Hi,
I'm trying to build the network below:
- main router for internet is sophos
- mikrotik wan port is 192.168.9.2
- internet tested ok on mikrotik
- mikrotik ports 9, 10, 11 and 12 will be used to connect 4 aruba switches (switch 21 is 10.0.30.21 - switch 22 is 10.0.30.22 - switch 23 is 10.0.30.23 - switch 24 is 10.0.30.24)
- each aruba switch will have the same vlans - 5 - 40 - 50 - 60 - 70 - 90
- each aruba switch has port 24 configured as trunk port to carry these vlans
- mikrotik needs a vlan bridge for ports 9-10-11-12
- vlan 5 is 10.0.30.x - vlan 40 is 10.10.40.x - vlan 50 is 10.10.50.x - vlan 60 is 10.10.60.x - vlan 70 is 192.168.70.x - vlan 90 is 10.10.90.x
- vlan id respectively are vlan5 is 5 | vlan 40 is 40| vlan 50 is 50 |vlan 60 is 60 | vlan 70 is 70 and vlan 90 is 90
- I'm lost somewhere in the bridge setup for the vlans
Below is the config so far:
2023-06-26 10:52:31 by RouterOS 7.10
software id = P97J-M01E
model = CCR2004-16G-2S+
serial number = HEJ08XF680S
# Creates three bridges by name only. No vlan-filtering=yes appears on any of
# them, and RouterOS leaves VLAN filtering off unless it is set, so as shown
# none of these bridges enforces VLAN membership or a port's pvid.
# NOTE(review): bridge1 has no member ports anywhere in this export.
/interface bridge
add name=TRUNK_ARUBA_21
add name=bridge1
add name=bridge_4
# Renames the uplink port and the first two switch-facing ports.
# ether11 and ether12 (switches 23 and 24 in the post) are not renamed or
# referenced anywhere in this export.
/interface ethernet
set [ find default-name=ether8 ] name=ether8-WAN
set [ find default-name=ether9 ] name=ether9-SW21
set [ find default-name=ether10 ] name=ether10-SW22
# One VLAN interface per VLAN ID (5, 40, 50, 60, 70, 90), all stacked on the
# TRUNK_ARUBA_21 bridge. These are the layer-3 interfaces for tagged traffic.
# NOTE(review): no /ip address entry in this export is bound to any of these
# interfaces; the six gateway addresses sit on the bridge itself, which puts
# all six subnets in one untagged broadcast domain instead of separating them
# per VLAN.
/interface vlan
add interface=TRUNK_ARUBA_21 name=SW21_VLAN_5 vlan-id=5
add interface=TRUNK_ARUBA_21 name=SW21_VLAN_40 vlan-id=40
add interface=TRUNK_ARUBA_21 name=SW21_VLAN_50 vlan-id=50
add interface=TRUNK_ARUBA_21 name=SW21_VLAN_60 vlan-id=60
add interface=TRUNK_ARUBA_21 name=SW21_VLAN_70 vlan-id=70
add interface=TRUNK_ARUBA_21 name=SW21_VLAN_90 vlan-id=90
# Default wireless security profile; only the supplicant identity is set.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools, one .2-.254 range per subnet.
# NOTE(review): dhcp_pool1 and dhcp_pool7 cover the same range, and that range
# (10.0.30.2-10.0.30.254) contains the switch addresses 10.0.30.21-24 given in
# the post, so a lease could collide with a switch unless those addresses are
# excluded from the pool or reserved.
/ip pool
add name=dhcp_pool0 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool1 ranges=10.0.30.2-10.0.30.254
