Community discussions

MikroTik App
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Manual:Bridge VLAN Filtering with Visio figures (6.41+)

Tue Nov 13, 2018 10:00 am

This is just a copy from the manual. It shows how to setup VLAN using 6.41+ Bridge VLAN Filtering.
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

If you find any error, please let me now so that I can correct it.
I will add more example with configuration and Visio later

VLAN Example #1 (Trunk and Access Ports)
Portbased-vlan1.png
Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Add Bridge VLAN entries and specify tagged and untagged ports in them.
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes
Warning: The PVID value is set to all traffic that enters the bridge and adds the port dynamically to the bridge VLAN table for VLAN ID that matches the PVID value. If you are trying to isolate tagged traffic from untagged traffic, then make sure you have set a PVID to a bridge port that is different from the bridge's PVID value, otherwise these ports will be dynamically added to the bridge VLAN table and will be able to forward traffic from untagged ports.
.
Manual - Bridge VLAN Filtering Example1.jpg
You do not have the required permissions to view the files attached to this post.
Last edited by Jotne on Tue Nov 13, 2018 4:00 pm, edited 2 times in total.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Manual:Bridge VLAN Filtering with Visio figures

Tue Nov 13, 2018 10:03 am

VLAN Example #2 (Trunk and Hybrid Ports)
Portbased-vlan2.png
Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
Add bridge ports and specify pvid on hybrid VLAN ports to assign untagged traffic to the intended VLAN.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example egress VLAN tagging is done on ether6,ether7,ether8 ports too, making them into hybrid ports.
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes
Warning: The PVID value is set to all traffic that enters the bridge and adds the port dynamically to the bridge VLAN table for VLAN ID that matches the PVID value. If you are trying to isolate tagged traffic from untagged traffic, then make sure you have set a PVID to a bridge port that is different from the bridge's PVID value, otherwise these ports will be dynamically added to the bridge VLAN table and will be able to forward traffic from untagged ports.
.
Manual - Bridge VLAN Filtering Example2.jpg
You do not have the required permissions to view the files attached to this post.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Manual:Bridge VLAN Filtering with Visio figures

Tue Nov 13, 2018 10:05 am

VLAN Example #3 (InterVLAN Routing by Bridge)
Bridge-vlan-routing.png
Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no
Add bridge ports and specify pvid for VLAN access ports to assign their untagged traffic to the intended VLAN.
/interface bridge port
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Add Bridge VLAN entries and specify tagged and untagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=bridge1 untagged=ether8 vlan-ids=400
Configure VLAN interfaces on the bridge1 to allow handling of tagged VLAN traffic at routing level and set IP addresses to ensure routing between VLANs as planned.
/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200
add interface=bridge1 name=vlan300 vlan-id=300
add interface=bridge1 name=vlan400 vlan-id=400

/ip address
add address=20.0.0.1/24 interface=vlan200 network=20.0.0.0
add address=30.0.0.1/24 interface=vlan300 network=30.0.0.0
add address=40.0.0.1/24 interface=vlan400 network=40.0.0.0
In the end, when VLAN configuration is complete, enable Bridge VLAN Filtering.
/interface bridge set bridge1 vlan-filtering=yes
.
Manual - Bridge VLAN Filtering Example3.jpg
You do not have the required permissions to view the files attached to this post.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Manual:Bridge VLAN Filtering with Visio figures

Tue Nov 13, 2018 10:09 am

Management port #1
(This is based on previous configutatin)

There are multiple ways to setup management port on a device that uses bridge VLAN filtering. Below are some of the most popular approaches to properly enable access to a router/switch. Start by creating a bridge without VLAN filtering enabled:
/interface bridge
add name=bridge1 vlan-filtering=no
In case VLAN filtering will not be used and access with untagged traffic is desired
The only requirement is to create an IP address on the bridge interface.
/ip address
add address=192.168.99.1/24 interface=bridge1
After that you can enable VLAN filtering:
/interface bridge set bridge1 vlan-filtering=yes
.
Manual - Bridge VLAN Filtering MGMT1.jpg
You do not have the required permissions to view the files attached to this post.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Manual:Bridge VLAN Filtering with Visio figures

Tue Nov 13, 2018 10:11 am

Management port #2
In case VLAN filtering is used and access from trunk and/or access ports with tagged traffic is desired
In this example VLAN 99 will be used to access the device, a VLAN interface on the bridge must be created and an IP address must be assigned to it.
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT
This is missing for the manual and need to be added so the interface do communicate with the bridge
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=1
add bridge=bridge1 interface=ether4 pvid=1
add bridge=bridge1 interface=sfp pvid=1
For example, if you want to allow access to the router/switch from access ports ether3,ether4 and from trunk port sfp-sfpplus1, then you must add this entry to the VLAN table:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99
After that you can enable VLAN filtering:
/interface bridge set bridge1 vlan-filtering=yes
.
Manual - Bridge VLAN Filtering MGMT2.jpg
You do not have the required permissions to view the files attached to this post.
Last edited by Jotne on Tue Nov 13, 2018 10:20 am, edited 2 times in total.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Manual:Bridge VLAN Filtering with Visio figures

Tue Nov 13, 2018 10:13 am

Management port #3
In case VLAN filtering is used and access from trunk and/or access ports with untagged traffic is desired
To allow untagged traffic to access the router/switch, start by creating an IP address on the bridge interface.
/ip address
add address=192.168.88.1/24 interface=bridge1
It is required to add VLAN 1 to ports from which you want to allow the access to the router/switch, for example, to allow access from access ports ether3,ether4 add this entry to the VLAN table:
/interface bridge vlan
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1
Make sure that PVID on the bridge interface matches the PVID value on these ports:
/interface bridge set bridge1 pvid=1
/interface bridge port set ether3,ether4 pvid=1
After that you can enable VLAN filtering:
/interface bridge set bridge1 vlan-filtering=yes
.
Manual - Bridge VLAN Filtering MGMT3.jpg
You do not have the required permissions to view the files attached to this post.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1743
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Manual:Bridge VLAN Filtering with Visio figures (6.41+)

Wed Nov 14, 2018 8:26 pm

Manual:Basic VLAN switching

Other devices without a built-in switch chip. https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip
It is possible to do VLAN filtering using the CPU, there are multiple ways to do it, but it is highly recommended by using bridge VLAN filtering.
Here the MT is configured as a switch with VLAN 20,30 and 99 Tagged on Port 1. VLAN 20 untagged on Port 2. VLAN 30 untagged on Port 3.
Basic_vlan_switching.png
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no pvid=20
add bridge=bridge1 interface=ether3 hw=no pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface bridge
set bridge1 vlan-filtering=yes
Manual - Bridge VLAN Filtering Switch.jpg
You do not have the required permissions to view the files attached to this post.
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 

Who is online

Users browsing this forum: Google [Bot] and 59 guests