Thanks @mkx
I took the switch config from the "Switch with a separate router" example and re-wrote it. Can I get a sanity check before I go about deploying it?
The only thing I still have to figure out is whether my Cisco switch will pass the native VLAN packets over the trunk port to the Mikrotik with a VLAN 1 tag or untagged. I'm assuming that it will tag even the native VLAN traffic on a trunk port.
Two additional questions:
- How can I reset the device / regain access to the console if I mess up my connectivity, since these don't seem to have a physical console/serial port?
- How do you rename interfaces? The default names of "sfp-sfpplus1" are bulky, I'd prefer to name them just "sfp1"
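###############################################################################
# Device: Jon-Mikrotik-5p-1
# RouterOS: 6.44.5 (long-term)
# Date: 2020-03-03
# Notes: Start with a reset (/system reset-configuration)
#        Apply from a Safe Mode session: the final "vlan-filtering=yes" is the
#        point where a mistake in the VLAN table cuts off management access,
#        and Safe Mode rolls the changes back if the session is lost.
#
# 2020-03-03 JW Initial Configuration
###############################################################################
#######################################
# Naming
#######################################
# name the device being configured
# NOTE(review): the header above says "Jon-Mikrotik-5p-1" but this sets
# "-4p-1"; pick one so the identity matches the documentation.
/system identity set name="Jon-Mikrotik-4p-1"
#######################################
# VLAN Overview
#######################################
# 1 = Base/Main VLAN (management; the only VLAN the bridge itself joins)
# 2 = Storage VLAN
# 3 = Guest Wifi VLAN
# 9 = Connectivity VLAN
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior: untagged frames arriving on the port are placed in the pvid VLAN
/interface bridge port
# sfp-sfpplus1 untagged VLAN 9 to Win 10 Box
add bridge=BR1 interface=sfp-sfpplus1 pvid=9
# egress behavior: the VLAN table entry that strips the tag on the way out
/interface bridge vlan
# sfp-sfpplus1 untagged VLAN 9 to Win 10 Box
add bridge=BR1 untagged=sfp-sfpplus1 vlan-ids=9
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior (pvid is left at its default; tagged-only admission is set
# in the "VLAN Security" section below)
/interface bridge port
# Trunk Port - ether1 to Cisco Gigabit Switch
add bridge=BR1 interface=ether1
# Trunk Port - sfp-sfpplus2 to vCenter
add bridge=BR1 interface=sfp-sfpplus2
# Trunk Port - sfp-sfpplus3 to FreeNAS
add bridge=BR1 interface=sfp-sfpplus3
# Trunk Port - sfp-sfpplus4 to pfSense
add bridge=BR1 interface=sfp-sfpplus4
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, so the bridge (BR1) is not a tagged member
# except of BASE_VLAN, which carries the switch's own management IP.
# VLAN 9 already has a table entry from the access-port section, so it is
# extended with "set". VLANs 2 and 3 have no entry yet and must be created
# with "add": a "set [find vlan-ids=2]" on a missing entry matches nothing
# and silently leaves that VLAN off every trunk.
add bridge=BR1 tagged=ether1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=2
add bridge=BR1 tagged=ether1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=3
set bridge=BR1 tagged=ether1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 [find vlan-ids=9]
add bridge=BR1 tagged=BR1,ether1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1
#######################################
# IP Addressing & Routing
#######################################
# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/ip address add address=172.30.42.222/24 interface=BASE_VLAN
# The Router's IP this switch will use (no dst-address given, so this is the
# default route 0.0.0.0/0)
/ip route add distance=1 gateway=172.30.42.225
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=sfp-sfpplus1]
# Only allow ingress packets WITH tags on Trunk Ports.
# NOTE: a Cisco IOS 802.1Q trunk sends its native VLAN untagged by default;
# with admit-only-vlan-tagged on ether1 those frames are dropped. Either tag
# the native VLAN on the Cisco side ("vlan dot1q tag native") or make sure
# nothing needed rides untagged across that trunk.
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus4]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network:
# neighbor discovery, MAC-Telnet and MAC-Winbox answer on BASE_VLAN only.
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
# Last step: from here on only the VLAN table above decides what is forwarded,
# so verify management access over BASE_VLAN before leaving Safe Mode.
/interface bridge set BR1 vlan-filtering=yes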