add name=dhcp_pool2 ranges=10.10.40.2-10.10.40.254
add name=dhcp_pool3 ranges=10.10.50.2-10.10.50.254
add name=dhcp_pool4 ranges=10.10.60.2-10.10.60.254
add name=dhcp_pool5 ranges=192.168.70.2-192.168.70.254
add name=dhcp_pool6 ranges=10.10.90.2-10.10.90.254
add name=dhcp_pool7 ranges=10.0.30.2-10.0.30.254
# The only DHCP server in this export: dhcp1 on bridge_4, leasing from
# dhcp_pool0. No server is bound to dhcp_pool1 through dhcp_pool7, so the VLAN
# subnets get no leases as shown.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge_4 lease-time=1h40m name=dhcp1
# Names the two serial ports.
/port
set 0 name=serial0
set 1 name=serial1
# Bridge membership: ether3 and ether4 join bridge_4; ether9-SW21 joins
# TRUNK_ARUBA_21 with pvid=5 (the VLAN that untagged ingress frames on that
# port are assigned to when VLAN filtering is active).
# NOTE(review): this export has no /interface bridge vlan table and no
# vlan-filtering=yes on the bridge, so pvid=5 has no effect yet. When filtering
# is enabled, set frame-types and ingress-filtering on the trunk port
# explicitly so the port only accepts the VLANs it is meant to carry. Confirm
# whether VLAN 5 is untagged or tagged on the Aruba trunk before relying on
# pvid=5.
# NOTE(review): ether10-SW22 is renamed earlier but is not added to any bridge.
/interface bridge port
add bridge=bridge_4 interface=ether3
add bridge=bridge_4 interface=ether4
add bridge=TRUNK_ARUBA_21 interface=ether9-SW21 pvid=5
# Neighbor discovery runs on every non-dynamic interface, which includes the
# uplinks ether8-WAN and ether2.
# NOTE(review): that announces the router's identity and version details
# towards the upstream side; pointing discover-interface-list at a LAN-only
# interface list would limit it to the inside.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# NOTE(review): the export's line-continuation characters appear to have been
