Debug config, Trying to do 'vlan' isolation, using mikritik as router.

symgryph · July 16, 2015, 6:30pm

This is just my ‘basic’ startup where I am trying to define a ‘management’ network. I can’t ping my ‘management’ interface, even though I have an ingress/egress tagging filter set. I also am using ‘sfp-sfpplus1’ as my ‘trunked’ port going to vmware server. I did look at another posting, but eventually I would like to add four more vlans (and route between them using the mikrotik). Any help would be greatly appreciated. I am trying to avoid the use of bridges, and use switch chip as much as possible. Or is this completely dumb, since I need to route, and have to access the cpu anyway? I tried to base it off of http://www.breekeenbeen.nl/2014/12/11/mikrotik-vlan-switching-without-bridging/

Looks like this:

vlan 104=management
master port is sfp-sfpplus1
subordinate ports: ether1-ether10
Subnet for management 192.168.3.0/24

My default gateway is 192.168.3.2 (which I can’t ping) which is attached to ethernet1.

Here is my config:

# jan/02/1970 18:55:28 by RouterOS 6.30.1
# software id = 7D1K-Q7HZ 
/interface vlan
add interface=sfp-sfpplus1 l2mtu=1584 name=management vlan-id=104

/interface ethernet
set [ find default-name=ether1 ] master-port=sfp-sfpplus1
set [ find default-name=ether2 ] master-port=sfp-sfpplus1
set [ find default-name=ether3 ] master-port=sfp-sfpplus1
set [ find default-name=ether4 ] master-port=sfp-sfpplus1
set [ find default-name=ether5 ] master-port=sfp-sfpplus1
set [ find default-name=ether6 ] master-port=sfp-sfpplus1
set [ find default-name=ether7 ] master-port=sfp-sfpplus1
set [ find default-name=ether8 ] master-port=sfp-sfpplus1
set [ find default-name=ether9 ] master-port=sfp-sfpplus1
set [ find default-name=ether10 ] master-port=sfp-sfpplus1
set [ find default-name=ether11 ] master-port=sfp-sfpplus1
set [ find default-name=ether12 ] master-port=sfp-sfpplus1
set [ find default-name=ether13 ] master-port=sfp-sfpplus1

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,sfp-sfpplus1 vlan-id=104

/interface ethernet switch ingress-vlan-translation
add new-customer-vid=104 ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10

/interface ethernet switch vlan
add ports="switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,sfp-sfpplus1" vlan-id=104

/ip address
add address=192.168.3.1/24 interface=management network=192.168.3.0

/ip route
add distance=1 gateway=192.168.3.2

/system routerboard settings
set boot-device=nand-only

/tool romon port
add

symgryph · July 17, 2015, 9:52pm

I figured it out. “Ingress” is for stuff inside the switch. “Egress” is for things 'leaving the switch. I was assigning tag ports to my access ports, and wondering why everything was foobared. “Egress” is ‘intra’ router, and ‘ingress’ in inter router (within).

Thomas