We already know from the previous article (https://mikrotik.tips/what-is-vlan/) what a VLAN is: a layer-2 technology that lets you partition your network flexibly. With VLANs you partition a switch logically, through a web or command-line interface. The next question is what a MikroTik RouterBoard does to support VLANs. Which roles can MikroTik devices play in a VLAN design?
Routerboard as a router that does inter-VLAN routing
In this role, the RouterBoard acts as a traditional router that forwards traffic between network segments. The implementation can be:
- Based on physical interfaces
In this case you simply assign an IP address to each interface that connects to a network segment, one physical interface per segment. Make sure the address blocks do not overlap; otherwise traffic for the overlapping part of one subnet is sent out of the wrong interface and never arrives.
- Based on VLAN interfaces
The second approach uses VLAN interfaces on MikroTik. Because VLAN interfaces are virtual, a single physical interface can carry all VLANs as a trunk, which saves physical ports. The router and the switch both speak 802.1Q, so the router recognises the VLAN tag on each incoming frame and hands the frame to the matching VLAN interface; frames it sends out get the tag of that interface. See the picture below.
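As an added example (RouterOS commands written for this page, not taken from the original article), the VLAN-interface approach on a router: ether1 is assumed to be the trunk towards the switch, VLAN 10 (192.168.10.0/24) is assumed to be "users" and VLAN 20 (192.168.20.0/24) "servers". Interface names, VLAN IDs and addresses are made up for the illustration.

```routeros
# Added example, not from the original article. Assumed: ether1 is the trunk
# to the switch; VLAN 10 = users, VLAN 20 = servers; addresses are invented.

# One VLAN interface per VLAN, all on the same physical port (the trunk).
/interface vlan
add name=vlan10-users vlan-id=10 interface=ether1
add name=vlan20-servers vlan-id=20 interface=ether1

# The router is the default gateway of each VLAN.
/ip address
add address=192.168.10.1/24 interface=vlan10-users
add address=192.168.20.1/24 interface=vlan20-servers

# Caveat: a router forwards between its VLAN interfaces by default, so the
# VLAN split alone is not a security boundary. Allow only what users need.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic of allowed connections"
add chain=forward in-interface=vlan10-users out-interface=vlan20-servers protocol=tcp dst-port=443 action=accept comment="users -> servers: HTTPS only"
add chain=forward in-interface=vlan10-users out-interface=vlan20-servers action=drop comment="users -> servers: everything else"
add chain=forward in-interface=vlan20-servers out-interface=vlan10-users action=drop comment="servers must not initiate towards users"
```

The switch side of this setup must tag frames on the port facing ether1 with VLAN 10 and 20 (a trunk port); the access ports stay untagged. Without the forward-chain rules every host in VLAN 10 can reach every port of every host in VLAN 20, because the router happily routes between the two.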
Routerboard as a switch that provides access ports and trunk ports
In its default configuration, a MikroTik device is designed as a layer-3 device (a router), not a layer-2 switch. Depending on the hardware, however, the RouterBoard can be configured to act as a switch that supports VLANs.
- If you use a normal RouterBoard router (a router, not a CRS switch).
Here are the steps:
- First, define the access ports and the trunk port, e.g. ether2 and ether3 are access ports, ether4 is the trunk.
- Create a bridge, e.g. bridge1. CLI: /interface bridge add name=bridge1
- Create a VLAN interface on ether4 with the VLAN ID of the access ports, e.g. vlan10 with vlan-id=10.
- Put ether2, ether3 and vlan10 (not ether4 itself) into bridge1.
With this configuration an untagged frame arriving on ether3 is bridged to vlan10 and leaves the trunk port (ether4) tagged with VLAN 10; a frame tagged with VLAN 10 arriving on ether4 has its tag removed by vlan10 and leaves ether2 or ether3 untagged.
Unfortunately, this method has drawbacks:
- A VLAN interface is bound to one physical interface, so every additional trunk port needs its own VLAN interface (with the same VLAN ID) added to the same bridge, and the configuration grows with every VLAN and every trunk.
- Performance is low, because the bridge forwards frames in software and uses the CPU a lot.
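As an added example (RouterOS commands written for this page, not taken from the original article), the bridge method above written out in full, followed by the equivalent bridge VLAN filtering configuration that RouterOS 6.41 and later offer. The second part goes beyond the article: one bridge carries every VLAN, any number of trunk ports are allowed, and on hardware that supports it the switch chip does the forwarding instead of the CPU. Assumed names: ether2 and ether3 are access ports for VLAN 10, ether4 is the trunk; the two parts are alternatives and a port can belong to only one bridge, so apply one of them, not both.

```routeros
# Added example, not from the original article. Assumed: ether2/ether3 access
# ports for VLAN 10, ether4 trunk. Part A and Part B are alternatives.

# --- Part A: the method described in the article (VLAN interface as bridge port) ---
/interface bridge
add name=bridge1
/interface vlan
add name=vlan10 vlan-id=10 interface=ether4
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
# vlan10 is the bridge port, NOT ether4: adding ether4 itself would also bridge
# untagged frames and frames of every other VLAN arriving on the trunk.
add bridge=bridge1 interface=vlan10

# --- Part B: bridge VLAN filtering (RouterOS 6.41+), replaces Part A ---
/interface bridge
add name=bridge1
/interface bridge port
# pvid=10 puts untagged frames from the access ports into VLAN 10; admitting
# only untagged frames stops a host from choosing a VLAN with its own 802.1Q tag.
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# The trunk accepts only tagged frames, and only for VLANs listed in the table below.
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether4 untagged=ether2,ether3
# Enable filtering last: from this moment frames of VLANs not in the table are
# dropped, including the VLAN you may be managing the router over.
/interface bridge
set bridge1 vlan-filtering=yes
```

In Part B a second trunk is just another port listed under tagged=, and a second VLAN is another /interface bridge vlan entry with its own untagged ports; nothing else changes. The last command is the one that locks you out if the management VLAN is missing from the table, so add that entry (with the bridge itself as a tagged member if the router needs an address in it) before enabling vlan-filtering.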
- If you use a MikroTik layer-2 switch such as the CRS series running RouterOS.
These devices make your life easier because they have a switch chip designed for this job, so you do not need to create a bridge as in the method above. The steps are:
- First define the access ports and the trunk port, e.g. ether2 and ether3 are access ports, ether4 is the trunk. This means ether2, 3 and 4 must belong to the same switch group.
- Configure ether2, 3 and 4 into the same switch group with ether4 as the master port (RouterOS before 6.41; from 6.41 on, ports are grouped by adding them to a bridge with hw-offload instead):
/interface ethernet set ether2 master-port=ether4
/interface ethernet set ether3 master-port=ether4
- Configure the access ports (ingress means incoming frames: an untagged frame, customer-vid=0, gets VLAN 10 added):
/interface ethernet switch ingress-vlan-translation add ports=ether2 customer-vid=0 new-customer-vid=10 sa-learning=yes
/interface ethernet switch ingress-vlan-translation add ports=ether3 customer-vid=0 new-customer-vid=10 sa-learning=yes
- Configure the trunk port (egress means outgoing frames: frames of VLAN 10 leave ether4 with their tag on):
/interface ethernet switch egress-vlan-tag add tagged-ports=ether4 vlan-id=10
- Configure the VLAN membership to isolate the VLAN properly. This means VLAN 10 is available only on ether2, 3 and 4 and nowhere else:
/interface ethernet switch vlan add ports=ether2,ether3,ether4 vlan-id=10 learn=yes
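As an added example (written for this page, not taken from the original article), the same switch-chip configuration extended to two VLANs on a CRS1xx/2xx switch chip, plus the setting that makes the chip enforce the VLAN table. Assumed: ether2 is an access port for VLAN 10, ether3 an access port for VLAN 20, ether4 the trunk carrying both, and the three ports are already in one switch group (the master-port step above).

```routeros
# Added example, not from the original article. Assumed: ether2 = access VLAN 10,
# ether3 = access VLAN 20, ether4 = trunk for both, ports already grouped.

# Access ports: untagged frames (customer-vid=0) get the port's VLAN added.
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=10 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=20 sa-learning=yes

# Trunk: both VLANs leave ether4 tagged. No entry exists for ether2/ether3,
# so frames leave the access ports untagged (this answers the comment below
# about stripping tags on access ports: nothing to strip, nothing is added).
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether4 vlan-id=10
add tagged-ports=ether4 vlan-id=20

# VLAN table: which ports each VLAN may use. ether2 and ether3 share no VLAN,
# so the switch never forwards between them; only a router on the trunk can.
/interface ethernet switch vlan
add ports=ether2,ether4 vlan-id=10 learn=yes
add ports=ether3,ether4 vlan-id=20 learn=yes

# Do not rely on the table alone for isolation. Make the chip drop frames whose
# VLAN is not in the table, or whose ingress port is not a member of that VLAN
# (e.g. a host on ether2 sending frames it tagged with VLAN 20 itself).
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether3,ether4
```

The last command is the security-relevant one: without it, a host behind an access port that sends its own 802.1Q-tagged frames is not necessarily stopped by the membership table, which is exactly the VLAN-hopping case the isolation is meant to prevent.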
- If you use a MikroTik layer-2 switch such as the CSS series or the RB260 running SwOS.
SwOS has a web interface where you configure VLANs. Understand the VLAN concept above and you should be fine. Some VLAN modes on SwOS ports that you need to know:
- disabled: the VLAN table is not used; the switch ignores the VLAN tag of tagged packets.
- optional: packets with a VLAN ID that is not present in the VLAN table are handled like packets without a VLAN tag.
- enabled: packets with a VLAN ID that is not present in the VLAN table are dropped. Packets without a VLAN tag are treated as tagged with the port's default VLAN ID.
- strict: same as enabled, but also checks that the ingress port is a member of the VLAN (drops packets whose VLAN ID and ingress port combination is not present in the VLAN table).
Only strict checks the ingress port itself, so with enabled a host on an access port can still inject frames tagged with another VLAN ID that exists in the table; use strict on access ports if the VLANs are meant to isolate anything.
OK, that's all. You should now understand the MikroTik roles on VLAN and be able to configure VLANs on MikroTik. 🙂
Yay! I can now configure VLAN on my CCR. Thanks a lot!!!
Thank you for visiting us.
I'm wondering why, on an access port, we don't have to strip the VLAN tag explicitly using egress VLAN translation for outgoing frames.
On an access port there is no tag; it's just a plain port.
That's why it's called an access port: it is connected to end devices, which are simple devices that don't need to put tags or other complex settings.
What about native vlan 🙂
Can you elaborate what you mean by native VLAN?
How do we configure an access port and a trunk port for an untagged VLAN?
e.g. untagged VLAN 1 on the trunk port and the access port
Please understand the difference between an access port and a trunk port here: https://mikrotik.tips/what-is-vlan/