After a day of trying to figure out how to configure VLAN on a Mikrotik Cloud Router Switch, I finally got it to work!
So, first things first: VLAN (Virtual Local Area Network) is a neat feature on Layer 2 devices (a.k.a. switches) that offers virtual segmentation on a physical switch. In other words, we are able to segregate different networks on one physical port of the switch. This is particularly helpful when you are trying to segregate departments but don’t have enough physical ports to do so.
There are two types of ports that VLANs use: access and trunk. Access ports are used to connect to the end devices, whereas trunk ports are used to carry traffic for the different VLANs between devices.
Now, back to the post. I was trying to segregate the intranet from the local network, so VLAN came to the rescue. We were trying to figure out how to do VLANs on our Netgear switch to the Cyberoam router. However, we realized that our Netgear switch doesn’t have the capability to do VLAN routing, which allows VLANs to communicate with one another at Layer 3. So, after doing our research, we found out that the Mikrotik Cloud Router Switch has the feature to do VLAN routing.
For testing purposes, here is my topology:
Cloud Router Switch:
- Port 1 is connected to the Cyberoam router (192.168.88.2/24)
- Port 9-16 (IT) is VLAN 20 (192.168.20.0/24)
- Port 17-24 (SALES) is VLAN 30 (192.168.30.0/24)
Cyberoam router:
- Port E is connected to the CRS (192.168.88.1/24)
- Port E.20 (192.168.20.248/24)
- Port E.30 (192.168.30.248/24)
Okay, let’s get started with the configuration:
- Configure the “slave” ports (the ports that are connected to the end devices) to talk to the “master” port. In our case, the master port will be our trunk port (port 1), the port that will communicate with the router and will separate the VLANs.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TRUNK
set [ find default-name=ether9 ] master-port=ether1-TRUNK name=ether9-IT
set [ find default-name=ether10 ] master-port=ether1-TRUNK name=ether10-IT
set [ find default-name=ether11 ] master-port=ether1-TRUNK name=ether11-IT
set [ find default-name=ether12 ] master-port=ether1-TRUNK name=ether12-IT
set [ find default-name=ether13 ] master-port=ether1-TRUNK name=ether13-IT
set [ find default-name=ether14 ] master-port=ether1-TRUNK name=ether14-IT
set [ find default-name=ether15 ] master-port=ether1-TRUNK name=ether15-IT
set [ find default-name=ether16 ] master-port=ether1-TRUNK name=ether16-IT
set [ find default-name=ether17 ] master-port=ether1-TRUNK name=ether17-SALES
set [ find default-name=ether18 ] master-port=ether1-TRUNK name=ether18-SALES
set [ find default-name=ether19 ] master-port=ether1-TRUNK name=ether19-SALES
set [ find default-name=ether20 ] master-port=ether1-TRUNK name=ether20-SALES
set [ find default-name=ether21 ] master-port=ether1-TRUNK name=ether21-SALES
set [ find default-name=ether22 ] master-port=ether1-TRUNK name=ether22-SALES
set [ find default-name=ether23 ] master-port=ether1-TRUNK name=ether23-SALES
set [ find default-name=ether24 ] master-port=ether1-TRUNK name=ether24-SALES
- Add VLAN 20 and 30 to the trunk port
/interface vlan
add interface=ether1-TRUNK name=vlan20 vlan-id=20
add interface=ether1-TRUNK name=vlan30 vlan-id=30
- Configure the master port to accept both VLAN 20 and 30 tags
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=20
add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=30
- Configure the ports to read their respective VLAN tag
/interface ethernet switch egress-vlan-translation
add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=0 \
add customer-vid=30 customer-vlan-format=untagged-or-tagged new-customer-vid=0 \
- Configure the ports to wrap the packet with the respective VLAN tag
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports="ether9-IT,ether10-IT,ether11-IT,et\
add customer-vid=0 new-customer-vid=30 ports="ether17-SALES,ether18-SALES,ether1\
- Configure the ports to accept their respective VLAN tags
/interface ethernet switch vlan
- Configure IP addresses for the VLANs and the trunk port
/ip address
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.88.2/24 interface=ether1-TRUNK network=192.168.88.0
- Configure the gateway (Cyberoam)
/ip route
add distance=1 gateway=192.168.88.1
For the Cyberoam Router, I will configure port E with the IP address of 192.168.88.1/24 and add VLAN 20 (192.168.20.0/24) and VLAN 30 (192.168.30.0/24).
And voila! Devices on VLAN 20 are able to communicate with one another; however, they will not be able to communicate with VLAN 30, and vice versa.
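Before relying on this segmentation, the switch rules above can be checked for consistency. The script below is an added example, not part of the original post: it audits a RouterOS export for access ports mapped into two VLANs, VLANs that are not tagged on the trunk, and access ports that also send tagged frames. The function names, the sample export, and its shortened port lists are assumptions constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample export (not from the original post); port lists are shortened
# and assumed from the topology (IT ports in VLAN 20, SALES ports in VLAN 30).
SAMPLE = r'''
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=20
add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=30
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports="ether9-IT,ether10-IT,et\
    her11-IT"
add customer-vid=0 new-customer-vid=30 ports="ether17-SALES,ether18-SALES"
'''

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    # Assumption: a trailing backslash wraps a line and the indent that follows is ignored.
    text = re.sub(r"\\\n\s*", "", text)
    menus, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            menus[current].append(dict(pairs))
    return menus

def audit(text, trunk="ether1-TRUNK"):
    """Return a list of findings; an empty list means every check passed."""
    menus = parse_export(text)
    findings, port_vlan = [], {}
    tagged = {r["vlan-id"]: set(r["tagged-ports"].split(","))
              for r in menus["/interface ethernet switch egress-vlan-tag"]}
    for rule in menus["/interface ethernet switch ingress-vlan-translation"]:
        vid = rule["new-customer-vid"]
        if trunk not in tagged.get(vid, set()):
            findings.append(f"VLAN {vid} is not tagged on {trunk}")
        for port in rule["ports"].split(","):
            if port in port_vlan and port_vlan[port] != vid:
                findings.append(f"{port} is in VLAN {port_vlan[port]} and VLAN {vid}")
            port_vlan[port] = vid
    for vid, ports in tagged.items():
        for port in sorted(ports & set(port_vlan)):
            findings.append(f"access port {port} also sends VLAN {vid} tagged")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

To check a real device, pass the text of its own export to `audit()` in place of `SAMPLE`.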