Model: 750GL
RouterOS: v6.47.8 (stable)
I've configured this device as follows:
ether1 - physically connected to a second MikroTik; this interface is routed and configured as the default route (the second MikroTik is connected to the internet)
ether3 - assigned an IP for management
ether5 - physically connected to a managed switch, configured as a trunk port for a router-on-a-stick setup
Configure the VLANs on the switch chip:
/interface ethernet switch
set 0 name="Atheros 8327"
/interface ethernet switch vlan
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=4
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=5
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=7
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=6
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=8
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=9
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=254
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=2
add independent-learning=no ports="ether5(Trunk)(ManagedSW),Atheros 8327-cpu" switch="Atheros 8327" vlan-id=3
VLAN Interfaces and IP Addresses:
/interface vlan
add interface="ether5(Trunk)(ManagedSW)" name="vlan4(Routed)(LAN4)" vlan-id=4
add interface="ether5(Trunk)(ManagedSW)" name="vlan5(Routed)(LAN5)" vlan-id=5
add interface="ether5(Trunk)(ManagedSW)" name="vlan6(Routed)(LAN6)" vlan-id=6
add interface="ether5(Trunk)(ManagedSW)" name="vlan254(Routed)(Management)" vlan-id=254
/ip address
add address=192.168.4.1/24 comment=LAN4 interface="vlan4(Routed)(LAN4)" network=192.168.4.0
add address=192.168.5.1/24 comment=LAN5 interface="vlan5(Routed)(LAN5)" network=192.168.5.0
add address=192.168.6.1/24 comment=LAN6 interface="vlan6(Routed)(LAN6)" network=192.168.6.0
add address=192.168.254.2/24 comment=Management interface="vlan254(Routed)(Management)" network=192.168.254.0
add address=192.168.2.2/24 comment="Internet LAN" interface="ether1(Routed)(Internet)" network=192.168.2.0
add address=192.168.88.1/24 comment="Console Port" interface="ether3(Access)(LAN)" network=192.168.88.0
/ip route
add distance=1 gateway=192.168.2.1
I then set the switch chip interfaces as follows:
/interface ethernet switch port
set 3 vlan-mode=secure
set 5 vlan-mode=secure
Here's the output for the switch port section:
#  NAME                        SWITCH        VLAN-MODE  VLAN-HEADER  DEFAULT-VLAN-ID
0  ether2(Access)(LAN)         Atheros 8327  disabled   leave-as-is  auto
1  ether3(Access)(LAN)         Atheros 8327  disabled   leave-as-is  auto
2  ether4(Access)(LAN)         Atheros 8327  disabled   leave-as-is  auto
3  ether5(Trunk)(ManagedSW )   Atheros 8327  secure     leave-as-is  auto
4  ether1(Routed)(Internet)    Atheros 8327  disabled   leave-as-is  auto
5  Atheros 8327-cpu            Atheros 8327  secure     leave-as-is  auto
So with the CPU port set to 'secure', why am I able to plug into ether3 and access the device on 192.168.88.1? At the very least the return traffic from the CPU should be blocked by the 'secure' setting on the CPU port?