Managment VLAN MikroTik

Managment VLAN MikroTik

This post will discuss different ways of setting up a Managment VLAN on your MikroTik router or switch. Bridging RouterOS on different MikroTik gear has always been troublesome due to the different ways of going about it. This post isn’t to discuss these differences, but to look specifically at ways to add a management IP to your device while using bridging to turn your router into a switch.

This will be the reference architecture I’ll use as a demonstration.

Network Diagram

Option 1 – Out-of-band Management/Spare port

Leave one port out of the bridge to use as a management port on each downstream switch. Obviously, this isn’t ideal as it eats up an extra port and requires uplinking to your router (which usually has limited ports), and isn’t very scalable. Though simple, this is usually not what happens in the real-world, unless you are building a completely out-of-band management solution. Here, the yellow represents the out of band management with a physically separate cable/port from each switch to a separate port on the router.

Out of band management

You could also use a separate switch to aggregate all your out-of-band management connections to one port on the router, but again, this requires additional ports, cables, and hardware.

Out of Band Management with Switch

Option 2

Set the PVID (Port VLAN ID) of the bridge interface to your management vlan. This isn’t always ideal because it breaks things like romon and mactelnet if you use those.

lan_bridge as access port (set PVID)

From the router, you wouldn’t be able to use rommon to connect to the downstream switches. This would be the configuration you’d use if vlan 3 is your management vlan.

/interface bridge
add ingress-filtering=no name=LAN_Bridge pvid=3 vlan-filtering=yes

This will untag all packets tagged with vlan 3 inbound to switch1 on the LAN_Bridge. This breaks romon because it’s layer 2 only. Untagged packets are going to be coming inbound from vlan 1 on the router by default, and won’t be forwarded to the LAN_Bridge port, where romon should be listening. So, while this is a perfectly acceptable solution, it’s maybe not the best solution for usability and security. This would be mostly equivalent to a “native vlan mismatch” in the Cisco world. While all your tagged vlan traffic will flow, romon won’t work.

Option 3

This is the preferred option, and the one listed in MikroTik documentation. Though I find their explanation a bit lacking so I’ll attempt to clarify further here. This method involves creating a vlan interface on the LAN_Bridge interface as a sub-interface. This will tag traffic from the CPU port on ingress, and ship it upstream over the trunk links to the router.

VLAN Interface

This leaves the native/untagged vlan as vlan 1, so that romon will work. Below is an example config.

Under /interface add a new vlan interface for vlan 3, with a parent interface of lan_bridge.

VLAN Interface Winbox

Under /interface bridge vlan add the lan_bridge interface as tagged for vlan 3.

Bridge VLAN Tag

CLI config:

/interface bridge
add ingress-filtering=no name=lan_bridge vlan-filtering=yes

/interface vlan
add comment="mgmt interface" interface=lan_bridge name=vlan3-mgmt vlan-id=3

/interface bridge vlan
add bridge=lan_bridge comment=management-vlan tagged=lan_bridge vlan-ids=3

Wrap-up

Hopefully this helps clarify management vlans on MikroTik devices for you. This seems to be a pretty confusing topic on these devices and so far I haven’t found a guide thourough enough to help new users. Especially folks who may have come from a Cisco background. Also see https://www.sisulink.com/post/cisco-vlans-to-mikrotik for more information on VLANs on MikroTik.

Leave a Reply

Your email address will not be published. Required fields are marked *