# lost in the paste; where a line ends in "network=", its value is on the
# following line.
# Management address on bridge_4 and a public /31 on ether2.
/ip address
add address=192.168.4.1/24 comment=MANAGEMENT interface=bridge_4 network=
192.168.4.0
add address=212.31.106.201/31 comment="EX WAN PORT" interface=ether2 network=
212.31.106.200
# All six VLAN gateway addresses are bound to the bridge TRUNK_ARUBA_21, not to
# the SW21_VLAN_* interfaces. As shown, the router answers for every subnet on
# untagged frames and nothing separates the subnets at layer 2.
# NOTE(review): for per-VLAN isolation each address would normally sit on its
# matching VLAN interface (10.0.30.1/24 on SW21_VLAN_5, and so on).
add address=10.0.30.1/24 interface=TRUNK_ARUBA_21 network=10.0.30.0
add address=10.10.40.1/24 interface=TRUNK_ARUBA_21 network=10.10.40.0
add address=10.10.50.1/24 interface=TRUNK_ARUBA_21 network=10.10.50.0
add address=10.10.60.1/24 interface=TRUNK_ARUBA_21 network=10.10.60.0
add address=192.168.70.1/24 interface=TRUNK_ARUBA_21 network=192.168.70.0
add address=10.10.90.1/24 interface=TRUNK_ARUBA_21 network=10.10.90.0
# DHCP client on the renamed uplink port.
/ip dhcp-client
add interface=ether8-WAN
# DHCP network options (gateway, DNS servers, netmask) for each subnet.
# NOTE(review): these only take effect through a DHCP server instance; the
# export defines one server (dhcp1 on bridge_4), so the VLAN entries below are
# unused as shown.
# NOTE(review): line continuations were lost in the paste; each entry spans the
# "add" line plus the line(s) after it. The 192.168.4.0/24 entry lists 8.8.8.8
# twice.
/ip dhcp-server network
add address=10.0.30.0/24 comment="ADMIN VLAN" dns-server=
195.14.130.170,8.8.8.8,1.1.1.1 gateway=10.0.30.1 netmask=24
add address=10.10.40.0/24 comment="SERVERS40 VLAN" dns-server=
195.14.130.170,8.8.8.8,1.1.1.1 gateway=10.10.40.1 netmask=24
add address=10.10.50.0/24 comment="VLAN 50 USERS" dns-server=
195.14.130.170,8.8.8.8,1.1.1.1 gateway=10.10.50.1 netmask=24
add address=10.10.60.0/24 comment="SERVERS60 VLAN" dns-server=
195.14.130.170,8.8.8.8,1.1.1.1 gateway=10.10.60.1 netmask=24
add address=10.10.90.0/24 comment="VLAN 90 HYPERVISORS" dns-server=
195.14.130.170,8.8.8.8,1.1.1.1 gateway=10.10.90.1 netmask=24
add address=192.168.4.0/24 comment=
"NETWORK TO MANAGE MIKROTIK BRIDGE PORT 3 AND PORT 4" dns-server=
8.8.8.8,195.14.130.170,1.1.1.1,8.8.8.8 gateway=192.168.4.1
add address=192.168.70.0/24 comment="VLAN 70 SIP" dns-server=
195.14.130.170,8.8.8.8,1.1.1.1 gateway=192.168.70.1 netmask=24
# The router itself answers DNS queries (allow-remote-requests=yes) and
# forwards them to 195.14.130.170.
# NOTE(review): the input chain in this export has no drop rule, so the
# resolver is reachable on every interface, including ether8-WAN and ether2
# with its public address. Either limit DNS (udp/tcp 53) on the input chain to
# the internal subnets or turn allow-remote-requests off; the DHCP networks
# above do not hand out the router as a DNS server anyway.
/ip dns
set allow-remote-requests=yes servers=195.14.130.170
# Address lists, one per VLAN subnet.
# NOTE(review): no filter rule in this export references any of these lists,
# and the list the input chain does reference (allowed_to_router) is not
# defined here, so that accept rule matches nothing as shown.
/ip firewall address-list
add address=10.0.30.0/24 list=VLAN_5_ADMIN_LAN
add address=10.10.40.0/24 list=VLAN_40_SERVERS_40
add address=10.10.50.0/24 list=VLAN_50_USERS_
add address=10.10.60.0/24 list=VLAN_60_SERVERS_60
add address=192.168.70.0/24 list=VLAN_70_SIP
add address=10.10.90.0/24 list=VLAN_90_HYPERVISORS
# NOTE(review): line continuations were lost in the paste; each rule spans the
# "add" line plus the line(s) after it.
# NOTE(review): neither chain ends in a drop rule, and RouterOS accepts
# whatever no rule matched. As shown:
#   input   - every enabled router service is reachable from every interface,
#             including ether8-WAN and ether2;
#   forward - all routed traffic is allowed, including between the VLAN
#             subnets and inbound from the uplink side.
# The accept rules only become meaningful once each chain ends in a drop, added
# after an accept for the management source so the router stays reachable.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related"
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
log=yes log-prefix=invalid
add action=accept chain=input comment="default configuration"
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
# Accepts (and logs) traffic from 10.0.30.0/24 entering on the bridge
# TRUNK_ARUBA_21 and leaving via ether8-WAN.
# NOTE(review): if the subnets are moved onto the SW21_VLAN_* interfaces,
# routed traffic would presumably arrive with the VLAN interface as
# in-interface, and this matcher would need to follow - confirm.
add action=accept chain=forward comment="ADMIN VLAN 5 RULES" in-interface=
TRUNK_ARUBA_21 log=yes log-prefix="wan access - vlan 5 rules"
out-interface=ether8-WAN src-address=10.0.30.0/24
# Source NAT (masquerade) on both uplinks. log=yes writes a log entry for each
# new connection the rule translates.
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=masq out-interface=
ether2
add action=masquerade chain=srcnat log=yes out-interface=ether8-WAN
# Disables the FTP connection-tracking helper.
/ip firewall service-port
set ftp disabled=yes
# NOTE(review): the bare "add" has no parameters; part of that entry looks lost
# from the export. The second entry has no dst-address, so it is a default
# route via 212.31.106.200 (the peer of ether2's /31). The DHCP client on
# ether8-WAN may install a default route as well - confirm which uplink is
# meant to carry traffic.
/ip route
add
add gateway=212.31.106.200
# Turns off Telnet, FTP, HTTP (www) and SSH management access.
# NOTE(review): winbox, api and api-ssl are not listed, and an export only
# shows changed values, so they are presumably still at their defaults
# (enabled, with no address= restriction). With no drop rule in the input chain
# they would be reachable from the uplink side too; disable the ones not in use
# and restrict the rest with address= or an input rule.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
# Time zone for the system clock.
/system clock
set time-zone-name=Asia/Nicosia
# Do not display the system note at login.
/system note
set show-at-login=no
# Key that enters the RouterBOOT setup menu during boot.
/system routerboard settings
set enter-setup-on=delete-key
Can you help me?
What would be the logic behind what I want to accomplish?
Thanks