I am currently using a RB3011UiAS-RM router and would like to achieve the below VLAN configuration setup.
I followed the Switch_Router manual and managed to achieve a slightly different setup which only allows tagged VLAN traffic rather than tagging it according to the assigned VLAN.
Commands used:
#Create a VLAN interface for each VLAN ID and assign an IP address on it
/interface vlan add comment="LAN" interface=bridge-VLAN name="VLAN 10 - LAN" vlan-id=10
/ip address add address=192.168.10.1/24 comment="LAN Gateway" interface="VLAN 10 - LAN"
#Setup a DHCP Server for each VLAN
/ip pool add name=LAN ranges=192.168.10.50-192.168.10.254
/ip dhcp-server add address-pool=LAN disabled=no interface="VLAN 10 - LAN" name=DHCP-LAN
/ip dhcp-server network add address=192.168.10.0/24 comment="LAN Network" dns-server=192.168.10.1,8.8.8.8 gateway=192.168.10.1
#Add each port to the VLAN table and allow these ports to access the CPU in order to make DHCP and routing to work
/interface ethernet switch vlan add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=10
#Specify each port to be as an access port, enable secure VLAN mode on each port and on the switch1-cpu port
/interface ethernet switch port set ether2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
I believe i the misconfiguration relies on the last two commands but i have no clue how to edit them to achieve the desired VLAN setup, can perhaps some experienced user guide me in the right direction?
For me, access (untagged) VLAN port works with configuration similar to this one:
/interface ethernet switch port set ether2 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
I guess that vlan-header setting applies to ingress packets more than egress (but there it still applies in somehow inverse sense).
I also guess that configuration above would allow tagged VLAN (ID=10) ingress but would strip VLAN tag on egress and if port partner (e.g. VLAN enabled server) was actually configured to use tagged VLAN ethernet frames, traffic would fail in this case due to missing VLAN tags on direction RB->host.
Apparently i need to disable and enable the interface in particular for it to reflect the changes and work. The configuration I initially posted worked correctly, and even if i change the vlan-header to add-if-missing as suggested by mkx, it still works.
For future users who perhaps encounter this issue, below you can find the configuration that worked for me.
Yes, thanks for the heads up. Another question that comes to mind, since the router is doing all the work (Both switching and routing), who is the trunk in that case?
My bet is that the CPU is doing the work. Is this correct or something else acts like the trunk?
I would like to know this since i find it very confusing since everything works fine without actually setting a trunk port.
