I have the following configuration in mind. I know how to do it on a Cisco router but I am coming unstuck with the RB450G.

I have Port1 for WAN access, this be ignored, it is removed from the switch.

I would like:

Port2/4/5, vlan100 Untagged, No other vlans allowed
Port3, vlan100 Tagged, vlan200 Tagged
Both ports to be secure, if the frame doesn't match what is expect it should be dropped.

vlan100, 172.16.0.1/24
vlan200, 172.16.1.1/24

Thanks
Mecc

This is a router, not a switch, it does not have the concept of "tagged" and "untagged" ports. Every VLAN that is added to it is treated as it's own separate routed interface.

Your terminology is slightly off when you say no other VLANs allowed on ports 2,4,5, but what I am assuming you want to do is plug devices into ports 2,4,5 that will then have access to VLAN100, and that these devices are not VLAN aware. You can duplicate some of the VLAN functionality, but it's not very efficient as you have to use the bridge to do it. Set up VLAN100 on ehter3, and then bridge ether2,4,5 and VLAN100 together. Then set up VLAN200 on ehter3 as well, but don't bridge it with anything.

Set the IP and subnet for VLAN100 on the bridge, and the same for VLAN200. Then set up firewall filter rules to drop traffic between them.

You can use this manual page http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features for looking for answers on your questions.

It looks like the 8316 switch capable hardware is present in the 450G. I could assist you with setting the device up as a switch, but have not been able to figure out how to duplicate layer 3 switch functionality (IP routing policies). I'm sure I'm just missing something small, so perhaps someone could pipe in on how to add your IPs on VLAN100 and VLAN200.

To disallow VLANs you just set the port VLAN mode to secure. This means that if the VLAN is not present in the table for the applicable port, the frame is dropped. For your "access" port, you will need to strip the VLAN headers on egress, and for your "trunk" port, you will need to add tag if missing. You will also need to add VLAN 0 to the table for your "access" port if you set the VLAN mode to secure. From there, you just set up basic switching forwarding policies to tell it which ports to forward to given the presence of a particular VLAN tag. an example that may do what you are requesting, minus the IP's:
**remember that port-id 2 is actually ethernet 3 since the port-id's start at 0**

/interface ethernet switch port
set 1 vlan-header=always-strip vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=always-strip vlan-mode=secure

/interface ethernet switch rule
add new-dst-ports=ether2,ether4,ether5 ports=ether3 switch=switch1 vlan=header-present vlan-id=100
add new-dst-ports=ether3 new-vlan-id=100 ports=ether2,ether4,ether5 switch=switch1 vlan-header=not-present

/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100
add ports=ether2,ether4,ether5 switch=switch1 vlan-id=0

What I'm guessing we are still missing, that unfortunately I don't know how to resolve as of yet is:
1. '/interface ethernet switch rule' that forwards VLAN 200 to some sort of routing interface.
2. '/interface ethernet switch vlan' that allows VLAN 200 on port 3 and whatever routing interface we determine
3. some way to add the IP. I have tried many different methods, but cannot get the L2 switch and IP router functions to work simultaneously. I wanted to get the IP routing working for management functionality myself, but gave up and used a Cisco switch when I got some resistance. Will probably post a question elsewhere so I don't hijack your thread. Hope this helped a little..

This is a router, not a switch, it does not have the concept of "tagged" and "untagged" ports. Every VLAN that is added to it is treated as it's own separate routed interface.

Your terminology is slightly off when you say no other VLANs allowed on ports 2,4,5, but what I am assuming you want to do is plug devices into ports 2,4,5 that will then have access to VLAN100, and that these devices are not VLAN aware. You can duplicate some of the VLAN functionality, but it's not very efficient as you have to use the bridge to do it. Set up VLAN100 on ehter3, and then bridge ether2,4,5 and VLAN100 together. Then set up VLAN200 on ehter3 as well, but don't bridge it with anything.

Set the IP and subnet for VLAN100 on the bridge, and the same for VLAN200. Then set up firewall filter rules to drop traffic between them.

YES - A Cisco router can act link a switch also.
Example - lets say you have a 3-Ethernet port router. You can have one port act like a normal port (non 802.1q) and two other ports running 802.1q. It is easy to configure all Vlans on one 802.1q ethernet port to show up on the other 802.1q port and.... also you can have the single non-802.1q port also show up as a vlan on the two 802.1q ports. All mac addresses can pass transparrently through the Cisco router.

All you have to do is configure and use BVIs. I do this all the time where I have an 802.1q port on my Cisco router connected to a Mikrotik ethernet port that is also an 802.1q port.

