MIKROTIKS
SWOS AND VLAN CONFIGURATIONS
System-Routerboard-
Setting int speed/duplex/uptime and usage
BRIDGE
SFP
BRIDGE
Learn_more
Setting up a dedicated mgt port on RouterOS
This avoids being disconnected during VLAN/bridge configuration (for example, when you remove your
interface from a bridge or filter your VLAN out of the connection):
- Blank MikroTiks have all interfaces enabled by default.
INTERFACE LISTS
Interface lists in RouterOS provide a way to group interfaces together for easier management
and configuration. By using interface lists, you can apply settings, firewall rules, or other
configurations to a group of interfaces rather than configuring each interface individually.
Common Use Cases
● Firewall Rules: Apply firewall rules to all interfaces in a list.
● Traffic Shaping: Implement traffic shaping or bandwidth limitations on grouped
interfaces.
● Access Control: Control access to or from groups of interfaces.
● Network Policies: Apply consistent network policies across multiple interfaces.
Creating list
Adding interfaces to list created
VLANS AND BRIDGES ON ROUTEROS
https://systemzone.net/mikrotik-vlan-and-bridge-configuration/
A VLAN divides a physical interface into multiple logical interfaces, so you can isolate your
network into multiple logical networks on one physical interface. A MikroTik bridge, on the other
hand, combines multiple physical interfaces into one logical interface, so you can extend your
broadcast domain, and services such as PPPoE or DHCP, across multiple physical interfaces.
Setup:
The router does the inter-VLAN routing (the VLAN gateway addresses, including the mgt VLAN's,
are assigned to its sub-interfaces/interfaces/VLAN interfaces).
VLAN config
● Log in to your MikroTik router with Winbox using your login credentials.
● Click the Interfaces menu in the left menu bar, then click the VLAN tab.
● Click the PLUS SIGN (+)/Add_New to add a new VLAN interface. A new window named
New Interface will appear.
● Enter a name of your choice for the VLAN in the Name input field.
● Enter your VLAN ID in the VLAN ID input field. If you are creating a VLAN for a WAN
connection, your ISP will provide the VLAN ID. If you are creating a VLAN for your own
network, choose any integer between 1 and 4095.
● Choose the physical interface on which you want to create the VLAN from the Interface
dropdown menu.
● Click the Apply and OK buttons.
Inter-vlan routing
https://systemzone.net/mikrotik-vlan-routing-configuration-with-manageable-switch/
Switch Configuration:??
https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering
Creating the bridge (leave vlan-filtering disabled for now to avoid being kicked out):
/interface bridge
add name=bridge1
Adding ports to the bridge:
/interface bridge port
# ether2: no pvid set, it is the trunk port
add bridge=bridge1 interface=ether2
# ether6: port VLAN 200 (access port)
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Specifying the ports on which each VLAN is tagged or untagged:
/interface bridge vlan
# the trunk port ether2 carries every VLAN tagged
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
Re-enabling VLAN filtering:
/interface bridge set bridge1 vlan-filtering=yes
Example2: TRUNK AND HYBRID PORTS(untagged for some vlan and tagged for others)
A hybrid port refers to a port on a network device that can handle both tagged and untagged
VLAN traffic simultaneously. This capability allows the port to carry traffic from multiple VLANs in
different ways:
1. Tagged VLAN Traffic: The port can receive and transmit frames with VLAN tags. This
means it participates in VLAN trunking and can carry traffic for multiple VLANs, each
identified by a unique VLAN tag.
2. Untagged VLAN Traffic: The port can also carry traffic without VLAN tags. Frames
received on the port without VLAN tags are assumed to belong to a specific VLAN (often
configured as the "native VLAN" or "PVID" - Port VLAN ID).
Use Cases for Hybrid Ports:
● Connecting to End Devices: Hybrid ports are often used to connect to end devices that
do not support VLAN tagging. For example, a computer or IP phone typically sends and
receives untagged traffic in a specific VLAN.
● Trunking to Other Switches or Devices: Hybrid ports can also be used to trunk VLANs
between switches or devices that require different VLAN configurations. For instance,
connecting switches together where some VLANs are tagged and others are untagged.
Hence a tagged port can connect to both end devices and
Create the bridge
/interface bridge
add name=bridge1
Add ports and specify their untagged traffic
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400
Specifying the tagged/untagged VLANs on the ports
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether6,ether8 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2,ether6,ether7 untagged=ether8 vlan-ids=400
Re-enabling VLAN filtering
/interface bridge set bridge1 vlan-filtering=yes
MANAGEMENT CONFIGURATION
Worked Solution 1
Creating the bridge, in case it doesn't exist
/interface bridge
add name=bridge1 vlan-filtering=no
Configuring the IP for the bridge
/ip address
add address=192.168.99.1/24 interface=bridge1
Making sure you can access it from all (tagged/untagged) ports on the bridge / adding the
bridge to the VLAN
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
Assigning the IP to the VLAN (same IP as the bridge)
/ip address
add address=192.168.99.1/24 interface=MGMT
For example, if you want to allow access to the router/switch from access ports ether3,
ether4 and from trunk port sfp-sfpplus1, then you must add this entry to the VLAN table:
# adding interfaces to bridge
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3,ether4,sfp-sfpplus1 vlan-ids=99
Adding ports to the bridge, e.g. if I am connecting the PC and assigning it an IP on port 4
(adding it as a trunk port)
/interface bridge port
add bridge=bridge1 interface=ether4
??? try with access port??
/interface bridge set bridge1 vlan-filtering=yes
Solution 2: Not Tested
In case VLAN filtering is used and access from trunk and/or access ports with untagged
traffic is desired
To allow untagged traffic to access the router/switch, start by creating an IP address on
the bridge interface.
/ip address
add address=192.168.88.1/24 interface=bridge1
It is required to add VLAN 1 to ports from which you want to allow the access to the
router/switch, for example, to allow access from access ports ether3, ether4 add this
entry to the VLAN table:
/interface bridge vlan
add bridge=bridge1 untagged=ether3,ether4 vlan-ids=1
Make sure that PVID on the bridge interface matches the PVID value on these ports:
/interface bridge set bridge1 pvid=1
/interface bridge port set ether3,ether4 pvid=1
After that you can enable VLAN filtering:
/interface bridge set bridge1 vlan-filtering=yes
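A pre-flight check for the lockout risk these notes keep returning to, as an added example (not from the original notes or from MikroTik): it parses bridge port and bridge VLAN lines in the form used above and lists what to fix before setting vlan-filtering=yes. The sample config and the function names are constructed for illustration; management VLAN 99 and bridge1 follow Worked Solution 1, and vlan-ids are assumed to be single IDs or comma-separated lists.

```python
import re

# Constructed sample input in the same form as the commands on this page.
SAMPLE = """\
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2,ether4 vlan-ids=99
"""

def parse(text):
    """Return ({port: pvid}, {vlan_id: {"tagged": set, "untagged": set}})."""
    ports, vlans, menu = {}, {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line  # a menu path applies to the add lines that follow it
            continue
        if not line.startswith("add "):
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if menu == "/interface bridge port":
            ports[kv["interface"]] = int(kv.get("pvid", 1))  # default PVID is 1
        elif menu == "/interface bridge vlan":
            for vid in kv["vlan-ids"].split(","):
                entry = vlans.setdefault(int(vid), {"tagged": set(), "untagged": set()})
                for role in entry:
                    entry[role].update(p for p in kv.get(role, "").split(",") if p)
    return ports, vlans

def preflight(text, bridge="bridge1", mgmt_vlan=99):
    """List problems to fix before setting vlan-filtering=yes."""
    ports, vlans = parse(text)
    issues = []
    for vid, entry in sorted(vlans.items()):
        strangers = (entry["tagged"] | entry["untagged"]) - set(ports) - {bridge}
        for p in sorted(strangers):
            issues.append(f"vlan {vid}: {p} is not a port of {bridge}")
    for port, pvid in sorted(ports.items()):
        if pvid != 1 and pvid not in vlans:
            issues.append(f"{port}: pvid={pvid} but vlan {pvid} has no VLAN table entry")
    if bridge not in vlans.get(mgmt_vlan, {}).get("tagged", set()):
        issues.append(f"vlan {mgmt_vlan}: {bridge} is not a tagged member (no management access)")
    return issues

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)) or "no issues found")
```

An empty list from preflight() means none of these three checks objected; it does not prove the rest of the configuration is correct.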
Inter-VLAN routing is simple: create the VLANs, attach them to a physical interface, then
configure their IPs as the gateway of each VLAN subnet.
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN#Layer2_VLAN_examples
SWOS
MGT configuration
VLAN CONFIGURATION
VLAN FILTERING
ALL VLANS MUST BE SEEN ON SFP since it is acting like a trunk. Here we don't have the
service VLAN; all we see is the mgt VLAN, hence send to trm
Should be like this
IGMP Groups
SNMP
ACL
SYSTEM MGT CONFIG
ERRORS
STATISTICS
RSTP
FORWARDING
SFP STATS
LINK
FORESTMALL IPMUX