Hi, I finally got the VLANs to work from a Cisco switch to a MikroTik router at wire speed following this fine write-up by Marcus:
Hi Marcus, thank you for your research on creating VLANs from a Cisco switch to the MikroTik router. It works flawlessly. This is the first complete instruction outline with all the details for setting up the network where the bridge is completely sidelined, thus improving the speed to wire speed on the switch ports. It worked right out of the box after the config was done. Simply marvelous. Now I can start putting in some rules, filtering and doing other stuff. Thank you for a wonderful write-up…
What is nice about this setup is that it does not use the bridge interface at all for the VLANs, and since I have placed the VLANs on a physical ether5 (made into a trunk), it achieves wire speed. After doing this, I made VLAN 1 the default VLAN and native VLAN as well on the 3560 that feeds into this MikroTik router. The physical ports that are on VLANs 100, 200, and 300 (all tagged packets) work fine when I connect clients on them. Port 1 on the 3560 is left for management and is on default VLAN 1. I have also made VLAN 1 the native VLAN on the trunk interface connecting to the router. When I physically connect a client on port 1 of the Cisco 3560 switch, it does not get an IP address from the MikroTik. Can you please help? Thanks
tiker2916
cisco 3560 config:
Building configuration...
Current configuration : 3533 bytes
!
! Last configuration change at 23:54:27 UTC Tue Jan 3 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname prswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$E1sv$ngpseagVW92pWkAtL/5Mu/
!
no aaa new-model
system mtu routing 1500
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2259622656
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2259622656
revocation-check none
rsakeypair TP-self-signed-2259622656
!
!
crypto pki certificate chain TP-self-signed-2259622656
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323539 36323236 3536301E 170D3036 30313032 30303031
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32353936
32323635 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1B3 917C3961 D63FD062 4CA07887 695C5B4F D9E788EF 3AE4F5A3 338F44C9
8DC35CC3 49E63AEA 28229892 1298B8FE 3251F79F 89E07574 EA5A9C41 91F56A58
5FD6A6F3 95E52580 408011F2 69938C9C 3B436F6E CDEC2B84 B0CB9340 FE9CBEAD
13E19B8B 5C7BDD97 8390668A A76AFEBF 43C14C35 8D6FB718 FF9AB22D BBF68922
29770203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14ADC5F1 C0FD64FE AC3B3066 2409F8D4 1E851181 C9301D06
03551D0E 04160414 ADC5F1C0 FD64FEAC 3B306624 09F8D41E 851181C9 300D0609
2A864886 F70D0101 05050003 8181003F F8B984A3 62D566EE 577A8922 A1B87F60
D15E6BF6 BBAB7D96 C5719413 0D8C52EC 8C418D0B 55E903B9 06FFCC7B DFF0C3D0
02000542 47C519B7 7A88B2D5 D4814D1B C9083C0D 4F861C78 69D614F3 61B4EB93
D7580061 B60B99F1 A6001BB4 5A0109BF 3C6EACF3 15B7B49A AB2286D8 4F893FC6
529BF265 EE6E5AD4 82D77E4C EE0A5E
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/7
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface Vlan1
ip address 192.168.88.100 255.255.255.0
!
interface Vlan100
no ip address
shutdown
!
interface Vlan200
no ip address
shutdown
!
interface Vlan300
no ip address
shutdown
!
ip default-gateway 192.168.88.1
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
!
banner motd ^C
Praveens Cisco 3560 Switch - Unauthorized access is prohibited!
**************************************************************^C
!
line con 0
exec-timeout 30 0
password 7 14141B180F0B
logging synchronous
login
line vty 0 4
exec-timeout 30 0
password 7 14141B180F0B
logging synchronous
login
line vty 5 15
exec-timeout 30 0
password 7 1511021F0725
logging synchronous
login
!
!
end
===========================================
mikrotik config:
[admin@mikrotik-2011-RM] > /export compact
jul/08/2016 00:17:31 by RouterOS 6.35.4
software id = E5ED-QXG8
/interface bridge
add admin-mac=4C:5E:0C:77:B6:25 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] name=ether5-trunk
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface vlan
add interface=ether5-trunk name=vlan100 vlan-id=100
add interface=ether5-trunk name=vlan200 vlan-id=200
add interface=ether5-trunk name=vlan300 vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-vlan100 ranges=10.0.1.10-10.0.1.254
add name=dhcp-pool-vlan200 ranges=10.0.2.10-10.0.2.254
add name=dhcp-pool-vlan300 ranges=10.0.3.10-10.0.3.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp-pool-vlan100 disabled=no interface=vlan100 name=dhcp-vlan100
add address-pool=dhcp-pool-vlan200 disabled=no interface=vlan200 name=dhcp-vlan200
add address-pool=dhcp-pool-vlan300 disabled=no interface=vlan300 name=dhcp-vlan300
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.0.50/24 interface=ether1 network=192.168.0.0
add address=10.0.1.1/24 interface=vlan100 network=10.0.1.0
add address=10.0.2.1/24 interface=vlan200 network=10.0.2.0
add address=10.0.3.1/24 interface=vlan300 network=10.0.3.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynet100 gateway=10.0.1.1
add address=10.0.2.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynet200 gateway=10.0.2.1
add address=10.0.3.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynet300 gateway=10.0.3.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=mikrotik-2011-RM
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
/tool sniffer
set filter-interface=bridge filter-stream=yes streaming-enabled=yes streaming-server=10.0.1.254
There is no DHCP server configured for vlan1 on ether5…
ether5 is not member of the bridge. So the untagged portion of ether5 goes nowhere.
-Chris
Thank you pe1chl and Chris. I somehow assumed that it would automagically forward it to the bridge. I just did not think the whole thing through. Appreciate your help. So, in this case, would it work if I use the same DHCP server that I am using for the bridge and tie it to ether2-trunk so that any untagged DHCP discover requests are answered, or should I create another DHCP server? The reason I ask is, I would like to have the same IP handed out to all other clients that are outside of the tagged ones. Again, thank you for pointing to a glaring error. Appreciated.
tiker2916
OK, I tried to fix the condition by creating a DHCP server on the "ether5-trunk" interface to catch all the untagged traffic on ether5-trunk, which is a trunk from a Cisco 3560 switch. It did not like that and would list the DHCP server in red. Also, when I did "/ip address print", it did not print the newly created DHCP server. So I thought that I had assigned the DHCP server to a physical interface that was carrying trunks to/from the Cisco switch. So I created a VLAN on the MikroTik (VLAN 1) to match the default/native VLAN on the Cisco switch. I then moved the DHCP server (dhcp-server-untag) to the newly created VLAN 1 interface. The RB2011 still thinks there is an error in the assignment and leaves the text in red. Also, when I move the PC to switchport 1 on the Cisco switch, it does not get an IP. Other ports with VLANs 100, 200, and 300 are just fine. I have attached the config from both the MT and the Cisco switch. Kinda frustrating that I cannot see what the problem is. Please help.
Thanks
tiker2916
------------------------------------------------MT config
[admin@mikrotik-2011-RM] > /export compact
jul/10/2016 12:15:35 by RouterOS 6.35.4
software id = E5ED-QXG8
/interface bridge
add admin-mac=4C:5E:0C:77:B6:25 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] name=ether5-trunk
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface vlan
add comment="Default/native VLAN from the 3560 switch." interface=ether5-trunk name=vlan1 vlan-id=1
add interface=ether5-trunk name=vlan100 vlan-id=100
add interface=ether5-trunk name=vlan200 vlan-id=200
add interface=ether5-trunk name=vlan300 vlan-id=300
/ip neighbor discovery
set vlan1 comment="Default/native VLAN from the 3560 switch."
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-vlan100 ranges=10.0.1.10-10.0.1.254
add name=dhcp-pool-vlan200 ranges=10.0.2.10-10.0.2.254
add name=dhcp-pool-vlan300 ranges=10.0.3.10-10.0.3.254
add name=dhcp_pool_untag ranges=10.0.4.10-10.0.4.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp-pool-vlan100 disabled=no interface=vlan100 name=dhcp-vlan100
add address-pool=dhcp-pool-vlan200 disabled=no interface=vlan200 name=dhcp-vlan200
add address-pool=dhcp-pool-vlan300 disabled=no interface=vlan300 name=dhcp-vlan300
add address-pool=dhcp_pool_untag disabled=no interface=vlan1 name=dhcp-server-untag
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.0.50/24 interface=ether1 network=192.168.0.0
add address=10.0.1.1/24 interface=vlan100 network=10.0.1.0
add address=10.0.2.1/24 interface=vlan200 network=10.0.2.0
add address=10.0.3.1/24 interface=vlan300 network=10.0.3.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynet100 gateway=10.0.1.1
add address=10.0.2.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynet200 gateway=10.0.2.1
add address=10.0.3.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynet300 gateway=10.0.3.1
add address=10.0.4.0/24 dns-server=8.8.8.8,4.2.2.2 domain=mynetUntag gateway=10.0.4.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=mikrotik-2011-RM
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
/tool sniffer
set filter-interface=bridge filter-stream=yes streaming-enabled=yes streaming-server=10.0.1.254
[admin@mikrotik-2011-RM] >
======================================== cisco config follows
Building configuration...
Current configuration : 3523 bytes
!
! Last configuration change at 12:12:40 UTC Fri Jan 6 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname prswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$E1sv$ngpseagVW92pWkAtL/5Mu/
!
no aaa new-model
system mtu routing 1500
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2259622656
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2259622656
revocation-check none
rsakeypair TP-self-signed-2259622656
!
!
crypto pki certificate chain TP-self-signed-2259622656
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323539 36323236 3536301E 170D3036 30313032 30303031
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32353936
32323635 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1B3 917C3961 D63FD062 4CA07887 695C5B4F D9E788EF 3AE4F5A3 338F44C9
8DC35CC3 49E63AEA 28229892 1298B8FE 3251F79F 89E07574 EA5A9C41 91F56A58
5FD6A6F3 95E52580 408011F2 69938C9C 3B436F6E CDEC2B84 B0CB9340 FE9CBEAD
13E19B8B 5C7BDD97 8390668A A76AFEBF 43C14C35 8D6FB718 FF9AB22D BBF68922
29770203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14ADC5F1 C0FD64FE AC3B3066 2409F8D4 1E851181 C9301D06
03551D0E 04160414 ADC5F1C0 FD64FEAC 3B306624 09F8D41E 851181C9 300D0609
2A864886 F70D0101 05050003 8181003F F8B984A3 62D566EE 577A8922 A1B87F60
D15E6BF6 BBAB7D96 C5719413 0D8C52EC 8C418D0B 55E903B9 06FFCC7B DFF0C3D0
02000542 47C519B7 7A88B2D5 D4814D1B C9083C0D 4F861C78 69D614F3 61B4EB93
D7580061 B60B99F1 A6001BB4 5A0109BF 3C6EACF3 15B7B49A AB2286D8 4F893FC6
529BF265 EE6E5AD4 82D77E4C EE0A5E
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/7
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface Vlan1
ip address 10.0.4.2 255.255.255.0
!
interface Vlan100
no ip address
shutdown
!
interface Vlan200
no ip address
shutdown
!
interface Vlan300
no ip address
shutdown
!
ip default-gateway 10.0.4.1
ip forward-protocol nd
ip http server
ip http secure-server
!
!
!
!
!
!
line con 0
exec-timeout 30 0
password 7 14141B180F0B
logging synchronous
login
line vty 0 4
exec-timeout 30 0
password 7 14141B180F0B
logging synchronous
login
line vty 5 15
exec-timeout 30 0
password 7 1511021F0725
logging synchronous
login
!
!
end
prswitch#
Remove the VLAN ID 1 from ether5 - no need to add this (FYI, you're now tagging that VLAN with id=1 instead of it being untagged).
You haven’t set an address on ether5, so better add it:
/ip address
add interface=ether5-trunk address=10.0.4.1/24 network=10.0.4.0
And it should work.
-Chris
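The two replies above make one point in two halves: pe1chl notes that the untagged side of ether5 goes nowhere because ether5 is not in the bridge, and Chris adds that a `/interface vlan` child with `vlan-id=1` matches frames carrying a tag of 1, which is not what the 3560 sends for its native VLAN. The model below is an added example (not code from the thread or from either vendor) that builds real 802.1Q frames, applies the 3560's native-VLAN rule, and dispatches them the way RouterOS does: untagged frames belong to the physical port, tagged frames to the child with that VID, everything else is dropped. The two `RouterOSTrunk` objects reproduce the second export and Chris's fix; the MAC addresses, the `DHCP_DISCOVER` payload and the class and function names are constructed for the example.

```python
"""Why a DHCP client on the 3560's native VLAN was not served before the fix.

RouterOS dispatch rule modelled here: an untagged frame arriving on a trunk
port is delivered to the physical interface itself; a tagged frame goes to the
'/interface vlan' child with that vlan-id, or is dropped if no child exists.
A DHCP server is only valid when bound to an interface that has an address.
Frames, MACs and the payload are constructed for the example, not captured.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

BROADCAST = "ff:ff:ff:ff:ff:ff"          # constructed
CLIENT_MAC = "02:00:00:00:00:01"         # constructed, locally administered
# Placeholder payload: dispatch depends only on the Ethernet/802.1Q header.
DHCP_DISCOVER = b"\x45" + b"\x00" * 19 + b"DHCPDISCOVER(constructed)"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame, optionally with one 802.1Q tag (PCP=0, DEI=0)."""
    hdr = mac(dst) + mac(src)
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vid, ethertype, payload); vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, etype, frame[14:]


def switch_trunk_tag(access_vlan: int, native_vlan: int = 1) -> Optional[int]:
    """What the 3560 puts on the dot1q trunk for a frame from an access port:
    the native VLAN leaves untagged, every other VLAN carries its VID."""
    return None if access_vlan == native_vlan else access_vlan


@dataclass
class RouterOSTrunk:
    """The parts of the RB2011 config that decide where a trunk frame lands."""
    trunk: str                                          # physical port name
    vlan_children: dict = field(default_factory=dict)   # vid -> /interface vlan name
    addresses: dict = field(default_factory=dict)       # interface -> "a.b.c.d/nn"
    dhcp_servers: set = field(default_factory=set)      # interfaces with a server

    def ingress_interface(self, frame: bytes) -> Optional[str]:
        vid, _, _ = parse_vid(frame)
        if vid is None:
            return self.trunk                   # untagged -> the physical port itself
        return self.vlan_children.get(vid)      # no child for this VID -> dropped

    def dhcp_would_answer(self, frame: bytes) -> bool:
        """Server must be bound to the arrival interface and that interface
        must carry an address, otherwise WinBox shows the server as invalid."""
        iface = self.ingress_interface(frame)
        return iface is not None and iface in self.dhcp_servers and iface in self.addresses


def client_gets_lease(router: RouterOSTrunk, access_vlan: int, native_vlan: int = 1) -> bool:
    """End to end: client on a 3560 access port -> trunk -> RouterOS dispatch."""
    vid = switch_trunk_tag(access_vlan, native_vlan)
    frame = build_frame(BROADCAST, CLIENT_MAC, DHCP_DISCOVER, vid=vid)
    return router.dhcp_would_answer(frame)


# The second export in the thread: vlan1 child, dhcp-server-untag bound to it,
# and no address on vlan1 or on ether5-trunk.
BEFORE_FIX = RouterOSTrunk(
    trunk="ether5-trunk",
    vlan_children={1: "vlan1", 100: "vlan100", 200: "vlan200", 300: "vlan300"},
    addresses={"vlan100": "10.0.1.1/24", "vlan200": "10.0.2.1/24", "vlan300": "10.0.3.1/24"},
    dhcp_servers={"vlan1", "vlan100", "vlan200", "vlan300"},
)

# Chris's fix: drop vlan1, put 10.0.4.1/24 on ether5-trunk, bind the server there.
AFTER_FIX = RouterOSTrunk(
    trunk="ether5-trunk",
    vlan_children={100: "vlan100", 200: "vlan200", 300: "vlan300"},
    addresses={"ether5-trunk": "10.0.4.1/24", "vlan100": "10.0.1.1/24",
               "vlan200": "10.0.2.1/24", "vlan300": "10.0.3.1/24"},
    dhcp_servers={"ether5-trunk", "vlan100", "vlan200", "vlan300"},
)

if __name__ == "__main__":
    for label, router in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for vlan in (1, 100, 300):
            print(f"{label}: client on access VLAN {vlan} gets a lease: "
                  f"{client_gets_lease(router, vlan)}")
```

Running it shows the symptom and the cure: before the fix the untagged discover lands on `ether5-trunk`, where nothing listens, while the `vlan1` child only ever sees frames that actually carry a tag of 1 (and even those could not be served, since the interface had no address, which is the red entry the original poster saw). After the fix the same untagged frame is answered from 10.0.4.1, and a frame explicitly tagged with VID 1 is dropped because no child claims it.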
Thank you so much, Chris. That did it!!!
Kind folks like you make this router even more enjoyable and help me appreciate the power of what it can do!
Thanks
tiker2916
Glad to hear it works and that I was able to help.
It’s always the same in forums: qualified questions lead to qualified answers
-Chris