Community discussions

MikroTik App
 
sirnef
just joined
Topic Author
Posts: 19
Joined: Sat Dec 07, 2019 4:52 pm

Lost "Management VLAN" access to switches

Tue May 17, 2022 6:19 pm

Hi,

I am trying to configure VLANs on a network. Currently the network diagram looks as follows:
Image

On the CRS326 switches, I have this configuration for VLANs:

switch1:
/system identity
set name=switch1

/interface bridge
add name=BR1 protocol-mode=none

/interface ethernet
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes

/interface bridge port
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=30
add bridge=BR1 interface=ether3 pvid=50
add bridge=BR1 interface=ether22
add bridge=BR1 interface=ether23
add bridge=BR1 interface=ether24

/interface bridge vlan
add bridge=BR1 tagged=ether24,ether22,ether23 untagged=ether1 vlan-ids=10
add bridge=BR1 tagged=ether24,ether22,ether23 untagged=ether2 vlan-ids=30
add bridge=BR1 tagged=ether24,ether22,ether23 untagged=ether3 vlan-ids=50
add bridge=BR1 tagged=BR1,ether24,ether22,ether23 vlan-ids=99

/ip address
add address=192.168.99.2/24 interface=VLAN_99_MANAGEMENT network=192.168.99.0

/tool romon
set enabled=yes

/interface bridge set BR1 vlan-filtering=yes
switch2:
/system identity
set name=switch2

/interface bridge
add name=BR1 protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether22 ] disabled=yes
set [ find default-name=ether23 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes

/interface vlan
add interface=BR1 name=VLAN_99_MANAGEMENT vlan-id=99

/interface bridge port
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether24

/interface bridge vlan
add bridge=BR1 tagged=ether24 untagged=ether1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether24 vlan-ids=99


/ip address
add address=192.168.99.3/24 interface=VLAN_99_MANAGEMENT network=192.168.99.0


/tool romon
set enabled=yes

/interface bridge set BR1 vlan-filtering=yes

switch3:
/system identity
set name=switch3

/interface bridge
add name=BR1 protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether22 ] disabled=yes
set [ find default-name=ether23 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes

/interface vlan
add interface=BR1 name=VLAN_99_MANAGEMENT vlan-id=99

/interface bridge port
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether24

/interface bridge vlan
add bridge=BR1 tagged=ether24 untagged=ether1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether24 vlan-ids=99


/ip address
add address=192.168.99.4/24 interface=VLAN_99_MANAGEMENT network=192.168.99.0

/tool romon
set enabled=yes

/interface bridge set BR1 vlan-filtering=yes

My router is pfSense. There I have set up VLANs on the LAN interface:
Image
Their addresses are:
Image

The only problem for now is that from PC1 (VLAN10) I cannot access the switches. In fact, on pfSense I don't see the swiches visible in the ARP table at all. Winbox doesn't detect them for me either. It looks like they have no IP addresses set. Can you guys help? Additionally, I have no problem to connect from PC1 (192.168.10.2) to pfSense (192.168.99.1). For all VLANs I temporarily set up a firewall to pass all traffic for each protocol.
 
akakua
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Mon Apr 06, 2020 4:52 pm

Re: Lost "Management VLAN" access to switches

Tue May 17, 2022 6:52 pm

Routes on switches?
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Lost "Management VLAN" access to switches

Tue May 17, 2022 10:12 pm

It looks like they have no IP addresses set
They don't.

Your management VLAN is 99 and not VLAN 10.
For testing, set the PVID on the port of PC1 to 99, and then check again.. Do the switches have an IP now ?
 
sirnef
just joined
Topic Author
Posts: 19
Joined: Sat Dec 07, 2019 4:52 pm

Re: Lost "Management VLAN" access to switches  [SOLVED]

Thu May 19, 2022 4:02 pm

@akakua @Zacharias I found it. I forgot:
/interface vlan
add interface=BR1 name=VLAN_99_MANAGEMENT vlan-id=99
in my config for the first switch. Now I got access to all of them even when I 'm in the VLAN10, because as I said, I pass all the traffic between VLANs on the pfSense.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Lost "Management VLAN" access to switches

Thu May 19, 2022 4:08 pm

Now I got access to all of them even when I 'm in the VLAN10, because as I said, I pass all the traffic between VLANs on the pfSense.
That makes your whole "Management VLAN" exercise a bit pointless, doesn't it?
 
sirnef
just joined
Topic Author
Posts: 19
Joined: Sat Dec 07, 2019 4:52 pm

Re: Lost "Management VLAN" access to switches

Thu May 19, 2022 4:44 pm

I tried to configure VLANs. In the next steps I plan to add rules to the firewall that will block most of the traffic.

I just don't know what approach makes the most sense:
1) leave one free port on the switch that handles my Management VLAN 99 and go through it and do the configuration if necessary
2) use firewall to allow traffic from one Admin host, which is in different VLAN, to VLAN99
3) or maybe some other solution is more reasonable?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Lost "Management VLAN" access to switches

Thu May 19, 2022 5:06 pm

It depends a bit on local policies and your requirements, there are people who believe that only a physically separate management network is good enough, and others that think that a separate VLAN is good.
But a management network that is routed to the main network is of course no extra value, unless you can limit that routing to e.g. another VLAN that has only a very limited number of workstations or "jump hosts".

Who is online

Users browsing this forum: No registered users and 16 guests