Topic Author
Posts: 313
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

6.41 and VLANs - what is the proper and most performant way to do that now?

Thu Dec 28, 2017 2:36 am


I'm a little bit confused by the options given in 6.41 regarding VLANs. After playing in the lab I know less than I knew before doing so... To put it in simple terms, in general we're talking about 3 configs where you have VLAN=45, which has to be accessible via an access port and has to be available as part of a trunk.

I was playing with the following three solutions:
Config #1:
- ether7 added to bridge-vlan45
- ether7 set in switch as VLAN Mode=Disabled
- bridge1 created from old master port config has several VLAN pseudointerfaces like sw1-vlan45, sw1-vlan130 etc
- bridge-vlan45 contains ports: ether7 and VLAN pseudo-interfaces sw1/sw2-vlan45

Config #2:
- ether7 added directly to bridge1 created from old master port configuration
- ether7 set in switch as VLAN Mode=secure; VLAN Header=always strip; Default VLAN ID=45
- bridge1 created from old master port config has several VLAN pseudointerfaces like sw1-vlan45, sw1-vlan130 etc
- bridge-vlan45 contains just VLAN-pseudointerfaces sw1/sw2-vlan45

Config #3 (not tested):
- ether7 added to bridge-vlan45
- ether7 set in switch as VLAN Mode=Disabled
- bridge-vlan45 VLAN Filtering enabled with PVID=45
- ???

1. So where should you add VLAN pseudo-interfaces? Add them under a bridge? Or maybe I should set up a bridge with PVID set?
2. Where should the VLAN tags be added/removed? /switch or a bridge with VLAN pseudo-interfaces?
3. Should I even have something like what 6.41 created: bridge1 with multiple VLAN pseudo-interfaces? Now, since bridges are accelerated, I will just create VLAN interfaces under physical ports and just add e.g. ether7-vlan45 to bridge-vlan45 directly.
4. I'm lost and feel stupid ;)

I will be really glad if someone can give me a hint on such setups. Thanks.
Member Candidate
Posts: 273
Joined: Tue Oct 06, 2015 7:28 am

Re: 6.41 and VLANs - what is the proper and most performant way to do that now?

Fri Dec 29, 2017 1:32 am

This is what's been working for me.

For most switch chips except the newer CRS3XX series, you want to be closer to config 2.

Put all ports from the switch(s) directly under a single bridge.

Do NOT use the vlan section under bridges and leave VLAN filtering unchecked in the bridge options.

Add all needed management and routable VLANS under interfaces/vlans with the new bridge as the parent interface.

Set up your vlan tables and ports under /interfaces/switch with fallback, check or secure. Be sure to include the switch_cpu ports with any VLANS needing management or routing.

Here's a working config from my RB2011 (acting as a switch) with multiple VLANS, trunked on Ether1 with others as access ports.
# dec/28/2017 15:28:05 by RouterOS 6.41
# software id = AD6T-JK3F
# model = 2011UAS
# serial number = XXXXXXXXXXXXXX
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-Cams
set [ find default-name=ether3 ] name=ether3-36Dog
set [ find default-name=ether4 ] name=ether4-Servers
set [ find default-name=ether5 ] name=ether5-CapMan
set [ find default-name=ether8 ] name=ether8-Cams
set [ find default-name=ether9 ] name=ether9-Servers
set [ find default-name=ether10 ] name=ether10-Management
/interface bridge
add admin-mac=XX:XX:6D:97:XX:XX auto-mac=no comment=defconf name=bridge \
/interface vlan
add interface=bridge name=vlan99-Management vlan-id=99
/interface ethernet switch port
set 0 default-vlan-id=1 vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=8 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=1 vlan-mode=secure
set 7 default-vlan-id=99 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=8 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=99 vlan-header=always-strip vlan-mode=secure
set 11 vlan-header=add-if-missing vlan-mode=secure
set 12 vlan-header=add-if-missing vlan-mode=secure
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-Cams
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge interface=sfp1
add bridge=bridge interface=ether1-trunk
add bridge=bridge interface=ether3-36Dog
add bridge=bridge interface=ether4-Servers
add bridge=bridge interface=ether5-CapMan
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8-Cams
add bridge=bridge interface=ether9-Servers
add bridge=bridge interface=ether10-Management
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface ethernet switch vlan
add independent-learning=no ports=ether1-trunk,switch1-cpu switch=switch1 \
add independent-learning=no ports=ether1-trunk,ether5-CapMan switch=switch1 \
add independent-learning=no ports=ether1-trunk,ether2-Cams,switch1-cpu \
    switch=switch1 vlan-id=8
add ports=ether8-Cams,switch2-cpu switch=switch2 vlan-id=8
add independent-learning=no ports=ether1-trunk,ether3-36Dog switch=switch1 \
add independent-learning=no ports=ether1-trunk,ether4-Servers,switch1-cpu \
    switch=switch1 vlan-id=4
add independent-learning=no ports=ether1-trunk switch=switch1 vlan-id=5
add ports=ether10-Management,switch2-cpu,ether7 switch=switch2 vlan-id=99
add ports=ether9-Servers,switch2-cpu switch=switch2 vlan-id=4
/interface list member
add interface=sfp1 list=discover
add interface=ether2-Cams list=discover
add interface=ether3-36Dog list=discover
add interface=ether4-Servers list=discover
add interface=ether5-CapMan list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8-Cams list=discover
add interface=ether9-Servers list=discover
add interface=ether10-Management list=discover
add interface=bridge list=discover
add interface=vlan99-Management list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add list=mac-winbox
add interface=vlan99-Management list=mac-winbox
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan99-Management
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1-trunk
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=RB2011
/system package update
set channel=bugfix
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
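
The advice above to include the switch CPU port for every VLAN that needs management or routing can be checked against an export. This is an added example, not part of the original post or the poster's config: the sample export is constructed and the function names are hypothetical.

```python
import re

# Constructed sample export (not the poster's config): VLAN 99 is routed and
# has the CPU port in its switch VLAN entry; VLAN 8 is routed but does not.
SAMPLE_EXPORT = r"""
/interface vlan
add interface=bridge name=vlan99-mgmt vlan-id=99
add interface=bridge name=vlan8-cams vlan-id=8
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether10,switch1-cpu \
    switch=switch1 vlan-id=99
add independent-learning=no ports=ether1,ether2 switch=switch1 vlan-id=8
"""

def parse_export(text):
    """Yield (menu_path, {key: value}) for each 'add' line of an export."""
    # Join backslash-continued lines. Continuation lines are indented, so a
    # dangling backslash before an unindented line (truncated paste) is not joined.
    text = re.sub(r"\\\n[ \t]+", "", text)
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def vlans_missing_cpu_port(text):
    """Sorted VLAN IDs with a VLAN interface but no switch VLAN entry that lists a CPU port."""
    routed, cpu_tagged = set(), set()
    for menu, props in parse_export(text):
        vid = props.get("vlan-id")
        if vid is None:
            continue
        if menu == "/interface vlan":
            routed.add(int(vid))
        elif menu == "/interface ethernet switch vlan":
            ports = props.get("ports", "").split(",")
            if any(re.fullmatch(r"switch\d+-cpu", p) for p in ports):
                cpu_tagged.add(int(vid))
    return sorted(routed - cpu_tagged)

if __name__ == "__main__":
    for vid in vlans_missing_cpu_port(SAMPLE_EXPORT):
        print(f"VLAN {vid}: VLAN interface exists, but no switch VLAN entry lists a switch CPU port")
```

A VLAN flagged here is switched between ports in hardware but cannot reach the router's own VLAN interface, so management or routing on it will not work.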
