/interface bridge port
add bridge=bridge-vlan100 interface=eth5-vlan100
add bridge=bridge-vlan100 interface=ether6
ether-5 is my trunk port and ether-6 is an untagged port to a device/part of network.
That creates an untagged VLAN to the port Ether-6, RIGHT?
All those 3 devices must have TRUNK ports.
3011 ether-5 as the trunk port to my primary switch (crs125)
crs125 ether-4 as the trunk port to the router (3011)
crs125 ether-3 as the trunk port to the last switch (crs108)
crs109 ether-2 as the trunk port to the primary switch (crs125)
So, VLANs can be done at least 3 ways in legacy RouterOS code. Additionally, you have to be certain your CRS devices are running RouterOS (I don’t use the CRS products but I believe some are capable of running SwitchOS).
The way you’re describing is using the software based bridging method which is in my opinion the simplest to understand. It all appears to be correct. You are right, a VLAN interface is used to tag traffic on a physical interface. Sadly, the CRS devices have switch chips and they likely are meddling with your use of software based bridges. Not to mention performance is drastically lower with software based bridging. You can use software based bridging by setting the master-port to none for the ones you want to use.
Alternatively, if you’re more brave and desire hardware accelerated performance while not wanting to learn what I hope is a dying methodology (switch chip configuration), try the newest RC code for RouterOS. It contains a new VLAN aware bridge. It’s also supposed to manage the hardware feature side as well. This would allow you to configure your devices similarly (like you did with software bridging) while retaining (or gaining) performance from the hardware available to the CRS units. Additionally, you may find VLANs easier to configure in the newest RC as well.
You’re overthinking it and not naming your interfaces and bridges very well. You don’t really need to include “eth5” in your vlan interface names. Nor do you need to add “vlan100” to your bridge name, it’s easy to get confused by doing that.
When you create a vlan interface and set interface=xxx, what you are saying is the vlan interface will ride on top of xxx as a tag. In Cisco land, this is called a “trunk”. Your eth5 has multiple vlan tags riding on it. Similar to “int eth5; switchport trunk allowed vlan 100,200,300”.
What you did with the bridge is bridge vlan 100 to the ethernet port ether6 so that the “native” vlan on ether6 (in Cisco talk) is now vlan 100. Whatever is in vlan 100 is bridged to ether 6. Ether6 is not tagged.
acruhl, thumbs up to you, I like how you don’t put people down for not knowing things and explain how to resolve the issue. I have a question: I have my RouterOS setup with pppoe, NO VLANS right now, but I want to make a new server using vlans. Now I know how to create a VLAN on a bridge I think if I delete the bridge and make all my interfaces be slaves of ether2 this will create the switch. Either way, I want to be able to have my pppoe on a vlan for my clients that use pppoe, dhcp on another vlan for my equipment and another vlan for my hotspots. I can do this; what I have not been able to create is like a MASTER VLAN. What I mean by this is like an Admin VLAN, where I connect my laptop to the network or my office computer to the network and am able to see all devices on all the VLANs. I have seen this done before in a company I worked at, they were using MikroTik and Netronix switches. From reading around I think it has something to do with the VLAN1 but am not sure. Can you advise me on how to do this?
I’m not sure if this is the exact context you are thinking of, but what you are describing is generally known as a “management vlan” where there is a single subnet that you can reach all devices from.
I don’t know how to implement this in Mikrotik at the moment, I would have to think about it. In Cisco or Juniper, you just put that vlan tag on all the trunk interfaces going down to devices below. Then on each device you put an IP on the management vlan in the same subnet and there you go, a management network for all devices. You might want to put in firewall rules that ensure there is no layer 3 reachability between the management vlan and the “customer” vlan.
I don’t see any way to add a vlan to multiple routed interfaces in MikroTik at the moment.
Hopefully someone smarter than I am about MikroTik can reply.
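One way the management VLAN and the isolation rules suggested in the reply above could look on the RB3011 in legacy RouterOS 6 syntax, as an added example that is not part of the original thread. VLAN ID 99, the interface name mgmt99 and the 192.0.2.0/24 subnet are assumptions; ether5 and bridge-vlan100 are the trunk port and customer bridge from the first post.

```routeros
# Management VLAN rides tagged on the trunk port (ether5 in the thread).
# VLAN ID 99 and the name mgmt99 are assumed for this example.
/interface vlan
add name=mgmt99 vlan-id=99 interface=ether5

# Router's address in the management subnet (192.0.2.0/24 is a documentation range).
# Each switch below gets its own address in the same subnet on VLAN 99.
/ip address
add address=192.0.2.1/24 interface=mgmt99

/ip firewall filter
# No routed (layer 3) traffic between the customer VLAN and the management VLAN.
add chain=forward in-interface=bridge-vlan100 out-interface=mgmt99 action=drop comment="customer -> mgmt"
add chain=forward in-interface=mgmt99 out-interface=bridge-vlan100 action=drop comment="mgmt -> customer"
# Router management services (SSH 22, WinBox 8291) are not reachable from the customer VLAN.
add chain=input in-interface=bridge-vlan100 protocol=tcp dst-port=22,8291 action=drop comment="no router mgmt from customer VLAN"
```

Rule order matters: these drops have to sit above any broader accept rule in the same chain.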
It’s really simple to understand vlans, just start without any config and use winbox connected through mac-address.
RB3011 is a router, to add vlans on your router let’s start with this:
ether5 is your trunk port
name vlan100 on ether5 like this: eth5.q100 (the q comes from vlan 802.1q)
you add the vlan like this: /interface vlan add name=eth5.q100 vlan-id=100 interface=ether5
repeat the same for all the other vlans, then add IP/MASK, dhcp-server and so on to each vlan
Let’s suppose you use ether24 as your trunk port to connect to RB3011 and ether23 as trunk port to connect to CRS109, you need to modify all interfaces and set ether24 as master-port. PS: please do not set the master-port on itself.
Now go to switch->vlan->vlan and add vlan100 on every interface where it should be used (trunk and access)
Then go to the next tab (switch-vlan->Eg.VLAN Tag) and add vlan100 on each interface you will use as trunk (ether23, ether24)
Now the only thing missing is to set up access ports: go to switch->vlan->ingress-vlan-translation, add a new rule: on “Ports” add all the interfaces you need as access, on the “Customer VID” tab set “0”, on the “New-Customer-VID” set “100” and voila… you have your switch working with vlans
Repeat all the above for the other vlans.
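The WinBox steps in the post above, written as legacy RouterOS 6 CLI for a CRS1xx/2xx switch chip, as an added example that is not part of the original post. ether23 and ether24 are the trunk ports named in the post; ether2 as the access port is an assumption, and the last setting is an addition that the post's steps do not include.

```routeros
# Put the ports into one hardware switch group.
# ether24 is the master and keeps master-port=none itself.
/interface ethernet
set ether23 master-port=ether24
set ether2 master-port=ether24

# VLAN table: every port that carries VLAN 100, trunk and access.
/interface ethernet switch vlan
add vlan-id=100 ports=ether2,ether23,ether24

# Egress tagging: VLAN 100 leaves tagged only on the trunk ports.
/interface ethernet switch egress-vlan-tag
add vlan-id=100 tagged-ports=ether23,ether24

# Access port (ether2 is assumed): untagged ingress frames (customer VID 0)
# are assigned to VLAN 100.
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=100

# Not in the post's steps: drop frames whose VLAN is invalid or whose
# ingress port is not a member of that VLAN, so the VLAN table is enforced.
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether23,ether24
```

Without the final setting the switch chip still forwards frames for VLANs that are not in the table, so the VLANs separate traffic by convention only.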
Now I see where you got your vlan and bridge interface names from, it came from this mess.
I guess I’m spoiled by Cisco and Juniper layer 2 devices. Once you add a vlan to a port, there is an implied bridge so you don’t have to make all these separate bridges and bridge vlans to physical interfaces, even though that’s probably what’s going on “under the covers”.
Honestly, I’ve only ever set up 1 LACP bonded interface with a few vlan tags going down to a Cisco switch. I’ve never tried to set up multiple trunked interfaces with the same set of vlans in them like these examples show, and I never would have figured this out on my own without reading these documents.
Hopefully the new bridge code in 6.40 solves all of this. I think it solves some of it at least, based on the 6.40 info in the top part of the forum.
I don’t know if I feel smarter or dumber after reading these VLAN wiki pages…