MikroTik Switch – Setup VLANs

I had purchased a MikroTik RB260GS (product link) to allow me to setup vlans for about $40 and later be able to setup a fiber run for a few remote devices.The MikroTik RB260GS is able to handle 802.1Q VLAN tags with 5 Gigabit Ethernet Ports and a single SPF cage. It can be powered by PoE (Power over Ethernet) on the 1st port and has a small form factor of 4 7/16 x 5 1/2 x 1 1/8 inches or 133 x 139 x 28 mm. There are larger and different models to choose from as well and should be considered depending on your needs.

From the beginning of trying to setup the VLANs, I had a hard time with this switch and a learning curve ahead of me for this solution. I hope this will assist those whom are having difficulties as well.

Port – Trunk

A trunk port is where multiple VLANs share the same physical connection and is used for the network backbone infrastructure up to the Access Level Switches.

Also, consider the amount of VLANs and traffic going through this port, it will be limited to 1 Gigabit and shared amongst all the VLANs going through it. Sometimes, it might be a better idea to have the SPF port be the trunk port with a 10 Gb fiber module. It would use less power, faster, lower latency, and electrically isolated from the other end of the trunk on this connection.

For this switch, it’s best for the trunk port to be port 1, especially if PoE is being delivered from another switch, or the SPF port. Below is how to configure the trunk port and can be any port on the switch.

  1. Navigate to VLAN tab
  2. Configure the port’s Ingress settings as listed:
    • VLAN Mode: Enabled
    • VLAN Recieve: Any
    • Default VLAN ID: 1
    • Force VLAN ID: Unchecked
  3. Configure the port’s Egress settings as listed:
    • VLAN Header: Add If Missing
  4. Navigate to VLANS tab , Add the VLAN numbers here.
  5. Make sure the Trunk port has all of the VLANs settings are set to Leave as is

Access Ports

These ports only have a single VLAN associated to them and is normally used at the Access Switch Level when end devices plug into.

  1. Navigate to VLAN tab
  2. Configure the port’s Ingress settings as listed:
    • VLAN Mode: Strict
    • VLAN Recieve: only untagged
    • Default VLAN ID: <Your VLAN ID here>
    • Force VLAN ID: Unchecked
  3. Configure the port’s Egress settings as listed:
    • VLAN Header: always strip
  4. Navigate to VLANS tab
  5. Make sure the Access port has all of the VLANs settings are set to Not a Member, except for the VLAN ID you’ve entered in step 2. It would be set to the value Always strip.

Multi-VLAN Ports

Sometimes there is a need where a port may need multiple VLANs going across it to a device, like a wireless access point. See below settings

  1. Navigate to VLAN tab
  2. Configure the port’s Ingress settings as listed:
    • VLAN Mode: Strict
    • VLAN Recieve: any
    • Default VLAN ID: <Your Default VLAN ID here, usually management VLAN ID>
    • Force VLAN ID: Unchecked
  3. Configure the port’s Egress settings as listed:
    • VLAN Header: always strip
  4. Navigate to VLANS tab
  5. Make sure this port has all of the VLANs settings are set to Leave as is except for the VLAN ID you’ve entered in step 2. This would be set to the value Always strip. The non-allowed VLANS on that port should be set to Not a Member

Testing your config

It’s best practice to test each port to see if the configuration is correct when doing this the 1st few times. Wireshark (link) will be your friend or even a simple checking of the IP range you receive will work for the most part. There are plenty of online tutorials with working with Wireshark and I will not cover them.

Nate15329's Blog