Good day everyone,
Just signed up, and this is my first post.
We have been a Cisco and Cisco-equivalent shop for years (Cisco SG/CBS lines, Nexus, Dell PowerConnect and N-Series, etc).
Given global supply chain issues, we have had to pivot a bit in order to ensure we can complete projects in a timely fashion with gear that is equally stable and reliable.
I have been a Mikrotik fan for years, especially as it applies to the niche-space/special-use; however, I have yet to fully engage and go full tilt with it in production environments. With the current situation, and the fact that Mikrotik has made significant in-roads over the past several years (48-port PoE edge switching, hardware offload at both L2 and now L3, cost-effective 10 GB network at the core layer, including VRRP), we are finally considering it as a viable alternative.
Of course, given the completely different CLI (we have no intention of relying upon the Web or GUI options), it's going to take a few weeks for us to become completely acclimated. Already, we have made significant headway, practicing building out Mikrotik-equivalent builds to our standard Cisco builds and standards that we commonly roll out in production.
The networking knowledge is there, so the challenge, thankfully, is limited mostly to conquering the command-side of things.
Anyway, with that said, we have hit a couple of really inconvenient snags that perhaps some of you gurus can help us address. They are as follows:
1. Is there a means of efficiently deploying complex VLAN configuration to multiple port ranges? I am sure most of you are familiar with the "Interface range" command syntax in the Cisco world, so we are looking for something that can be comparable. Before answering, please consider that we have already embarked on using the "[find where ...]" statements and ":for i from=0 to=10 do" one-liners where it makes sense. For instance, using the ":for i" method works well when applying a new PVID to multiple ports in the interface/bridge/ports context. However, when it comes to assigning multiple untagged and tagged VLANs to various port ranges, we have not yet been able to figure out a Cisco-equivalent. This is partly because with VLANs in the interface/bridge/vlans context, the interfaces need to be specified in comma-delimited fashion after the "tagged=" and "untagged=" options. My hope is that we are simply missing something, and that one of you has already figured out a quick and easy way to accomplish this.
2. In most cases, our deployments are customer-specific, and we do not require segmenting or routing multiple customer environments over the same hardware. However, I do like the idea of using vrf to create a pseudo "out-of-band" dedicated management interface that is completely separate from the main bridge and only accessible via a special management network separate from the production customer environment(s). I have been able to create a vrf called "Mgmt", and a separate bridge called "Mgmt". I then add the appropriate port (i.e. ether49 on their 48-port model) to the Mgmt bridge. I realize this second bridge is CPU bound, not hardware offloaded, but it is dedicated only for management via a separate secure network. I then move all IP services off the 'Main' vrf over to the "Mgmt" vrf, create a separate "Mgmt" routing table, and bind it to the Mgmt vrf interface. Lastly, I create a separate default 0.0.0.0/0 route specifically for this vrf. Anyway, until now, I have NOT been able to get it to route properly --- I can access the IP services when bound to the same broadcast domain, but the vrf is inaccessible across subnets. Furthermore, when configured in this fashion, I can no longer ping or run other IP tools from within RouterOS successfully (i.e. no route to host). I assume I am just missing something or incorrectly configuring a portion of it, but I have not been able to figure it out. I just want to confirm that what I am looking to do here is actually possible, which it seems to be, but I don't want to be kicking a dead horse so-to-speak. Of course, if I remove the Mgmt vrf, and move everything back to 'Main' including the IP services, management works across subnets and the Mikrotik appliance is able to access external resources (i.e. auto update, etc).
3. We normally deploy a combination of edge port, bpdu-protection, unknown unicast protection, broadcast protection, and loopback protection on all edge/workstation ports. Mikrotik seems to be able to accomplish most of what I am able to do on the Cisco-end... with the exception of a few items:
- On Cisco devices, I am able to set up an auto-recovery time-frame, where if a port is placed into an err-disable state due to say a loopback condition, the Cisco switch can be configured to auto re-enable the port after say 25 mins, without requiring user intervention. This is not a deal breaker, but does Mikrotik have this capability (i.e. equivalent of err-disable recovery for bpdu protection, loopback protection, etc)?
- With respect to storm-control (unicast, broadcast, and multicast), am I able to set up the control on a percentage basis? For instance, on the Cisco appliances, I can set unicast storm control to 30% of the interface's capacity. Is there something similar on the Mikrotik side in terms of customizing when storm control will kick in?
4. Seems like a stupid question, but I have not figured out yet how to easily check "active" ports from the CLI. Someone on another forum provided a one-liner script that returns a value for checking individual interfaces, but this seems a bit ridiculous to me. If I want to get a complete view quickly in terms of what ports are currently active and in-use, I have had to thus far open the Web GUI to gain a clear picture. Please tell me I am missing something, and it's just a simple command to list all ports currently active from the CLI?
That's it for now.
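For question 1 (tagged/untagged VLAN assignment to port ranges), the following is an added RouterOS v7 script example; it is not part of the original post and not a vendor-supplied snippet. It assumes a bridge named "bridge1", access ports ether1-ether24 in VLAN 10 and ether25-ether48 in VLAN 20, and uplinks sfp-sfpplus1/sfp-sfpplus2 carrying both VLANs tagged; the "rangeList" helper function is a hypothetical name. The point is that the comma-delimited lists that "tagged=" and "untagged=" expect can be built from a numeric range in script, so a port range is expressed once and reused.

```routeros
# Added example (not the poster's config): bulk VLAN table entries on
# RouterOS v7 built from port ranges.  Assumed names: bridge1, ether1-48,
# sfp-sfpplus1/2.  Run this BEFORE turning on vlan-filtering, or from a
# console/OOB session, so a mistake cannot lock you out of management.

# Hypothetical helper: build "ether1,ether2,...,etherN" from a range,
# roughly what "interface range ether1-24" gives you in IOS.
:global rangeList do={
  :local out ""
  :for i from=$start to=$stop do={
    :set out ($out . $prefix . $i . ",")
  }
  # drop the trailing comma so the list is accepted as-is
  :return [:pick $out 0 ([:len $out] - 1)]
}

:local access10 [$rangeList prefix="ether" start=1 stop=24]
:local access20 [$rangeList prefix="ether" start=25 stop=48]
:local uplinks "sfp-sfpplus1,sfp-sfpplus2"

# Step 1: PVID on the bridge ports (the part the post already solved with :for)
/interface bridge port set [find where bridge=bridge1 and interface~"^ether([1-9]|1[0-9]|2[0-4])\$"] pvid=10
/interface bridge port set [find where bridge=bridge1 and interface~"^ether(2[5-9]|3[0-9]|4[0-8])\$"] pvid=20

# Step 2: VLAN table entries; bridge1 itself is tagged so the CPU can reach
# the VLAN if a management IP is later placed on a VLAN interface.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=("bridge1," . $uplinks) untagged=$access10 comment="Users"
add bridge=bridge1 vlan-ids=20 tagged=("bridge1," . $uplinks) untagged=$access20 comment="Voice"

# Verify the resulting table before enabling filtering
/interface bridge vlan print
```

The same helper output can be fed to any parameter that takes an interface list, and the regex in "[find where ...]" keeps the PVID step and the VLAN step selecting exactly the same ports, which is what avoids a port ending up with a PVID that has no matching untagged entry.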
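For question 2 (a management-only VRF on a dedicated bridge), this is an added RouterOS v7 configuration example, not the poster's own configuration and not taken from MikroTik documentation. It assumes ether49 is the out-of-band port, a management subnet of 10.255.0.0/24 with its gateway at 10.255.0.1, and a management station network 10.255.10.0/24 reachable only through that gateway; all addresses are constructed. It also assumes RouterOS 7, where "/ip vrf add" creates the routing table of the same name and "/ip service" and "/ping" accept a "vrf" parameter.

```routeros
# Added example (not the poster's config): management VRF on RouterOS v7.
# Assumed: OOB port ether49, mgmt subnet 10.255.0.0/24 (gw 10.255.0.1),
# mgmt stations in 10.255.10.0/24.  Apply from the console first.

# Dedicated bridge for the OOB port (CPU-switched; acceptable for mgmt only)
/interface bridge add name=Mgmt protocol-mode=none
/interface bridge port add bridge=Mgmt interface=ether49

# The VRF; in v7 this also creates the "Mgmt" routing table, so no separate
# /routing table entry is needed for it
/ip vrf add name=Mgmt interfaces=Mgmt

/ip address add address=10.255.0.10/24 interface=Mgmt

# Default route that lives in the VRF's own table.  The @Mgmt suffix pins
# the nexthop lookup to the VRF so it does not resolve via the main table.
/ip route add dst-address=0.0.0.0/0 gateway=10.255.0.1@Mgmt routing-table=Mgmt comment="Mgmt default"

# Bind management services to the VRF and restrict the allowed sources
# to the management networks only
/ip service set ssh vrf=Mgmt address=10.255.0.0/24,10.255.10.0/24
/ip service set winbox vrf=Mgmt address=10.255.0.0/24,10.255.10.0/24
/ip service disable [find where name~"^(telnet|ftp|www|api)\$"]

# Checks: the default route must show as active (flag A) in the Mgmt table,
# and on-box tools need to be told which VRF to use
/ip route print where routing-table=Mgmt
/ping 10.255.10.5 vrf=Mgmt count=3
```

The two symptoms described in the post (services reachable only on the local subnet, and "no route to host" from on-box tools) are both what you see when a lookup falls back to the main table; the route print and the vrf-qualified ping above are the quickest way to confirm whether the VRF table actually holds an active default route before changing anything else.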
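For question 3 (edge-port protections, auto-recovery and percentage-based storm control) and question 4 (listing active ports), the following is an added RouterOS v7 example; it is not from the original post or from MikroTik. It assumes a CRS3xx-class switch with access ports ether1-ether48 on "bridge1"; the "storm-rate" and "limit-*" switch-port settings are hardware-dependent and this example assumes a switch chip that supports them.

```routeros
# Added example (not the poster's config): edge-port hardening on a CRS3xx
# running RouterOS v7.  Assumed: access ports ether1-48 on bridge1.

# Edge port + BPDU guard on the bridge ports.  BPDU guard shuts the port
# on receipt of a BPDU and it has to be re-enabled by hand; there is no
# recovery timer for it.
/interface bridge port set [find where bridge=bridge1 and interface~"^ether"] edge=yes bpdu-guard=yes

# Loop protect DOES have a recovery timer: on a detected loop the interface
# is disabled and re-enabled after loop-protect-disable-time, which is the
# closest equivalent to "errdisable recovery" for loopback conditions.
/interface ethernet set [find where name~"^ether"] loop-protect=on loop-protect-disable-time=25m loop-protect-send-interval=5s

# Storm control as a percentage of port rate (assumed 30%), applied to
# broadcast, unknown-multicast and unknown-unicast ingress on the switch chip
/interface ethernet switch port set [find where name~"^ether"] storm-rate=30 limit-broadcasts=yes limit-unknown-multicasts=yes limit-unknown-unicasts=yes

# Question 4: "running" is the link-up state, so this lists only the ports
# that currently have a link, without any per-interface scripting
/interface print brief where running

# Same view with speed/duplex, useful after a port was auto re-enabled
/interface ethernet monitor [find where running] once
```

The "where running" filter is the whole answer to question 4; "/interface ethernet print where !running" gives the inverse list, which is handy for spotting a port that loop-protect or BPDU guard has taken down.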