Like this switch: https://www.alliedtelesis.com/sites/default/files/gs950_48pswebs111v100a_0.pdf
see “Port-based VLAN Overview” from page 151
In some cases it very useful!
I’m not sure if I get what you want but afaik ROS supports VLANs on switch chip level. I’m even using it lol.
You can find info on CRS page how to set this up but all those settings (or at least most of them) are available on my RB2011 so i guess it’s available everywhere where you have switch chip.
http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN
Configuration is a bit complex comparing to average ROS complexity but it should work just fine. I think you should be able to combine it with virtual interface level VLANs provided by ROS (this: http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN). In worst case using patch cable and tiny loop xD
i think you are referring to this too
And WTF?! level complex compared to usual managed switch, but maybe it’s just me. 
I meant that CLI for switch level VLANs in ROS feels goofy af. Especially in comparison with interface level VLANs config. And it’s not just me I saw other people saying that as well. It just feels a bit “different” comparing to other CLI sections that seem to be more user friendly. This one looks really low level. Maybe more than it should. I think it’s side effect of it being probably developed primarily with CRS in mind but still it’s imo area to improve legibility in ROS
No, currently routers with switch-chip can only Tagged Vlan (802.1Q).
My suggestion about port-based Vlan.
It two absolutely different types of Vlan.
There are 2 types of VLANs: port based and MAC based. and both are technically “tagged” because VLAN utilizes VLAN ID as some integral part. Everything else is abuse of VLAN term. If you mean just port isolation based on ports you can use master-port for that. You can create multiple “switch domains” by creating grups of ports with various master ports. lets say we have 5 port switch and we can create 2 isolated domains by setting:
ether1: master-port: none
ether2: master-port ether1
ether3: master-port: none
ether4: master-port ether3
ether5: master-port ether3
this way we created 2 “VLANs” one with ports 1,2 and second with ports 3,4,5. There’s no tags or anything but those 2 port groups will be isolated on switch level.
read first post link (“Port-based VLAN Overview” from page 151)
currently routers with switch-chip cannot do this.
I saw it they can. It’s what I just posted. If you really need those “names”/IDs for whatever reason (as they’re completely useless if you don’t export VLANs outside of switch) you can just rename master port interface eg
set numbers=ether1 name=vlan1-base-port
set numbers=ether3 name=vlan2-base-port
set numbers=ether2 master-port=vlan1-base-port
set numbers=ether4,ether5 master-port=vlan2-base-port
also you can assign VLAN tag on ingress and strip it on egress then all VLAN management is done internally and it also works like port-based VLAN. You’re asking for magical abstraction layer to make such setup easy. So in fact some “shortcut” in configuration to perform such setup. That’s pretty much what I referred to when I said MTK switch level VLANs API is goofy. If it wasn’t goofy config like this (assign on ingress, strip on egress) should be easy. But well it’s not really. It’s quite low level CLI. You need to use your brain.
I think you’re looking for this:
(everything assigned to one master-port)
/interface ethernet switch ingress-vlan-translation
add ports=ether2,ether6 customer-vid=0 new-customer-vid=200 sa-learning=yes
add ports=ether7,ether8 customer-vid=0 new-customer-vid=400 sa-learning=yes
/interface ethernet switch vlan
add ports=ether2,ether6 vlan-id=200 learn=yes
add ports=ether7,ether8 vlan-id=400 learn=yes
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether6,ether7,ether8
If i got it right it’ll create 2 port-based vlans and no trunk-port (no tagging going out of switch)
if you assure that currently switch-chip can, please show Winbox screenshots for this:
cpu?..
http://i.mt.lv/routerboard/files/RB3011UiAS-160307123613.png
http://i.mt.lv/routerboard/files/CCR1009-8G-1S-1Splus-160128140835.png
…
So packets incoming to port 3 or 4 should be assigned to… which VLAN? Because I’m afraid packet can be assigned only to 1 VLAN.
I think i see what you mean now by port-based VLANs and why you see it as something different from internal tagged vlans. I don’t know if it always works like this but in case you specified it can be converted to tag-compatible setup by introducing VLAN index 3 being sum of VLAN1 and VLAN2 (all ports assigned). Then packets incoming to port 3,4 are assigned to VLAN3 which makes them switchable to all ports like desired. I feel that complexity of such solution is going to grow exponentially with introducing more VLANs.
On the other hand i feel this design is terribly broken because it allows island jumping out of box. If machines in ports 3,4 get compromised your whole VLAN setup is gone so it’s significantly less realiable than non-overlapping VLANs. And remember it’s L2 so you have no firewall. You’re merging security domains on L2. It feels wrong and reckless by definition.
In fact I guess MTK switches don’t support it either.
https://community.hpe.com/t5/Switches-Hubs-Modems-Legacy/Overlapping-vlans/td-p/3652542
Here you can find some guy trying to do that on HP switch and it didn’t work as expected.
HP 2500 switches dont support full featured Port-based Vlan (cannot put one port to two group) and overlapping Vlans supports only with Tagged Vlan (802.1Q) mode.