation),
but the configuration is little bit cryptic for me.

I've followed
- https://wiki.mikrotik.com/wiki/Manual:B ... _switching
Other devices with built-in switch chip

- https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

Design:
router --- tagged vlan 10 --- [ether2]
pc3 ------ untagged ------- [ether3](hAP lite)[ether1] --- untagged and vlan 10 traffic --- (router)
pc4 ------ untagged ------- [ether4]

I want to use hw offloading so just basic configuration as in example above and no vlan filtering.

Ether2 and switch1-cpu are in 'secure' vlan mode and this seems ok.
Ether3 and ether4 has to be in 'fallback' or 'disabled' mode as other modes blocks untagged traffic.

But from description it seems that if I send packet on ether3 with vlan 10 tag then it will be forwarded to ether2.
Is my understanding right or wrong?
Does anyone of you example configuration for this scenario?

Thanks.

config snippet:

/interface vlan
add interface=bridge name=mgmt vlan-id=10

/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 default-vlan-id=10 vlan-mode=secure
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 default-vlan-id=10 vlan-mode=secure

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether1

/interface ethernet switch vlan
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=10

pe1chl · Fri Dec 27, 2019 11:04 pm

The switch chip used in the hAP lite cannot do hybrid switchports (tagged and untagged on the same port), so you can only do this in the bridge and thus without hw acceleration.

huntah · Sun Dec 29, 2019 12:19 pm

hmm... I think this should work..
It works at least for me.. Correct me if i Am wrong:
ether1-uplnik -> tagged 15,21 in untagged 0 (Native VLAN - for HP Procurve it translates to VLAN1 unttager --- hybrid port)
ether2-Management -> unttaged 15 - access port
ether3-PC+Voip -> unttaged 0 (PC) + tagged 21
ether4-Voip -> tagged 21

You could also disable/remove switch1-cpu from VLAN15, 21 if you do not need Management VLAN interface (DHCP-Client)

/interface bridge
add admin-mac=74:4D:28:3C:7E:98 auto-mac=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether1-uplink
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-management
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether3-PC+VoIP
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether4-VoIP
/interface vlan
add interface=bridge1 name=vlan15-Management vlan-id=15
add interface=bridge1 name=vlan21-VoIP vlan-id=21
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=15 vlan-header=always-strip vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1-uplink
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether3-PC+VoIP
add bridge=bridge1 interface=ether4-VoIP
add bridge=bridge1 interface=ether2-management
/interface ethernet switch vlan
add ports=switch1-cpu,ether1-uplink,ether2-management switch=switch1 vlan-id=15
add ports=switch1-cpu,ether1-uplink,ether3-PC+VoIP switch=switch1
add ports=switch1-cpu,ether1-uplink,ether3-PC+VoIP,ether4-VoIP switch=switch1 vlan-id=21
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan15-Management
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan21-VoIP

pe1chl · Sun Dec 29, 2019 12:52 pm

hmm... I think this should work..
It works at least for me..

What type of router do you have? It depends on the switch chip if it works or not.
(unfortunately when you attempt it on a switch chip that does not support it, there is no real error message but it just fails to work properly)

huntah · Sun Dec 29, 2019 2:14 pm

I Tried this config on hAP-Lite and it works.
I removed for test switch1-cpu from all VLANs (it will lock you out of management! So do have wlan1 enabled or you will need to reset via button).

It works as it should!
For hybrid ports you need to leave it as is ..
Tried and please post back..

The big problem is native VLAN (Mikrotik VLAN0 and Procurve and Cisco have VLAN1 for Native VLAN..)
I posted about that few years back about that.. it was still on 6.40.x version or earlier...

viewtopic.php?f=2&t=118086
and
viewtopic.php?f=2&t=115115&p=571100&hilit=procurve+vlan

mkx · Sun Dec 29, 2019 3:19 pm

Native vlan is nothing more than untagged over wire and tagged on ingress using PVID (and untagged on egress)... whether it's done using explicit configuration (in my LAN, native VLAN is 42) or by implicit rules (BTW, it's VID 1 in ROS as well, VLAN 0 setting is not available on some/most MT devices and VLAN ID 0 is invalid value for VLAN, when seen in ethernet frame headers it denotes untagged VLAN, but the header is present to carry priority/QoS information).

huntah · Sun Dec 29, 2019 4:33 pm

@mkx:

I agree that you can set native vlan as you like (your case 42) but I had had always problem when using VLAN1.. MT devices would only work as they should when untagged VLAN1 through (Cisco, Procurve switches) if they had VLAN0 set..
I do not know if it is a bug or not but it works. This is why in most cases I avoid using VLAN1.

If it is tagged VLAN1 it works...

from my expirience it is valid for switch configs in most MT devices (RB951, hap lite, hap, hapac2..)
but is not valid if you use it in new bridge and vlan filtering..and if you have CCR you do not have switch menu thus you implement it via interface VLAN and there you cannot set it to 0.

I am not saying it is the right way it just works as it should. At least for me.

I am sad that MT team for years and years cannot make a simple and unified setup.
Even in 6.44.6 the recommendation for most of low cost devices to set up VLANs in Switch chip if the have it.
Don't even let me start for CRX1xx/CRS2xx.series.. which have yet another way of settings VLANs..

BTW I do not want to start another rant about MT configs...
I thought I just share my experience and original poster had the same hap lite as did I on my test table so I did a quick config and test and it works..

bmann · Sun Dec 29, 2019 6:07 pm

Thanks for feedbacks, I got some time for testing and got kind of working configuration, at least for me.
I did not verify all possible aspects, but below is my config.

VLAN tab:

vlan 10 on ether1, ether2 and switch1-cpu ports

vlan 0 on ports ether1, ether3 and ether4

Port tab:

VLAN header set to 'leave as is' on all ports

VLAN mode se to 'secure' on all ports

default vlan 0 for ether1, ether3 and ether4

default vlan 999 for ether2 and switch1-cpu

I've found that I need to stick with vlan 0 (as no vlan probably). If I change it to another number, then this logic does not work.
I've tested that client on ether3/ether4 can't reach devices in vlan 10 (own hAP and device on ether2) even if the client tags packets with vlan id 10. So that's what I wanted.

The above I did on hAP lite (RouterBOARD 941-2nd) with Atheros 8227.

Mixed VLANs in switch

Mixed VLANs in switch

Re: Mixed VLANs in switch

Re: Mixed VLANs in switch

Re: Mixed VLANs in switch

Re: Mixed VLANs in switch

Re: Mixed VLANs in switch

Re: Mixed VLANs in switch

Re: Mixed VLANs in switch

Who is online