Thank you so much for nice comment, and thanks for watching the video!

I was just want write same comment. At last I fully understand vlans on mikrotik. Thank you

Indeed

Glad it was helpful!

This is not done by MikroTik, they are not endorsing me in any manner and have never reached out to me for any sort of publicity. This is my own personal project where I wanted to make information like this more accessible to everyone in the community. I will take this as a compliment though ^^ And feel free to leave any suggestions or comment on the work that I have done.

@@TheNetworkBerg Well in that case good on you. Shame Mikrotik still haven't woken up to this. Even when I wrote that I was thinking it was a bit of a shock to see them finally doing this - something they should have been doing for some time.

Hahaha they definitely can be, especially if you are a bit dyslexic.

Thank you very much!

That's basically what I did with mine since all the ports are attached to the bridge.

Plus having 2 bridges you end up not being able to use hardware offloading on one bridge, at least on my device.

Thanks you for the kind words, yeah I agree MikroTik is definitely something different when it comes to L2 networking. I've seen many people on Reddit or Facebook groups generally asking about VLANs because it seems to be the most confusing subject regarding MikroTik. My videos covering VLANs are also the most viewed on my channel so it's definitely something a lot of people look into that they feel they need help with.

Glad you like them!

Wow, thanks!

Thank you for the kind words, I do not currently have a video covering port spanning/mirroring but I will definitely consider it. I have thought about creating a video series covering more layer 2 concepts and reached out to my community on KZbin regarding it. I am just waiting to see if someone is willing to provide me with a couple of switches to better demonstrate things, but if not I may just use some small routeboards for the demonstrations as well :)

I totally agree and this was a whoopsie from my side ^^

Thank you very much David, it is definitely not expected but I do appreciate it very much!

Busy working on it :D!

You picked up words of my mouth.

Thank you for the comment and I agree with you if you are just going to be doing basic switching behind the MikroTik to a LAN/DMZ network. I actually covered ZeroTier back in December, it was one of my most viewed videos at the time. You can catch that video here: kzbin.info/www/bejne/m3esZmygf5eAg5o Although the video was made during v7 Beta the principles are still exactly the same, only bad thing is that ZT on MikroTik is a bit outdated :C

@@TheNetworkBerg Tnx, ill have a look.

Much appreciated!

Thank you for the kind words, I believe my third scenario illustrates how to setup a single bridge with multiple VLANs over it. Although I take it you are talking about creating multiple VLAN interface and just adding the interfaces to the same bridge like on the second scenario. That's definitely another viable option, similar to how you can create a VLAN interface and instead of binding it to a physical interface you bind it to the bridge and then any ports within the bridge will be tagged for all the VLANs inside of it. It's just kind of more ways how to accomplish the same thing on with different steps. I am still amazed at how many different and new ways that I wasn't even aware of before this video that you can also use to configure VLANs. Maybe MikroTik needs to revise how VLANs can be configured on their devices and standardize it to a single format for people to more easily understand and absorb. Although that might also take away some of the awesome custom solutions people come up with by using these different and unique ways of configuration.

@@TheNetworkBerg You definitely should've pointed out that the 3rd way is the optimal way of doing VLANs because it's the only way of preserving hardware offloading across all VLANs on devices with switch chip. It works for both switching CRS series and routing RB/CCR series of devices, obviously if said device has a switch chip, but even if it doesn't.

@@Soda88 I think what I want to make clear in the next video is that the scope of how VLANs are being covered in the MTCRE is not quite in the same light as what many people's expectations are. Which is to implement VLANs on their LAN/DC networks on a switching layer. The MTCRE focuses more on using VLANs as a way of extending the network and routing traffic between devices. To optimally understand VLANs and many L2 concepts like port mirroring, STP, etc I would suggest looking at the MTCSWE certification which focuses more on the aspect of using MikroTik for switching purposes. My ultimate goal after the next video is for a user to be able to add a VLAN on a Routerboard/CCR/CHR/x86 device to span a L2 service from an edge to a CPE to deliver IP services and route traffic.

@@Soda88 aha ! so 3rd way to preserve the hardware offloading, that was my question after watching this incredibly well explained material!

Sorry fabi, this is a netrunner channel 😁

Yes it is perfectly fine to go for the RE directly afterwards

You're welcome! Thank you for supporting the channel ^^!

Correct.

Hahahaaha dankie! Nee dit is 'n eerste :P!

Correct, most of the new hardware with the "Bridge" method with HW Offload and specifying /interface bridge ports is essentially telling the router to use the switch chip for which VLANs and which ports. This video is aimed at the MTCRE certification, and how to use VLANs on MikroTik routers. I really cannot comment on CAPsMAN or MikroTik APs as I do not use it or these devices. Perhaps in the future I will get a few APs and configure CAPsMAN to see if there is some reliance on setting tags up directly on the switch chip.

