CRS309 - Management VLAN access

RouterOS general discussion
chicanedj
just joined
Posts: 3
Joined: Mon May 13, 2024 11:45 am

CRS309 - Management VLAN access

Post by chicanedj »

Hi there.

I'm new to Mikrotik, but have been using Cisco etc. for nearly 30 years.

I am, however, stumped - for the life of me I cannot work out what I am doing wrong here. I simply want to be able to access the CRS309, on which I have defined a Management VLAN (500), from another host on the network (in a different VLAN - 400).

Management VLAN is 500
I want to be able to manage the Mikrotik from VLAN 400 - which will be via the trunk (ISL-GARAGE-SW01-2), or via a PC connected to sfp-sfpplus1 in VLAN 400.

Config is below:

# 1970-01-02 18:12:16 by RouterOS 7.11.3
# software id = JAXY-PZ10
#
# model = CRS309-1G-8S+
# serial number =
/interface bridge
add admin-mac=D4:01:C3:19:BE:EA auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface vlan
add interface=bridge name=Management vlan-id=500
/interface bonding
add mode=802.3ad name=ISL-GARAGE-SW01-2 slaves=sfp-sfpplus7,sfp-sfpplus8
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=400
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge interface=Management pvid=500
add bridge=bridge interface=ISL-GARAGE-SW01-2
add bridge=bridge interface=sfp-sfpplus6
/interface bridge vlan
add bridge=bridge tagged=ISL-GARAGE-SW01-2,bridge vlan-ids=400
add bridge=bridge tagged=ISL-GARAGE-SW01-2,bridge untagged="sfp-sfpplus1,sfp-s\
fpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6" vlan-ids=500
/interface list member
add interface=bridge list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ISL-GARAGE-SW01-2 list=LAN
add interface=Management list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.50.5/26 interface=Management network=10.10.50.0
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/system swos
set address-acquisition-mode=static allow-from-vlan=500 identity=OFFICE-SW-01 \
static-ip-address=10.10.50.5

TIA.
anav
Forum Guru
Posts: 19785
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: CRS309 - Management VLAN access

Post by anav »

A few comments.
This should be doable but may take a couple of stabs to get working.

(1) Bridge ports are for ports and wlans, ( not vlans ) and what is the role of ether1, you forgot about it in bridge vlans????

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=400
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge interface=Management pvid=500
{ needs to be removed }
add bridge=bridge interface=ISL-GARAGE-SW01-2
add bridge=bridge interface=sfp-sfpplus6

(3) Bridge ports don't line up with bridge vlans.................... Modified.........

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from router"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=400
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=500
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 pvid=500
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4 pvid=500
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus5 pvid=500
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus6 pvid=500
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ISL-GARAGE-SW01-2 comment="trunk to garage"


(4) Bridge vlans missing ether1!!! Also note you use quotation marks (wrong, there should be NONE) in the untagged portion of vlan-ids=500

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ISL-GARAGE-SW01-2 untagged=sfp-sfpplus1 vlan-ids=400
add bridge=bridge tagged=bridge,ether1,ISL-GARAGE-SW01-2 untagged=sfp-sfpplus2,sfp-sfpplus3,\
sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=500


(5) Now to get to accessing the switch from elsewhere....

/interface vlan
add interface=bridge name=vlan400 vlan-id=400

Interface lists and members FIXED...... Single list entry only!
/interface list
add name=ManagementList

/interface list member
add interface=Management list=ManagementList
add interface=vlan400 list=ManagementList


/ip neighbor discovery-settings
set discover-interface-list=ManagementList


/tool mac-server mac-winbox
set allowed-interface-list=ManagementList


+++++++++++++++++++++++++++++++++++++++

Fix the above and see if any progress is made.
chicanedj
just joined
Posts: 3
Joined: Mon May 13, 2024 11:45 am

Re: CRS309 - Management VLAN access

Post by chicanedj »

Thanks so much for coming back to me - appreciated.

We are not quite there yet - I don't think I explained my intent clearly. Is there a way to not use ether1 at all, so all traffic for the Management VLAN 500 comes into the switch via the trunk from the other Cisco switches?

I can ping the management IP address from the other Cisco switches - (10.10.50.5), but not from vlan400 - and the host in vlan400 is permitted to anywhere on the Firewall.

I've been adding other VLANs, so here's the modified config as discussed - it's just a little longer than the first posted snippet.

# 2024-05-13 16:20:56 by RouterOS 7.11.3
# software id = JAXY-PZ10
#
# model = CRS309-1G-8S+
# serial number =
/interface bridge
add admin-mac=D4:01:C3:19:BE:EA auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=removed-PC
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no comment=\
AP02-Office
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no comment=\
AP01-Kitchen
/interface vlan
add interface=bridge name=Hosting_DMZ vlan-id=77
add interface=bridge name=IoT vlan-id=79
add interface=bridge name=Kids_LAN vlan-id=10
add interface=bridge name=Legacy-LAN vlan-id=400
add interface=bridge name=Management vlan-id=500
add interface=bridge name=removed-Office vlan-id=200
add interface=bridge name=Server_DMZ vlan-id=76
add interface=bridge name=Storage vlan-id=502
add interface=bridge name=WAN vlan-id=50
add interface=bridge name=Wireless_Guest vlan-id=66
add interface=bridge name=Wireless_LAN vlan-id=5
add interface=bridge name=vMotion vlan-id=80
add interface=bridge name=vmWare-Management vlan-id=501
/interface bonding
add mode=802.3ad name=ISL-GARAGE-SW01-2 slaves=sfp-sfpplus7,sfp-sfpplus8
/interface list
add name=LAN
add name=ManagementList
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/snmp community
add addresses=::/0 name=removed
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether1
add bridge=bridge comment=removed-PC frame-types=\
admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=400
add bridge=bridge comment=Office-AP frame-types=admit-only-vlan-tagged \
interface=sfp-sfpplus2 pvid=500
add bridge=bridge comment=Kitchen-AP frame-types=admit-only-vlan-tagged \
interface=sfp-sfpplus3 pvid=500
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=sfp-sfpplus5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=\
ISL-GARAGE-SW01-2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=sfp-sfpplus6
/ip neighbor discovery-settings
set discover-interface-list=ManagementList
/interface bridge vlan
add bridge=bridge comment="Legacy LAN" tagged=ISL-GARAGE-SW01-2,bridge,ether1 \
untagged=sfp-sfpplus1 vlan-ids=400
add bridge=bridge comment=Managemenrt tagged=\
ISL-GARAGE-SW01-2,bridge,sfp-sfpplus2,sfp-sfpplus3,ether1 untagged=\
sfp-sfpplus1 vlan-ids=500
add bridge=bridge comment=Wireless_LAN tagged=\
bridge,ISL-GARAGE-SW01-2,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=5
add bridge=bridge comment=Kids_LAN tagged=\
bridge,ISL-GARAGE-SW01-2,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=10
add bridge=bridge comment=WAN tagged=bridge,ISL-GARAGE-SW01-2 vlan-ids=50
add bridge=bridge comment=Wireless_Guest tagged=\
bridge,ISL-GARAGE-SW01-2,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=66
add bridge=bridge comment=Server_DMZ tagged=bridge,ISL-GARAGE-SW01-2 \
vlan-ids=76
add bridge=bridge comment=Hosting_DMZ tagged=bridge,ISL-GARAGE-SW01-2 \
vlan-ids=77
add bridge=bridge comment=IoT tagged=\
bridge,ISL-GARAGE-SW01-2,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=79
add bridge=bridge comment=vMotion tagged=bridge,ISL-GARAGE-SW01-2 vlan-ids=80
add bridge=bridge comment=vmWare-Management tagged=bridge,ISL-GARAGE-SW01-2 \
vlan-ids=501
add bridge=bridge comment=removed-Office tagged=bridge,ISL-GARAGE-SW01-2 \
vlan-ids=200
add bridge=bridge comment=Storage tagged=bridge,ISL-GARAGE-SW01-2 vlan-ids=\
502
/interface list member
add interface=Legacy-LAN list=ManagementList
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.50.5/26 interface=Management network=10.10.50.0
/snmp
set contact="removed removed" enabled=yes location="Office Desk" trap-community=\
removed
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.50.2
add address=10.10.50.3
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/system swos
set address-acquisition-mode=static allow-from-vlan=500 identity=OFFICE-SW-01 \
static-ip-address=10.10.50.5
/tool mac-server mac-winbox
set allowed-interface-list=ManagementList

Thanks Again. Cheers.
anav
Forum Guru
Posts: 19785
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: CRS309 - Management VLAN access

Post by anav »

Which port are all the vlans, from the main router, coming in on?
If not the router, then some other switch but which PORT??
Are you saying the bonded LINK, is where all the vlans are coming from then?

The BRIDGE DOES NOT GET AN IP address, we are using VLANS.
If you want to be able to reach the config separately from the bridge and vlans, what I call OFF BRIDGE access, then simply take one port off the bridge, give it its own IP address, add it to the management interface list as a member and then just plug a computer into that port, change your ipv4 settings to be within the subnet you created, and you will be in.

Understood the CRS gets an IP on the management subnet of 10.10.50.5 ( on vlan of 500 ).
YOU SHOULD NOT Identify ANY other VLANS on the bridge, there is typically no need!!!

Remember the only VLAN associated with the router and assigned to the router is the 10.10.50.5, the rest simply come in from source port and go out exit ports and WLANS.

The only issue is you need, for some reason, folks or one folk etc. coming in on VLAN 400 to be able to config the router, or so it seems.
I am not quite sure how to accomplish this, but I do know on the main router there will have to be a rule allowing that user or group of users on vlan id 400 access to vlan id 500. This has nothing to do with the CRS switch.

FOR argument's sake I will state the single host as 192.168.400.44

However, it's a bit weird for sure.

a. CONFIRM on main router there is an existing rule like:
add chain=forward action=accept in-interface=vlan400 src-address=192.168.400.44 dst-address=10.10.50.5/32

b. CONFIRM on main router that the router knows how to route between vlan400 and vlan500. For example when one creates the interfaces on the MT router, the router automatically creates local routes for the vlans and thus knows where to send traffic bound for them.

Bridge ports still screwy
Finally, before I proceed, what access points are you using in the kitchen and office? You state they are only taking tagged vlans (by frame-types) but then have identified a PVID of 500, which states they are supposed to get vlan500 traffic untagged (like access ports) - or is it a hybrid port????

Bridge ports still screwy
Look at your interface bridge vlans for both vlan-ids400 and 500, they both have sfp-sfpplus1 as UNTAGGED ????

To make this crystal clear, state what each port is going to, and state whether it's a:
- dumb device (cannot read tags)
- smart device (can read tags)
- hybrid device ( expects single interface untagged and rest of vlans tagged )

Curious --> What were you doing with 192.168.88.0/24 subnet ???
chicanedj
just joined
Posts: 3
Joined: Mon May 13, 2024 11:45 am

Re: CRS309 - Management VLAN access

Post by chicanedj »

Hi again,

Yes so the ISL-GARAGE-SW Trunk is the trunk that carries all these vlans up to the Mikrotik.

I suppose what I am trying to achieve is to have the Mikrotik behave like the rest of the Cisco devices on the network and be accessible from hosts in vlan400 - specifically my management host, and the NMS for SNMP graphs/monitoring - without having to use a port (ether1 in this case) specifically for management purposes.

I can confirm the Router - (OPNSense in this case) - is configured to allow access from specific vlan 400 hosts to 10.10.50.0/26. I can also confirm that the Router is able to route between these subnets/vlans, and all other hosts in this subnet outwith the Mikrotik are pingable and accessible.

The access points are UniFi APs - and I've only patched them into the switch today - again, their management addresses are in vlan 500, so in order to manage them from the UniFi Controller in vlan 400 I had to set the PVID on the interfaces (sfp-sfpplus2 and sfp-sfpplus3) to vlan 500. I lost access to the APs' management without this set.

The equivalent Cisco config that achieved the necessary with these APs was:

interface GigabitEthernet1/0/4
description AP02-OFFICE
switchport trunk allowed vlan 5,10,66,79,500
switchport mode trunk
end

Thanks again for taking the time - it's appreciated.

I'll answer the other questions shortly too.
anav
Forum Guru
Posts: 19785
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: CRS309 - Management VLAN access

Post by anav »

Okay the APs are hybrid ports, but you cannot have TWO untagged vlans at a hybrid port, ONLY ONE can come in untagged.
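Added example, not from the thread or from MikroTik: a small Python linter that reads a RouterOS export and flags the three bridge/VLAN mismatches anav raised above (a bridge port that appears in no /interface bridge vlan entry, a port untagged in more than one VLAN, and a port whose pvid does not match the VLAN it is untagged in). The section names and keys are RouterOS's own; the sample export is constructed to resemble the configs in this thread and is not the poster's exact config.

```python
import re

# Constructed sample modelled on the exports in this thread, not the poster's exact config: sfp-sfpplus1
# is untagged in two VLANs, sfp-sfpplus4 has no matching pvid, sfp-sfpplus6 appears in no bridge VLAN entry.
SAMPLE_EXPORT = r"""/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge interface=sfp-sfpplus1 pvid=400
add bridge=bridge interface=sfp-sfpplus4
add bridge=bridge interface=sfp-sfpplus6
add bridge=bridge interface=ISL-GARAGE-SW01-2
/interface bridge vlan
add bridge=bridge tagged=ISL-GARAGE-SW01-2,bridge,ether1 untagged=sfp-sfpplus1 \
    vlan-ids=400
add bridge=bridge tagged=ISL-GARAGE-SW01-2,bridge,ether1 untagged=\
    sfp-sfpplus1,sfp-sfpplus4 vlan-ids=500
"""

def parse_export(text):
    """Map each '/section' header to its 'add' rows as {key: value} dicts, joining '\\' continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def lint_bridge_vlans(text):
    """Return findings for the port/VLAN mismatches raised in the thread (pvid defaults to 1)."""
    sections = parse_export(text)
    ports = {p["interface"]: p.get("pvid", "1") for p in sections.get("/interface bridge port", [])}
    untagged_in, seen = {}, set()
    for row in sections.get("/interface bridge vlan", []):
        tagged, untagged = (row.get(k, "").split(",") for k in ("tagged", "untagged"))
        seen.update(filter(None, tagged + untagged))
        for member in filter(None, untagged):
            untagged_in.setdefault(member, []).append(row["vlan-ids"])
    findings = []
    for port, pvid in ports.items():
        vids = untagged_in.get(port, [])
        if port not in seen:
            findings.append(f"{port}: bridge port is not in any /interface bridge vlan entry")
        if len(vids) > 1:
            findings.append(f"{port}: untagged in more than one VLAN ({','.join(vids)}); only one is allowed")
        if vids and pvid not in vids:
            findings.append(f"{port}: pvid={pvid} but untagged member of VLAN {','.join(vids)}")
    return findings
```

Run it against the output of `/export` from the switch; an empty list means every bridge port is accounted for in the VLAN table with a single, matching untagged VLAN.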