Hi there!
As subject says. Can't I have both untagged and tagged (trunked) ports on the same unit?

Config will follow, but in short terms.

Bridge called "BridgeTRUNK" created
Added interface 2-3 there.

5 vlans, all terminated on "BridgeTRUNK"

1 DHCP for each clan, terminated on the clan-interface.

All this works as it should.

BUT.

When I try to connect an computer directly to port 5 I get troubles.

Config for that.
New bridge called BridgeADMIN
interface 5 and the admin-vlan added to bridge

Then the clan get's in "slave"-mode and the dhcp goes down. Can't I do like this?

Thanks in advance!

##CONFIG##
[user@AP1] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R 1-WAN ether 1500 1600 4076 D4:CA:6D:F2:21:92
1 S 2-TRUNK ether 1500 1598 2028 D4:CA:6D:F2:21:93
2 S 3-TRUNK ether 1500 1598 2028 D4:CA:6D:F2:21:94
3 X 4-SHUTDOWN ether 1500 1598 2028 D4:CA:6D:F2:21:95
4 RS 5-untagged ether 1500 1598 2028 D4:CA:6D:F2:21:96
8 R BridgeAdmin bridge 1500 1598 D4:CA:6D:F2:21:96
9 R BridgeTRUNK bridge 1500 1598 D4:CA:6D:F2:21:94
10 R vlan20-MGMT vlan 1500 1594 D4:CA:6D:F2:21:94
11 R vlan30-ADMIN vlan 1500 1594 D4:CA:6D:F2:21:94
12 R vlan40-GUEST vlan 1500 1594 D4:CA:6D:F2:21:94
13 R vlan50-KONFERENS vlan 1500 1594 D4:CA:6D:F2:21:94
14 R vlan60-HYRESGAST vlan 1500 1594 D4:CA:6D:F2:21:94

[user@AP1] /interface vlan> print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLA
0 R vlan20-MGMT 1500 enabled
1 R vlan30-ADMIN 1500 enabled
2 R vlan40-GUEST 1500 enabled
3 R vlan50-KONFERENS 1500 enabled
4 R vlan60-HYRESGAST 1500 enabled

[user@AP1] /interface bridge> print
Flags: X - disabled, R - running
0 R name="BridgeAdmin" mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:F2:21:96 protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
1 R name="BridgeTRUNK" mtu=1500 l2mtu=1598 arp=enabled mac-address=D4:CA:6D:F2:21:94 protocol-mode=rstp priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m


Thanks in advance.

I've tried to disabled clan on the switch aswell.

[user@AP1] /interface ethernet switch port> print
Flags: I - invalid
# NAME SWITCH VLAN-MODE VLAN-H
0 2-TRUNK switch1 fallback leave-
1 3-TRUNK switch1 fallback leave-
2 4-SHUTDOWN switch1 fallback leave-
3 5-untagged switch1 disabled leave-
4 switch1-cpu switch1 fallback leave-

If the vlan is put into a bridge, the DHCP server should be on the bridge too.

Ok. I'll try that when I get home.

Thanks!

Hi again.
I didn't get it to work.

Can't I both have an clan tagged and untagged on an RB951-2n?

I'm terminating all the vlans in the same box, I have the DHCP etc on the same box aswell.
And out from it I wanna have 3 TRUNK/TAGGED ports that transport all the vlans (6) to the other RB951-2n
And 1 untagged port with vlan30 to connect the computer in the same room..

I'm from the "Ciscoworld" where you just put trunk or accessmode on the port. What am I doing wrong? Sounds so easy in my ears but I just can't get it to work

Thanks in advance.

Unfortunately Mikrotik config isn't quite as abstracted as the major vendors config is. Here is how to do what you desire in hardware using the switch chip. A bridge will cause all the traffic to hit CPU which will mean less than line rate L2 packet forwarding.

A good way to compare Mikrotik switchchip vlan management is like a Cisco device that doesn't have the "switchport access vlan" command and everything had to be configured with "switchport trunk vlan <vlan id list>" and "switchport trunk native vlan <vlanID>".

• 1. Remove the bridge interface
  2. Create VLAN interfaces for each VLAN ID you wish to terminate on the device. This is similar to creating a L3 SVI on a Cisco (int vlan X; ip address blabla)
  3. In the switch menu go to the port tab. Configure the VLAN security on each port to something other than disabled. On the ports you wish to be access ports set the default VLAN as needed. Also change the VLAN header to strip[\b] in the case of a access port. In the case of a trunk port leave it set to leave as is[\b]
  4. In the switch menu go to the VLAN tab. Add all of the VLAN IDs you want to work with and the ports they should be allowed on. This is similar to (switchport trunk vlan <VLANID>). When it comes to the CPU make sure it contains all of the VLAN that may terminate on it including VLAN 0. This is important or you may loose communication with the device.
  5. Setup your DHCP server on the VLAN Interface you wish it to be on.

There is a good example of what I attempted to explain above at the wiki link below.

http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features

Argh!

What am I doing wrong? Just can't get it to work.
The tagged ports work just as it should, but I can't get the untagged port to work

Tried to change from bridge to switch now as recommended. But I get the same issue.

The tagged port work, but not the untagged one.

Please help.

What version of ROS are you running 5.x or 6.x?

Also you may want to turn on Independent learning on your vlan 30. Don't forget to add the other VLANs as well.

I'll see if I can't test your config on my 951-2n

You have to add the vlan on the switch chip and assign the ports

ros code

/interface ethernet switch vlan
add switch=switch1 ports=ether2,ether5 vlan-id=30

If done, ether5 should be an untagged port for VLAN30

[EDIT]
Sorry, misread your configuration. I see you already have the VLAN.
But the trunk port must also be configured there.

Hi again.
I'm running 6.12 and 3.10 firmware.

I'll add the other vlans when I have 1 up and running. This is not production atm as I can't get it to work..

I've added the masterport now aswell. But the tagged ones worked anyway?