Thank you for the kind words. I think my third example currently illustrates this where I have configured a single bridge with VLAN10/VLAN20 being done at a Layer 2 level on MikroTik 2 and MikroTik 3.

how you think,if after router i put Cisco 3750x or cisco 4948 and trunk all vlans to swich and delete bridges,then cpu use can down to 40-60 ?i now bridge use from cpu but i think cpu can up to 100% when i will ad 5-6 bridge((

(I'm using the 'Bridged VLAN' method)

i have a same question about this

If you have a L3 device configured with both vlans in the same routing table they will be able to communicate. You need to add Firewall Forward rules to restrict traffic between the VLANs

@@TheNetworkBerg Ah okay. So by default the 'Mikrotik1' (who assign IP address using DHCP, to both VLAN) allow it to be communicating each other. So I have to add the Firewall Forward rules in the the 'Mikrotik1'. Am I right? Thank you

Most probably, which is sort of what the third scenario in the video covers. I am also covering the MTCRE which treats VLANs a bit in a different light as we use it as a means for extending networks and spanning L2/L3 services while working on RouterBoards/CCRs/CHRs/x86's etc If you want to get more into best practices for how to configure a MikroTik as a switch on platforms like the CRS and implementing this in a LAN or DC then there is a completely different track covering that which is called the MTCSWE (MikroTik Certified Switching Engineer)

For a school network or general campus/dc setups I would highly suggest using the single bridge method. This is considered "The correct way" this documentation on MT's site really helped me get a better understanding of the setup: help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features

Very understandable statement, I know of quite a few people who tend to get frustrated when it comes to switching on MikroTik. Personally I do not use MikroTik for my core switching. Simple VLAN tags under an interface on my uplinks are more than enough for me. I do LOVE MikroTik for all of the core features on a routing layer it brings and at the price range it is at though.

In the new video kzbin.info/www/bejne/inKqiJKOeNZ2nNU I cover how to setup ACLs for Inter-Vlan routing, give it a watch. There should be a timestamp for it too :)

@@TheNetworkBerg oh yes, I see. Very useful as a start. Anyway, I hope you're going to delve a bit deeper into that with a dedicated tutorial. Thank you very much indeed.

I will definitely consider a dedicated tutorial about the subject :)!

@@TheNetworkBerg Thanks

Hi there, depending on what emulator you use, you can add additional interfaces on the emulator itself. With EVE-NG when you import the nodes the default is set to 4 interfaces. You can change this to something different. I tend to either do 10, 12 or 24 interfaces.

@@TheNetworkBerg, Thank you so much! I am glad it was something simple to change in the import.

Yes, adding multiple bridges will have that type of impact and performance will be degraded. Adding a single bridge and doing your tagging/untagged on that bridge would be the best solution for hardware offloading and the best performance.

@@TheNetworkBerg I appreciate your reply, I tried doing it with a single bridge, but because these are slave interfaces I keep getting dhcp server cannot be set on slave interface message. I love that mikrotik has several ways of doing the same thing, but it is sometimes very confusing as well :)

Thank you! I am using a network emulator, which is called EVE-NG. It allows you to add virtual equipment like CHRs to add into topologies and configure equipment. Which is awesome because this is REAL equipment on a virtual level so you get hands on experience without having to buy a physical MikroTik or even other devices.

@@TheNetworkBerg Just About to ask the same thing abt ths. thanx

Best performance would be creating a bridge and having the switch chip manage all the VLANs, but when it comes to the routing world and routing packets you will typically see and use software defined VLANs between networks. It's more about what you want to use VLANs for, if it's just on a LAN network or a Data Center then a single software bridge with all VLANs is the most ideal setup for max performance.

@@TheNetworkBerg Thank you. I don't have plans on routing, I just need it to switch at L2

mine too, how did you manage that?

Firewall rules, you could in essence just drop all forward traffic between VLANs and only set Src=IT Dst=All other VLANs to be allowed. The firewall is stateful so return traffic will be allowed automatically.

It is called EVE-NG a network emulator

The third option is what you want to make use of where you will configure a bridge and do the VLAN tagging through the bridge. So your configuration should look something like this: /interface bridge add name "Switch-Bridge" vlan-filtering=yes /interface bridge port add interface=ether2 bridge=Switch-Bridge /interface bridge port add interface=ether3 bridge=Switch-Bridge pvid=10 /interface bridge port add interface=ether4 bridge=Switch-Bridge pvid=20 /interface bridge vlan add interface=ether2 tagged=10,20 /interface bridge vlan add interface=ether3 untagged=10 interface bridge vlan add interface=ether4 untagged=20 You can also do this through the GUI obviously by just adding a bridge there, enabling VLAN filtering and then adding your bridge ports and bridge VLANs. This should in theory make ether2 a trunk port that will send VLAN10 & VLAN20 to the remote device as tagged frames while untagging ether3 for VLAN10 and ether4 for VLAN20.

@@TheNetworkBerg I got it now! I missed the obvious which you said so clearly "We are not going to set interfaces here when doing it as switch mode.." Waardeer jou antwoord baie.

When you use the bridge method and you add /interface bridge ports the configuration is actually injected into the Switch chip to handle hardware offloading and achieving higher speeds as this could potentially work at wire speeds. It's definitely not a requirement though. Especially if you want to do stuff like firewalling with your VLANs as that traffic will then need to be handled by the CPU regardless. So it sort of depends on your requirements and what you want to do with the VLANs

@@TheNetworkBerg thanks for the clear explanation!

Hello there, I am creating a playlist which will have all of the videos in a structure order to watch :)

Because this is for the MTCRE and not the MTCSWE, it's just another method of using VLANs to route with and that traffic will most likely be used in the CPU.

Sorry it was a bit hard Peter, I have been working on labeling equipment in all my videos. Thank you for suggestion!

As far as I know you still need to go to a trainer for your initial certification, however, I have read and heard about people who recertify are able to arrange to do that remotely with their trainer. I would check up on the MikroTik forums regarding this.