Here is a sample clip-it of the configuration you need to put in on the Cisco router (note I removed my IP addresees from the config):

!
bridge irb
!
!
interface FastEthernet0/0
description a fast ethernet to one of my old cisco routers
no ip address
duplex full
!
interface FastEthernet0/0.1
description Native Vlan 1 (under interface GigabitEthernet0/2)
encapsulation dot1Q 1 native
!
interface FastEthernet0/0.101
description used for some stuff
encapsulation dot1Q 101
bridge-group 101
!
interface FastEthernet0/0.152
encapsulation dot1Q 152
bridge-group 152
!
interface FastEthernet0/0.717
encapsulation dot1Q 717
bridge-group 17
!
interface FastEthernet0/0.800
description also used for some stuff
encapsulation dot1Q 800
bridge-group 80
!
interface GigabitEthernet0/1
description Washington to Idaho microwave link using media converters
ip address a.d.f.g 255.255.255.252
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
description connected up to a media converter
no ip address
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2.1
encapsulation dot1Q 1 native
!
interface GigabitEthernet0/2.32
encapsulation dot1Q 32
bridge-group 32
!
interface GigabitEthernet0/2.101
encapsulation dot1Q 101
bridge-group 101
!
interface GigabitEthernet0/2.102
encapsulation dot1Q 102
bridge-group 102
!
interface GigabitEthernet0/2.152
encapsulation dot1Q 152
bridge-group 152
!
interface GigabitEthernet0/2.717
encapsulation dot1Q 717
bridge-group 17
!
interface GigabitEthernet0/2.800
encapsulation dot1Q 800
bridge-group 80
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface BVI17
description used to bridge some stuff
no ip address
!
interface BVI32
description used for my vlan 32
ip address 10.1.81.2 255.255.255.252
!
interface BVI80
description This BVI80 is used to bridge stuff for my private back-door wan
no ip address
!
interface BVI101
description this BVI101 (BVI 101) is used as the WAN between c and d
no ip address
!
interface BVI102
description WAN location a and b
no ip address
!
interface BVI152
description used to bridge vlan 152
no ip address
!
!
ip route 0.0.0.0 0.0.0.0 x.y.z.a name Default_Route
ip route a.b.c.d 255.255.255.240 Null0 100 name This_IP_Range_No_Longer_used
ip route m.n.o.p 255.255.255.0 s.t.u.v
!
!
bridge 17 protocol ieee
bridge 17 route ip
bridge 32 protocol ieee
bridge 32 route ip
bridge 80 protocol ieee
bridge 80 route ip
bridge 101 protocol ieee
bridge 101 route ip
bridge 102 protocol ieee
bridge 102 route ip
bridge 152 protocol ieee
bridge 152 route ip
!

One thing - a note - when using a multi-ethernet port Cisco router as a layer2/layer3 switch, you can have Vlan 100 on one ethernet 802.1q port pop out on Vlan 213 on a different 802.1q ethernet port.
Also - for those who use T1 point to point stuff - you can change over to Frame-Relay on the T1 and then pass all of your Vlans through a T1.

Now if you really want to get fancey - you can also use VRFs mixed with BVIs and make it so that it looks like many different routers on different networks where nothing crosses between the virtual VRF routers. So you end up with what looks like more than one router and more than one switch - all inside a simple Cisco router.

Tom Jones

Anyone know the method behind the madness for managing a mikrotik with the 8316 switch chipset? The OP essentially asked the same thing as he wanted to assign an IP to a VLAN interface hanging off of a port.

Anyone know the method behind the madness for managing a mikrotik with the 8316 switch chipset? The OP essentially asked the same thing as he wanted to assign an IP to a VLAN interface hanging off of a port.

why do you need a switch chip at all? why not just use VLAN interface in RouterOS?

Anyone know the method behind the madness for managing a mikrotik with the 8316 switch chipset? The OP essentially asked the same thing as he wanted to assign an IP to a VLAN interface hanging off of a port.

why do you need a switch chip at all? why not just use VLAN interface in RouterOS?

Reading the OP again, it does appear that is what he wants to do. Suppose I will post my question on a new thread. As far as the OP's request, is this what you were hinting at?

/interface vlan add name=vlan100 vlan-id=100 interface=ether3
/interface vlan add name=vlan200 vlan-id=200 interface=ether3
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=vlan100
/ip address add address=172.16.0.1/24 netmask=255.255.255.0 broadcast=172.16.0.255 interface=vlan100
/ip address add address=172.16.1.1/24 netmask=255.255.255.0 broadcast=172.16.1.255 interface=vlan200

Hi Mecc,

I recently brought a RB450G (not sure what version running on the device, ver5.5 i guess) and would like create something quite similar (2 Vlan with 1 untagged port on each VLAN) as what you outlined on last post however when I enter the following command on either interface 3,4,5 an error message appeared "failure: device already enslaved". Any idea?

/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5

Your RB450G likely still has the Mikrotik default configuration, which is mostly useless.
In Terminal enter and you'll have a blank router to start with.

The version number is in the titlebar of the winbox window.

Thanks for your kind assistance dog, you are wonderful. Cheers.