darkm4n
just joined
Topic Author
Posts: 11
Joined: Fri Mar 29, 2013 4:53 pm

VLAN configuration approach, correct or not ?

Tue Aug 27, 2019 11:52 am

Hi everyone,

I noticed a lot of people find configuring VLANs/bridges on MikroTik somehow confusing compared to other hardware vendors. MikroTik's approach seems to be different. I am posting this setup because I want to understand whether I am doing it the way it should be done or whether I am wrong about it.

My current setup works as expected but, as I said, I am not convinced it's the right way to do it; mainly I want to be sure I got it right.

My setup consists of 1 WAN connection and multiple VLAN on LAN.

- I have a bridge called br-wan where I put all ether ports I want to have direct WAN access, for example now I have ether1 and sfp1 (because I don't know if I am going to use optics or ethernet for my WAN connection), then I have an IP address assigned to br-wan.

- For each LAN VLAN I have the following:
* A bridge called br-vlan100 ( for vlan 100 ), a bridge called br-vlan200 ( for vlan 200 ), and so on.
* On each LAN ether port I have a VLAN interface, named as follows: eth1-vlan100, eth1-vlan200, eth2-vlan100, eth2-vlan200
* Now I add each VLAN interface to the appropriate bridge I want.
* If I need to have a "native VLAN" (Cisco-like), then I add ether1 directly to the VLAN bridge I want to have as native VLAN.

Config snippets:
# VLAN interfaces, one per physical port and VLAN ID
/interface vlan
add interface=ether2-master-local name=vl110-port2 vlan-id=110
add interface=ether3-master-local name=vl110-port3 vlan-id=110
add interface=ether4-master-local name=vl110-port4 vlan-id=110
add interface=ether5-master-local name=vl110-port5 vlan-id=110
add interface=ether6-master-local name=vl110-port6 vlan-id=110
add interface=ether7-master-local name=vl110-port7 vlan-id=110
add interface=ether8-master-local name=vl110-port8 vlan-id=110
add interface=ether9-master-local name=vl110-port9 vlan-id=110

# each VLAN interface joins the bridge of its VLAN (one bridge per VLAN)
/interface bridge port
add bridge=br-vl110-ruckus interface=vl110-port2
add bridge=br-vl110-ruckus interface=vl110-port3
add bridge=br-vl110-ruckus interface=vl110-port4
add bridge=br-vl110-ruckus interface=vl110-port5
add bridge=br-vl111-ruckus interface=vl111-port2
add bridge=br-vl111-ruckus interface=vl111-port3
add bridge=br-vl111-ruckus interface=vl111-port4
add bridge=br-vl111-ruckus interface=vl111-port5
add bridge=br-vl112-ruckus interface=vl112-port2
add bridge=br-vl112-ruckus interface=vl112-port3
add bridge=br-vl112-ruckus interface=vl112-port4
add bridge=br-vl112-ruckus interface=vl112-port5
add bridge=br-vl113-ruckus interface=vl113-port2
add bridge=br-vl113-ruckus interface=vl113-port3
add bridge=br-vl113-ruckus interface=vl113-port4

# router address in each VLAN, assigned to the per-VLAN bridge
/ip address
add address=10.10.12.1/24 interface=br-management-ruckus network=10.10.12.0
add address=10.150.0.1/16 interface=br-vl110-ruckus network=10.150.0.0
add address=10.151.0.1/16 interface=br-vl111-ruckus network=10.151.0.0
add address=10.152.0.1/16 interface=br-vl112-ruckus network=10.152.0.0
add address=10.153.0.1/16 interface=br-vl113-ruckus network=10.153.0.0


I wanna know your thoughts on how correct or wrong is this config.

Thanks!!
 
mkx
Forum Guru
Posts: 13055
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration approach, correct or not ?

Tue Aug 27, 2019 1:51 pm

The new (since ROS version 6.41) approach is to have a single VLAN-aware bridge spanning all LAN ports. Something along the lines of the following example:
/interface bridge
add name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=110 # example of access port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3  # example of trunk (tagged only) port
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=111  # example of hybrid port: untagged member of VLAN 111 and tagged as well

/interface bridge vlan
add bridge=bridge vlan-ids=110 tagged=bridge,ether3,ether4 untagged=ether2 # bridge is tagged member because router will be IP member of said VLAN
add bridge=bridge vlan-ids=111 tagged=ether3 untagged=ether4  # bridge is not member because device is only switch for this VLAN
add bridge=bridge vlan-ids=112 tagged=bridge,ether3  # to make IP configuration of the router more uniform, be sure to make bridge always tagged member of a VLAN

/interface vlan
add interface=bridge name=vl110 vlan-id=110
add interface=bridge name=vl112 vlan-id=112
# if bridge was untagged member of some VLAN, corresponding IP setup would be done directly on bridge "interface"

/ip address
add interface=vl110 address=<IP address of device in VLAN 110>
add interface=vl112 address=<IP address of device in VLAN 112>

Note that neither approach (the one with many bridges and this one with a single bridge) is HW offloaded on the vast majority of Routerboard devices. The exception is the CRS3xx series of devices, which can HW offload such a config, so most intra-VLAN traffic is handled by the switch chip; the rest of the devices use the main CPU for shifting intra-VLAN traffic as well. Inter-VLAN traffic is actually routing and is done by the central CPU in any case.
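
An added example, not part of the post above and not MikroTik's own tooling: a small Python audit of a RouterOS export for the single VLAN-aware bridge layout shown in that post. The function names, finding texts and sample export are constructed here; it assumes ROS 6.x export defaults (an unset ingress-filtering means no, an unset frame-types means admit-all) and comma-separated single VLAN IDs.

```python
import shlex

# Constructed sample: bridge setup from the post (VLAN 112 left out), plus two added deviations: ether5 and vl111.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=110
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=111
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
/interface bridge vlan
add bridge=bridge vlan-ids=110 tagged=bridge,ether3,ether4 untagged=ether2,ether5
add bridge=bridge vlan-ids=111 tagged=ether3 untagged=ether4
/interface vlan
add interface=bridge name=vl110 vlan-id=110
add interface=bridge name=vl111 vlan-id=111
"""

def parse_export(text):
    """Group 'add key=value ...' rows under the menu path line that precedes them."""
    menus, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # also drops '#' comments
        if tokens and tokens[0].startswith("/"):
            current = " ".join(tokens)
        elif tokens and tokens[0] == "add" and current:
            menus.setdefault(current, []).append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return menus

def audit(text):
    """Return findings for settings that weaken VLAN separation on a VLAN-aware bridge."""
    menus = parse_export(text)
    bridges = {b.get("name"): b.get("vlan-filtering") for b in menus.get("/interface bridge", [])}
    findings = [f"{n}: vlan-filtering is off, VLAN table not enforced" for n, vf in bridges.items() if vf != "yes"]
    for port in menus.get("/interface bridge port", []):
        if port.get("ingress-filtering") != "yes":  # assumption: unset means "no" (ROS 6.x default)
            findings.append(f"{port['interface']}: ingress-filtering is off")
        if "frame-types" not in port:  # unset means admit-all
            findings.append(f"{port['interface']}: admit-all, accepts tagged and untagged frames")
    tagged = {}  # VLAN id -> interfaces listed as tagged members
    for row in menus.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):
            tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    for vif in menus.get("/interface vlan", []):
        if vif["interface"] in bridges and vif["interface"] not in tagged.get(vif["vlan-id"], set()):
            findings.append(f"{vif['name']}: {vif['interface']} is not a tagged member of VLAN {vif['vlan-id']}")
    return findings

print("\n".join(audit(SAMPLE_EXPORT)))
```

The ether4 finding is the hybrid port from the post, reported so that accepting both tagged and untagged frames on that port is a reviewed choice rather than a leftover default.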
 
StubArea51
Trainer
Posts: 1742
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: VLAN configuration approach, correct or not ?

Wed Aug 28, 2019 7:46 pm

I actually wrote an article to help people who have learned Layer 2 in Cisco migrate to MikroTik VLAN configuration.

https://www.stubarea51.net/2019/02/06/c ... and-vlans/
 
anav
Forum Guru
Posts: 22095
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN configuration approach, correct or not ?

Thu Aug 29, 2019 1:19 am

Here is a decent thread with examples:
viewtopic.php?f=13&t=143620

Also some good stuff after digesting that, here
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
 
ksteink
Frequent Visitor
Posts: 84
Joined: Thu Mar 31, 2016 6:54 pm

Re: VLAN configuration approach, correct or not ?

Fri Aug 30, 2019 2:05 am

There are multiple ways to configure VLANs on a MikroTik. To keep it simple for you, we have to separate them into 3 categories depending on the model of the device that you have:

(1) VLANs configured at the Router chip (Software based): This is the most universal way to configure VLANs but you will be forcing the Routing chip to behave as a L3 switch with inter-VLAN routing. This method works on any Mikrotik device (Switch or Router alike) and requires you to configure 1 VLAN in a separate bridge (1 VLAN = 1 Bridge)

(2) VLANs configured at the Switch Chip for RB series only: This is the recommended path if you have a switch chip setup, in which you configure all your VLANs in 1 single Bridge interface, and with that you will be enabling your switch chip. For example, the RB2011 has two switch chips (AR8327 for the Gigabit interfaces or ports SFP, 1 to 5 and AR8227 for the Fast Ethernet interfaces or ports 6 to 10). These chips are VLAN aware and you can do HW off-loading for your inter-VLAN routing inside of the only 1 Bridge interface.

Other models like the RB4011 have a poor switch chip and they have fewer capabilities for switching compared with the RB2011 and the RB3011.

Last but not least, in the same example, the RB2011 has a better switch chip than other more recent RB models like the RB4011, but it's not a full switch. That means if you enable some specific features such as IGMP snooping or VLAN filtering, all the HW off-loading will be disabled automatically, so be aware of what features you need vs. the penalty of not being able to get wired speeds here.

The way I learned how to configure VLANs with HW off-loading using switch chip was through this Wiki: https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

(3) VLANs configured at the Switch Chip for CRS Series: This is the MikroTik switch line, and it comes in Gen 1.x / 2.x and Gen 3.x. Gen 3.x will get you all available features at wired speed, including VLAN filtering, IGMP snooping, etc. Similarly, for non-RB devices there are 2 links that provide input on how to configure VLANs with HW off-loading on CRS 1.x/2.x Gen and CRS 3.x

Link for how to configure VLANs with HW off-loading for CRS 1.x/2.x --> https://wiki.mikrotik.com/wiki/Manual:C ... es#Summary
Link for how to configure VLANs with HW off-loading for CRS 3.x --> https://wiki.mikrotik.com/wiki/Manual:C ... s#Features
 
mkx
Forum Guru
Posts: 13055
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration approach, correct or not ?

Fri Aug 30, 2019 8:39 am

ksteink wrote: "(1) VLANs configured at the Router chip (Software based): This is the most universal way to configure VLANs but you will be forcing the Routing chip to behave as a L3 switch with inter-VLAN routing. This method works on any Mikrotik device (Switch or Router alike) and requires you to configure 1 VLAN in a separate bridge (1 VLAN = 1 Bridge)"

Not true. This might be true on ROS < 6.41, but on recent ROS versions the variant of the above goes like this: configure a VLAN-aware bridge bridging all ports and containing all VLANs. Then it behaves much like a regular managed VLAN-capable switch; the only difference is that it's done in software.

If configured in either of the variants, it also isn't behaving as an L3 switch with inter-VLAN routing (that's an entirely separate function which on all MT devices is done by the router's CPU in any of the 3 variants described in the previous post). Rather, it's behaving as a bridge/switch because frame forwarding is done based on MAC addresses, just like on any ordinary switch, so no L3 operations are actually involved.

Regarding variant 2) (configuring VLANs on the switch chip): while the poster might recommend it, that's not a recommendation by MikroTik ... I believe MT introduced the new VLAN-aware bridge with a few goals in mind: one of them is to (finally) offer a unified VLAN configuration interface for all of their devices (the switch chip config interface varies according to HW capabilities), another goal is to offer the same level of VLAN functionality on all devices, even those that don't have a decent switch chip or don't have one at all. Due to this, I'd recommend going with the bridge-based VLAN config for ROS newbies. It does, however, come with a performance hit compared to the method described by the poster ... hence advanced ROS admins might go this way if they see fit (again, I'd not recommend it to just everybody).
