
I am having trouble getting port based vlanning/trunking working on a Mikrotik RB2011U. I have been following the guide located here: http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Example_-_802.1Q_Trunking_with_Atheros_switch_chip_in_RouterOS_v6 The features table at the top of the wiki indicates that this device should be capable of 802.1q vlanning.

I have followed the wiki verbatim, except that I have supplied my own interface names and vlan id numbers. When I plug a host into eth3 and assign it a static IP of 10.10.10.4 I am unable to ping 10.10.10.5 (the RB2011U); however plugging a second host into eth4 and assigning it a static IP of 10.10.10.6, I am able to ping 10.10.10.4 from 10.10.10.6 and vice versa. On the 10.10.10.4 and 10.10.10.6 side I can see that when I try to ping 10.10.10.5 I am getting an ARP reply from the RB2011U.

The second problem is that my trunk port does not seem to be working properly either. It is wired back to a Mikrotik CRS125 which I have confirmed to be working properly. In this case, pinging the RB2011U (10.10.10.5) from the CRS125 (10.10.10.2) and vice versa also does not work, however ARP does not seem to be being relayed.

In searching for answers, I see a lot of other people using bridges instead of using the switch configuration. And I did manage to get that configuration working minus the trunk port; however I configured my CRS125 to do vlan tagging in the switch config and for consistency's sake I'd prefer to have the RB2011U do the same.

EDIT: (requested configuration information)

```
/interface ethernet
set [ find default-name=ether1 ] name=eth1
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] master-port=eth2 name=eth3
set [ find default-name=ether4 ] master-port=eth2 name=eth4
set [ find default-name=ether5 ] master-port=eth2 name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] master-port=eth6 name=eth7
set [ find default-name=ether8 ] master-port=eth6 name=eth8
set [ find default-name=ether9 ] master-port=eth6 name=eth9
set [ find default-name=ether10 ] master-port=eth6 name=eth10

/interface ethernet switch port
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=0 vlan-header=always-strip vlan-mode=secure
set 11 vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=yes ports=eth2,eth3,eth4,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=eth2 switch=switch1 vlan-id=3
add independent-learning=yes ports=eth2 switch=switch1 vlan-id=4
add independent-learning=yes ports=eth2 switch=switch1 vlan-id=5

/interface vlan
add interface=eth2 l2mtu=1594 name=vlan1 vlan-id=1
add interface=eth2 l2mtu=1594 name=vlan3 vlan-id=3
add interface=eth2 l2mtu=1594 name=vlan4 vlan-id=4
add interface=eth2 l2mtu=1594 name=vlan5 vlan-id=5

/ip address
add address=10.10.10.5/24 interface=vlan1 network=10.10.10.0
add address=10.30.10.5/24 interface=vlan3 network=10.30.10.0
add address=10.40.10.5/24 interface=vlan4 network=10.40.10.0
add address=10.50.10.5/24 interface=vlan5 network=10.50.10.0
```
alexander
  • Please post your configuration. `/interface ethernet export` also `/interface vlan export` and `/ip address export` – Cha0s Feb 07 '15 at 18:24
  • So, `eth2` is your trunk port, correct? What do you mean when you mention *When I plug directly into one of the access ports of a particular vlan and try to ping the IP address I assigned to the corresponding vlan interface I get no reply;* ? Can you please edit your post to reflect your configuration? For example '*When I connect a device to `eth2` I ping the IP `x.x.x.x` ...*'. It's hard to understand what you have tried and what you connected where now. – Cha0s Feb 07 '15 at 19:13
  • Yes, eth2 is supposed to be the trunk port. I apologize, I had typed the original post rather hastily without much thought. – alexander Feb 07 '15 at 19:32
  • Thanks for the updates. By just looking at your configuration, I believe it's correct and it should be working. I am not sure about vlan id '1' though. Have you tried with a different vlan id? Some vendors use id 1 as the default vlan. I am not sure if that plays any role on MikroTik. Unfortunately I don't have any spare RBs to try your configuration out to confirm if that's the case (probably not). – Cha0s Feb 08 '15 at 14:46
  • I did try with a different vlan id to no avail. Though I do have other Mikrotik gear (working properly) that uses vlan id 1 for non-management traffic. As far as I could tell from reading the Mikrotik wiki/forums they do not have a "native vlan" like Cisco does. I have only worked with Mikrotik's Cloud Router Switch series before and the way you configure vlans is different. But it is reassuring that there was not a glaring mistake in my configuration. I'll have to play around with the config some more. For now I have everything working by just bridging switch ports to vlan interfaces. Thanks. – alexander Feb 08 '15 at 18:56

1 Answer

Ok, I managed to get my hands on a spare RB to try this configuration.

It turns out that I haven't read the documentation carefully. It states that you can access the router itself (as in management access) only from the trunk port.

http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Management_IP_Configuration

> Management IP Configuration
>
> This example will show one of the possible management IP address configurations. Management IP will be accessible only through trunk port and it will have a separate VLAN with ID 99.

I went ahead and set up a test network and I was able to ping the RB on the trunk port but not on any of the access ports.

Also, I noticed that you have set the trunk port like this:

```
/interface ethernet switch port
set 2 vlan-header=add-if-missing vlan-mode=secure
```

This means that number 2 is eth3 and that will be the trunk port and not eth2 since the numbers start from 0.

Here's a sample output from my test RB.

```
[admin@MikroTik] > /interface ethernet switch port print
Flags: I - invalid
 #   NAME             SWITCH             VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1           switch1            disabled  leave-as-is               auto
 1   ether2           switch1            secure    add-if-missing            auto
 2   ether3           switch1            secure    always-strip                 1
 3   ether4           switch1            secure    always-strip                 1
 4   ether5           switch1            secure    always-strip                 1
 5   switch1-cpu      switch1            secure    leave-as-is               auto
```

As you can see, number 2 is ether3. I don't know if that's related to your second issue not being able to ping the router from CRS.

Cha0s
  • I can't believe I missed that. Your suggestions have worked without issue. Thanks again. – alexander Feb 10 '15 at 23:39
  • After spending way too much time hunting this down, I'll mention another tidbit here. The critical sentence from the wiki is both informative and slightly misleading. The switch-cpu port must be connected to a trunk port even in the case where you don't want to have a separate management VLAN, but just want to assign the Mikrotik device an IP in the same VLAN. In other words, even if you have a single Mikrotik device, you can't make it accessible within its VLANs without making one actual port use VLAN tagging. – Josip Rodin Apr 21 '16 at 21:17
  • Another probably obvious thing has to be done for things to work - the trunk port has to be up, it can't be just pro forma. If it goes down (unplugged cable or whatever), the switch-cpu port communication will no longer work. – Josip Rodin Apr 22 '16 at 09:48
  • I guess you could overcome this by adding a bridge interface with no ports on it and assign an IP address. The bridge interface will always be in 'up' state so the IP will always work. Since there is no loopback interface on MikroTik, the manual suggests this method to implement loopback functionality interface. – Cha0s Apr 23 '16 at 10:33
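
The zero-based numbering pitfall from the answer can be checked before a config is applied. The following is an added example, not code from the original posts: it resolves numeric `set N` lines against a `/interface ethernet switch port print` table and reports which port actually receives the trunk setting. The function names are hypothetical; the table is the one from the answer's test RB and the `set` lines are the question's, so index 11 has no row here.

```python
import re

# Port table as printed in the answer (from the answerer's test RB).
PORT_TABLE = """\
 #   NAME             SWITCH             VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1           switch1            disabled  leave-as-is               auto
 1   ether2           switch1            secure    add-if-missing            auto
 2   ether3           switch1            secure    always-strip                 1
 3   ether4           switch1            secure    always-strip                 1
 4   ether5           switch1            secure    always-strip                 1
 5   switch1-cpu      switch1            secure    leave-as-is               auto
"""
# Numeric "set" lines from the question's export (other sections trimmed).
EXPORT = """\
/interface ethernet switch port
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=0 vlan-header=always-strip vlan-mode=secure
set 11 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=eth2 switch=switch1 vlan-id=3
"""

def parse_port_table(text):
    """Map the zero-based '#' column to the NAME column."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+)\s+switch\d+\s", text, re.M)
    return {int(idx): name for idx, name in rows}

def resolve_sets(export, table):
    """(index, name or None, params) per numeric 'set' in the switch port section."""
    out, in_section = [], False
    for line in export.splitlines():
        if line.startswith("/"):
            in_section = line.strip() == "/interface ethernet switch port"
            continue
        m = re.match(r"set (\d+) (.*)", line) if in_section else None
        if m:
            params = dict(kv.split("=", 1) for kv in m.group(2).split())
            out.append((int(m.group(1)), table.get(int(m.group(1))), params))
    return out

def trunk_ports(resolved):
    """Ports given the trunk setting used on this page (add-if-missing)."""
    return [n for _, n, p in resolved if p.get("vlan-header") == "add-if-missing"]

def unresolved(resolved):
    """Indices with no row in the port table."""
    return [i for i, n, _ in resolved if n is None]
```

To audit a real device, paste its own print output and export in place of the two strings; an index reported by `unresolved` means the `set` line targets a port the table does not list.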