Hello,
I hope you are well.
I'm setting up my first MikroTik switch/router. I tried to pay as much attention as possible. That being said, being new here, I might have missed something. Kindly correct me if I'm wrong.
Among others I've read the following articles viewtopic.php?f=13&t=143620, https://help.mikrotik.com/docs/display/ ... +Switching and https://help.mikrotik.com/docs/display/ ... Offloading.
To simplify the setup and the question, let's dedicate one port to WAN, all the other ports to LAN (two in the example) - like a regular home router - and some of the LAN ports (only one in the example) should bridge to WAN when ingress is tagged as expected.
Approach 1 - explicit VLAN
Approach 2 - Native(?) VLAN
As far as I understand, functionally both approaches are similar unless I'm missing some edge cases.
In the Native VLAN approach, pvid=1 is implied for bridge1 and its ports sfp-sfpplus2 and sfp-sfpplus3. I understand this as untagged traffic for these interfaces has VID=1 internally. However, this contradicts viewtopic.php?f=13&t=143620 which says
What are the conceptual, security (I don't like frame-types=admit-all on bridge1 in the Native VLAN approach but I cannot pin exactly what bothers me), and hardware offloading (the model in question is CRS309-1G-8S+-IN so the capabilities are quite vast) differences between the two setups? Am I missing any functional differences?
I hope you are well.
I'm setting up my first MikroTik switch/router. I tried to pay as much attention as possible. That being said, being new here, I might have missed something. Kindly correct me if I'm wrong.
Among others I've read the following articles viewtopic.php?f=13&t=143620, https://help.mikrotik.com/docs/display/ ... +Switching and https://help.mikrotik.com/docs/display/ ... Offloading.
To simplify the setup and the question, let's dedicate one port to WAN, all the other ports to LAN (two in the example) - like a regular home router - and some of the LAN ports (only one in the example) should bridge to WAN when ingress is tagged as expected.
Approach 1 - explicit VLAN
Code:
/interface bridge add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes/interface vlan add interface=bridge1 name=lan1 vlan-id=2/interface vlan add interface=bridge1 name=wan1 vlan-id=3/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=3/interface bridge port add bridge=bridge1 frame-types=admit-all interface=sfp-sfpplus2 pvid=2/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 pvid=2/interface bridge vlan add bridge=bridge1 tagged=bridge1 vlan-ids=2# untagged=sfp-sfpplus2,sfp-sfpplus3 implied above/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus2 vlan-ids=3# untagged=sfp-sfpplus1 implied above/ip address add address=192.168.88.1/24 interface=lan1 network=192.168.88.0Approach 2 - Native(?) VLAN
Code:
/interface bridge add frame-types=admit-all name=bridge1 vlan-filtering=yes/interface vlan add interface=bridge1 name=wan1 vlan-id=3/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=3/interface bridge port add bridge=bridge1 frame-types=admit-all interface=sfp-sfpplus2/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3/interface bridge vlan add bridge=bridge1 vlan-ids=1# untagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 implied above/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus2 vlan-ids=3# untagged=sfp-sfpplus1 implied above/ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0As far as I understand, functionally both approaches are similar unless I'm missing some edge cases.
In the Native VLAN approach, pvid=1 is implied for bridge1 and its ports sfp-sfpplus2 and sfp-sfpplus3. I understand this as untagged traffic for these interfaces has VID=1 internally. However, this contradicts viewtopic.php?f=13&t=143620 which says
Do I misunderstand? Or does it mean that despite MikroTik seeing these packets as VID=1 internally they will be egressed with VID=0 by default while other vendors see them with VID=0 even internally so they allow using VID=1 as an explicit tag and not as implied behaviour for untagged traffic? (Which I think is opposite to what it says.)A word of caution if you are thinking of using VLAN 1 in your network design. Most vendors use VLAN 1 as the native VLAN for their hardware. MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, and expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged. Therefore, unless you are prepared to change the default behavior in MikroTik and/or other vendors, it is simpler to use VLAN 2 and higher.
What are the conceptual, security (I don't like frame-types=admit-all on bridge1 in the Native VLAN approach but I cannot pin exactly what bothers me), and hardware offloading (the model in question is CRS309-1G-8S+-IN so the capabilities are quite vast) differences between the two setups? Am I missing any functional differences?
Statistics: Posted by tryrtryrtryrt — Sat Jan 13, 2024 2:40 am