Port 1 would be connected to our distribution switch, and that would trunk VLANs 800, 798, 799, 803 (voice)
VL 800 would have an SVI of 10.22.0.31. VLAN 800 is our management VLAN. Anyone should be able to access this, including whoever is connected to this switch.
Ports 2 and 3 would be configured to access VLAN 798, and VLAN 803
Ports 4 and 5 would be configured to access VLAN 799, and VLAN 803
Ports 2-5 would be configured for PoE output as well. Port 1 would receive passive PoE
An access list would allow 10.22.0.1 to access this device
The NTP source would be VL800 with the IP being 10.22.0.1
The “Cisco way” is to do this:
access-list 99 permit 10.22.0.1
and:
ntp source Vlan800
ntp server 10.22.0.1 source Vlan800
For that, but not sure how it is here.
I’m not sure how you’d configure this? I’ve downloaded Winbox, and I’ve had a little play there. I’ve had a look at YouTube guides, and they talk about creating multiple bridges for different VLANs, but nobody shows how you make voice AND data go across. I’d much rather reset, and make sure I do this “properly” and cleanly.
Have a look at this manual … section “Other devices with built-in switch chip”. It’s not exactly straight forward, if you get stuck come back with copy of (non-running) config and question …
I don’t know how you get the voice VLAN in there too? Each port should allow VLAN 803 for voice too. Essentially, the “Cisco way” for ether2 to ether5 is this:
I’d want to replicate that here, really. The bandwidth shaping doesn’t matter too much, nor does the logging stuff.
Also, what is the equivalent of a “show run” in Mikrotik land? Would you also know how we configure the equivalent of
access-list 99 permit 10.22.0.1
and
ntp source Vlan800
ntp server 10.22.0.1 source Vlan800
as well as SNMP traps? The main thing though is to get the switch actually working! The good thing is, that this is my “toy” from home, but it would be nice to make it work.
Regarding /interface vlan: if you don’t intend to have switch/RB interact with some VLAN, then you don’t need corresponding VLAN interface. These interfaces are only necessary if RB has IP address in that VLAN. OTOH, if you do need RB to interact with certain VLAN, then switch1-cpu interface has to be member of that VLAN in /interface switch vlan (you have it for VID 800).
I don’t know if Cisco has some special treatment of “switchport voice vlan” … could be it’s synonymous with “trunk”. AFAIK, usual IP phones (with PC access port) run voice VLAN tagged and data untagged over upstream connection. Which means the (merged variant) of the two lines I quoted at the top of this post already take care of voice VLAN on access ports.
The idea behind ROS way of doing VLANs:
in /interface ethernet switch vlan one has to define VLAN membership of all ethernet ports. It doesn’t matter if ports are access, hybrid (one or more tagged and one untagged VLANs) or trunk ports (tagged only), just membership. So make sure VoIP-enabled ports are listed twice, once in VoIP VLAN group and once in data VLAN group.
in /interface ethernet switch port one defines PVID (if any) … which only defines what happens for untagged packets on ingress (they get tagged with PVID if PVID is set) and on egress (VLAN header gets stripped if PVID is set). Mind that this setting does not define VLAN membership.
So for ether1 (the upstream trunk port) you don’t set any PVID (just the way you have it) and (this is security setting) have vlan-header=leave-as-is. You only list ether1 as member of multiple VLANs in /interface ethernet switch vlan config lines … which is not done yet in your config.
Mind that after you added combination with “switch=XXX vlan-id=YYY”, you can not add another, similar config (expecting that ROS will merge those two), you have to change the original config line using construct like set [ find switch=XXX vlan-id=YYY ] ports=.
Secure config would require vlan-mode=secure on all ether ports as well, but set this only after you’ve verified proper operation and enable safe mode before setting this (if this setting breaks your management connectivity, safe mode will revert to config state before enabling safe mode).
Equivalent of “show run” would be something like print or in absolute config tree /interface ethernet switch port print. Which applies also to /snmp …
Not exactly. If you start from blank configuration (and factory default has nothing about VLANs), then below is fixed config (rewrite of complete section /interface ethernet switch vlan, other sections seem fine as they are).
/interface ethernet switch vlan
add ports=ether1,ether2,ether3 switch=switch1 vlan-id=798 # includes ether1 as uplink trunk port
add ports=ether1,ether4,ether5 switch=switch1 vlan-id=799 # includes ether1 as uplink trunk port
add ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=803 # all ports have voice VLAN including ether1 as trunk port
add ports=ether1,switch1-cpu switch=switch1 vlan-id=800
You might want to add independent-learning=yes to all above config lines (normally this should not affect the functionality, but it’s a safe setting).
Just a recommendation: when you create a software interface (e.g. VLAN interface), give it a name without white spaces (and possibly other special characters, such as colons) … although they are valid names, dealing with such names is a pain (one has to remember to always put quotes around name) … which BTW explains why the “more or less” in first paragraph of this post …
The other change is: “independent-learning=yes” should be included in all add ports=… vlan-id=XX lines, it’s a per-VLAN setting, not general one.
If you need some additional description to certain config items, you can always add a comment=“this is a comment” on config line.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes # adds ether1 to the bridge
add bridge=bridge1 interface=ether2 hw=yes # adds ether2 to the bridge
add bridge=bridge1 interface=ether3 hw=yes # adds ether3 to the bridge
add bridge=bridge1 interface=ether4 hw=yes # adds ether4 to the bridge
add bridge=bridge1 interface=ether5 hw=yes # adds ether5 to the bridge
/interface ethernet switch vlan
independent-learning=yes
add ports=ether1,ether2,ether3 switch=switch1 vlan-id=798 # includes ether1 as uplink trunk port
add ports=independent-learning=yes ether1,ether4,ether5 switch=switch1 vlan-id=799 # includes ether1 as uplink trunk port
add ports=independent-learning=yes ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=803 # all ports have voice VLAN including ether1 as trunk port
add ports=independent-learning=yes ether1,switch1-cpu switch=switch1 vlan-id=800
/interface vlan
add interface=bridge1 vlan-id=800 name="SVI:: XXX - Network Management"
/ip address
add address=10.22.0.31/24 interface="SVI:: XXX - Network Management"
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=798 # untagged data vlan
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=798 # untagged data vlan
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=799 # untagged data vlan
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=799 # untagged data vlan
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
I see what you mean about the white space, and no colons however that’s exactly how it is configured across 10 other devices, and that’s what documentation refers to it as. I’d much rather keep it uniform
Under /interface ethernet switch port you should change vlan-header=always-strip to vlan-header=leave-as-is for ether2-5.
From the note in https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_Settings
QCA8337 and Atheros8327 switch chips ignore the vlan-header property and uses the default-vlan-id property to determine which ports are access ports. The vlan-header is set to leave-as-is and cannot be changed while the default-vlan-id property should only be used on access ports to tag all ingress traffic.
The first one. The interface ethernet switch ports default-vlan-id= setting is equivalent to the Cisco switchport access vlan.
Mikrotiks don’t have any specific voice related capabilities such as LLDP-MED and voice VLAN. You are providing the VLAN tagged on ether2-5 as hybrid ports rather than the Cisco way of providing a voice specific VLAN on an access port.
Thanks. On a Cisco small business switch, in the past I’ve used the “switchport mode trunk” and “switchport trunk allowed vlan x, y,z” command where you couldn’t do that
So I guess I’ll apply this:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes # adds ether1 to the bridge
add bridge=bridge1 interface=ether2 hw=yes # adds ether2 to the bridge
add bridge=bridge1 interface=ether3 hw=yes # adds ether3 to the bridge
add bridge=bridge1 interface=ether4 hw=yes # adds ether4 to the bridge
add bridge=bridge1 interface=ether5 hw=yes # adds ether5 to the bridge
/interface ethernet switch vlan
independent-learning=yes
add ports=ether1,ether2,ether3 switch=switch1 vlan-id=798 # includes ether1 as uplink trunk port
add ports=independent-learning=yes ether1,ether4,ether5 switch=switch1 vlan-id=799 # includes ether1 as uplink trunk port
add ports=independent-learning=yes ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=803 # all ports have voice VLAN including ether1 as trunk port
add ports=independent-learning=yes ether1,switch1-cpu switch=switch1 vlan-id=800
/interface vlan
add interface=bridge1 vlan-id=800 name="SVI:: XXX - Network Management"
/ip address
add address=10.22.0.31/24 interface="SVI:: XXX - Network Management"
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798 # default-vlan-id means switchport access vlan
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798 # untagged data vlan
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 # untagged data vlan
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 # untagged data vlan
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
And hope it works. I guess I could then use Winbox to add in one access list, SNMP traps, and an NTP source?
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 hw=yes # adds ether1 to the bridge
add bridge=bridge interface=ether2 hw=yes # adds ether2 to the bridge
add bridge=bridge interface=ether3 hw=yes # adds ether3 to the bridge
add bridge=bridge interface=ether4 hw=yes # adds ether4 to the bridge
add bridge=bridge interface=ether5 hw=yes # adds ether5 to the bridge
/interface ethernet switch vlan
add ports=ether1,ether2,ether3 switch=switch1 independent-learning=yes vlan-id=798 # includes ether1 as uplink trunk port
add ports=ether1,ether4,ether5 switch=switch1 independent-learning=yes vlan-id=799 # includes ether1 as uplink trunk port
add ports=ether1,ether2,ether3,ether4,ether5 independent-learning=yes switch=switch1 vlan-id=803 # all ports have voice VLAN including ether1 as trunk port
add ports=ether1,switch1-cpu switch=switch1 independent-learning=yes vlan-id=800
/interface vlan
add interface=bridge vlan-id=800 name="SVI:: IDC - Network Management"
/ip address
add address=10.22.0.31/24 interface="SVI:: IDC - Network Management"
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798 # default-vlan-id means switchport access vlan
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798 # untagged data vlan
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 # untagged data vlan
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 # untagged data vlan
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
I was plugged into ether2 when making changes, and when connected “locally” (i.e. my laptop), it disconnected me as soon as I made the command set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798
Then I appeared to have lost management connectivity too, despite routing being, well… there, so whilst port 2 certainly put me on VL798, I couldn’t manage the switch any longer (when I connected this to our distribution switch). I connected a phone to one of the ports on the hEX switch too, and it didn’t provide it any power, so I couldn’t test.
I didn’t make the change set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 either, given I wanted at least one to “work” whilst I was working on it. As soon as I added set switch1-cpu vlan-header=leave-as-is vlan-mode=secure, I lost the ability to manage it anymore too.
I also couldn’t add ports to the bridge as it already existed, so I didn’t actually create another bridge.
Issues:
No PoE available
No mgmt available after “default-vlan-id” or “switch1-cpu vlan header…” command is applied
No config can, therefore, be made on ether5
Winbox no longer sees it, despite actually connected through VL798 on ether2
The PSU supplied with the RB960PGS is 24V, as historically Mikrotik have used 24V passive PoE. The device itself will work with supplies between 12 and 57V but it does not convert voltages. From the website: “Ethernet ports 2-5 can power other PoE capable devices with the same voltage as applied to the unit.” and “It can power at/af mode B (4,5+)(7, compatible devices, if 48-57 input voltage is used.”
The switch vlan configuration add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=800 only permits VLAN 800 to the CPU. If you wish direct access from VLAN 798 with Winbox then switch1-cpu should be added to the add … vlan-id=798 line.
You don’t have a default route configured, so the only accessibility is from a 10.22.0.x address tagged with VLAN 800 via ether1.
Most probably phones need standard IEEE 802.3af/at PoE. hEX PoE unit can provide that if it is powered with 48V power supply. The supplied power adapter is 24V and is no good for standard PoE.
When configuring L2 stuff (e.g. VLANs), one can not rely on L3 management connection. Which leaves L2 management connection, which is available when using Winbox and connecting via MAC address. Furthermore, L2 reconfigurations can affect L2 connectivity, especially so as MAC management is restricted and by default it’s restricted to interfaces members of interface list LAN. When doing L2 reconfiguration, it is wise to disable this restriction (at least temporarily) by setting /tool mac-server set allowed-interface-list=all and /tool mac-server mac-winbox set allowed-interface-list=all.
I’ve already mentioned use of “safe mode” in my post #4 above (in penultimate paragraph). It is advisable to enable safe mode most of the time when changing L2 configuration … unless one is 100% sure that change about to be made is correct and that it will not (even temporarily) break management connection.
The third and the fourth bullet are direct consequence of second bullet.
If you’re using winbox, then I believe there’s a button somewhere near upper-left corner with nice friendly letters on it “Safe Mode” … when enabled, that button is darker than the surrounding area. Click it again to exit safe mode.
I’m not sure webfig actually supports safe mode …
If you’re using CLI, you can enable safe mode by pressing CTRL+X (to disable press CTRL-X again) … when enabled, command prompt changes (it includes ) …
As you already have
add ports=ether1,ether2,ether3 switch=switch1 independent-learning=yes vlan-id=798
change it to
add ports=ether1,ether2,ether3**,switch1-cpu** switch=switch1 independent-learning=yes vlan-id=798
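The management loss described above comes down to two consistency rules in the switch-chip config: a port’s default-vlan-id must name a VLAN the port is actually a member of, and switch1-cpu must be a member of every VLAN you expect to manage the device over. The checker below is an added example (not from this thread or from MikroTik); it parses the /interface ethernet switch vlan and /interface ethernet switch port sections of an exported config and reports violations. The sample config is constructed from the one posted in this thread, with ether5 deliberately left at vlan-mode=fallback to show that check firing.

```python
import re

# Constructed sample modelled on the thread's config: switch1-cpu is only a
# member of VLAN 800, so Winbox over VLAN 798 on ether2 cannot reach the CPU,
# and ether5 has a weaker vlan-mode than the other ports.
SAMPLE_CONFIG = """\
/interface ethernet switch vlan
add ports=ether1,ether2,ether3 switch=switch1 independent-learning=yes vlan-id=798
add ports=ether1,ether4,ether5 switch=switch1 independent-learning=yes vlan-id=799
add ports=ether1,ether2,ether3,ether4,ether5 independent-learning=yes switch=switch1 vlan-id=803
add ports=ether1,switch1-cpu switch=switch1 independent-learning=yes vlan-id=800
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799
set ether5 vlan-mode=fallback vlan-header=leave-as-is default-vlan-id=799
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
"""

def parse(config):
    """Return ({vlan_id: set(ports)}, {port: {key: value}}) from the two sections."""
    vlans, ports, section = {}, {}, None
    for line in config.splitlines():
        line = line.split("#")[0].strip()          # drop trailing comments
        if line.startswith("/"):
            section = line
            continue
        kv = dict(re.findall(r"(\S+?)=(\S+)", line))
        if section == "/interface ethernet switch vlan" and line.startswith("add"):
            vlans[int(kv["vlan-id"])] = set(kv["ports"].split(","))
        elif section == "/interface ethernet switch port" and line.startswith("set"):
            ports[line.split()[1]] = kv
    return vlans, ports

def check(config, mgmt_vlans, trunk="ether1"):
    """Return a list of findings; empty list means the config is consistent."""
    vlans, ports = parse(config)
    findings = []
    for name, kv in ports.items():
        pvid = kv.get("default-vlan-id")
        if name == trunk and pvid:
            findings.append(f"{name}: trunk port should not carry default-vlan-id")
        if pvid and name not in vlans.get(int(pvid), set()):
            findings.append(f"{name}: default-vlan-id {pvid} but not a member of that VLAN")
        if kv.get("vlan-mode") != "secure":
            findings.append(f"{name}: vlan-mode is {kv.get('vlan-mode', 'unset')}, expected secure")
    for vid in mgmt_vlans:                         # CPU must sit in each management VLAN
        if "switch1-cpu" not in vlans.get(vid, set()):
            findings.append(f"vlan {vid}: switch1-cpu missing, management over this VLAN fails")
    return findings
```

Run check(SAMPLE_CONFIG, [800, 798]) before committing a change, ideally from inside safe mode, and only apply once the list is empty.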
Also, how do you go about setting routes?
/ip route
add distance=1 gateway=10.22.0.X # where X is your management gateway (typically 1 or 254)