Where am I going wrong? - Voice, and data required as well as mgmt

Hi,

I bought a Mikrotik Hex PoE switch. Port 1 would be connected to our distribution switch, on VLAN 800, with an SVI of 10.22.0.31. VLAN 800 is our management VLAN. Anyone should be able to access this, including whoever is connected to this switch.

Ports 2 and 3 would be configured to access VLAN 798, and VLAN 803
Ports 4 and 5 would be configured to access VLAN 799, and VLAN 803

I’d like to access the 10.22.0.31 from VL798 too. The following config has been done:

[Ctrl+X]

/ip route
add distance=1 gateway=10.22.0.254
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 hw=yes # adds ether1 to the bridge
add bridge=bridge interface=ether2 hw=yes # adds ether2 to the bridge
add bridge=bridge interface=ether3 hw=yes # adds ether3 to the bridge
add bridge=bridge interface=ether4 hw=yes # adds ether4 to the bridge
add bridge=bridge interface=ether5 hw=yes # adds ether5 to the bridge
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,switch1-cpu switch=switch1 independent-learning=yes vlan-id=798  # includes ether1 as uplink trunk port
add ports=ether1,ether4,ether5 switch=switch1 independent-learning=yes vlan-id=799  # includes ether1 as uplink trunk port
add ports=ether1,ether2,ether3,ether4,ether5 independent-learning=yes switch=switch1 vlan-id=803  # all ports have voice VLAN including ether1 as trunk port
add ports=ether1,switch1-cpu switch=switch1 independent-learning=yes vlan-id=800
/interface vlan
add interface=bridge vlan-id=800 name="SVI:: IDC - Network Management"
/ip address
add address=10.22.0.31/24 interface="SVI:: IDC - Network Management"
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798 # default-vlan-id means switchport access vlan
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798 # untagged data vlan
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 # untagged data vlan
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799 # untagged data vlan

Doing this, I get data, and the phone powers up, however, that’s about it. It just gets stuck there. I’ll check if that’s the phone.
It also means I can’t ping the switch’s management IP address, both from VLAN 798 and from VLAN 800 (ie: from the distribution switch it’s directly connected to)

Any help would be appreciated

Switch management interface is not “multi-homed” … its IP address is only directly accessible from one L3 subnet - with current config that should be VLAN 800 which is only available through trunk connection ether1. It can be accessible from elsewhere, but there has to be a router between VLAN 800 and the rest of networks.

BTW, are you sure that shown config was actually applied? The first thing shown in config is enablement of safe mode and config changes likely break management connection meaning config roll-back due to safe mode. With L2 reconfig you’ll likely have to bite the bullet and apply config changes without enabling safe mode first. That’s not the only option, alternative would be gradual config changes and lots of management access changes (different physical ports used)…
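
As an added illustration of the reply above (not code from the thread or from MikroTik): a small Python check that reads the posted switch-chip config and reports which VLANs have switch1-cpu as a member and which of those also have an /interface vlan, which is where the management address is directly reachable. The function names and the comment-stripped CONFIG sample are constructed for this example.

```python
import re

# Constructed input: switch-chip part of the posted config, inline comments dropped.
CONFIG = """\
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,switch1-cpu switch=switch1 independent-learning=yes vlan-id=798
add ports=ether1,ether4,ether5 switch=switch1 independent-learning=yes vlan-id=799
add ports=ether1,ether2,ether3,ether4,ether5 independent-learning=yes switch=switch1 vlan-id=803
add ports=ether1,switch1-cpu switch=switch1 independent-learning=yes vlan-id=800
/interface vlan
add interface=bridge vlan-id=800 name="SVI:: IDC - Network Management"
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=798
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=799
"""

def parse(config):
    """Return (vlan -> member ports, VLAN ids with an /interface vlan, port -> default-vlan-id)."""
    members, l3, pvid, section = {}, set(), {}, ""
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("/"):          # a menu path opens a new section
            section = line
            continue
        kv = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        if section == "/interface ethernet switch vlan" and "vlan-id" in kv:
            members[int(kv["vlan-id"])] = set(kv["ports"].split(","))
        elif section == "/interface vlan" and "vlan-id" in kv:
            l3.add(int(kv["vlan-id"]))
        elif section == "/interface ethernet switch port" and "default-vlan-id" in kv:
            pvid[line.split()[1]] = int(kv["default-vlan-id"])
    return members, l3, pvid

def audit(config, cpu="switch1-cpu"):
    members, l3, pvid = parse(config)
    cpu_vlans = {v for v, ports in members.items() if cpu in ports}
    return {
        "cpu_vlans": sorted(cpu_vlans),                   # VLANs forwarded to the CPU port
        "mgmt_vlans": sorted(cpu_vlans & l3),             # CPU member and has a VLAN interface
        "cpu_without_interface": sorted(cpu_vlans - l3),  # reaches CPU, no VLAN interface here
        "interface_without_cpu": sorted(l3 - cpu_vlans),  # VLAN interface the chip never feeds
        "pvid_not_member": sorted(p for p, v in pvid.items() if p not in members.get(v, set())),
    }

if __name__ == "__main__":
    print(audit(CONFIG))
```

For the posted config this reports VLAN 800 as the only VLAN with both CPU membership and a VLAN interface, while VLAN 798 is forwarded to the CPU port without any VLAN interface defined for it.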

Hi,

The distribution switch is a layer three switch, and that does the actual routing. A VLAN 800 IP can’t connect to the VLAN 800 management. I’ll commit to the changes, outside of safe mode, and let you know how I get on.

Is the config “fine” otherwise?

Thanks

On the first (and second) glance the config should be fine.