Thanks for the details @mkx
Just to clarify regarding the bridge as interface: both ways can be used:
- Define L3 on the bridge, set the pvid for the desired VLAN on the bridge and add the bridge as an untagged member of the designated VLAN in /interface bridge vlan
- Create a VLAN device with "/interface vlan add interface=BRIDGENAME name=VLAN_interface_name vlan-id=SOMEVLAN", add the bridge as a tagged member in "/interface bridge vlan"; the L3 configuration is then done on the VLAN_interface_name interface.
a) Both ways serve the same purpose and the difference is basically consistency in the way one does the configuration. Yes, this gets messy, but did I get it right? Actually, assuming there is no real difference, I would prefer the first approach, as this would, at least in my mind, be analogous to an ether interface that is included in the bridge VLAN. Ether has a wire to a device and a logical link to the bridge; the bridge is "virtually wired" to RouterOS and also linked logically to the VLAN bridge... messy... forget the last sentence.
Now my final questions on how I concretely plan to migrate the network to VLANs:
I have three CRS326 spread around the house and one RB3011. Switch 1 is the core switch to which switches 2 and 3 connect. My PC is connected to switch 3. Currently there are no VLANs, so on the CRS all (physical) ports are members of a bridge named bridge with pvid=1, just as the default config sets it up. The RB3011 has no bridge; ports 1 and 2 connect to the WAN router and port 10 to switch 1. The following picture shows it, leaving out the WAN part.
[Attachment: Basic Structure.png]
Instead of a big bang and locking myself out again as I tried with pcunite's scripts, I want to migrate step by step. Basically I want to configure a VLAN-separated network with all VLANs configured and trunks established, but in a first step with all devices (= access ports) on VLAN 1 and the ROS devices on VLAN 99. When that works, meaning everything functions as today and is reachable, I will start to transfer (reconfigure) access ports to other VLANs.
Step 1: On the router, create a bridge and add ether5 as a trunk port. Create the 8 VLAN interfaces for all 8 VLANs to create the L3/IP configuration points (IP addressing, DHCP) for all VLANs. Set vlan-filtering=yes on the bridge. Also keep ether10 connected to switch1 to maintain connectivity for the time being, as ether5 (trunk port) will not work yet. (ether10 is currently configured as the gateway for the LAN, so nothing changes, and thinking of it, I should not IP-configure the VLAN interface for VLAN 1 on ether5 just yet.)
Step 2: Switch2 (furthest away from my PC) gets port 1 configured as a trunk with all 8 VLANs, including VLAN 1, tagged; all other ports get defined as untagged VLAN 1 ports (access ports). Additionally, create a VLAN device for the bridge and add it to VLAN 99. When activating "/interface bridge set bridge vlan-filtering=yes", I'm sure my SSH connection gets terminated and all devices attached to the CRS will be unreachable for the time being.
Step 3: Same as the first step, but on the core switch (switch1), except that I configure not 1 but 3 trunk ports, one to each switch and one to the router (ether5 on the router). After activating vlan-filtering, I shouldn't have access any more to switch1, switch2 and the router.
Step 4: Repeat step 2 on switch3 with one trunk port that connects to switch1. After activating vlan-filtering the SSH connection might break or not. But at the latest after reconnecting, my PC should be a device within VLAN 1 of the VLAN-separated network. Within VLAN 1 I can connect to the other devices (server, printer), as all should be on VLAN 1. I should also be able to connect to the switches and the router, as the traffic from VLAN 1 to VLAN 99 should be routed by default on the router (currently no firewall settings) based on the IP addressing.
My final questions:
a) Does that way of migration make sense, or did I overlook something or miss any caveats?
b) I wouldn't set "ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged" for the time being, as I'm not sure yet what the filtering does exactly. But when it is not activated, could it be that even after setting vlan-filtering=yes on switch2, the trunk port accepts traffic from switch1 and tags it (ingress) as VLAN 1, which makes it a hybrid port? On the way back, the traffic leaving switch2 towards switch1 again gets or stays tagged as VLAN 1 (egress), whereas switch1, still having vlan-filtering=no, doesn't care about the tag and is happy to share the packets with all ports as usual? That would mean devices on switch2 would still be reachable throughout the migration.
c) After I have transferred all devices from VLAN 1 to their respective target VLANs by changing the configuration of the access ports, I would keep all other (currently unused) ports in VLAN 1 as a catch-all VLAN and set the firewall on the router to deny any traffic (src=IP range of VLAN 1). This way, anybody plugging a device into a network socket in the house will get an IP but nothing else, and complain ;-), and based on the IP I can conclude that he/she landed in VLAN 1 and then transfer his/her access port to the right VLAN. Any reason speaking against this approach?
d) After the migration I would like to install the two MikroTik APs and try CAPsMAN. One gets connected to switch1 and the other to switch3. The APs shall broadcast 2-3 WLANs, which in turn are associated with 2-3 different VLANs. I would then need to transform the two ports where the APs are connected into trunk ports, right?
Looking forward to your response. I'm anxious to start and am already running through the house, taking notes on which device is plugged into which port....
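Added example (editor's, not from the post, from pcunite's scripts or from MikroTik documentation): the RouterOS commands for Step 1 on the RB3011 and Step 2 on switch2 as the post describes them, using the post's second method (a VLAN interface on the bridge) for the management VLAN 99 and the routed VLANs, and its first method (bridge pvid) for VLAN 1 on the router. Everything not stated in the post is an assumption: VLAN IDs 1, 10, 20, 30, 40, 50, 60, 70 for the 8 VLANs and 99 for the RouterOS devices, the 10.0.<vlan-id>.0/24 address plan with the router at .1, ether1 as the trunk on switch2, and that the CRS326 still has the default bridge named bridge with ether1-ether24 as members at pvid=1.

```routeros
# Added example, not from the post. Assumed VLAN IDs: 1,10,20,30,40,50,60,70 (the 8 VLANs),
# 99 for the RouterOS devices. Assumed addressing: 10.0.<vlan-id>.0/24, router = .1.

# ---------- RB3011 (router), Step 1 ----------
# New bridge with ether5 as its only member (the trunk to switch1). ether10 stays outside
# the bridge and keeps serving the LAN until the switches are done.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether5
# L3 for the routed VLANs lives on VLAN interfaces on top of the bridge (the post's second method).
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan70 vlan-id=70
add interface=bridge name=vlan99-mgmt vlan-id=99
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.30.1/24 interface=vlan30
add address=10.0.40.1/24 interface=vlan40
add address=10.0.50.1/24 interface=vlan50
add address=10.0.60.1/24 interface=vlan60
add address=10.0.70.1/24 interface=vlan70
add address=10.0.99.1/24 interface=vlan99-mgmt
# VLAN table. The bridge itself must be a tagged member of every VLAN that has a VLAN
# interface on it, otherwise those interfaces receive nothing once filtering is on.
# VLAN 1 is tagged on the trunk but untagged on the bridge (bridge pvid=1, the post's
# first method); it gets no address yet, ether10 still serves that subnet.
/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=bridge vlan-ids=1
add bridge=bridge tagged=bridge,ether5 vlan-ids=10,20,30,40,50,60,70,99
/interface bridge
set bridge vlan-filtering=yes

# ---------- CRS326 "switch2", Step 2 ----------
# Assumes the default bridge named "bridge" with ether1-ether24 as members at pvid=1.
# ether1 = trunk to switch1; every other port stays an untagged VLAN 1 access port via its pvid.
/interface vlan
add interface=bridge name=vlan99-mgmt vlan-id=99
/ip address
add address=10.0.99.12/24 interface=vlan99-mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.99.1
/interface bridge vlan
# VLAN 1 tagged on the trunk; the access ports join it untagged dynamically through pvid=1.
add bridge=bridge tagged=ether1 vlan-ids=1
add bridge=bridge tagged=ether1 vlan-ids=10,20,30,40,50,60,70
# Management VLAN: the bridge itself is a tagged member, so vlan99-mgmt receives the frames.
add bridge=bridge tagged=ether1,bridge vlan-ids=99
# Check the table before enabling filtering: the VLAN 99 entry with "bridge" in it must
# already exist, or the switch becomes unreachable on every port.
/interface bridge vlan print
/interface bridge port print
# Enable filtering last. Expect the SSH session to drop unless it already arrives over VLAN 99.
/interface bridge
set bridge vlan-filtering=yes
```

Switch1 (Step 3) and switch3 (Step 4) take the same switch block with only the trunk list changed, for example tagged=ether1,ether2,ether24 on switch1 for the two switches and the router. Two caveats from the editor: with the trunk port left at its default pvid=1 and no frame-types restriction, untagged frames arriving on the trunk are still classified into VLAN 1 while tagged VLAN 1 frames are accepted as well, which is the hybrid behaviour question b) asks about; once both ends of a link carry VLAN 1 tagged, frame-types=admit-only-vlan-tagged on the trunk ports turns that off. And RouterOS Safe Mode (Ctrl+X in the terminal) reverts the changes when the session is lost, which is exactly what Step 2 expects to happen, so apply these commands outside Safe Mode or via the serial console, not from a Safe Mode SSH session that is about to drop.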