Problem changing the managment VLAN

SwOS
1

Hello, I am new user whit the mikrotik switches. Its a a nice device, but I have some troubles to configure the managment vlan. I hope someone can me give some input.

I have a verry simple szenario:
Hardware: 8 Port CSR210 Switch:

  1. Port 1 is mi uplink port to a firewall. The port on the firewall is tagged whit vlan 34 and vlan 35
  2. I want to make port 2 to 6 untagged VLAN34
  3. I want to make port 7 and 8 unttaged VLAN35
  4. I need to change the management IP from default 192.168.88.1/24 to 192.168.34.254/24
  5. The management ip must be reacable from the port 2 to 6 (untagged VLAN34) and from the firewall

This is are my steps: the vlans are working. the only problem ist the management IP and VLAN ( Step 4 and 5)

/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1
set ether5 master-port=ether1
set ether6 master-port=ether1
set ether7 master-port=ether1
set ether8 master-port=ether1


/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
´
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=35 sa-learning=yes
add ports=ether7 customer-vid=0 new-customer-vid=35 sa-learning=yes
add ports=ether8 customer-vid=0 new-customer-vid=35 sa-learning=yes

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=34
add tagged-ports=ether1 vlan-id=35


/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6 vlan-id=34 learn=yes
add ports=ether1,ether7,ether8 vlan-id=35 learn=yes

I hope someone can help me.

2

This is wrong:
add ports=ether6 customer-vid=0 new-customer-vid=35 sa-learning=yes
It should be 34 not 35.

On this you need to add switch1-cpu:
/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6 vlan-id=34 learn=yes

Add a VLAN interface:
/interface vlan
add interface=ether1 name=vlan34 vlan-id=34

and put an IP address on it:
/ip address
add address=192.168.34.254/24 interface=vlan34

You probably want to set vlan-mode=secure as well on “/interface ethernet switch vlan” once you’re all setup, tested and working (use Safe mode just in case you cut yourself off).

3

Hello thanks for the fast reply. But no chance to whit this config i have the same problem. The switch is not accessible on the untagges vlan 34 and not accessible from the firewall.

here is a export of my config:

[admin@MikroTik] > export

jan/02/1970 00:09:33 by RouterOS 6.28

software id = T11H-PR7D

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=sfp-sfpplus1 ] master-port=ether1-master-local name=sfp-sfpplus1-slave-local
set [ find default-name=sfpplus2 ] master-port=ether1-master-local name=sfpplus2-slave-local
/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan34 vlan-id=34
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1-master-local
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-master-local vlan-id=34
add tagged-ports=ether1-master-local vlan-id=35
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=34 ports=ether2-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=34 ports=ether3-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=34 ports=ether4-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=34 ports=ether5-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=35 ports=ether6-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=35 ports=ether7-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=35 ports=ether8-slave-local sa-learning=yes
/interface ethernet switch vlan
add ports=ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local vlan-id=34
add ports=ether1-master-local,ether6-slave-local,ether7-slave-local,ether8-slave-local vlan-id=35
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
add address=192.168.34.254/24 interface=vlan34 network=192.168.34.0
/romon port
add disabled=no
/system routerboard settings
set protected-routerboot=disabled

4

As mentioned above, you need to add switch1-cpu to the vlan definition and egress tag lines for each vlan that needs a routed interface.
This line:

/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan34 vlan-id=34

adds a vlan interface for Routeros, but the switch can only interface to Routeros if switch1-cpu is added to switch vlan and egress-vlan-tag as below:


interface ethernet switch vlan
add ports=ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu vlan-id=34


/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-master-local,switch1-cpu vlan-id=34

Also, delete the bridge and bridge port. You don’t want to put ether1 on a bridge by itself; you have a vlan attached to it.

5

This was exact the solution. Thank you verry much. No it works

/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1
set ether5 master-port=ether1
set ether6 master-port=ether1
set ether7 master-port=ether1
set ether8 master-port=ether1

/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether6 customer-vid=0 new-customer-vid=34 sa-learning=yes
add ports=ether7 customer-vid=0 new-customer-vid=35 sa-learning=yes
add ports=ether8 customer-vid=0 new-customer-vid=35 sa-learning=yes

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-master-local,switch1-cpu vlan-id=34
add tagged-ports=ether1 vlan-id=35

/interface ethernet switch vlan
add ports=ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,switch1-cpu vlan-id=34
add ports=ether1,ether7,ether8 vlan-id=35 learn=yes

/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan34 vlan-id=34

/ip address
add address=192.168.34.254/24 interface=vlan3