Mikrotik doesn’t have quite the same brand recognition as the bigger players in the SOHO networking space, so it’s a bit of a surprise that Mikrotik has some of the most feature-rich network appliances under $200. I’m not aware of anything else that acts as a layer-3 switch, provides console access, and has the same granular control for the price.
However, the one and only downside of this is that they hide all of these features in the most counter-intuitive interface possible. There are no fewer than three separate sections to edit in order to successfully VLAN-tag an interface in the Mikrotik CLI, and it will silently fail if you omit one of them (!).
Ultimately, my goal is to trunk multiple VLANs from my existing Cloud Router switch in my basement to the five-port RB750Gr2 acting as a switch in my office, so I can move my NTP server (and subnet) upstairs next to the window with good GPS reception. In Mikrotik parlance a ‘trunk’ port is an aggregation port a la 802.3ad, so for clarity’s sake the instructions below are for creating dot1Q (802.1Q tagged) trunks.
– You should have an existing, working VLAN configuration on the switch.
– I’m using a RB750G configured as a simple switch on the other end, with no VLANs configured.
– CRS-125-24G connecting to RB750Gr2, Mikrotik RouterOS 6.40.1 on both devices
STEP 1: Take a backup!
[admin@MikroTik] /> /system backup save name=crs125-24G_20170817
Saving system configuration
Configuration backup saved
a. Download this backup from the web GUI, in the ‘Files’ section
STEP 2: Configure free interface ‘ether24’ on the Cloud Router switch
a. Using ‘ether24’ as the interface in this example, make a comment so you know what the hell it is in six months.
/interface ethernet comment ether24 comment="upstairs. vlan10 vlan100 vlan123"
b. Ensure ‘network-port’ (default) is set for the port
[admin@MikroTik] /interface ethernet switch port> set ether24 vlan-type=network-port
c. Add egress-vlan-tag tagged-ports entries for ether24
[admin@MikroTik] /> /interface ethernet switch egress-vlan-tag print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID TAGGED-PORTS
 0   100     ether1-master ether24 switch1-cpu
 1   10      ether1-master ether24
 2   200     ether2
 3   299     ether2
 4   999     ether2
 5   123     ether1-master
 6 D 4095
[admin@MikroTik] /> /interface ethernet switch egress-vlan-tag set numbers=0 tagged-ports=ether1-master,ether24,switch1-cpu
[admin@MikroTik] /> /interface ethernet switch egress-vlan-tag set numbers=1 tagged-ports=ether1-master,ether24
[admin@MikroTik] /> /interface ethernet switch egress-vlan-tag set numbers=5 tagged-ports=ether1-master,ether24
[admin@MikroTik] /> /interface ethernet switch egress-vlan-tag print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID TAGGED-PORTS
 0   100     ether1-master ether24 switch1-cpu
 1   10      ether1-master ether24
 2   200     ether2
 3   299     ether2
 4   999     ether2
 5   123     ether1-master ether24
 6 D 4095
d. Edit the interface to vlan-id mapping. Output looks like this:
[admin@MikroTik] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid, D - dynamic
 #   VLAN-ID PORTS         SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP
 0   10      ether1-master no  yes   no    no             none
             ether14
             ether15
             ether16
Use this command to open the ‘ports’ value of the entry whose ‘#’ column is ‘0’ in a nano-like editor, add ‘ether24’ at the end of the list, then press Ctrl+O to save and quit:
[admin@MikroTik] /interface ethernet switch vlan> edit 0 ports
Add ether24 to all vlan-ids required, using the above steps.
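Because a VLAN that is present in one of the switch tables but absent from the other just silently drops traffic, it is worth cross-checking the two per-VLAN tables from step 2 (egress-vlan-tag and switch vlan) against each other before cutting over. The script below is an added example, not part of the original post: it parses a constructed export in the RouterOS 6.x `/export` format (modelled on the CRS125 config above, with vlan 123 deliberately left untagged on ether24) and reports every VLAN id where the trunk port is missing from either table.

```python
import re

# Constructed sample in RouterOS 6.x "/export" format, modelled on the CRS125
# config in the post; vlan 123 is deliberately left untagged on ether24 to
# reproduce the silent-failure case (member of the VLAN, but never tagged).
SAMPLE_EXPORT = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-master,ether24,switch1-cpu vlan-id=100
add tagged-ports=ether1-master,ether24 vlan-id=10
add tagged-ports=ether1-master vlan-id=123
/interface ethernet switch vlan
add ports=ether1-master,ether24,ether14 vlan-id=10
add ports=ether1-master,ether24,switch1-cpu vlan-id=100
add ports=ether1-master,ether24 vlan-id=123
"""

def parse_export(text):
    """Group the key=value pairs of each 'add'/'set' line under the menu path above it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            sections[current].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def check_trunk(text, trunk):
    """Return {vlan_id: [problems]} for every VLAN id where 'trunk' is missing
    from either the egress-vlan-tag table or the switch vlan membership table."""
    s = parse_export(text)
    egress = {e["vlan-id"]: e.get("tagged-ports", "").split(",")
              for e in s.get("/interface ethernet switch egress-vlan-tag", [])}
    member = {e["vlan-id"]: e.get("ports", "").split(",")
              for e in s.get("/interface ethernet switch vlan", [])}
    problems = {}
    for vid in sorted(set(egress) | set(member), key=int):
        issues = []
        if trunk not in member.get(vid, []):
            issues.append(f"{trunk} not in switch vlan ports")
        if trunk not in egress.get(vid, []):
            issues.append(f"{trunk} not in egress-vlan-tag tagged-ports")
        if issues:
            problems[vid] = issues
    return problems

if __name__ == "__main__":
    for vid, issues in check_trunk(SAMPLE_EXPORT, "ether24").items():
        print(f"vlan {vid}: {'; '.join(issues)}")
```

Run it against the output of `/export` from the real switch (paste it into `SAMPLE_EXPORT` or read it from a file) with your trunk port name; an empty result means every VLAN is both a member of and tagged on the trunk.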
At this point the Cloud Router switch is ready to trunk via ether24! Now we have to set up the RB750G to accept and de-encapsulate the VLANs.
STEP 3: Configure the RB750G
This part is a bit tricky. I think it’s easiest to dump my working config so you can get an idea of what’s going on, and modify it to suit your environment.
Note that I have my RB750G mgmt interface (switch1-cpu) tied to my management VLAN (vlan100), so it requires some magic to get working without a console connection. I set up two IP addresses and used a direct connection from a laptop to the RB750 to configure the second VLAN-enabled mgmt connection. Once you cut over the switch1-cpu port config to ‘secure’ VLAN type, you lose connectivity to the device if your configs are incorrect. Note to self: Get networking devices with a console connection.
Additionally, I stripped out all of the routing configs and reconfigured the ‘interface ethernet’ ports to all utilize ether1 as the master, renaming it from ‘ether1’ to ‘ether1-master’, and renaming ‘ether2-master’ to ‘ether2’.
Take backups often during configuration, as it is easy to lock yourself out without a console connection. If that happens, just restore default configs and restore the last good backup.
# aug/18/2017 23:36:18 by RouterOS 6.40.1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master
set [ find default-name=ether3 ] master-port=ether1-master
set [ find default-name=ether4 ] master-port=ether1-master
set [ find default-name=ether5 ] master-port=ether1-master
/interface vlan
add interface=ether1-master name=ether1-vlan10 vlan-id=10
add interface=ether1-master name=ether1-vlan100 vlan-id=100
add interface=ether1-master name=ether1-vlan123 vlan-id=123
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface ethernet switch vlan
add independent-learning=yes ports=ether1-master,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1-master,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=yes ports=ether1-master,ether4 switch=switch1 vlan-id=123
/ip address
add address=10.3.100.5/28 comment=vlan100_mgt interface=ether1-vlan100 network=10.3.100.0
/ip dns
set servers=10.3.100.1
/ip route
add distance=1 gateway=10.3.100.1
/system clock
set time-zone-name=America/Detroit
/system ntp client
set enabled=yes primary-ntp=10.3.123.2
STEP 4: Take final backups
/system backup save