It led me to think that those who understand these concepts and topics (as many of you here do) have achieved something very special and difficult because this is very (very) difficult stuff.
I am still waiting for someone to come up with a way to explain these concepts (bridge, VLAN, etc.) better than we currently have.
(Kindly don’t state, or even imply, that the material exists or that I haven’t tried – lots of material exists, but none that is excellent at teaching this stuff, and I’ve spent many hundreds of hours trying to learn this stuff (and I’ve learned a lot of very complex/difficult things), and am still struggling.)
My God! Just read a book about Linux networking! Stop trying to understand basics via FAQ and Wiki. Or finish higher education; all in all, stop doing "vibe networking" stuff. I'm just going crazy with these sorts of topics.
Funnily enough, the "Cisco guy" is thinking of the term bridge as "a Layer 3 virtual". This dude is maybe using Cisco devices in a way, but never attended any Cisco training. Otherwise he would already know the concept of a bridge perfectly.
For people that have been using vlans for a long time, they don't remember when it "clicked". For them, it is like trying to remember when they learned their native language, it just seemed natural and obvious.
Are you struggling with the concept of what a vlan is, or the MikroTik implementation and commands for configuration? Possibly both?
Don't feel too bad, there are many people that don't really understand vlans, or think they understand until they try to use them from scratch.
It's easy to copy and paste a config, but if snippets of examples are just copied without understanding why something is being done, things are often used inappropriately.
As you have pointed out before, the "jargon" is not obvious, and the context in which it is used can change the meaning.
How did you learn networking? Do you understand how ethernet works? It isn't necessary when most of the complexity is being hidden from you (by engineers that have made things much easier than they used to be). So when things are working well, things appear to be much simpler than they really are. Just take the new PC out of the box and plug a cable into the LAN port on the computer and the other end into a LAN port of your router. It didn't use to be that way in the 1980's.
It is when things are not working that understanding how things work is important, especially for effective troubleshooting.
Have you used any equipment where vlans made sense to you? Or is your only exposure to vlans with MikroTik?
MikroTik is more complex than many other vendors because they give you so many knobs to turn, and few blade guards (ROS will accept many things it arguably shouldn't). Very flexible, but the choice overload can lead to analysis paralysis. With vlans on the bridge, you have many parts to configure; there are whole threads that attempt to explain it, but as you are aware, they aren't meant for the layman.
And vlans are complex; especially when hybrid links are involved, because one vlan is mapped to untagged traffic, that's per port. And you have to worry about the "internal" virtual hybrid link between the routing block in the CPU and the virtual switch (implemented either by hardware in a switch, or by software in the linux kernel). And the switch "personality" is in itself complex.
I don't think there is a simple explanation that is sufficient to be able to use for troubleshooting. You have to know how each of the individual pieces works on its own, and also how they get connected together.
For every complex problem there is an answer that is clear, simple, and wrong. H. L. Mencken
That document is part of the problem, well meaning as it is. I took up your challenge and produced some improvements here
Yep, it only clicked for me recently. I am now OK with deciding on where and how to use a vLAN and can bash out the required vLAN. I hope I never forget the feeling of complete frustration I felt at the referenced document.
The thing which really helped me was being able to formulate a vLAN scheme as tables as exemplified here. This still leaves the problem of implementing the scheme from the table - it is still tricky, but doable.
With all due respect - while the idea of making a scheme in the form of a table is a nice one - without posting various examples and the corresponding configurations that come from them, explaining the symbology used, etc., it seems to me like a one-legged stool: https://lateralscience.blogspot.com/2014/10/scottish-nitroglycerin-one-legged-stools.html
a relevant part of the process, but only a tiny fraction of it.
The following has more details of what is happening under the hood, and gives a good hint as to where MikroTiks "new way" to configure vlans comes from.
Thanks for the reference to the one-legged stool, it was an interesting read. I am not sure how it applies to the table, although it may be useful to read the docs while sitting on a one-legged stool.
The primary purpose of creating a table is that it acts as both a plan and as documentation.
I agree that a better explanation of what the different columns/rows represent would help, but if you have worked with multiple vendors' vlan configurations, it should be somewhat self evident.
Here's a great video for a layman trying to configure vlans on consumer "smart" switches. It's sort of a VLAN Rosetta Stone for consumer "smart switches". But note how the paper documentation is the first thing that is prepared, after that it is just translation into the specific vendor's method of configuring vlans.
The way these switches are configured is similar to the way MikroTik does it (i.e. pvid and ingress in one place, and vlan membership and egress tagging behavior in another).
It is worth watching if you have never configured vlans as it is a concrete example. And knowing how to configure more than a single vendors equipment will be useful if you expect to be working with networking.
Having a clear goal is a requirement (or as anav would say, requirements must be clearly specified). Too many people try to start with an example they don't understand but looks "cool", and then attempt to shoe-horn it into their network.
Also, many people don't understand what vlans really are, and assume that making a port a member of two vlans will allow a single interface (the entity with the ip address attached) to communicate with multiple vlans directly. It is like they are trying to use vlans to do what routing does and what the firewall can restrict. However using the router* requires separate subnets. *(the routing engine, not the all-in-one physical box often referred to as a "router" that may include many functions like ethernet adapters, firewall, nat, dhcp, dns, ntp, switch and possibly wifi and even modem)
That isn't the way vlans work. With VLANS it is much more like adding additional network-adapters (NIC) to the host (one for each subnet/NIC/LAN), and then the host will have access to the LANs and subnets those NIC cards are connected to.
An example is this post. Where the specific assumed solution was VLANs, but all devices in the same subnet.
VLANs are just what they are named after, virtual LANS. If you can't do it with extra wires, network interface adapters, and switches (and one or more "dumb" switch for each subnet/LAN/broadcast domain), then you won't be able to do it with vlans (in general, I am excluding pvlans from this discussion).
So if you can't do it with LANs you won't be able to do it with vlans. vlans just allow you to share resources (network interface adapters, switches, wires) in a more flexible way, just like virtual machines allow you to share server hardware to "appear to be" multiple independent servers.
Edited 2025-12-06 to fix typos and hopefully to make it a bit easier to follow.
I do note that many people over the years have talked about the "click" of understanding VLANS. I certainly have a tremendously greater understanding of VLANs than I did 3 years ago. In fact, I could probably (thanks to the enormous patience of people here) configure a basic MT VLAN consisting of a 5009, 326, ax3 enough to have it (basically) working with VLANs enabled. But, I would not describe my own path to this point as having a single, loud click. But that fact might not be significant. Or, maybe I simply have not had that click yet -- that is, maybe my "real" understanding is yet to come.
I understand the basics of the role and implementation of layers 2 and 3 config settings, trunk and access ports, etc.
My stumbling blocks along the way, and continuing through now, are the deeper level understanding of what is going on inside (X-facing-Y abstractions; vlan_id=1 (hard coded/default) behaviors; shorthand terminology such as tagged/untagged network/port/interface/etc.; egress/ingress when referencing specific physical or abstracted components). Equally important, how understanding what is going on inside helps design and implement systems that get more complex than a small and simple LAN of 5009/326/ax3.
Am I making this more difficult on myself? Probably, but that's a hard habit to break.
BTW, having clear, complete and identified requirements is a heck of a lot easier said than done.
I am old (nearly 70) and I have been using networks since 1980. So I have had a long time to learn, and networking is just a small part of my job. Before I ever used vlans, I had used other "multiplexing" protocols, (for RS-232 terminal connections between buildings), as well as frame relay for wide area networking, so the concept of having multiple virtual circuits per physical circuit was not a new concept when moving to vlans with ethernet. So moving from ethernet to vlans wasn't a big step, however with vlans there is also the possibility of untagged frames, so understanding how ethernet works, and how vlan tags are "inserted", and how the vlan-aware device is able to detect the presence or lack of a tag, is an important concept, especially if you ever want to be able to understand stacked vlan tags (Q-in-Q).
What devices do you have that you can use to experiment with? If you see someone make a claim on the forums, can you devise a way to verify or find a counter example that can be reproduced? These are things that a well structured networking class would cover in student exercises.
If you really want to learn, there are free or low cost resources available online, and there may be a local college/university where you can audit classes for free. But at least for me, it is hands on: finding a situation that needs a solution, applying knowledge I have to come up with a solution I think will work (predicting what will happen), implementing it and verifying that the change had the intended effect. Having a mentor you can work with can be very helpful.
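The two mechanisms this post and the earlier ones keep coming back to (how a vlan-aware device tells a tagged frame from an untagged one, and the split between pvid/ingress on one side and tagged/untagged membership/egress on the other, including the CPU-facing hybrid link and stacked Q-in-Q tags) are small enough to model in a few dozen lines. The following is an added example written for this thread, not MikroTik's code: the port names, the port table, the `PORTS`/`ingress`/`egress`/`forward` helpers and the sample frames are all constructed. It only mirrors the three per-port settings the thread describes (pvid, tagged set, untagged set), not RouterOS CLI syntax.

```python
"""
Toy model of 802.1Q tag detection, ingress PVID classification and
per-port egress tagging. Added example for this thread, not MikroTik
code; the port table, port names and frames are hypothetical.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # C-tag (802.1Q)
TPID_8021AD = 0x88A8  # S-tag (802.1ad), the outer tag in Q-in-Q


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: list        # [(tpid, vid), ...], outermost first
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """A vlan-aware device only "sees" a tag by looking at the two bytes after
    the source MAC: a known TPID means a 4-byte tag follows, anything else is
    the real EtherType of an untagged frame. Stacked tags are read in a loop."""
    dst, src, off, tags = raw[:6], raw[6:12], 12, []
    while True:
        if len(raw) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        tags.append((etype, tci & 0x0FFF))   # VID is the low 12 bits of the TCI
        off += 4
    return Frame(dst, src, tags, etype, raw[off + 2:])


def build_frame(f: Frame) -> bytes:
    raw = f.dst + f.src
    for tpid, vid in f.tags:
        raw += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP=0, DEI=0
    return raw + struct.pack("!H", f.ethertype) + f.payload


@dataclass
class Port:
    pvid: int        # vlan assigned to frames that arrive untagged
    tagged: set      # vlans that leave this port with a tag
    untagged: set    # vlans that leave this port without a tag


# Hypothetical switch. "bridge" stands in for the CPU-facing hybrid link the
# thread mentions; like any other port it has a pvid and membership lists.
PORTS = {
    "ether2": Port(pvid=10, tagged=set(), untagged={10}),      # access port
    "ether3": Port(pvid=1, tagged={10, 20}, untagged=set()),   # trunk (pvid left at 1)
    "ether4": Port(pvid=20, tagged={10}, untagged={20}),       # hybrid port
    "bridge": Port(pvid=1, tagged={10, 20}, untagged={1}),     # to the router CPU
}


def ingress(in_port: str, raw: bytes):
    """Classify an arriving frame: (vid, frame with outer tag removed), or None
    when ingress filtering drops a vlan the port is not a member of. Any inner
    tags (Q-in-Q) are left in place; the switch never looks at them."""
    f, port = parse_frame(raw), PORTS[in_port]
    if f.tags:
        vid = f.tags[0][1]
        if vid not in port.tagged and vid not in port.untagged:
            return None
        f.tags = f.tags[1:]
    else:
        vid = port.pvid
    return vid, f


def egress(vid: int, f: Frame, out_port: str):
    """Apply the output port's membership: push a C-tag, send as-is, or drop."""
    port = PORTS[out_port]
    if vid in port.tagged:
        tags = [(TPID_8021Q, vid)] + f.tags
    elif vid in port.untagged:
        tags = f.tags
    else:
        return None
    return build_frame(Frame(f.dst, f.src, tags, f.ethertype, f.payload))


def forward(in_port: str, raw: bytes, out_port: str):
    """Ingress then egress; None means the frame never reaches out_port."""
    r = ingress(in_port, raw)
    return None if r is None else egress(r[0], r[1], out_port)


# Constructed sample frames (not captures).
BCAST, HOST_A = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
UNTAGGED = build_frame(Frame(BCAST, HOST_A, [], 0x0806, b"arp?"))
TAGGED_20 = build_frame(Frame(BCAST, HOST_A, [(TPID_8021Q, 20)], 0x0806, b"arp?"))
TAGGED_30 = build_frame(Frame(BCAST, HOST_A, [(TPID_8021Q, 30)], 0x0806, b"arp?"))
QINQ = build_frame(Frame(BCAST, HOST_A, [(TPID_8021AD, 10), (TPID_8021Q, 200)], 0x0800, b"ip"))

if __name__ == "__main__":
    for in_p, raw, out_p in [("ether2", UNTAGGED, "ether3"), ("ether3", TAGGED_20, "ether4"),
                             ("ether3", TAGGED_20, "ether2"), ("ether3", TAGGED_30, "ether4"),
                             ("ether3", UNTAGGED, "bridge"), ("ether3", QINQ, "ether2")]:
        out = forward(in_p, raw, out_p)
        print(in_p, "->", out_p, "dropped" if out is None else parse_frame(out).tags)
```

Running it shows the cases the thread argues about: a frame in vlan 20 never reaches the vlan-10 access port (that is a job for routing, not for vlan membership); an untagged frame on the trunk lands in vlan 1 because the trunk's pvid was left at the default, and vlan 1 happens to be untagged towards the CPU; and a Q-in-Q frame whose outer tag is stripped on an access port still carries its inner tag out, which is exactly why one has to understand how the device detects a tag before reasoning about stacked tags.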
But where are these mentors? MT where I live has such a small market share, definitely compared to Europe. And those would-be mentors tend to come in the form of consultants, who usually charge more per hour than most individuals could afford. Then, to find such a mentor who lives within 100km of you…
Don’t get me wrong, a worker is certainly worthy of his wage, but not when a small mortgage is required for the service.
I also find those who could be mentors in my country really don’t like sharing their knowledge, mainly because they perceive you as future competition. That’s purely speculative on my part.
This is why forums such as this are brilliant, and as such I’m truly thankful for.
Mikrotik guides are nice, but they can’t be used as tutorials for absolute newbies. You still need to understand how networks work. Some people believe they can follow a guide to configure anything. Apparently, they can’t. There are plenty of classic books (i.e. TCP/IP illustrated), but I grasped it by reading a book in my native language, and it was never translated to English.
What “clicked” me in VLANs (and other L2 magic) were Cisco books.
There was an ancient (25 years old) “CCIE professional development“ series. Despite its name, it was not about ios/catos only, but about network itself.
There were three books:
Cisco LAN Switching (L1-L2)
Routing TCP/IP Volume I (routing and all routing protocols inside AS)
Routing TCP/IP Volume II (BGP, inter-AS routing)
The first one is still available on some sites, and while it contains outdated information (who cares about collisions or token ring or ATM these days?) I still find it to be the best L2 tutorial.
I agree that the CCIE Professional Development books are good. But they are not light reading; they are weighty tomes that are only a bit easier to digest than the IEEE standards. But as mentioned, while they do cover Cisco stuff, there is still a lot of general networking standards based stuff that applies to any vendor following standards. And they do so in depth; i.e. their target audience is Network Engineers.
Someone that won't take the time to go through something like Ed Harmoush's Network Fundamentals youtube playlist won't get far through any of those CCIE books.
Yes, you are not likely to find a "MikroTik User Group", but you may be able to find some local Linux or even Cisco user group where you can find some people with similar interests that you can discuss issues with.
I take it from your handle that you are from New Zealand. If you are in a rural area, finding even a Linux user group may be hard.
And as you said, the MikroTik forum and reddit groups have interested users as well. One problem is that the flow of info in forums is very asymmetrical. And at least on this forum, it is hard to exchange contact info privately, since there is no Private Messaging allowed.
I learned more from others early in my career. We had local user groups (DECUS since I was working with VAX/VMS). I also spent a lot of time reading manuals and books (before internet), then dialup bulletin boards, then followed internet newsgroups, later forums and youtube, even did some online college courses (Coursera, EdX).
In general there are many more free learning resources available now than when I started working in 1979. Now, trying to find what is worth your time is the hard part.
Hole in one, bro. Great guess. Regional more than rural though. Might look into the Linux user group. ‘Tis a great idea. Thanks. Most of the Cisco stuff will be in the larger cities, Auckland|Wellington|Christchurch, a decent half day’s drive to the nearest one. But still worth checking out the Cisco user groups as well.
The biggest problem for me is that I learn best, not by reading or watching YT clips, but by having someone beside me and writing stuff down. That with the added complexity that is MT, so far removed in the way networking is done from other vendors. I could go with other vendors who make life much easier, but where’s the challenge in that, right?
I wish there was a time limit on how long a YT video can be active for, especially for technology that is ramping up at such a huge rate. Videos released a year or two ago are now pretty much obsolete today - especially MT ones.
I have a second edition of a MT book (I forget the name of), which I bought only a couple of years ago which is largely useless now with the advent of WiFi6. Some of the fundamentals can be used still, but unless I want to stick to wireless, it’s a good door stop now.
Sorry for sounding ungrateful, it’s just disheartening when you don’t have the resources at hand when you need them, and the means to understand them. I’m sure the MTCNA course would be a great help, but the NZ$1250 (+ travel and accommodation) price tag is prohibitive for me during this recession.
Thanks so much for your advice. I’ll follow your lead and hopefully I’ll find a ‘local’ user group.
Wow – I loved that story of Feynman’s Brazil experience. In fact, I shared it with my family. Thank you!
You’ve got a few years on me, but not that many. I started and built/ran a network integration company in the very early 1990’s, so I remember some ancient technology like Netware, and even Lantastic. (I sold the company and never became the networking guru that you are, but I still dabble for fun – which is why I’m here.)
I have tons of MT equipment to play with — it’s the time that’s scarce. I’m getting there, just extraordinarily slowly.