fxcd
just joined
Topic Author
Posts: 5
Joined: Tue Apr 23, 2024 11:35 pm

a basic (I think...) VLAN problem.

Tue Apr 23, 2024 11:58 pm

Hello there,

I am new to the MikroTik world and am a novice network engineer at best. I appreciate any advice in advance.

My setup:

I am working with 5 interfaces:
-SOURCE: ptp sync source from Grandmaster Clock
-TIMING: Port on Machine 1 for ptp sync
-SSH: Port on Machine 1 for ssh connection with Machine 2
-DPDK: Port that sends data to Machine 2
-RU: Machine 2

I would like to use two vlans:
-1588: ptp travels from grandmaster clock to both machine 1 and 2.
-5: packets sent between machine 1 and 2 (must be tagged)

Essentially I want the RU port to be a trunk port to allow both 1588 and 5 vlan traffic simultaneously. The TIMING and SOURCE interfaces can be 1588 access ports and the DPDK and SSH ports can be 5 access ports.

I have included my configuration below:
[admin@MikroTik] > export hide-sensitive 
# jan/02/1970 06:01:20 by RouterOS 7.8
# software id = **ELIDED**
#
# model = CRS326-24S+2Q+
# serial number = **ELIDED**
/interface bridge
add admin-mac= **ELIDED** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 mtu=10218 name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] l2mtu=10218 mtu=10218 name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] l2mtu=10218 mtu=10218 name=10-RU
set [ find default-name=sfp-sfpplus11 ] l2mtu=10218 mtu=10218 name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] l2mtu=10218 mtu=10218 name=12-SSH
/interface list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=09-TIMING
add bridge=bridge comment=defconf interface=10-RU
add bridge=bridge comment=defconf interface=11-DPDK
add bridge=bridge comment=defconf interface=12-SSH
/interface bridge vlan
add bridge=bridge tagged=10-RU untagged=02-SOURCE,09-TIMING vlan-ids=1588
add bridge=bridge tagged=10-RU untagged=12-SSH,11-DPDK vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add interface=02-SOURCE list=LAN
add interface=09-TIMING list=LAN
add interface=10-RU list=LAN
add interface=11-DPDK list=LAN
add interface=12-SSH list=LAN
/ip address
add address=192.168.20.33/24 comment=defconf interface=sfp-sfpplus1 network=192.168.20.0
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key

The Problem:

Using the current configuration, packets are not arriving at Machine 2 (RU port) from Machine 1 (DPDK port) (and vice versa). Does anyone know what might be going wrong? I have also tried just setting up all ports as trunk (i.e. not setting DPDK and SSH to access ports but as trunk ports like the RU) and saw the same results.
Last edited by tangent on Wed Apr 24, 2024 2:43 am, edited 1 time in total.
Reason: Elided PII
 
mkx
Forum Guru
Posts: 11767
Joined: Thu Mar 03, 2016 10:23 pm

Re: a basic (I think...) VLAN problem.

Wed Apr 24, 2024 8:57 am

Traffic does not (and should not) leak from one VLAN to another. If traffic from one VLAN is intended to pass to another VLAN, then normally it should be routed. Config of switch you're showing doesn't include routing features.

IEEE1588 (PTP) is normally multicast from GM. And it's normally not routed. There are ways of getting multicasts passing boundary between different IP subnets, but I'm not sure how much that would be compatible with PTP protocol.
 
fxcd
just joined
Topic Author
Posts: 5
Joined: Tue Apr 23, 2024 11:35 pm

Re: a basic (I think...) VLAN problem.

Wed Apr 24, 2024 6:15 pm

Traffic does not (and should not) leak from one VLAN to another. If traffic from one VLAN is intended to pass to another VLAN, then normally it should be routed. Config of switch you're showing doesn't include routing features.
I do not intend to pass traffic from one VLAN to another. Looks like I did not explain my issue very well. Here is a diagram of what I am trying to do for reference:

Image

I want the RU port to be a trunk port that accepts both the 1588 and 5 VLAN traffic; all other ports can be access ports on the corresponding vlans.
 
Amm0
Forum Guru
Posts: 3610
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: a basic (I think...) VLAN problem.

Wed Apr 24, 2024 8:31 pm

You should enable /system/ptp for the ethernet/SFP ports as a first step, as that allows you to configure the ports for PTP. See:
https://help.mikrotik.com/docs/display/ ... e+Protocol

Now whether PTP works on a VLAN on the CRS326, I don't know...
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: a basic (I think...) VLAN problem.

Thu Apr 25, 2024 1:11 am

I would like to use two vlans:
-1588: ptp travels from grandmaster clock to both machine 1 and 2.
-5: packets sent between machine 1 and 2 (must be tagged)

Essentially I want the RU port to be a trunk port to allow both 1588 and 5 vlan traffic simultaneously. The TIMING and SOURCE interfaces can be 1588 access ports and the DPDK and SSH ports can be 5 access ports.

excerpt from your configuration below:
---snip---
/interface bridge
add admin-mac= **ELIDED** auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 mtu=10218 name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] l2mtu=10218 mtu=10218 name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] l2mtu=10218 mtu=10218 name=10-RU
set [ find default-name=sfp-sfpplus11 ] l2mtu=10218 mtu=10218 name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] l2mtu=10218 mtu=10218 name=12-SSH
---snip---
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=09-TIMING
add bridge=bridge comment=defconf interface=10-RU
add bridge=bridge comment=defconf interface=11-DPDK
add bridge=bridge comment=defconf interface=12-SSH
/interface bridge vlan
add bridge=bridge tagged=10-RU untagged=02-SOURCE,09-TIMING vlan-ids=1588
add bridge=bridge tagged=10-RU untagged=12-SSH,11-DPDK vlan-ids=5
---snip---

The Problem:

Using the current configuration, packets are not arriving at Machine 2 (RU port) from Machine 1 (DPDK port) (and vice versa). Does anyone know what might be going wrong? I have also tried just setting up all ports as trunk (i.e. not setting DPDK and SSH to access ports but as trunk ports like the RU) and saw the same results.
In addition to the PTP config mentioned by @Amm0, you don't have the pvids specified in the /interface bridge port stanzas

Another thing, at least on 10-RU where there will be vlan tags, l2mtu should be at least 4 greater than mtu (ip mtu)
Ref: MTU in RouterOS
Why are you using jumbo frames? Are all the other devices willing to accept ip mtu of 10218? That's the max l2mtu possible on the sfp ports of the CRS326-24S+2Q+ (and the ether1 is limited to 2028).

If you want 10-RU to be tagged for both 1588 and 5, and the other ports to be access ports for a single vlan, this is the normal way
Ref: Basic VLAN switching
The green parts need to be added. The blue in the /interface bridge vlan are optional, some like it to be explicitly set (I used to), but it is one more thing to need to change if you reconfigure a port.

/interface ethernet
# need to adjust mtu values?
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 mtu=10218 name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] l2mtu=10218 mtu=10218 name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] l2mtu=10218 mtu=10218 name=10-RU
set [ find default-name=sfp-sfpplus11 ] l2mtu=10218 mtu=10218 name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] l2mtu=10218 mtu=10218 name=12-SSH
---snip---
/interface bridge port
# Is ether1 a typo?
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=02-SOURCE pvid=1588 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=09-TIMING pvid=1588 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=10-RU frame-types=admit-only-vlan-tagged
add bridge=bridge comment=defconf interface=11-DPDK pvid=5 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=12-SSH pvid=5 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# optional
add bridge=bridge tagged=10-RU untagged=02-SOURCE,09-TIMING vlan-ids=1588
# optional
add bridge=bridge tagged=10-RU untagged=12-SSH,11-DPDK vlan-ids=5
---snip---
 
fxcd
just joined
Topic Author
Posts: 5
Joined: Tue Apr 23, 2024 11:35 pm

Re: a basic (I think...) VLAN problem.

Thu Apr 25, 2024 6:34 pm

In addition to the PTP config mentioned by @Amm0, you don't have the pvids specified in the /interface bridge port stanzas

Another thing, at least on 10-RU where there will be vlan tags, l2mtu should be at least 4 greater than mtu (ip mtu)
Ref: MTU in RouterOS
Why are you using jumbo frames? Are all the other devices willing to accept ip mtu of 10218? That's the max l2mtu possible on the sfp ports of the CRS326-24S+2Q+ (and the ether1 is limited to 2028).

If you want 10-RU to be tagged for both 1588 and 5, and the other ports to be access ports for a single vlan, this is the normal way
Ref: Basic VLAN switching
The green parts need to be added. The blue in the /interface bridge vlan are optional, some like it to be explicitly set (I used to), but it is one more thing to need to change if you reconfigure a port.

/interface ethernet
# need to adjust mtu values?
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 mtu=10218 name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] l2mtu=10218 mtu=10218 name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] l2mtu=10218 mtu=10218 name=10-RU
set [ find default-name=sfp-sfpplus11 ] l2mtu=10218 mtu=10218 name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] l2mtu=10218 mtu=10218 name=12-SSH
---snip---
/interface bridge port
# Is ether1 a typo?
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=02-SOURCE pvid=1588 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=09-TIMING pvid=1588 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=10-RU frame-types=admit-only-vlan-tagged
add bridge=bridge comment=defconf interface=11-DPDK pvid=5 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge comment=defconf interface=12-SSH pvid=5 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# optional
add bridge=bridge tagged=10-RU untagged=02-SOURCE,09-TIMING vlan-ids=1588
# optional
add bridge=bridge tagged=10-RU untagged=12-SSH,11-DPDK vlan-ids=5
---snip---


@Buckeye & @Amm0, thank you for your replies. I updated the configuration per your advice:
/interface bridge
add admin-mac=78:9A:18:B4:C0:3E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] l2mtu=9600 mtu=9500 name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] l2mtu=9600 mtu=9500 name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] l2mtu=9600 mtu=9500 name=10-RU
set [ find default-name=sfp-sfpplus11 ] l2mtu=9600 mtu=9500 name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] l2mtu=9600 mtu=9500 name=12-SSH
/interface list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
/system ptp
add name=PTP_SRS
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=02-SOURCE pvid=1588
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=09-TIMING pvid=1588
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=10-RU
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=11-DPDK pvid=5
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=12-SSH pvid=5
/interface list member
add interface=02-SOURCE list=LAN
add interface=09-TIMING list=LAN
add interface=10-RU list=LAN
add interface=11-DPDK list=LAN
add interface=12-SSH list=LAN
/ip address
add address=192.168.20.33/24 comment=defconf interface=sfp-sfpplus1 network=192.168.20.0
/system ptp port
add comment="ptp source" interface=02-SOURCE ptp=PTP_SRS
add comment="timing to DU" interface=09-TIMING ptp=PTP_SRS
add comment="timing to the RU" interface=10-RU ptp=PTP_SRS
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key

The 1588 (PTP Timing) VLAN seems to be working (at least it works on Machine 1). But now I cannot SSH (or even ping) Machine 2 from Machine 1 via VLAN 5. I have tried adding a VLAN to Machine 1 SSH interface and pinging through that and still was not able to reach Machine 2.

Machine 2 is a headless system with only one port so I cannot check if the 1588 VLAN is working there unless I SSH in. Is there something wrong with the configuration I've set?
 
Amm0
Forum Guru
Posts: 3610
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: a basic (I think...) VLAN problem.

Thu Apr 25, 2024 6:53 pm

This is an artifact of how RouterOS bridge works & a bit confusing initially. Under /interface/bridge/vlans, you need to have your VLANs listed, and – importantly for SSH – the bridge interface itself needs to be a tagged port. You don't need to add access ports (e.g. ports with frame-types=allow-only-untagged... set) as untagged= under bridge/vlans, since setting a PVID will add them. But any tagged VLANs on ports should be marked as tagged= on VLANs defined under /interface/bridge/vlans, in addition to the bridge also being listed as tagged=.

i.e., essentially, SSH is exposed via the bridge interface, otherwise all the /interface/bridge stuff is just L2 forwarded without access to RouterOS services.
 
fxcd
just joined
Topic Author
Posts: 5
Joined: Tue Apr 23, 2024 11:35 pm

Re: a basic (I think...) VLAN problem.

Thu Apr 25, 2024 8:34 pm

This is an artifact of how RouterOS bridge works & a bit confusing initially. Under /interface/bridge/vlans, you need to have your VLANs listed, and – importantly for SSH – the bridge interface itself needs to be a tagged port. You don't need to add access ports (e.g. ports with frame-types=allow-only-untagged... set) as untagged= under bridge/vlans, since setting a PVID will add them. But any tagged VLANs on ports should be marked as tagged= on VLANs defined under /interface/bridge/vlans, in addition to the bridge also being listed as tagged=.

i.e., essentially, SSH is exposed via the bridge interface, otherwise all the /interface/bridge stuff is just L2 forwarded without access to RouterOS services.

Adding the bridge as a tagged port does not resolve the ping issue:
/interface bridge
add admin-mac=78:9A:18:B4:C0:3E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] l2mtu=9600 mtu=9500 name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] l2mtu=9600 mtu=9500 name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] l2mtu=9600 mtu=9500 name=10-RU
set [ find default-name=sfp-sfpplus11 ] l2mtu=9600 mtu=9500 name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] l2mtu=9600 mtu=9500 name=12-SSH
/interface list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/system ptp
add name=PTP_SRS
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=02-SOURCE pvid=1588
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=09-TIMING pvid=1588
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=10-RU
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=11-DPDK pvid=5
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=12-SSH pvid=5
/interface bridge vlan
add bridge=bridge tagged=10-RU,bridge untagged=09-TIMING,02-SOURCE vlan-ids=1588
add bridge=bridge tagged=10-RU,bridge untagged=12-SSH,11-DPDK vlan-ids=5
/interface list member
add interface=02-SOURCE list=LAN
add interface=09-TIMING list=LAN
add interface=10-RU list=LAN
add interface=11-DPDK list=LAN
add interface=12-SSH list=LAN
/ip address
add address=192.168.20.33/24 comment=defconf interface=sfp-sfpplus1 network=192.168.20.0
/system ptp port
add comment="ptp source" interface=02-SOURCE ptp=PTP_SRS
add comment="timing to DU" interface=09-TIMING ptp=PTP_SRS
add comment="timing to the RU" interface=10-RU ptp=PTP_SRS
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
I tried the configuration both with and without adding the access ports as untagged on /interface bridge port and still am not able to reach Machine 2.
 
Amm0
Forum Guru
Posts: 3610
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: a basic (I think...) VLAN problem.

Thu Apr 25, 2024 8:48 pm

Sorry, I thought sfpplus1 was one of your VLANs... Basically, as the config stands, SSH will only be available from sfp-sfpplus1 via 192.168.20.33, from a host in that subnet that is connected directly (or via some switch connected to sfpplus1), since sfpplus1 is not connected on this router to the VLANs, and there are no Layer3 VLAN interfaces configured for SSH to use.

Assuming the issue is SSH from the 5 and/or 1588 VLANs, RouterOS basically needs SOME Layer3 interface for that. So the steps would be:

1. Add /interface/vlan with vlan id of 1588 (and/or another /interface/vlan with id of 5), using bridge as the parent interface.
2 (a). Then add an /ip/address setting the interface= to the VLAN 5/1588 in the respective subnet.
2 (b). If the VLANs have a DHCP server on them already... instead of adding an IP address as in 2(a), add a new /ip/dhcp-client on the VLAN interface so the router gets its address from the far-end DHCP server (if there is one).
 
fxcd
just joined
Topic Author
Posts: 5
Joined: Tue Apr 23, 2024 11:35 pm

Re: a basic (I think...) VLAN problem.

Thu Apr 25, 2024 11:57 pm

Thanks for your replies, @Amm0 @Buckeye & @mkx.

I'm having a hard time understanding why I would even need to set up L3 VLAN settings in the first place. Every configuration I have tried (including the L3 option @Amm0 just proposed) doesn't work.

Going back to the basics, I reset the switch and implemented the "VLAN Example - Trunk and Hybrid Ports" as shown here: https://help.mikrotik.com/docs/display/ ... NFiltering

I made the RU port the only trunk port, then the Source, Timing, DPDK, and SSH as Hybrid ports.

Here is the configuration I set mimicking the "VLAN Example - Trunk and Hybrid Ports". I have included the whole export in case I'm missing something.
/interface bridge
add admin-mac=78:9A:18:B4:CB:BD auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] name=02-SOURCE
set [ find default-name=sfp-sfpplus9 ] name=09-TIMING
set [ find default-name=sfp-sfpplus10 ] name=10-RU
set [ find default-name=sfp-sfpplus11 ] name=11-DPDK
set [ find default-name=sfp-sfpplus12 ] name=12-SSH
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/system ptp
add name=ptp_srs
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=qsfpplus1-1
add bridge=bridge comment=defconf interface=qsfpplus1-2
add bridge=bridge comment=defconf interface=qsfpplus1-3
add bridge=bridge comment=defconf interface=qsfpplus1-4
add bridge=bridge comment=defconf interface=qsfpplus2-1
add bridge=bridge comment=defconf interface=qsfpplus2-2
add bridge=bridge comment=defconf interface=qsfpplus2-3
add bridge=bridge comment=defconf interface=qsfpplus2-4
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=02-SOURCE pvid=1588
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
add bridge=bridge comment=defconf interface=sfp-sfpplus8
add bridge=bridge comment=defconf interface=09-TIMING pvid=1588
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=10-RU
add bridge=bridge comment=defconf interface=11-DPDK pvid=5
add bridge=bridge comment=defconf interface=12-SSH pvid=5
add bridge=bridge comment=defconf interface=sfp-sfpplus13
add bridge=bridge comment=defconf interface=sfp-sfpplus14
add bridge=bridge comment=defconf interface=sfp-sfpplus15
add bridge=bridge comment=defconf interface=sfp-sfpplus16
add bridge=bridge comment=defconf interface=sfp-sfpplus17
add bridge=bridge comment=defconf interface=sfp-sfpplus18
add bridge=bridge comment=defconf interface=sfp-sfpplus19
add bridge=bridge comment=defconf interface=sfp-sfpplus20
add bridge=bridge comment=defconf interface=sfp-sfpplus21
add bridge=bridge comment=defconf interface=sfp-sfpplus22
add bridge=bridge comment=defconf interface=sfp-sfpplus23
add bridge=bridge comment=defconf interface=sfp-sfpplus24
/interface bridge vlan
add bridge=bridge tagged=02-SOURCE,09-TIMING,10-RU vlan-ids=1588
add bridge=bridge tagged=10-RU,11-DPDK,12-SSH vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=02-SOURCE list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=09-TIMING list=LAN
add interface=10-RU list=LAN
add interface=11-DPDK list=LAN
add interface=12-SSH list=LAN
add interface=sfp-sfpplus13 list=LAN
add interface=sfp-sfpplus14 list=LAN
add interface=sfp-sfpplus15 list=LAN
add interface=sfp-sfpplus16 list=LAN
add interface=sfp-sfpplus17 list=LAN
add interface=sfp-sfpplus18 list=LAN
add interface=sfp-sfpplus19 list=LAN
add interface=sfp-sfpplus20 list=LAN
add interface=sfp-sfpplus21 list=LAN
add interface=sfp-sfpplus22 list=LAN
add interface=sfp-sfpplus23 list=LAN
add interface=sfp-sfpplus24 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
/ip address
add address=192.168.20.33/24 comment=defconf interface=sfp-sfpplus1 network=192.168.20.0
/system ptp port
add interface=02-SOURCE ptp=ptp_srs
add interface=09-TIMING ptp=ptp_srs
add interface=10-RU ptp=ptp_srs
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key

After setting this up, I still cannot ping or ssh from machine 1 to machine 2 via the VLAN 5. I am starting to wonder if there is an issue with the switch or the firmware thereon?
 
Amm0
Forum Guru
Posts: 3610
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: a basic (I think...) VLAN problem.

Fri Apr 26, 2024 12:46 am

The docs show assigning an IP address to VLANs and tagged= INCLUDING the bridge interface:
Add Bridge VLAN entries and specify tagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing. Bridge ports with frame-types set to admit-only-untagged-and-priority-tagged will be automatically added as untagged ports for the pvid VLAN.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=200
add bridge=bridge1 tagged=bridge1 vlan-ids=300
add bridge=bridge1 tagged=bridge1 vlan-ids=400

Configure VLAN interfaces on the bridge1 to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned.
/interface vlan
add interface=bridge1 name=VLAN200 vlan-id=200
add interface=bridge1 name=VLAN300 vlan-id=300
add interface=bridge1 name=VLAN400 vlan-id=400

/ip address
add address=20.0.0.1/24 interface=VLAN200
add address=30.0.0.1/24 interface=VLAN300
add address=40.0.0.1/24 interface=VLAN400

Without an IP address on the VLAN, you cannot use SSH or ping or anything; /interface/bridge really just does Layer2 MAC/VLAN things. It's the IP address, and the bridge interface being tagged=, that get Layer3 services from RouterOS to the VLAN.
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: a basic (I think...) VLAN problem.

Fri Apr 26, 2024 7:45 am

The 1588 (PTP Timing) VLAN seems to be working (at least it works on Machine 1). But now I cannot SSH (or even ping) Machine 2 from Machine 1 via VLAN 5. I have tried adding a VLAN to Machine 1 SSH interface and pinging through that and still was not able to reach Machine 2.

Machine 2 is a headless system with only one port so I cannot check if the 1588 VLAN is working there unless I SSH in. Is there something wrong with the configuration I've set?
and
I'm having a hard time understanding why I would even need to set up L3 VLAN settings in the first place. Every configuration I have tried (including the L3 option @Amm0 just proposed) doesn't work.
I agree that if you are not trying to SSH from the CRS or to the CRS (i.e. the CRS isn't involved in SSH), then you don't need a vlan interface on the CRS. A vlan interface is just to allow the CPU on the CRS to connect to the corresponding vlan on the 98DX8322 switch ASIC in the CRS. In addition to a vlan interface, you need to configure the "internal trunk link" between the CPU and the switch ASIC. This is a post by @sindy worth reading: RouterOS bridge mysteries explained. Also see the CRS326-24S+2Q+ block diagram. Traffic within the same vlan (after the 98DX8322 switch ASIC configuration has been completed) will not traverse the 1 Gbs link to the CPU.

Are you able to ssh to machine 2 if you connect a host with a standard untagged ethernet adapter (e.g. a standard laptop's ethernet port)? If so then machine 2 ssh server is expecting untagged ethernet frames.

Are you sure that machine 2 is expecting tagged ethernet frames? If it isn't then it will most likely just ignore the packets (because they will have 0x8100 in the ethertype field). See IEEE802.1Q for examples of standard and tagged ethernet frame layouts.

Do the three interfaces on machine 1 all have unique ip addresses?

Are there two ip addresses associated with the port on machine 2?

Perhaps you should step back a bit, and explain the problem you are trying to solve. Are you sure vlans are the solution? I'm just trying to avoid an xy problem.

Perhaps machine 2 is expecting its management to be done via untagged frames. If that's the case, you can make the 10-RU bridge-port a hybrid with "native" vlan 5 (i.e. pvid 5) and tagged 1588. Unfortunately, there isn't a "Hybrid and access ports" example in the doc link.

Before doing the configurations, you really need to know what the configuration needs to do. And what the equipment on the other end of the cable is expecting.

Your latest config has new inconsistencies. You are telling ROS that 02-SOURCE (pvid 1588), 09-TIMING (pvid 1588), 11-DPDK (pvid 5), and 12-SSH (pvid 5) are receiving untagged packets into the vlans specified by the pvid in the /interface bridge port stanza, but then you are telling it that those ports should send the packets tagged in the /interface bridge vlan stanza.

Which is it? tagged or untagged?

If you want 10-RU to be a trunk port carrying vlans 5 and 1588 with vlan 5 native (untagged), then change the following parts:

/interface bridge port
# remove the frame-type filtering
add bridge=bridge comment=defconf interface=10-RU pvid=5
/interface bridge vlan
add bridge=bridge tagged=10-RU vlan-ids=1588
# untagged= is optional because untagged will be added dynamically for ports from the pvid in the /interface bridge port stanza
add bridge=bridge untagged=10-RU,11-DPDK,12-SSH vlan-ids=5
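
Added example, not part of any post in this thread and not MikroTik tooling: a Python check that reads the `/interface bridge port` and `/interface bridge vlan` stanzas of an export and flags ports whose ingress settings (pvid, frame-types) disagree with their egress tagging in the VLAN table, which is the tagged-or-untagged inconsistency pointed out above. The function names and issue codes are assumptions of this example; the two sample inputs are trimmed from exports posted in the thread.

```python
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"
TAGGED_ONLY = "admit-only-vlan-tagged"

# Sample input: bridge stanzas of the last export in the thread (unused default ports trimmed).
LAST_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=02-SOURCE pvid=1588
add bridge=bridge comment=defconf interface=09-TIMING pvid=1588
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=10-RU
add bridge=bridge comment=defconf interface=11-DPDK pvid=5
add bridge=bridge comment=defconf interface=12-SSH pvid=5
/interface bridge vlan
add bridge=bridge tagged=02-SOURCE,09-TIMING,10-RU vlan-ids=1588
add bridge=bridge tagged=10-RU,11-DPDK,12-SSH vlan-ids=5
"""

# Sample input: the access/trunk layout suggested earlier in the thread.
SUGGESTED = """\
/interface bridge port
add bridge=bridge interface=02-SOURCE pvid=1588 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=09-TIMING pvid=1588 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=10-RU frame-types=admit-only-vlan-tagged
add bridge=bridge interface=11-DPDK pvid=5 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=12-SSH pvid=5 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=10-RU untagged=02-SOURCE,09-TIMING vlan-ids=1588
add bridge=bridge tagged=10-RU untagged=12-SSH,11-DPDK vlan-ids=5
"""

def expand_ids(spec):
    """Expand a vlan-ids value such as '5' or '5,10-12' into a list of ints."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_export(text):
    """Return (ports, vlans) from the bridge port / bridge vlan sections."""
    ports, vlans, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        if section == "/interface bridge port":
            # RouterOS defaults: pvid=1, frame-types=admit-all
            ports[kv["interface"]] = {"pvid": int(kv.get("pvid", 1)),
                                      "frame_types": kv.get("frame-types", "admit-all")}
        elif section == "/interface bridge vlan":
            for vid in expand_ids(kv["vlan-ids"]):
                entry = vlans.setdefault(vid, {"tagged": set(), "untagged": set()})
                for mode in ("tagged", "untagged"):
                    entry[mode] |= {p for p in kv.get(mode, "").split(",") if p}
    return ports, vlans

def find_issues(ports, vlans):
    """Flag ports whose ingress handling contradicts their egress tagging."""
    issues = []
    for vid, members in vlans.items():
        for name in members["tagged"]:
            port = ports.get(name)
            if port is None:  # e.g. the bridge (CPU) interface itself
                continue
            if port["frame_types"] == UNTAGGED_ONLY:
                issues.append((name, vid, "tagged-egress-but-ingress-drops-tagged"))
            elif port["pvid"] == vid and port["frame_types"] != TAGGED_ONLY:
                issues.append((name, vid, "pvid-ingress-untagged-but-egress-tagged"))
        for name in members["untagged"]:
            port = ports.get(name)
            if port and port["frame_types"] == TAGGED_ONLY:
                issues.append((name, vid, "untagged-egress-but-ingress-drops-untagged"))
    return sorted(issues)

if __name__ == "__main__":
    for label, text in (("last export", LAST_EXPORT), ("suggested", SUGGESTED)):
        print(label, find_issues(*parse_export(text)) or "consistent")
```

A hybrid port (pvid in one VLAN, tagged member of another) is not flagged, since only a port that is tagged in its own pvid VLAN is treated as inconsistent.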
