How to set up MikroTik RouterOS bridge VLAN filtering
Many network engineers find that there is very little MikroTik RouterOS cannot do, from full core network configurations to edge networking and last-mile CPE. With the right network knowledge (or a quick search or two) you can create, implement and troubleshoot very complex networks, ranging from a basic flat Layer 2 network to MPLS, BGP, OSPF and much more. RouterOS is very intuitive once you have a grasp of the basics.
In this Tech-Tip we show how straightforward it is to create VLANs on a bridge with both tagged and untagged ports in a basic environment. (Configuration based on RouterOS v6.41.)
RouterOS v6.41 introduced VLAN filtering on the bridge. It provides VLAN-aware Layer 2 forwarding and VLAN tag modification within the bridge. With this feature the bridge behaves much more like a conventional managed Ethernet switch, and it addresses the compatibility issues of the earlier, non-VLAN-aware bridge.
Figure 1 shows the main setting: vlan-filtering on a bridge interface, which controls VLAN awareness and tag processing in the bridge. With vlan-filtering disabled, the bridge ignores all VLAN tags, works in Shared VLAN Learning (SVL) mode, and cannot add or remove tags on the bridge or on ports within the bridge. Note that tagged frames still pass through such a bridge untouched, so leaving filtering off does not isolate VLANs; it only makes the bridge blind to them.
(Figure 1)
With vlan-filtering enabled, all bridge VLAN functionality is active and the bridge works in Independent VLAN Learning (IVL) mode: the bridge can add and remove tags and forwards or drops traffic per VLAN. The bridge does not only join Layer 2 interfaces for forwarding; the bridge itself is also an interface and has its own Port VLAN ID (PVID).
Figure 2 shows the bridge VLAN table and how VLANs are added to the bridge on specific interfaces. Each entry maps a VLAN to a set of ports together with an egress (outgoing) tag action:
- Tagged ports send frames out with the learned VLAN ID in the tag (trunk ports).
- Untagged ports strip the VLAN tag before sending a frame out, provided the learned VLAN ID matches the port's PVID (access ports).
(Figure 2)
Please note: the vlan-ids parameter of an entry can specify a set or range of VLANs, but multiple VLANs in a single bridge VLAN table entry should only be used for trunk ports. If multiple VLANs are listed for access ports, tagged packets might be sent out untagged through the wrong access port, regardless of the PVID value, which silently breaks the isolation the VLANs were meant to provide.
Figure 3 shows the bridge host table. It lets you monitor learned MAC addresses and, when vlan-filtering is enabled, the VLAN ID each address was learned on as well.
(Figure 3)
Note: when using VLAN filtering, add all desired interfaces to the bridge and configure the VLANs before you enable vlan-filtering. If done in the wrong order, you may lose management access to your device. RouterOS Safe Mode (Ctrl+X in the terminal, or the Safe Mode button in WinBox) reverts your changes automatically if the session drops, so use it while making these changes.
Example:
- Add the bridge interface and do not enable vlan-filtering yet.
- Add the bridge ports and set the pvid on the VLAN access ports so that untagged traffic is assigned to the intended VLAN. Ether2 is the trunk port, so do not set a pvid on it.
- Add the bridge VLAN entries and specify the tagged and untagged ports for each VLAN.
- Lastly, once all VLAN configuration is done, enable vlan-filtering.
For this example, the trunk port is ether2 and the access ports are ether6, ether7 and ether8.
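The following RouterOS CLI configuration is an added example, not from the original Tech-Tip, that carries out the four steps above and builds the bridge VLAN table described under Figure 2. It assumes the bridge is named bridge1, the access VLANs are 10 (ether6), 20 (ether7) and 30 (ether8), and a management VLAN 99 is carried tagged on ether2 and on the bridge itself; the 192.168.99.1/24 address and the interface name mgmt-vlan99 are likewise chosen for illustration. The frame-types and ingress-filtering settings on the access ports are a hardening step the original text does not mention.

```routeros
# Added example (not from the original Tech-Tip). Assumed names/IDs:
# bridge1, access VLANs 10/20/30 on ether6/7/8, management VLAN 99.

# Step 1: create the bridge with vlan-filtering left off for now
/interface bridge
add name=bridge1 vlan-filtering=no

# Step 2: add the ports. Access ports get a pvid; the trunk (ether2) does not
# (it keeps the default pvid of 1). frame-types + ingress-filtering make an
# access port drop any tagged frame a host sends, so a host cannot inject
# frames into another VLAN (VLAN hopping). The trunk only admits tagged frames.
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Step 3: bridge VLAN table. One VLAN per entry for the access VLANs (see the
# note on vlan-ids ranges above); the trunk is tagged in every entry. The
# bridge itself is a tagged member of VLAN 99 so the router stays reachable.
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=10
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=20
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=30
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=99

# Layer 3 management interface on VLAN 99, on top of the bridge
/interface vlan
add name=mgmt-vlan99 interface=bridge1 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=mgmt-vlan99

# Step 4: only now turn filtering on (do this from Safe Mode)
/interface bridge
set bridge1 vlan-filtering=yes

# Checks: the VLAN table should list each VLAN with its tagged/untagged ports,
# and the host table should show learned MACs with the VLAN they came in on.
/interface bridge vlan print
/interface bridge host print
```

After the final step, a device on ether6 should only reach hosts in VLAN 10 or the far end of the ether2 trunk; if `/interface bridge host print` shows a MAC learned on a VLAN you did not expect, check the pvid of that port and the untagged list of the matching VLAN entry before anything else.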
With MikroTik the networking possibilities are virtually endless, and adding VLANs lets you segment and grow your network cleanly. There are numerous scenarios where VLANs prove effective, and in today's internet-driven environment they are increasingly common.
To find out more about MikroTik and how it can improve your network, join our Certified MikroTik training.
Click here to view our upcoming training and book your seat today!