Management VLAN MikroTik


This post will discuss different ways of setting up a management VLAN on your MikroTik router or switch. Bridging in RouterOS has always been troublesome because different MikroTik hardware goes about it in different ways. This post isn’t about those differences; it looks specifically at ways to add a management IP to a device that uses bridging to act as a switch.

This will be the reference architecture I’ll use as a demonstration.

Network Diagram

Option 1 – Out-of-band Management/Spare port

Leave one port out of the bridge on each downstream switch and use it as a management port. Obviously, this isn’t ideal: it eats up an extra port, requires an uplink to your router (which usually has limited ports), and doesn’t scale. Though simple, this is usually not what happens in the real world unless you are building a completely out-of-band management network. Here, the yellow represents the out-of-band management path, with a physically separate cable/port from each switch to a separate port on the router.

Out of band management

You could also use a separate switch to aggregate all your out-of-band management connections to one port on the router, but again, this requires additional ports, cables, and hardware.

Out of Band Management with Switch

Option 2

Set the PVID (Port VLAN ID) of the bridge interface to your management vlan. This isn’t always ideal because it breaks things like romon and mactelnet if you use those.

lan_bridge as access port (set PVID)

From the router, you wouldn’t be able to use romon to connect to the downstream switches. This is the configuration you’d use if vlan 3 is your management vlan.

/interface bridge
add ingress-filtering=no name=LAN_Bridge pvid=3 vlan-filtering=yes

This untags vlan 3 on the bridge interface itself (the CPU port of switch1), so vlan 3 frames arriving on the trunk are delivered untagged to the switch’s own IP stack, and its management traffic leaves tagged as vlan 3. This breaks romon because romon is layer 2 only. Untagged frames from the router arrive on vlan 1 by default, and since the LAN_Bridge port is now only a member of vlan 3, they are never forwarded to it, which is where romon is listening. So, while this is a perfectly acceptable solution, it’s maybe not the best solution for usability and security. It is mostly equivalent to a “native vlan mismatch” in the Cisco world: all your tagged vlan traffic will flow, but romon won’t work.

Option 3

This is the preferred option, and the one listed in the MikroTik documentation. I find their explanation a bit lacking, so I’ll attempt to clarify it further here. This method creates a vlan interface on the LAN_Bridge interface as a sub-interface. Traffic from the CPU port is tagged on ingress to the bridge and shipped upstream over the trunk links to the router.

VLAN Interface

This leaves the native/untagged vlan as vlan 1, so that romon will work. Below is an example config.

Under /interface add a new vlan interface for vlan 3, with a parent interface of lan_bridge.

VLAN Interface Winbox

Under /interface bridge vlan add the lan_bridge interface as tagged for vlan 3.

Bridge VLAN Tag

CLI config:

/interface bridge
add ingress-filtering=no name=lan_bridge vlan-filtering=yes

/interface vlan
add comment="mgmt interface" interface=lan_bridge name=vlan3-mgmt vlan-id=3

/interface bridge vlan
add bridge=lan_bridge comment=management-vlan tagged=lan_bridge vlan-ids=3
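The three snippets above only show the management pieces. Below is an added, complete Option 3 configuration for one downstream switch; it is an example written for this post, not MikroTik’s own documentation. It assumes port roles and addresses that the post does not state: ether1 is the trunk to the router, ether2 the trunk to the next switch, ether3–ether4 are access ports on an assumed user vlan 10, and the management subnet is 10.0.3.0/24 with the router at 10.0.3.1 and this switch at 10.0.3.2. The order matters: the bridge vlan table, the vlan3-mgmt interface and its address are all in place before vlan-filtering is switched on, so you do not cut off your own management session.

```routeros
# Added example (not from the original post). Assumed names/values:
# ether1 = trunk to router, ether2 = trunk to next switch,
# ether3-ether4 = access ports on assumed user vlan 10,
# management subnet 10.0.3.0/24, router 10.0.3.1, this switch 10.0.3.2.
# Run from a terminal in Safe Mode (Ctrl+X) so a mistake that cuts
# management access is rolled back automatically.

# 1. Bridge with VLAN filtering OFF for now; it is enabled last.
/interface bridge
add name=lan_bridge vlan-filtering=no

# 2. Bridge ports. pvid stays 1 (the native/untagged vlan that romon uses)
#    except on the access ports, which untag vlan 10 for attached hosts.
/interface bridge port
add bridge=lan_bridge interface=ether1
add bridge=lan_bridge interface=ether2
add bridge=lan_bridge interface=ether3 pvid=10
add bridge=lan_bridge interface=ether4 pvid=10

# 3. Bridge VLAN table. The management vlan is tagged on both trunks AND on
#    lan_bridge itself (the CPU port); that is what lets the vlan3-mgmt
#    sub-interface see vlan 3 frames. vlan 10 is tagged on the trunks and
#    untagged on the access ports. vlan 1 is left untouched as the
#    untagged vlan on the trunks, so romon keeps working from the router.
/interface bridge vlan
add bridge=lan_bridge comment=management-vlan tagged=lan_bridge,ether1,ether2 vlan-ids=3
add bridge=lan_bridge comment=users tagged=ether1,ether2 untagged=ether3,ether4 vlan-ids=10

# 4. Management sub-interface on the bridge, its address and default route.
/interface vlan
add comment="mgmt interface" interface=lan_bridge name=vlan3-mgmt vlan-id=3
/ip address
add address=10.0.3.2/24 interface=vlan3-mgmt
/ip route
add gateway=10.0.3.1

# 5. Only now turn on VLAN filtering; the table above is already complete.
/interface bridge
set [find name=lan_bridge] vlan-filtering=yes

# 6. Limit management services to the management subnet so hosts on
#    vlan 10 cannot reach Winbox/SSH on the switch at all.
/ip service
set winbox address=10.0.3.0/24
set ssh address=10.0.3.0/24
set telnet disabled=yes
```

The router side needs a matching vlan 3 sub-interface carrying 10.0.3.1 on whichever bridge or port faces the trunk, and vlan 3 must be tagged on that trunk port in the router’s bridge vlan table as well. After the switch comes back, `/interface bridge vlan print` should show the static vlan 3 and vlan 10 entries plus a dynamic vlan 1 entry listing lan_bridge and both trunks as untagged; if vlan 3 is missing lan_bridge in the tagged column, the management IP will not answer.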

Wrap-up

Hopefully this helps clarify management vlans on MikroTik devices for you. This seems to be a pretty confusing topic on these devices, and so far I haven’t found a guide thorough enough to help new users, especially folks who may have come from a Cisco background. Also see https://www.sisulink.com/post/cisco-vlans-to-mikrotik for more information on VLANs on MikroTik.
