CRS hybrid trunk port

Hi,

I spent the last few days trying to figure out how to configure my CRS and I think I finally got it.

The goal was to use the CRS as a basic switch on ports ether1, ether3, ether4 and ether5. The ports ether7 and ether8 should be assigned to a separate VLAN with VID=200 (guest network). Port ether1 is my trunk port going to the router.
The challenge (at least for me) was that ether1 had to be a hybrid trunk port carrying tagged and untagged traffic.

The key hint was in this thread (http://forum.mikrotik.com/t/how-to-create-a-hybrid-vlan-port-on-the-crs-125/79487/1). There someone suggested using an internal VLAN (that never leaves the CRS) to work with the untagged traffic. I chose VLAN 100 to be that internal VLAN.

So my setup is now as follows:

#
# Create a group of switched ports.
#
/interface ethernet
set ether3 master-port=ether1
set ether4 master-port=ether1
set ether5 master-port=ether1
set ether7 master-port=ether1
set ether8 master-port=ether1

#
# Untagged traffic received on ports 1,3,4 and 5 will be tagged with VLAN=100 as they enter the router.
# Untagged traffic received on ports 7 and 8 will be tagged with VLAN=200 as they enter the router.
#
/interface ethernet switch ingress-vlan-translation
add ports=ether1,ether3,ether4,ether5 customer-vid=0 new-customer-vid=100 sa-learning=yes
add ports=ether7,ether8 customer-vid=0 new-customer-vid=200 sa-learning=yes

#
# Allow packets to leave ether1 tagged with VLAN=200
#
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=200

#
# Remove the VLAN tags again before the traffic gets sent to the clients. 
# We didn't remove the VLAN=200 from ether1 (we want those packets to leave the router tagged).
#
/interface ethernet switch egress-vlan-translation
add ports=ether1,ether3,ether4,ether5 customer-vid=100 new-customer-vid=0
add ports=ether7,ether8 customer-vid=200 new-customer-vid=0

#
# Allow ether1,ether3,ether4 and ether5 to take part in the VLAN=100.
# Allow ether1,ether7 and ether8 to take part in the VLAN=200.
#
/interface ethernet switch vlan
add ports=ether1,ether3,ether4,ether5 vlan-id=100 learn=yes
add ports=ether1,ether7,ether8 vlan-id=200 learn=yes

#
# Unknown VLANs should be disabled after valid VLAN membership configuration
#
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether3,ether4,ether5,ether7,ether8

Can someone confirm that this is the correct setup?
If there is an easier or more secure method I would really appreciate a correction.

Best regards,
Lui
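
A simplified Python model of the tables in the post above, added here as an example (it is not part of the original post and not RouterOS code): it floods one frame through ingress translation, VLAN membership and egress translation so the separation between the guest ports and the other ports can be checked. The lookup order and the names `forward` and `audit` are assumptions of this model, not MikroTik's documented behaviour.

```python
# Added example: simplified model of the switch tables above (not RouterOS code).
LAN, GUEST = 100, 200
LAN_PORTS = {"ether1", "ether3", "ether4", "ether5"}
GUEST_PORTS = {"ether7", "ether8"}

# ingress-vlan-translation: VID assigned to untagged frames per port
INGRESS = {**{p: LAN for p in LAN_PORTS}, **{p: GUEST for p in GUEST_PORTS}}
# switch vlan: port membership per VID
MEMBERS = {LAN: set(LAN_PORTS), GUEST: {"ether1"} | GUEST_PORTS}
# egress-vlan-translation: (port, VID) pairs whose tag is removed on egress
STRIP = {(p, LAN) for p in LAN_PORTS} | {(p, GUEST) for p in GUEST_PORTS}
# drop-if-invalid-or-src-port-not-member-of-vlan-on-ports
STRICT = LAN_PORTS | GUEST_PORTS


def forward(in_port, vid=0):
    """Flood one frame (vid=0 is untagged). Returns {out_port: VID on the wire}."""
    if vid == 0:
        vid = INGRESS[in_port]
    members = MEMBERS.get(vid)
    if in_port in STRICT and (members is None or in_port not in members):
        return {}  # unknown VLAN, or source port is not a member: dropped
    members = members or set()
    return {p: (0 if (p, vid) in STRIP else vid) for p in members - {in_port}}


def audit():
    """Frames a reviewer would check before deploying this configuration."""
    return {
        "guest_untagged": forward("ether7"),
        "lan_untagged": forward("ether3"),
        "guest_sends_vid100": forward("ether7", LAN),
        "trunk_sends_vid100": forward("ether1", LAN),
        "trunk_sends_vid200": forward("ether1", GUEST),
        "trunk_sends_vid300": forward("ether1", 300),
    }


if __name__ == "__main__":
    for case, result in audit().items():
        print(f"{case:20} -> {dict(sorted(result.items()))}")
```

In this model a frame that arrives on ether1 already tagged with VID 100 is delivered to ether3, ether4 and ether5, so VID 100 should not be in use on the router side of the trunk.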

Does anyone have any info on that?

I would really appreciate any comment. Currently I am quite unsure if my configuration is good enough to be deployed.

Thanks,
Lui