mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 7:38 am

I have a network running 4 LAN ip subnets, with DHCP server provision from a Mikrotik RB2011 router. ROS 6.40.9
Traffic between the subnets is separated by firewalling, but I am not currently using VLANs because some of the switches were not VLAN compatible.

I wish to start to migrate the network to VLANs, but want to do so in stages.

First I wish to migrate the VoIP network on 192.168.20.0/24 to turn it into a VLAN network.

I plan to use a Cisco 200 24P smart switch that is VLAN capable, but it is currently connected to one of the Ethernet interfaces on the RB2011, and through that interface currently services a Data LAN of subnet 192.168.10.0/24 with no VLAN configuration on either the switch or the Mikrotik at this point, only DHCP provided through the interface link to that LAN.

My question is whether I can connect a second port on the Cisco switch to a free Ethernet interface on the RB2011 and set a VLAN trunk up on that for the Voice network but without causing a loop with the existing traffic.
i.e. can I have two ports on the Cisco switch connected to two interfaces on the RB2011, One VLAN trunked (VLAN20 : 192.168.20.0/24) and one with no VLAN settings (192.168.10.0/24), but without this causing some kind of tragic loop issue.

Will this work? What do I need to consider when setting up the second trunk port to avoid problems? (Or can I just change the existing connection between Cisco switch and the router to a VLAN trunk and it will serve both VLAN and non-VLAN traffic of all the subnets?)
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 8:14 am

You can connect an extra cable from MT to Cisco that you will use for VLAN.

But I would rather use the one you have connected from MT to Cisco.
Create all needed VLAN names on Cisco.
Change the port that connects MT to Cisco to a trunk port on the Cisco.
Then add VLAN tagged on the MT port connecting to Cisco.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 9:18 am

Thanks for reply. I would prefer to change the existing connection to a trunk as you suggest. I think my concern is that some traffic will stop going through the connection or that it may impact traffic on the switches that do not support VLAN elsewhere in the network.

So to be clear, if I change the existing connection between MT and Cisco to a trunk, this won't stop the existing non-VLAN traffic from passing between the two devices on that connection?
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN Mikrotik with Cisco Switch in mixed environment  [SOLVED]

Fri Sep 14, 2018 10:02 am

Don't connect two cables because that will easily cause a loop or spanning tree issues.
You have to decide if you want a true trunk (everything tagged) or a hybrid (one VLAN tagged and the other untagged) on your link.
Both of them work OK but when you want to do a migration a hybrid is probably smoother.
So you just add a VLAN interface on the MikroTik side and a VLAN in the switch with the same tag number.
Don't put the MikroTik-side VLAN interface in a bridge.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 10:25 am

> You have to decide if you want a true trunk (everything tagged) or a hybrid (one VLAN tagged and the other untagged) on your link.
> ...
> Don't put the MikroTik-side VLAN interface in a bridge.

For clarity the hybrid will allow multiple VLANS and untagged as well, or only x1 VLAN and untagged traffic?
and why would there be an issue using VLAN in a bridge on the router side when using a hybrid?
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 2:41 pm

When you have some different VLANs and an external switch there should be no need to have the MikroTik-side VLAN interfaces in a bridge.
Just configure your different subnets (addresses) on the VLAN interface directly and you can define the member of the network on the switch.

The issue is that there may be a conflict with spanning tree.
When you turn off spanning tree on the mikrotik (bridge protocol none) and on the cisco switch it will work OK.
When you want working spanning tree you need to configure a new style bridge (RouterOS >= 6.42, one single bridge with VLANs on it, bridge vlan filtering on)
and that means you lose VLAN switch-like hardware acceleration on the MikroTik.

Yes you can have many VLANs on the port, and untagged as well. You can also choose to have only VLANs (and not use the bare interface) so it is a real trunk.

On the RB2011 there is still the option of using the switch menu (on ether1-5 and the SFP, i.e. the gigabit switch) to configure everything at hardware level.
Vlan tagging, trunked or hybrid ports etc can all be done. But it is unclear if that will remain as the new VLAN-aware bridge is completed.
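
The hybrid link described in the replies above, written out as RouterOS 6.40-style commands. This is an added example, not a configuration posted by anyone in the thread; the port name `ether5`, the router address `.1`, the object names and the DHCP pool range are assumptions.

```routeros
# Assumptions (not from the thread): ether5 is the routed RB2011 port that
# faces the Cisco switch and already carries the untagged 192.168.10.0/24 LAN;
# the router uses .1 in each subnet; all names and the pool range are made up.

# VLAN 20 rides tagged on the existing link; untagged data traffic on ether5
# is left exactly as it is. The VLAN interface is not added to any bridge.
/interface vlan
add name=vlan20-voice vlan-id=20 interface=ether5

# The voice subnet lives directly on the VLAN interface. If 192.168.20.1/24
# is still assigned to the old voice port, remove it there first.
/ip address
add address=192.168.20.1/24 interface=vlan20-voice

# DHCP for the voice VLAN (or re-point the existing server with "set").
/ip pool
add name=pool-voice ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp-voice interface=vlan20-voice address-pool=pool-voice disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1

# Keep the existing subnet separation: tagging alone does not filter routed
# traffic, so the forward rules must name the new interface. "add" appends,
# so move these above any general accept rule in the forward chain.
/ip firewall filter
add chain=forward in-interface=vlan20-voice out-interface=ether5 \
    action=drop comment="voice -> data"
add chain=forward in-interface=ether5 out-interface=vlan20-voice \
    action=drop comment="data -> voice"

# Check the result.
/interface vlan print
/ip address print where interface=vlan20-voice
```

On the switch, the uplink port becomes a tagged member of VLAN 20 while its untagged VLAN stays unchanged, and the phone ports become untagged members of VLAN 20.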
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 7:03 pm

> When you have some different VLANs and an external switch there should be no need to have the MikroTik-side VLAN interfaces in a bridge.
> Just configure your different subnets (addresses) on the VLAN interface directly and you can define the member of the network on the switch.

OK that makes sense for wired connections, but I was under the impression that Wireless VLANS would have to use a bridge on the Mikrotik in order to provision DHCP to devices coming in via the wifi and for the wifi to connect with the VLAN? (I have a wifi subnet and also a hotspot subnet both serviced through an AP with CAPSMAN in the current setup that would both need to migrate to VLAN ID eventually)

> The issue is that there may be a conflict with spanning tree.
> When you turn off spanning tree on the mikrotik (bridge protocol none) and on the cisco switch it will work OK.
> When you want working spanning tree you need to configure a new style bridge (RouterOS >= 6.42, one single bridge with VLANs on it, bridge vlan filtering on)
> and that means you lose VLAN switch-like hardware acceleration on the MikroTik.
>
> On the RB2011 there is still the option of using the switch menu (on ether1-5 and the SFP, i.e. the gigabit switch) to configure everything at hardware level.
> Vlan tagging, trunked or hybrid ports etc can all be done. But it is unclear if that will remain as the new VLAN-aware bridge is completed.

I had seen that there was a new bridge feature for VLANs in the later RouterOS but I am wary of upgrading at this time in case it impacts other areas of the production network.
I run the latest bugfixes, but upgrades to later versions have caught me out before with big changes of underlying methodology, so for now I will probably stay with ROS 6.40. Though in tests at my home office, I didn't need a bridge for the VLAN to work except with the wifi VLAN, as mentioned.

Is there a good way to know spanning tree has a problem quite quickly, or is it just a case of seeing the network starting to deteriorate as traffic increases, and then figuring it out from an elimination process?

Thanks for the info so far, it has been of great help.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Fri Sep 14, 2018 7:46 pm

> OK that makes sense for wired connections, but I was under the impression that Wireless VLANS would have to use a bridge on the Mikrotik in order to provision DHCP to devices coming in via the wifi and for the wifi to connect with the VLAN? (I have a wifi subnet and also a hotspot subnet both serviced through an AP with CAPSMAN in the current setup that would both need to migrate to VLAN ID eventually)

Be aware that VLANs do not normally work over wireless.
VLANs used in association with wireless normally terminate (get untagged) at the wireless access point.
Every SSID or every connection gets tagged with the used VLAN and sent on to the wired side.
The only way to get VLANs transmitted over wireless is in pseudobridge mode, usually in point-to-point or WDS setups.

> Is there a good way to know spanning tree has a problem quite quickly, or is it just a case of seeing the network starting to deteriorate as traffic increases, and then figuring it out from an elimination process?

Normally spanning tree issues become apparent within a few seconds. Interfaces do not come up or come up and go down immediately.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: VLAN Mikrotik with Cisco Switch in mixed environment

Sat Sep 15, 2018 12:03 am

> Be aware that VLANs do not normally work over wireless.
> VLANs used in association with wireless normally terminate (get untagged) at the wireless access point.
> Every SSID or every connection gets tagged with the used VLAN and sent on to the wired side.

Not a problem, it's just for wired side traffic, I don't need it for the wireless itself, but in tests it required a bridge to connect the VLAN with the wireless interface on the Mikrotik to work. Maybe there is a way to do it with the switch option, I will have another test.

Also found this article last night on the latest bridging filter for VLAN: viewtopic.php?t=13593
and from what I can tell it's probably better for me to wait until Mikrotik R&D have really worked out where they are going with VLAN bridging, before upgrading to >ROS 6.42
