Vlan – Configuring VLAN access and trunk ports on RouterOS/Mikrotik


I have a RouterBOARD RB951G-2HnD, RouterOS 6.34.2, and I am trying to achieve a network configuration something like what is depicted in the next picture. The picture is from the Mikrotik Wiki http://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment.

Network configuration with three switches and two vlans

I'm trying to configure the router the same way as SW3 in the picture: two trunk ports and one access port. I tried to configure the router as described on the wiki page, and the access port is not working correctly. I was trying to find a similar problem on the Internet, but with no luck.

I'm missing something in the configuration. So, here are the steps that I used for the configuration. The router has the default configuration and I'm trying to configure the following:

  • ether4 (same as SW3 eth3 in the picture) and ether5 (same as SW3 eth4 in the picture) are trunk ports
  • two VLAN IDs, 100 and 200
  • ether3 (same as SW3 eth1 in the picture) is the access port for VLAN 100

Steps

#Removing parts of default configuration: detach ether3-5 from the default switch group
/interface ethernet set ether3 master-port=none
/interface ethernet set ether4 master-port=none
/interface ethernet set ether5 master-port=none

#Configuration for trunk ports (ether4 and ether5, as listed above)
/interface bridge add name=bridge-trunk disabled=no
/interface bridge port add interface="ether4" bridge="bridge-trunk" disabled=no
/interface bridge port add interface="ether5" bridge="bridge-trunk" disabled=no

#configuration for the access port: a VLAN 100 sub-interface on the trunk bridge,
#bridged together with ether3 (an interface can only be a port of one bridge)
/interface vlan add name="bridge-trunk-vlan100" vlan-id=100 interface=bridge-trunk disabled=no

/interface bridge add name=bridge-vlan100 disabled=no
/interface bridge port add interface="bridge-trunk-vlan100" bridge="bridge-vlan100" disabled=no
/interface bridge port add interface="ether3" bridge="bridge-vlan100" disabled=no

When I do these steps and connect my laptop to ether3, no type of network connection to other network devices is working. The trunk ports are working properly.

Correct me if I'm wrong: if I introduce the router configured this way into an existing network, the ARP tables on the other network devices must refresh themselves, because the bridge has its own MAC address.

I would be grateful if you can provide me with hints, tutorials or books to read more about bridging and VLANs.

Update 1

I found a way, but I do not know if it is the right way by the RouterOS methodology.

I added this filter rule for the bridges:

/interface bridge filter add chain=forward mac-protocol=vlan vlan-id=100 action=accept

Also, I could run all VLAN traffic through IP Firewall with similar rule.

Update 2

The previous situation was done in an experimental environment on a separate RouterBOARD. I wanted to apply this solution on the real device and it did not work. The device is a Cloud Router Switch CRS125-24G-1S. The moment I add the bridge-trunk-vlan100 interface to the bridge-vlan100 bridge, the traffic that is passing through bridge-trunk is dropped and new connections cannot be established.

Best Answer

I struggled with a similar setup on an RB2011U too and tried many different tutorials. Funnily, the simplest solution worked for me. Your device has a switch chip, which is way faster than the CPU. You really should use its capabilities.

Meta description:

  1. Just take the default Home-AP setup, where ports 3-5 are slaves to eth2 and there is (probably) a bridge that eth2 is a member of (and therefore 3-5 too).
  2. Create the VLANs you need on that bridge and define addresses.
  3. Define the VLAN IDs on the switch (and of course, select the ports where you need the VLANs).
  4. Configure the ports in the switch port configuration:
  5. For trunk ports: set vlan mode to anything but disabled, header to "add if missing", default vlanid 1.
  6. For access ports: vlan mode to anything but disabled, header to "always strip" and default vlanid to the VLAN you want.
  7. If you have wifi stations on that device, create a bridge for the VLAN, add the VLAN and your wifi to it. Don't forget to add "switch cpu" to your switch VLAN configuration.

Since all ports are in a master-slave configuration and the switch knows which VLAN is on which port, the CPU does not have to be involved when switching traffic between ports.

Configuration:

  • The device here has two switch chips, with 5 ports each.
  • eth2 and eth6 are master ports.
  • eth3-5 are slave to eth2, eth7-10 are slave to eth6.
  • We want to add two vlans: 100 and 200

I think you could even solve this without a bridge, since your device only has a single switch chip. In theory you could define the VLANs on the master-port interface directly and skip adding a bridge. However, the config below uses a bridge.

# trunk bridge, probably already exists
/interface bridge add comment=defconf name=bridge

# the master ports are probably already members of that bridge
/interface bridge port add bridge=bridge comment=defconf interface=eth02-master
/interface bridge port add bridge=bridge interface=eth06-master

# create the vlans on the bridge (these are the CPU-side vlan interfaces)
/interface vlan add interface=bridge name=vlan-guest-200 vlan-id=200
/interface vlan add interface=bridge name=vlan-int-100 vlan-id=100

# vlan port config on the switch: list every port that carries the vlan,
# and include switch1-cpu so the vlan interfaces above can see the traffic
/interface ethernet switch vlan add ports=eth02-master,eth03,eth04,eth05,switch1-cpu switch=switch1 vlan-id=100 independent-learning=no
/interface ethernet switch vlan add ports=eth02-master,switch1-cpu switch=switch1 vlan-id=200 independent-learning=no

# if you have a device (like the RB2011U) with 2 switch chips,
# you need to configure the second switch too:
/interface ethernet switch vlan add ports=eth06-master,eth07,eth08,eth09,switch2-cpu switch=switch2 vlan-id=100
/interface ethernet switch vlan add ports=eth06-master,eth07,eth10,switch2-cpu switch=switch2 vlan-id=200

# define the addresses of your vlans (on the vlan interfaces created above;
# if you later bridge a vlan with wifi, put the address on that bridge instead)
/ip address add address=10.10.100.1/24 interface=vlan-int-100 network=10.10.100.0
/ip address add address=10.10.200.1/24 interface=vlan-guest-200 network=10.10.200.0

Trunk port configuration (entry 2, which is probably eth02-master):

/interface ethernet switch port set 2 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure

Access port configuration (for entries 3 and 10, which are probably eth3 and eth10):

/interface ethernet switch port set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 10 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure

If your device should also act as a wifi AP, you need to bridge the wifi interface into the VLANs:

# create a bridge for each vlan you need
/interface bridge add name=bridge-vlan-guest-200

# add the vlan and wifi to the bridge
/interface bridge port add bridge=bridge-vlan-guest-200 interface=vlan-guest-200
/interface bridge port add bridge=bridge-vlan-guest-200 interface=wlan-guest-200
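The switch VLAN table and the per-port header/default-VLAN settings in the answer above have to agree with each other, or traffic either disappears or crosses VLANs. The following consistency check is an added example (my code, not the answer's or MikroTik's): it parses RouterOS lines in the shape the answer uses and flags an access port whose default VLAN does not list it, an access port that is also a member of other VLANs, a trunk whose untagged default is not VLAN 1, a VLAN without the switch CPU port, and a port left in vlan-mode=disabled. The entry-number-to-name mapping and the sample config are constructed assumptions.

```python
import re
from typing import Dict, List
# Constructed sample in the shape of the answer's switch-chip config. Entry 5 is
# deliberately wrong: it strips tags into VLAN 200, but only VLAN 100 lists eth05.
SAMPLE_CONFIG = """
/interface ethernet switch vlan add ports=eth02-master,eth03,eth04,eth05,switch1-cpu switch=switch1 vlan-id=100 independent-learning=no
/interface ethernet switch vlan add ports=eth02-master,switch1-cpu switch=switch1 vlan-id=200 independent-learning=no
/interface ethernet switch port set 2 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch port set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 5 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
"""

# Assumed entry-number -> interface-name mapping (hypothetical; on a real device
# take it from "/interface ethernet switch port print").
PORT_NAMES = {2: "eth02-master", 3: "eth03", 4: "eth04", 5: "eth05"}

def _kv(line: str) -> Dict[str, str]:
    # Split the key=value tokens of one RouterOS command line into a dict.
    return dict(re.findall(r"(\S+?)=(\S+)", line))

def audit(config: str, port_names: Dict[int, str]) -> List[str]:
    # Compare switch VLAN membership with each port's VLAN settings; return findings.
    vlans: Dict[int, List[str]] = {}       # vlan-id -> member port names
    ports: Dict[int, Dict[str, str]] = {}  # port entry number -> settings
    for line in config.splitlines():
        if "switch vlan add" in line:
            kv = _kv(line)
            vlans[int(kv["vlan-id"])] = kv["ports"].split(",")
        elif (m := re.search(r"switch port set (\d+)", line)):
            ports[int(m.group(1))] = _kv(line)
    findings = []
    for vid, members in vlans.items():
        if not any(p.endswith("-cpu") for p in members):
            findings.append(f"vlan {vid}: switch cpu port missing, CPU vlan interface will not see it")
    for entry, cfg in ports.items():
        name = port_names.get(entry, f"entry{entry}")
        dvid = int(cfg.get("default-vlan-id", 1))
        header = cfg.get("vlan-header")
        if cfg.get("vlan-mode", "disabled") == "disabled":
            findings.append(f"{name}: vlan-mode=disabled, switch enforces no VLAN boundary here")
        elif header == "always-strip":  # access port: untagged frames land in dvid
            if name not in vlans.get(dvid, []):
                findings.append(f"{name}: access port for vlan {dvid} but not a member of it")
            others = [v for v, ms in vlans.items() if v != dvid and name in ms]
            if others:
                findings.append(f"{name}: access port also member of vlans {others}, tagged frames from the host would enter them")
        elif header == "add-if-missing" and dvid != 1:
            findings.append(f"{name}: trunk port tags untagged frames into vlan {dvid}, not vlan 1")
    return findings
```

Paste the output of `/export` for the switch section into SAMPLE_CONFIG's place and run `audit()` before putting a device on a shared trunk; an empty list means the table and the port settings agree.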