I currently have the following

1 x RB2011AHx2
3 x CRS125
1 x CSR326

I'm currently using Winbox on the PC (VLAN 100) and the nework is working as expected, I receive an IP from the DHCP on the router from the VLAN 100 interface. All is good.

But on Winbox I can only see the router on the Neighbors list, not the switches. I can however connect to them from Winbox using their IP address directly.

Strange thing is that the PC is physically connected through the switch in order to reach the router...

The IP Discovery setting on all routers/switches is set to ALL interfaces. If I run a Tools > Torch on any of the switches when I hit Refresh on the Winbox neighbors tab you can see the incming /outgoing broadcast, so I just don't get why the packet never reaches the PC.

If I connect to any of the switches using Winbox, and go to IP > Neighbors all switches and the router are displayed.

Any thoughts?

Thanks

James

It depends on whether you have configured VLAN interfaces with an IP address in VLAN 100 on all equipment.
Separating management and access has it advantages, but also disadvantages as you noticed...
Of course you can also connect to RoMON and see all devices that are in the same L2 network.

So on all switches I have a VLAN 99 interface which is attached to the bridge. the VLAN99 interface is then given an IP address on the switch, like 172.16.99.x

I do not have any firewall rules blocking inter-VLAN, so I would have though a broadcast from the PC running Winbox will be able to see all switches using MNDP...

Thanks

Yes, but your PC is on VLAN 100.
So you need to do that for VLAN 100 as well.
Or move the PC to VLAN 99.
Broadcast does not travel outside the VLAN.

So add a VLAN100 interface to all the switches too, and also give them all an IP in the VLAN 100 range? But then what is the point of the VLAN99 management interface to keep things separate?

Yes, of course the best thing is to put the PC in VLAN 99 (you want to do management, right?)
When you have separate management VLAN but routing between the management and access VLAN, it is of little value anyway.

Indeed, but this PC is not a dedicated PC just for accessing the management interface, and is gnerally on VLAN100 as the other devices are. I just want to be able to see the switches via Winbox, even though the PC is on VLAN100. I understand your point now about the broadcast only searching the VLAN100 subnet and thus it cannot see the switches on the different VLAN.

You can manually add the switches in the "Managed" tab of winbox, or you could see if RoMON is useful for you.

Indeed, but this PC is not a dedicated PC just for accessing the management interface, and is gnerally on VLAN100 as the other devices are. I just want to be able to see the switches via Winbox, even though the PC is on VLAN100.

Both MAC and IP access from WinBox to MT devices offer identical functionality from UI point of view so if connectivity over IP works for you, that's it. Just remember (write down, whatever) IP addresses of your switches and be done with it. Or, alternatively, configure DNS server with switch names. Whatever it is, DHCP client running on switch is more or less out of question, IMO LAN infrastructure devices must have IP addresses set statically (true static, typed in on each device separately).

There are two cases where MAC access has advantage over IP access:

1. discovery ... it displays devices available (inside same broadcast domain) so you don't have to remember IP addresses
2. access when MT device IP setup is non existing or incorrect
3. perhaps some other use case that I never run into ...

Use case #2 is kind of state of emergency and you should prepare for it by allocating a port which belongs to management VLAN and in such moment you will connect your PC to that (management) prot.

Use case #1 is comodity / laziness and if you really want to get away with it, you might want to reconsider your own ideas about LAN security.

Yes, the use of a management VLAN complicates things, and I think it is not very useful when you have routing between the user VLAN and the management VLAN anyway.
In a setup where you have customers that are out of control (like an ISP) it of course is a good idea to have management in a separate network, but then you would have no routing between them. A pathway between the normal network and the management network could be made using a VPN or a stepping stone host that is on both networks.

RoMON provides some ways to doing this, although of course it is not very secure. When you configure RoMON on all devices, you can "connect to RoMON" on a device you see (e.g. the router on VLAN 100) and then you see all devices that this devices sees on its other L2 networks (including the management VLAN) and you can connect to them.
Without IP configuration and without being in the same broadcast domain (VLAN). The router functions as a stepping stone host.

Thanks to both of you. I will indeed not worry bout the switches being "visible" on the network and just allow management via their static IP's from an allowed host.

Cheers