I’m following the doc here: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples on the RB2011/3011. I have a rough start. What I am struggling with is how is the switch VLAN gets a DHCP server. Do I still add the VLAN to the bridge so I can attach the DHCP Server, like so:
/interface vlan is about how ROS (the software running on main CPU) can interact with the network … and has (almost) nothing to do with the way you configure L2 on the device (either on HW directly or on bridge with vlan-filtering enabled).
BTW, your L2 config in /interface ethernet switch vlan is missing setting up interface switch1-cpu as trunk port for all VLANs with which CPU is supposed to interact.
Yeah. I’m not fully understanding the switch1-cpu. It’s there is some examples but not others. Is it the same idea as the bridge being the trunk for the VLANs in the other mode?
I added the DHCP servers but still no IPs on either port. Would the switch1-cpu have something to do with it?
Switch chip port switch1-cpu is yet another port on the switch chip, incidentally connected to router’s CPU. From switch chip point of view, the logic about configuring is is exactly the same as when configuring ether ports: do(es) device(s) connected to that port need to communicate with the rest of certain VLAN? So if CPU needs to communicate with VLAN X, then switch1-cpu interface has to become a tagged member of VLAN X (in /interface ethernet switch vlan) and at the same time one needs to create vlan interface (in /interface vlan bound to appropriate CPU interface, in your case to interface bridge). If CPU doesn’t need to communicate with certain VLAN (because device is only used as a switch for that VLAN), then interface switch1-cpu doesn’t have to be member of that VLAN (and CPU vlan interface doesn’t have to be created).
It is essentially the same as when one uses bridge with vlan-filtering enabled … in this case it’s bridge interface which has to be tagged member of appropriate VLANs. The need for /interface vlan interface is exactly the same in both cases.
To your problem: change the section in your config to this
/interface ethernet switch port
set switch1-cpu vlan-mode=secure
but before doing it, enable safe-mode (in CLI it’s CTRL-X, in GUI there’s appropriate button). If, after doing it, you still have management connectivity, leave safe mode by re-doing same operation.
BTW, if ether2 is supposed to be trunk port, then you should set vlan-header=leave-as-is … in case of hybrid ports (tagged and untagged allowed) or access ports with setting vlan-header=add-if-missing it needs to have default-vlan-id set …
Thanks. Let me try this out. I’m not really focused on implementing my specific setup. I’m just trying to get something going that I can build from. In this case yes, ether2 is a trunk port and ether3/4 are access ports.
I’m falling back to even simpler case, I think, ether2/3 untagged VLAN100 and ether4 untagged VLAN200. I don’t seem to get an IP till I add this line in but it doesn’t do what I expected. When I add this in, I can get a VLAN200 address on ether4 but nothing on ehter2/3.
set 10 default-vlan-id=100 vlan-mode=secure
Full config:
/interface bridge
add admin-mac=64:D1:54:9D:88:62 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface ethernet switch port
set 1 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=100 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.1.100.100-10.1.100.199
add name=dhcp_pool2 ranges=10.1.200.200-10.1.200.250
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.200.1/24 interface=vlan200 network=10.1.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.100.0/24 gateway=10.1.100.1
add address=10.1.200.0/24 gateway=10.1.200.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Ok, I got it. Atheros8327 port ether2,3,4,5 untagged VLAN100 and ether5 tagged VLAN200. I have no idea what was preventing the DHCP server from kicking in before on VLAN100. Not sure if I want