Difference between revisions of "Manual:Basic VLAN switching"

From MikroTik Wiki
(Other devices with built-in switch chip)
(Other devices with built-in switch chip)
 
(12 intermediate revisions by one other user not shown)
Line 7: Line 7:
 
Many MikroTik devices come with a built-in switch chips that usually have an option to do VLAN switching on a hardware level, this means that you can achieve wire-speed performance using VLANs if a proper configuration method is used. The configuration method changes across different models, this guide will focus on setting up a basic trunk/access port setup with a management port from the trunk port using different devices with the right configuration to achieve best performance and to fully utilize  the available hardware components.
 
Many MikroTik devices come with a built-in switch chips that usually have an option to do VLAN switching on a hardware level, this means that you can achieve wire-speed performance using VLANs if a proper configuration method is used. The configuration method changes across different models, this guide will focus on setting up a basic trunk/access port setup with a management port from the trunk port using different devices with the right configuration to achieve best performance and to fully utilize  the available hardware components.
  
 +
[[File:basic vlan switching.png|700px|thumb|center|alt=Alt text|Basic VLAN switching]]
  
 
=CRS3xx series switches=
 
=CRS3xx series switches=
Line 17: Line 18:
 
add bridge=bridge1 interface=ether3 hw=yes pvid=30
 
add bridge=bridge1 interface=ether3 hw=yes pvid=30
 
/interface bridge vlan
 
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
+
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
 +
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30
 
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
 
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
 
/interface vlan
 
/interface vlan
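Review bot: The two replacement lines under /interface bridge vlan arrive with no text saying why the combined entry was wrong, so a reader comparing revisions cannot tell this is an isolation fix rather than a style change. The removed line "untagged=ether2,ether3 vlan-ids=20,30" made both access ports untagged members of both VLAN 20 and VLAN 30, while the context line above shows ether3 with pvid=30. Suggest one sentence next to the block stating that each access port should be untagged only in the VLAN that matches its pvid.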
Line 27: Line 29:
 
</pre>
 
</pre>
  
 +
More detailed examples can be found [[Manual:Interface/Bridge#Bridge_VLAN_Filtering | here]].
  
 
=CRS1xx/CRS2xx series switches=
 
=CRS1xx/CRS2xx series switches=
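Review bot: The link text added at the end of the CRS3xx section is only "here", which tells the reader nothing about the target when the sentence is read on its own, and the same wording is repeated in the later sections of this revision. Suggest naming the target in the label, for example "See Bridge VLAN Filtering for more detailed examples."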
Line 37: Line 40:
 
add bridge=bridge1 interface=ether3 hw=yes
 
add bridge=bridge1 interface=ether3 hw=yes
 
/interface ethernet switch ingress-vlan-translation
 
/interface ethernet switch ingress-vlan-translation
add ports=ether2 new-customer-vid=20 sa-learning=yes
+
add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether3 new-customer-vid=30 sa-learning=yes
+
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
 
/interface ethernet switch egress-vlan-tag
 
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=200
+
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=300
+
add tagged-ports=ether1 vlan-id=30
 
add tagged-ports=ether1,switch1-cpu vlan-id=99
 
add tagged-ports=ether1,switch1-cpu vlan-id=99
 
/interface ethernet switch vlan
 
/interface ethernet switch vlan
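Review bot: customer-vid=0 is added to both ingress-vlan-translation rules with no explanation of what the value 0 matches, and nothing says how frames that arrive already tagged on ether2 or ether3 are handled once the rules are narrowed. Suggest a short sentence beside the block stating what customer-vid=0 selects. The egress-vlan-tag correction from vlan-id=200 and vlan-id=300 to 20 and 30 now agrees with new-customer-vid=20 and new-customer-vid=30 above it.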
Line 54: Line 57:
 
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3
 
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3
 
</pre>
 
</pre>
 +
 +
More detailed examples can be found [[Manual:CRS1xx/2xx_series_switches_examples#VLAN | here]].
  
 
=Other devices with built-in switch chip=
 
=Other devices with built-in switch chip=
Line 60: Line 65:
 
<pre>
 
<pre>
 
/interface bridge
 
/interface bridge
add name=bridge1 protocol-mode=none
+
add name=bridge1
 
/interface bridge port
 
/interface bridge port
 
add bridge=bridge1 interface=ether1 hw=yes
 
add bridge=bridge1 interface=ether1 hw=yes
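Review bot: Dropping protocol-mode=none from "add name=bridge1" leaves the bridge on its default protocol mode while the port lines below still request hw=yes. The note added further down in this same revision says the default rstp can disable hardware offloading on some switch chips, so on those devices this example can end up without the offloading it is written for. Suggest referring to that note directly beside this block, or stating how to confirm that offloading is active after applying the configuration.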
Line 79: Line 84:
 
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
 
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
 
</pre>
 
</pre>
 +
 +
More detailed examples can be found [[Manual:Switch_Chip_Features#Setup_Examples | here]].
  
 
{{ Note | This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices. }}
 
{{ Note | This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices. }}
 +
 +
{{ Note | By default, the bridge interface is configured with <var>protocol-mode</var> set to <code>rstp</code>. For some devices, this can disable hardware offloading because specific switch chips do not support this feature.  See the [[Manual:Interface/Bridge#Bridge_Hardware_Offloading | Bridge Hardware Offloading]] section with supported features. }}
 +
 +
{{ Note | For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use [[Manual:Basic_VLAN_switching#Other_devices_without_a_built-in_switch_chip | Bridge VLAN Filtering]], but it disables hardware offloading (and lowers the total throughput). }}
  
 
=Other devices without a built-in switch chip=
 
=Other devices without a built-in switch chip=
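Review bot: The multi-switch-chip text is added as a Note, but its key statement, "VLANs between switch chips will not get filtered", describes a loss of VLAN isolation and sits in the middle of one long sentence where it is easy to miss. Suggest making it a Warning and splitting it into separate sentences for the limitation, the cable workaround and the Bridge VLAN Filtering alternative. The "Bridge VLAN Filtering" link label also points at the "Other devices without a built-in switch chip" section of this page, so label and target should be made to agree.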
Line 92: Line 103:
 
add bridge=bridge1 interface=ether3 hw=no pvid=30
 
add bridge=bridge1 interface=ether3 hw=no pvid=30
 
/interface bridge vlan
 
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
+
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
 +
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30
 
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
 
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
 
/interface vlan
 
/interface vlan
Line 101: Line 113:
 
set bridge1 vlan-filtering=yes
 
set bridge1 vlan-filtering=yes
 
</pre>
 
</pre>
 +
 +
More detailed examples can be found [[Manual:Interface/Bridge#Bridge_VLAN_Filtering | here]].
  
 
[[Category:Bridging and switching]]
 
[[Category:Bridging and switching]]
 
[[Category:Case Studies]]
 
[[Category:Case Studies]]

Latest revision as of 14:05, 10 January 2019

Applies to RouterOS: v6.41 +

Introduction

Many MikroTik devices come with a built-in switch chip that can usually do VLAN switching at the hardware level, which means you can achieve wire-speed performance with VLANs if a proper configuration method is used. The configuration method differs between models. This guide focuses on a basic trunk/access port setup, with management access from the trunk port, and shows the right configuration for each group of devices to achieve the best performance and fully utilize the available hardware components.

Figure: Basic VLAN switching

CRS3xx series switches

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface bridge
set bridge1 vlan-filtering=yes

More detailed examples can be found here.

CRS1xx/CRS2xx series switches

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=ether1,switch1-cpu vlan-id=99
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=20 learn=yes
add ports=ether1,ether3 vlan-id=30 learn=yes
add ports=ether1,switch1-cpu vlan-id=99 learn=yes
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3

More detailed examples can be found here.

Other devices with built-in switch chip

Warning: Not all devices with a switch chip are capable of VLAN switching at the hardware level. Check the supported features for each switch chip; the compatibility table can be found Here. If a device has VLAN table support, then it is capable of VLAN switching using the built-in switch chip. You can check the device's switch chip either in the provided link or by using /interface ethernet switch print


/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

More detailed examples can be found here.

Note: This type of configuration should be used on RouterBOARD series devices; this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices.


Note: By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.


Note: For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip. VLAN filtering will not work at the hardware level between ports that are on different switch chips. This means you should not add all ports to a single bridge if you intend to use VLAN filtering with the switch chip: VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation. Another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).


Other devices without a built-in switch chip

It is possible to do VLAN filtering using the CPU. There are multiple ways to do it, but using bridge VLAN filtering is highly recommended.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no pvid=20
add bridge=bridge1 interface=ether3 hw=no pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=20
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface bridge
set bridge1 vlan-filtering=yes

More detailed examples can be found here.
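
An added example, not part of the MikroTik manual: an offline check for the bridge VLAN filtering configurations shown in the CRS3xx section and in the section for devices without a switch chip. It flags any port that is an untagged member of a VLAN other than its pvid, which is what the earlier combined entry (untagged=ether2,ether3 vlan-ids=20,30) produced, and a bridge that does not set vlan-filtering=yes. The function names and sample exports are constructed here, and the parser assumes one command per line under a menu path, as in the listings above.

```python
import re
from collections import defaultdict

# Constructed sample: the bridge VLAN table as it stood before the revision on this page.
OLD_CONFIG = """\
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes pvid=20
add bridge=bridge1 interface=ether3 hw=yes pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface bridge
set bridge1 vlan-filtering=yes
"""
# The same export with one VLAN table entry per access VLAN, as in the latest revision.
NEW_CONFIG = OLD_CONFIG.replace("untagged=ether2,ether3 vlan-ids=20,30",
    "untagged=ether2 vlan-ids=20\nadd bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=30")

def parse(config):
    """Group each command's key=value pairs under the menu path above it."""
    menus, menu = defaultdict(list), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and menu:
            menus[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def vids(spec):
    """Expand a vlan-ids value such as '20,30' or '20-22' into integers."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        yield from range(int(lo), int(hi or lo) + 1)

def lint(config):
    """Flag untagged memberships that differ from the port's pvid, and an unfiltered bridge."""
    menus = parse(config)
    # RouterOS bridge ports default to pvid=1 when none is given.
    pvid = {p["interface"]: int(p.get("pvid", 1)) for p in menus["/interface bridge port"]}
    findings = []
    for row in menus["/interface bridge vlan"]:
        ports = [p for p in row.get("untagged", "").split(",") if p]
        for vid in vids(row["vlan-ids"]):
            findings += [f"{p}: untagged in VLAN {vid} but pvid={pvid.get(p, 1)}"
                         for p in ports if pvid.get(p, 1) != vid]
    if not any(r.get("vlan-filtering") == "yes" for r in menus["/interface bridge"]):
        findings.append("vlan-filtering is not enabled on the bridge")
    return findings
```

Run lint() on the text of an export of the bridge menus; an empty list means every untagged membership matches the port's pvid and filtering is enabled.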