Dirty notes on setup mikrotik with VLANs, trunk and switch1-cpu

Blah

  • ether1 : trunk to Edge-Router-X
  • ether2 to ether16 : Vlan LAN
  • ether18,ether20,ether22,ether24 : Vlan Guest
  • ether17,ether19,ether21,ether23 : Vlan IOT

post-v6.41 bridge hw-offload configuration:

/interface bridge
add name=bridge1 igmp-snooping=no  protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
...

Add initial VLAN assignments (PVID) to VLAN access ports:

/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=110 sa-learning=yes
... to ...
add ports=ether16 customer-vid=0 new-customer-vid=110 sa-learning=yes
...
add ports=ether18 customer-vid=0 new-customer-vid=120 sa-learning=yes
add ports=ether20 customer-vid=0 new-customer-vid=120 sa-learning=yes
add ports=ether22 customer-vid=0 new-customer-vid=120 sa-learning=yes
add ports=ether24 customer-vid=0 new-customer-vid=120 sa-learning=yes
...
add ports=ether17 customer-vid=0 new-customer-vid=130 sa-learning=yes
add ports=ether19 customer-vid=0 new-customer-vid=130 sa-learning=yes
add ports=ether21 customer-vid=0 new-customer-vid=130 sa-learning=yes
add ports=ether23 customer-vid=0 new-customer-vid=130 sa-learning=yes
  • Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk port. Egress-VLAN-Tag entry is mandatory for every VLAN to make VLAN access ports work. If VLAN trunk port has not been chosen yet, Egress-VLAN-Tag entry has to be added with tagged-ports="".

we only want switch1-cpu to be accessible through VLAN ID 110 (LAN):

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1,switch1-cpu vlan-id=110
add tagged-ports=ether1 vlan-id=120
add tagged-ports=ether1 vlan-id=130
  • VLAN membership definitions in the VLAN table are required for proper isolation. Adding entries with VLAN id and ports makes that VLAN traffic valid on those ports.
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,...,ether16 vlan-id=110 learn=yes
add ports=ether1,ether18,ether20,ether22,ether24 vlan-id=120 learn=yes
add ports=ether1,ether17,ether19,ether21,ether23 vlan-id=130 learn=yes
  • After valid VLAN configuration unknown/invalid VLAN forwarding can be disabled in global switch settings.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8
  • Define IP for switch1-cpu thingy
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=110
/interface vlan
add name=VlanLan interface=bridge1 vlan-id=110
/ip address
add address=192.168.10.9/24 interface=VlanLan
/ip dns
set servers=192.168.10.1
/ip route
set gateway=192.168.10.1