iredden

VLAN's on CRS317

Sat Aug 07, 2021 5:59 am

I can't figure out why I can't get VLAN's to work properly on my CRS317. It works great on my CRS125! I've read several great articles on the forums, battled this for weeks but I always get the same result.... nothing accessible/pingable as soon as I turn on vlan filtering.

On my CRS125, I have a XS+DA0003 DAC plugged in which goes to the 'sfp-trunk/port16' port on the CRS125. The configuration for that on the CRS125 is:
# CRS125 export. VLANs are configured in the switch-chip menus under
# /interface ethernet switch. Port roles below are read from the interface
# names and the comment= fields.

# SFP port: advertise=1000M-full with auto-negotiation off, renamed to sfp1-trunk.
/interface ethernet
set [ find default-name=sfp1 ] advertise=1000M-full auto-negotiation=no name=sfp1-trunk

# Egress tagging: for each vlan-id, the listed ports send that VLAN's frames tagged.
# Only the VLAN 99 row includes switch1-cpu, so the CPU port is a tagged member
# of VLAN 99 and of no other VLAN in this export.
/interface ethernet switch egress-vlan-tag
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk,switch1-cpu vlan-id=99
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=10
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=20
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=30
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=40
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=41
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=42
add comment="trunk port" tagged-ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=43

# Ingress translation on access ports: frames arriving with customer-vid=0
# (no VLAN tag) are assigned new-customer-vid. ether1..ether18 land in VLAN 99,
# ether19-vlan10 lands in VLAN 10.
/interface ethernet switch ingress-vlan-translation
add comment="access ports" customer-vid=0 new-customer-vid=99 ports="ether1-ucs-server,ether2-sonos,ether3-tivo,ether4-vlan99-router,ether5-idrac-dell,ether6-doorbird-p2,ether7-envisalink-p3,ether8-ucs-mgmt,ether9,ether10,ether11-basement-ap,ether12-hu\
    e-hub,ether13-hikvision,ether14-samsung,ether15-outside-spare-p8,ether16-omni-p9,ether17-dell-server,ether18-kitchenap-p23"
add comment="access ports" customer-vid=0 new-customer-vid=10 ports=ether19-vlan10

# VLAN table: which ports are members of each VLAN.
# NOTE(review): VLAN 40 has an egress-vlan-tag row above but no row in this
# table - confirm whether that is intentional.
/interface ethernet switch vlan
add ports=ether19-vlan10,ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=10
add ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=20
add ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=30
# VLAN 99 is the only VLAN whose membership includes the access ports and switch1-cpu.
add ports="ether1-ucs-server,ether2-sonos,ether3-tivo,ether4-vlan99-router,ether5-idrac-dell,ether6-doorbird-p2,ether7-envisalink-p3,ether8-ucs-mgmt,ether9,ether10,ether11-basement-ap,ether12-hue-hub,ether13-hikvision,ether14-samsung,ether15-outside-sp\
    are-p8,ether16-omni-p9,ether17-dell-server,ether18-kitchenap-p23,ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk,switch1-cpu" vlan-id=99
add ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=41
add ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=42
add ports=ether20-trunk-upstairs-p1,ether21-trunk,ether22-trunk,ether23-trunk,ether24-trunk,sfp1-trunk vlan-id=43
Here is the configuration on my CRS317:
# CRS317 export. VLANs are configured through bridge VLAN filtering
# (/interface bridge, /interface bridge port, /interface bridge vlan).

# One bridge with VLAN filtering already enabled; protocol-mode=none means
# no spanning-tree protocol runs on BR1.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
# Port naming: two access ports, five trunk ports, and the ports not used in
# the bridge are administratively disabled.
/interface ethernet
set [ find default-name=sfp-sfpplus10 ] comment="Bell Fibe (VLAN 10 Access Port)" name=access-vlan10
set [ find default-name=sfp-sfpplus11 ] comment="Bell Fibe (VLAN 99 Access Port)" name=access-vlan99
set [ find default-name=sfp-sfpplus16 ] auto-negotiation=no name=sfp-trunk
set [ find default-name=sfp-sfpplus3 ] disabled=yes name=sfp3
set [ find default-name=sfp-sfpplus4 ] disabled=yes name=sfp4
set [ find default-name=sfp-sfpplus7 ] disabled=yes name=sfp7
set [ find default-name=sfp-sfpplus8 ] disabled=yes name=sfp8
set [ find default-name=sfp-sfpplus9 ] disabled=yes name=sfp9
set [ find default-name=sfp-sfpplus12 ] disabled=yes name=sfp12
set [ find default-name=sfp-sfpplus13 ] disabled=yes name=sfp13
set [ find default-name=sfp-sfpplus14 ] disabled=yes name=sfp14
set [ find default-name=sfp-sfpplus15 ] disabled=yes name=sfp15
set [ find default-name=sfp-sfpplus6 ] auto-negotiation=no name=trunk-dell-ix0 speed=10Gbps
set [ find default-name=sfp-sfpplus5 ] auto-negotiation=no name=trunk-dell-ix1 speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=trunk-ucs-vmnic2 speed=10Gbps
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=trunk-ucs-vmnic3 speed=10Gbps
# VLAN 99 interface on top of the bridge; the DHCP client further down runs on it.
/interface vlan
add interface=BR1 name=vlan99 vlan-id=99
# The next two sections only set values on default LTE and wireless entries;
# they touch no bridge or VLAN setting.
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# NOTE(review): these five ports are the tagged members of every row in
# /interface bridge vlan below, but with ingress-filtering=yes and
# frame-types=admit-only-untagged-and-priority-tagged they accept only frames
# without a VLAN tag, so tagged frames arriving on the trunks are dropped.
# The frame-types value that accepts tagged frames only is admit-only-vlan-tagged.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=trunk-ucs-vmnic3
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-trunk
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=trunk-ucs-vmnic2
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=trunk-dell-ix0
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=trunk-dell-ix1
# Access ports: untagged ingress traffic is placed in the port's pvid.
# frame-types and ingress-filtering are not set on these two lines, so the
# port defaults apply.
add bridge=BR1 interface=access-vlan10 pvid=10
add bridge=BR1 interface=access-vlan99 pvid=99
# NOTE(review): discovery is enabled on every interface outside the "dynamic"
# list, which appears to include the two access ports - confirm whether
# neighbor discovery should be limited to the management side.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table. Every row lists the five trunk ports as tagged members; only the
# VLAN 99 row also lists BR1, which is what lets the vlan99 interface on the
# bridge receive that VLAN. No row names an untagged port; the access ports
# get their membership from the pvid set on the bridge port.
/interface bridge vlan
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=10
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=20
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=30
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=40
add bridge=BR1 tagged=BR1,sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=99
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=41
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=42
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=43
add bridge=BR1 tagged=sfp-trunk,trunk-ucs-vmnic2,trunk-ucs-vmnic3,trunk-dell-ix0,trunk-dell-ix1 vlan-ids=44
# The switch's own IP address is requested by DHCP on the VLAN 99 interface.
/ip dhcp-client
add disabled=no interface=vlan99
/system clock
set time-zone-name=America/Toronto
/system identity
set name=fibre-switch
Here's a pretty picture of my network topology:
network.png
 
mkx

Re: VLAN's on CRS317

Sat Aug 07, 2021 9:32 am

You've got it mostly wrong. Read through this tutorial, that's the way it should be done (and is HW offloaded on your CRS317).
 
iredden

Re: VLAN's on CRS317

Sun Aug 08, 2021 7:11 am

mkx wrote: "You've got it mostly wrong. Read through this tutorial, that's the way it should be done (and is HW offloaded on your CRS317)."
How do I have it mostly wrong? I got the commands FROM that tutorial. If you read that tutorial, look at the router.rsc, you'll see the similarities in the VLAN numbering.

How do I have it mostly wrong?
 
mkx

Re: VLAN's on CRS317

Sun Aug 08, 2021 7:52 pm

On trunk ports you have frame-types=admit-only-untagged-and-priority-tagged, which makes those ports drop the tagged frames a trunk is supposed to carry ...
 
iredden

Re: VLAN's on CRS317

Mon Aug 09, 2021 4:59 am

Does this look better?
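#  Trunk Ports 1,2,5,6,16
# Access Ports 10,11
#
# This script builds BR1 from scratch: the bridge, its ports and its VLAN
# table rows are all created here with "add". VLAN filtering is switched on
# only in the last step, after the VLAN table and port rules are in place.

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="fibre-switch"

#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

/interface ethernet
set [ find default-name=sfp-sfpplus16 ] auto-negotiation=no

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# VLAN 10
add bridge=BR1 interface=sfp-sfpplus10 pvid=10

# VLAN 99
add bridge=BR1 interface=sfp-sfpplus11 pvid=99

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=sfp-sfpplus1
add bridge=BR1 interface=sfp-sfpplus2
add bridge=BR1 interface=sfp-sfpplus5
add bridge=BR1 interface=sfp-sfpplus6
add bridge=BR1 interface=sfp-sfpplus16

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
# The rows are created with "add": BR1 was created above, so its VLAN table
# has no static row for any of these IDs yet. "set ... [find vlan-ids=N]"
# would match nothing and leave the trunks without any tagged membership.
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=10
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=20
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=30
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=40
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=41
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=42
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=43
add bridge=BR1 tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=44
# BASE_VLAN: BR1 itself is a tagged member so the BASE_VLAN interface below can use VLAN 99
add bridge=BR1 tagged=BR1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus16 vlan-ids=99

#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99

# NOTE(review): this script creates BASE_VLAN but gives it no address (no
# /ip address entry and no DHCP client). Confirm how the switch gets its
# management address on VLAN 99 before VLAN filtering is enabled below,
# otherwise it will not be reachable over IP afterwards.

#######################################
# IP Services
#######################################
# We have a router that will handle this. Nothing to set here.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=sfp-sfpplus10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=sfp-sfpplus11]

# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus16]

#######################################
# Turn on VLAN mode
#######################################
# Last step on purpose: from here on the bridge forwards only what the VLAN
# table and the port rules above allow. Apply it from a session that can be
# rolled back (for example RouterOS Safe Mode) in case management access is lost.
/interface bridge set BR1 vlan-filtering=yes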