Hardware VLAN with MikroTik Routerboards and RouterOS

The task

  1. connect two parts of my network over a fibre connection
  2. different layer 2 segments should be available on both ends of the fibre

The solution

  1. grab two RB2011
  2. grab two SFP modules and 30m fibre
  3. put that together and configure VLANs

The configuration

I'm going to describe a VLAN configuration with two RB2011. Doing so, you must consider some things:

  1. The configuration is done on RouterOS 6.40.5, starting from version 6.41, there are no more master ports but bridges with hardware acceleration
  2. The switch chips used in the RB2011 are Atheros 8327 and 8227
  3. Hybrid (tagged and untagged on same port) ports are not possible with these switch chips!

Okay, we start by configuring the switch (I only used the SFP and the five GBit ports). In my setup, I have two VLANs, VID 100 and VID 200. ether1, ether2 and ether3 should become access ports for VID 100 and ether4 and ether5 should become access ports of VID 200. sfp1 will be the VLAN trunk port.

/interface ethernet
set [ find default-name=ether1 ] master-port=sfp1
set [ find default-name=ether2 ] master-port=sfp1
set [ find default-name=ether3 ] master-port=sfp1
set [ find default-name=ether4 ] master-port=sfp1
set [ find default-name=ether5 ] master-port=sfp1

Next, we need to tell the switch chip what to do: Adding or removing VLAN tags on the specified ports:

/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 11 default-vlan-id=100 vlan-header=always-strip vlan-mode=secure

"Port" 11 is the switch1-cpu. Read on to understand why I need this in my scenario.

Last step is defining the VLAN membership of the ports:

/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,sfp1,ether1,ether2,ether3 switch=switch1 vlan-id=100
add independent-learning=no ports=sfp1,ether4,ether5 switch=switch1 vlan-id=200

You propably noticed that I configured switch1-cpu as "port" in VLAN 100. Why did I so? I did so, because my management IP of the switch resides in VLAN 100. Now I can simply assign the management IP-Address to the switch's master-port and we're done.

The result / topology

The VLAN trunk is between SW-01 und SW-02 on the left side of the network map.

Conclusion

The VLAN functionality is a little limited but will be sufficient for most SOHO environments. Performance on the other hand is great. Full wire speed - nothing to complain about.

Maybe you're asking yourself why I don't use a CRS for that. I really like to and bought two CRS210, but I can't get the VLAN up and running. I already contacted the distributer as I cannot get them running as described in MikroTik's Wiki (https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN).

If anyone has a clue, let me know!

Go back