Upgrading older hardware/systems to new Mikrotik systems.. (almost 15 year old Dell PowerConnect equipment..)
Then I came to some systems which had native vlans (for security) defined and when I looked those up.. and I think I started to lose my mind..
After much reading.. apparently I’ve created hybrid vlans.. which is not what I wanted..
```
/interface ethernet set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=1G-baseX
/interface vlan add interface=sfp-sfpplus3 name=vlan42 vlan-id=42
/interface vlan add interface=sfp-sfpplus3 name=vlan49 vlan-id=49
/interface vlan add interface=sfp-sfpplus3 name=vlan50 vlan-id=50
/interface vlan add interface=sfp-sfpplus3 name=vlan69 vlan-id=69
/interface vlan add interface=sfp-sfpplus3 name=vlan172 vlan-id=172
/interface vlan add interface=sfp-sfpplus3 name=vlan173 vlan-id=173
/interface vlan add interface=sfp-sfpplus3 name=vlan192 vlan-id=192
/interface vlan add interface=sfp-sfpplus3 name=vlan256 vlan-id=256
/interface vlan add interface=sfp-sfpplus3 name=vlan512 vlan-id=512
/interface vlan add interface=sfp-sfpplus3 name=vlan515 vlan-id=515
/interface vlan add interface=sfp-sfpplus3 name=vlan666 vlan-id=666
/interface vlan add interface=sfp-sfpplus3 name=vlan1000 vlan-id=1000
/interface vlan add interface=sfp-sfpplus3 name=vlan1024 vlan-id=1024
/interface vlan add interface=sfp-sfpplus1 name=vlan2069 vlan-id=2069
```
Found these: [Using RouterOS to VLAN your network @pcunite]
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
http://forum.mikrotik.com/t/unable-to-have-a-very-simply-vlan-between-two-ccr2116-working/168248/1
https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features
working all weekend and not having any real success..
Q: Do I need a bridge for each (trunk) collection of tagged ports?
I saw a ton of things with mktk and ‘vlan 0’ then I read this:
> A word of caution if you are thinking of using VLAN 1 in your network design. Most vendors use VLAN 1 as the native VLAN for their hardware. MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, and expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged. Therefore, unless you are prepared to change the default behavior in MikroTik and/or other vendors, it is simpler to use VLAN 2 and higher.
(mental note) also need to block vlan0 as well?
Hybrid seems to be what Unifi does as well.. where they just pass all vlan traffic, defined, known, or unknown..
Again given this:
```
flowcontrol off
description Trunk
spanning-tree portfast auto
switchport mode trunk
switchport trunk allowed vlan remove 1,3-171,173-4094
```
Denying vlan1, vlan3, etc from the trunk (which looks like a default allow with exceptions vs a default deny with exceptions..)
Q: how would I make a default deny all vlans except what I’ve defined on the ‘trunk/bridge’ ports?
I cannot seem to get the bridge, vlan-filtering, pvid, untagged, vlan-ids syntax correct at all.. for what I’m looking for..
When I add a second/multiple vlans, things stop working..
The switch.rsc and router.rsc in post 2: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Q: at the end of this.. if it’s not defined will it be denied? It seems like it.. but no one seems to talk about that..
Also by default the 2216 and 2116 only do hardware offloaded bridges.. so no need to try and enable hw=on correct?
.. and after all this set the native vlan to 666 in case something gets somewhere it shouldn’t..
.. and it seems there is no tag/label for voice vlan traffic..
@mkx @sindy @pcunite Thank you for all your work/comments on those threads..
Attached is the unifi profile for the “trunks” and vlan1 is not included.. and the local device setting for management vlan 172..
Thank you in advance for taking the time to read this..
Greatly appreciated.
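
The `switchport trunk allowed vlan remove 1,3-171,173-4094` line quoted in the post, expanded into the explicit allow-list it leaves on the trunk and rendered as a RouterOS bridge VLAN table entry. This is an added example, not part of the original post; the bridge name `bridge1` and the choice of `sfp-sfpplus1` and `sfp-sfpplus3` as tagged members are assumptions for illustration.

```python
# Added example: expand a "switchport trunk allowed vlan remove" list into
# the explicit allow-list that remains on the trunk.

VLAN_MIN, VLAN_MAX = 1, 4094  # usable 802.1Q VLAN IDs


def parse_vlan_list(spec):
    """Parse '1,3-171,173-4094' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"bad VLAN range: {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def allowed_after_remove(remove_spec):
    """A trunk starts with every VLAN allowed; 'remove' subtracts from that."""
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    return sorted(everything - parse_vlan_list(remove_spec))


def compress(ids):
    """Turn [2, 3, 4, 172] into '2-4,172'."""
    runs = []
    for v in sorted(ids):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v          # extend the current run
        else:
            runs.append([v, v])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def routeros_bridge_vlan(ids, bridge="bridge1",
                         tagged=("sfp-sfpplus1", "sfp-sfpplus3")):
    """Render one bridge VLAN table entry (bridge name is hypothetical)."""
    return (f"/interface bridge vlan add bridge={bridge} "
            f"tagged={','.join(tagged)} vlan-ids={compress(ids)}")


if __name__ == "__main__":
    allowed = allowed_after_remove("1,3-171,173-4094")  # line from the post
    print(allowed)
    print(routeros_bridge_vlan(allowed))
```

On a RouterOS bridge with `vlan-filtering=yes`, a port forwards only the VLAN IDs listed for it in the bridge VLAN table, so the rendered line is the allow-list form of the same trunk.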

