[admin@sw3] > export compact
# oct/09/2019 09:55:04 by RouterOS 6.45.6
# software id = 9NJL-Q743
#
# model = CRS305-1G-4S+
# serial number = AB5C0AA84802
/interface bridge
add admin-mac=74:4D:28:C1:6E:B4 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus3 ] l2mtu=9216 mtu=9216 name=medusa-enp3s0f0 speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216 mtu=9216 name=odin-enp3s0f0 speed=10Gbps
set [ find default-name=sfp-sfpplus4 ] l2mtu=9216 mtu=9216 speed=10Gbps
set [ find default-name=ether1 ] l2mtu=9216 mtu=9216 name=sw0-24 speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] l2mtu=9216 mtu=9216 name=thor-enp3s0f0 speed=10Gbps
/interface vlan
<<< COMMENT: No VLAN1 defined so no way to bind mgmt to a defined VLAN 1... not a big deal >>>
add interface=bridge name=Containerpriv vlan-id=103
add interface=bridge name=DMZ vlan-id=102
add interface=bridge name=Production vlan-id=100
add interface=bridge name=RED vlan-id=666
add interface=bridge name=Storage vlan-id=101
add interface=bridge name=VPN vlan-id=104
add interface=bridge name=wise_guest vlan-id=105
/interface ethernet switch
set 0 name=sw03
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
<<< QUESTION: This defined a logical "bridge" called "bridge" to create an L2 repeat segment. Into this I place physical interfaces as well as logical VLAN ones..... I think.... >>>
/interface bridge port
add bridge=bridge comment=defconf interface=sw0-24
add bridge=bridge comment=defconf interface=thor-enp3s0f0
add bridge=bridge comment=defconf interface=odin-enp3s0f0
add bridge=bridge comment=defconf interface=medusa-enp3s0f0
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge comment=100_105_VLANs tagged=Storage,VPN,DMZ,Containerpriv,wise_guest,RED untagged=Production vlan-ids=""
/interface list member
add comment="sw3-1 SFP to Port0 on 10Gb NIC" interface=thor-enp3s0f0 list=LAN
add comment="sw3-2 SFP to Port0 on 10Gb NIC" interface=odin-enp3s0f0 list=LAN
add comment="sw3-3 SFP to Port0 on 10Gb NIC" interface=medusa-enp3s0f0 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sw0-24 list=WAN
<<< COMMENT: this binds IPs for both management and router interfaces to each VLAN. Seems the mgmt IP 172.16.100.250, which is the GUI mgmt IP, is bound to the first 10Gb port???? >>>
/ip address
add address=172.16.100.250/24 comment=defconf interface=thor-enp3s0f0 network=172.16.100.0
add address=172.16.101.1/24 comment="Storage VLAN IP" interface=Storage network=172.16.101.0
add address=172.16.102.1/24 comment="DMZ IP" interface=DMZ network=172.16.102.0
add address=172.16.103.1/24 comment="Container Segment Private " interface=Containerpriv network=172.16.103.0
add address=172.16.104.1/24 comment="VPN Management IP" interface=VPN network=172.16.104.0
add address=172.16.105.1/24 comment="wise_guest Wifi VLAN" interface=wise_guest network=172.16.105.0
/ip dns
set servers=172.16.100.40,220.127.116.11
/ip route
add distance=1 gateway=172.16.100.1
/ip smb
set comment="sw3 " domain=sw3
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/routing rip network
add network=172.16.101.0/24
add network=172.16.102.0/24
add network=172.16.103.0/24
add network=172.16.104.0/24
add network=172.16.105.0/24
/system clock
set time-zone-name=America/New_York
/system identity
set name=sw3
/system routerboard settings
set boot-os=router-os
/system swos
<<< QUESTION: Not sure what this is about. I think this is saying to use static to bind to tagged VLAN 100 172.16.100.250 but not sure what interface that binds to. I will eventually. >>>
set address-acquisition-mode=static allow-from-vlan=100 identity=sw3 static-ip-address=172.16.100.250
[admin@sw3] >
Question: Is there a command to enable or disable management access on a given interface? Ex: bind an IP to a VLAN (as a router interface then); is that by default capable of responding to mgmt traffic?

In RouterOS there's no a priori distinction between L3 interfaces (those with an IP address bound) with regard to management access (or most other functionality, for that matter). The difference is made by firewall filter rules (and bridge filter rules). The default setup uses two interface lists (WAN and LAN) and allows management access from the LAN interface list. It's up to the router admin to keep interface list membership current. This approach is slightly simplistic (other functionality is bound to the LAN interface list too), so you might want to introduce another interface list (named, for example, management) and construct appropriate firewall filter rules which allow management access from interfaces that are members of that list (and don't forget about the /tool mac-server settings). After that it's a fairly simple act of adding or removing an interface to/from the interface list, which enables or disables management via that interface.
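What that looks like for the sw3 export above, as an added example (not configuration posted in the thread): a dedicated management interface list, an input chain that only admits management sessions from it, and the non-IP services pointed at the same list. The interface and list names Production, LAN, thor-enp3s0f0 and the 172.16.100.0/24 network come from the export; the list name management, the rule set and the choice of ports are assumptions. The export shows no /ip firewall filter rules and the RIP networks imply UDP/520 must stay open, so that is accepted from LAN.

```routeros
# Added example, not from the thread. Assumes the sw3 export above; "management"
# is a new list name chosen here. Apply from a safe-mode session (CTRL-x) so a
# mistaken drop rule is rolled back when the session is lost.

/interface list
add name=management comment="interfaces allowed to reach the switch itself"

# Management rides the tagged Production VLAN interface, not a raw bridge port.
/interface list member
add interface=Production list=management

/ip firewall filter
# Stateful rules first so replies to the switch's own traffic are accepted cheaply.
add chain=input action=accept connection-state=established,related comment="mgmt: accept established/related"
add chain=input action=drop connection-state=invalid comment="mgmt: drop invalid"
# Only members of the management list may open SSH, HTTPS or WinBox sessions.
add chain=input action=accept protocol=tcp dst-port=22,443,8291 in-interface-list=management comment="mgmt: ssh/https/winbox from management list"
# The export runs RIP on the VLANs, so RIP (UDP/520) from LAN must still reach the switch.
add chain=input action=accept protocol=udp dst-port=520 in-interface-list=LAN comment="mgmt: RIP from LAN"
add chain=input action=accept protocol=icmp in-interface-list=LAN comment="mgmt: icmp from LAN"
# Everything else addressed to the switch itself is dropped (WAN included).
add chain=input action=drop comment="mgmt: drop all other input"

# Services the filter does not see: MAC-telnet, MAC-WinBox and neighbor discovery.
/tool mac-server
set allowed-interface-list=management
/tool mac-server mac-winbox
set allowed-interface-list=management
/ip neighbor discovery-settings
set discover-interface-list=management

# Belt and braces: unused plaintext services off, SSH limited to the mgmt subnet,
# and the export's allow-none-crypto=yes turned back off.
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=172.16.100.0/24
set winbox address=172.16.100.0/24
/ip ssh
set strong-crypto=yes allow-none-crypto=no

# Moving management to another segment later is a single list change, e.g.:
# /interface list member set [ find list=management ] interface=VPN
```

The order of the filter rules matters: the accept for the management list must be added before the final drop, and the RIP rule exists only because the export advertises the VLAN networks over RIP; drop it if that is removed.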
Question this does bring up is: do BPDUs for this switch still get pinned to VLAN 1 or are they per VLAN?

Personally I don't have experience with xSTP ... but other members of this forum shared knowledge which goes approximately like this: when using the bridge vlan-filtering way of configuring VLANs, xSTP works correctly over VLANs. Contrast this to the old school way (dumb bridge and VLANs set on switch hardware), where the bridge is unaware of VLANs and xSTP works using untagged frames (which apparently is not the right way).
1) What will this do for VLANs I had already defined and have bound to bridge "bridge"?

This should work as expected ... bridges are independent of each other and it should be just fine to run a VLAN with the same VID on several bridges; those should still be separated. However, none of the Routerboards can run more than a single bridge per switch chip HW accelerated. Meaning the second (and third and ...) bridge on your CRS will not be HW accelerated and all data between ports belonging to the same bridge (even the same VLAN) will pass through the CPU. Which will become a major bottleneck.
2) I am glad DHCP is a service offering on this switch, but is there a link for when I need to pass more advanced options such as bootp / NTP parameters? A link to example documentation is likely all I need.

DHCP server doc. There are DHCP options that are configurable in a "user friendly" way; the rest can be configured through dhcp-option ... but that's messy.
3) This switch does not seem to have a function of apply-to-running vs boot. AKA all commands are real time and if I screw it up I am finding a paper clip to do a hard reset (vs power cycling back to the last saved configuration state).

Indeed.
I saw that there is an OVS virtual machine switch simulator. I assume that this would be a good place to run testing / simulations, but how closely can I match hardware? Is there a good site / documentation on how to set these up? I searched the site / youtube about that and did not find much.

I've no idea about simulators, perhaps some other user can shed a light?
It has a quasi directory structure so I can't just write a script and paste it and it applies (unless there is some mode I am missing).

The configuration script would be a series of CLI commands, written in a plain text file; the usual name extension is .rsc. You can push a script file to the routerboard and then execute /import <filename>. Actually the output of /export is exactly such a script and if it was imported after the device was reset with no defaults, this script would, more or less, regenerate your current config (the resulting script doesn't contain usernames and passwords nor does it contain SSL certificates).
I can't see how to get the GUI to define each interface to bind to a list of VLANs.. so this is CLI only work... which is fine.

The vast majority of things can be set up through both GUI and CLI. The GUI (both Webfig and winbox) more or less follows the CLI hierarchical structure. Just look around the GUI and you'll probably find what you're looking for.
Goal: Define for interface "bridge" for VLAN tagged a list of all physical interfaces for "vlan 105"
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether1 vlan-ids=105
That would work if no "bridge" existed. But it does... and I need to learn how to edit, not just wipe / rebuild.

Most probably the command above fails because there's already a defined list of ports for the given combination of bridge and vlan-ids. (It is possible to have plenty of such stanzas per bridge as long as the bridge & vlan-ids property combination is unique.) However, if there's already such a list and you want to add or remove interfaces, you can always use set like this:
set [ find bridge=bridge and vlan-ids=105 ] tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether1,ether2
set 5 tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether1,ether2
Second question: When I set the switch in "safe mode" by selecting the button in the GUI and export the current configuration in the CLI, I see no difference. I don't trust GUI buttons (especially java). Is there a CLI means to set / unset this?

Use CTRL-x to toggle safe mode on/off ... when safe mode is enabled, the command prompt changes (it gets "<SAFE>" at the end of the prompt prefix).
Third Question: DHCP option to set static reservations. I read that page and it's good for the basics but typical tech documentation, no examples. I have to believe someone has some example of a basic DHCP server with a set of static MAC based reservations.

The easiest way of creating static leases is to let the device obtain a dynamic one. Then convert it to static (while in /ip dhcp-server lease, by using make-static <number> ... and you can replace <number> by a construct something like [ find address=<dynamic address of the device> ] or something like that). After that you can change things (such as the assigned address) using the set ... command.
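Pulling the two DHCP questions together (question 2 on bootp / NTP parameters and the third question on static MAC reservations), here is an added example of a DHCP server on the Storage VLAN from the export; it is not configuration from the thread or from MikroTik's documentation. The Storage interface, the 172.16.101.0/24 addressing and the 172.16.100.40 resolver come from the export; the pool range, the MAC addresses, the TFTP/PXE server 172.16.101.10 and the boot file name are constructed placeholders.

```routeros
# Added example, not from the thread. Storage / 172.16.101.0/24 / 172.16.100.40 are
# from the export; MACs, pool range, 172.16.101.10 and pxelinux.0 are made up.

/ip pool
add name=pool-storage ranges=172.16.101.100-172.16.101.199

/ip dhcp-server
add name=dhcp-storage interface=Storage address-pool=pool-storage lease-time=1h disabled=no

# "User friendly" options are plain properties of the network entry: gateway, DNS,
# NTP (option 42), and the BOOTP/PXE fields next-server (siaddr) and boot-file-name.
/ip dhcp-server network
add address=172.16.101.0/24 gateway=172.16.101.1 dns-server=172.16.100.40 ntp-server=172.16.100.40 next-server=172.16.101.10 boot-file-name=pxelinux.0 dhcp-option-set=storage-opts comment="Storage VLAN"

# Anything without a friendly property goes through a raw option: code is the DHCP
# option number, value the wire bytes. 0x... is hex; option 150 (TFTP server
# address, RFC 5859) wants an IPv4 address, so 172.16.101.10 is 0xAC10650A.
/ip dhcp-server option
add name=tftp-150 code=150 value=0xAC10650A
/ip dhcp-server option sets
add name=storage-opts options=tftp-150

# Static reservations keyed on MAC. Keep them outside the dynamic pool range so a
# reservation never collides with a lease already handed out.
/ip dhcp-server lease
add server=dhcp-storage mac-address=02:00:00:00:01:01 address=172.16.101.21 comment="thor storage NIC (constructed MAC)"
add server=dhcp-storage mac-address=02:00:00:00:01:02 address=172.16.101.22 comment="odin storage NIC (constructed MAC)"

# The route the reply above describes, for a client that already holds a dynamic
# lease: pin it, then move it to its reserved address.
make-static [ find address=172.16.101.150 ]
set [ find mac-address=02:00:00:00:01:03 ] address=172.16.101.23 comment="medusa storage NIC (constructed MAC)"
```

Order matters in one place: the network entry references dhcp-option-set=storage-opts, so create the option and the option set first when typing this in interactively (an imported .rsc is applied top to bottom, so swap the two stanzas there).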
[admin@sw3] > set bridge=bridge comment="Bridge With All VLANs" tagged=Production,Storage,DMZ,VPN,wise_guest,RED,thor-enp3s0f0,odin-enp3s0f0,medusa-enp3s0f0,sfp-sfpplus4,sw0-24 vlan-ids="100,101,102,103,104,105,666"
syntax error (line 1 column 5)

vlan-ids should be either a single value or a value list (comma-separated), not a quoted string. In short: don't use (double) quotes to enclose a list of values.
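A complete bridge VLAN table for the sw3 layout, as an added example that is not configuration from the thread. It covers both the editing question (a second row for the same bridge and vlan-ids is rejected, so an existing row is changed with set) and the syntax error just above (vlan-ids is an unquoted list, and set needs an item selector before any property). Port and VLAN names come from the export; keeping wise_guest (105) off the server trunks, the access-port role for sfp-sfpplus4 and the frame-types/ingress-filtering settings are my choices, added because they are what stops untagged or unknown-VID frames crossing between segments once filtering is on.

```routeros
# Added example, not from the thread. Names are from the sw3 export; the VLAN
# placement, pvid and frame-types choices are assumptions. Run from a safe-mode
# session (CTRL-x): enabling vlan-filtering with a wrong table cuts off management.

/interface bridge vlan
# The export's single row (comment 100_105_VLANs, vlan-ids="") is replaced rather
# than duplicated, since bridge + vlan-ids must be unique per row.
remove [ find comment=100_105_VLANs ]
# Server-side VLANs tagged on the three server trunks and the uplink. The bridge
# itself must be a tagged member too, or the VLAN interfaces defined on it
# (Production, Storage, DMZ, ...) see no frames after vlan-filtering is enabled.
add bridge=bridge comment="server VLANs on all trunks" tagged=bridge,thor-enp3s0f0,odin-enp3s0f0,medusa-enp3s0f0,sw0-24 vlan-ids=100,101,102,103,104,666
# Guest Wi-Fi only needs the uplink, so it gets its own row and never reaches the servers.
add bridge=bridge comment="wise_guest to uplink only" tagged=bridge,sw0-24 vlan-ids=105
# sfp-sfpplus4 as an access port: untagged member of exactly one VLAN.
add bridge=bridge comment="sfp-sfpplus4 access port, Storage" untagged=sfp-sfpplus4 vlan-ids=101

# Changing an existing row: "set" takes [ find ... ] or an item number first, then
# the complete new member list (the error at column 5 above is "set" with no selector).
set [ find bridge=bridge and vlan-ids=105 ] tagged=bridge,sw0-24,medusa-enp3s0f0

/interface bridge port
# Trunks: accept tagged frames only and drop any VID not listed for the port above.
set [ find interface=thor-enp3s0f0 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [ find interface=odin-enp3s0f0 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [ find interface=medusa-enp3s0f0 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [ find interface=sw0-24 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port: untagged frames only; pvid tags them into VLAN 101 on ingress.
set [ find interface=sfp-sfpplus4 ] pvid=101 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# The export binds 172.16.100.250 to the raw port thor-enp3s0f0. Move it to the
# tagged Production interface before filtering starts, or management goes dark.
/ip address
set [ find address="172.16.100.250/24" ] interface=Production

# Last step: switch filtering on.
/interface bridge
set bridge vlan-filtering=yes
```

Verify before leaving safe mode with /interface bridge vlan print and /interface bridge port print, checking that every trunk appears in the tagged column of each row it should carry and that sfp-sfpplus4 appears only as untagged on 101.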