大多的MikroTik硬件设备都集成交换芯片,因此可以实现硬件级的二层转发,在这些硬件中部分可以实现线速的二层VLAN交换,但不同硬件配置又有所不同,下面介绍下不同硬件的二层交换配置 :

首先通过一个案例,来对比不同交换机的配置,ether1作为trunk接口透传vlan20、vlan30和vlan99,ether2和ether3作为access接口,vlan99作为管理口配置192.168.99.1/24的管理IP地址。

提醒:以下配置都是基于RouterOS v6.41后的版本,该版本后对bridge做了大改动。

 

CRS3xx 系列

/interface bridge

add name=bridge1

/interface bridge port

add bridge=bridge1 interface=ether1 hw=yes

add bridge=bridge1 interface=ether2 hw=yes pvid=20

add bridge=bridge1 interface=ether3 hw=yes pvid=30

/interface bridge vlan

add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30

add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

/interface vlan

add interface=bridge1 vlan-id=99 name=MGMT

/ip address

add address=192.168.99.1/24 interface=MGMT

/interface bridge

set bridge1 vlan-filtering=yes

 

CRS1xx/CRS2xx 系列

由于CRS1系列和CRS2系列芯片问题,因此需要通过switch菜单下完成

/interface bridge

add name=bridge1

/interface bridge port

add bridge=bridge1 interface=ether1 hw=yes

add bridge=bridge1 interface=ether2 hw=yes

add bridge=bridge1 interface=ether3 hw=yes

/interface ethernet switch ingress-vlan-translation

add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes

add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes

/interface ethernet switch egress-vlan-tag

add tagged-ports=ether1 vlan-id=20

add tagged-ports=ether1 vlan-id=30

add tagged-ports=ether1,switch1-cpu vlan-id=99

/interface ethernet switch vlan

add ports=ether1,ether2 vlan-id=20 learn=yes

add ports=ether1,ether3 vlan-id=30 learn=yes

add ports=ether1,switch1-cpu vlan-id=99 learn=yes

/interface vlan

add interface=bridge1 vlan-id=99 name=MGMT

/ip address

add address=192.168.99.1/24 interface=MGMT

/interface ethernet switch

set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3

 

其他集成交换芯片设备

警告: 不是所有MikroTik硬件设备都支持VLAN的硬件级转发,具体的支持列表可以参见https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction ,如果设备支持VLAN table,即可以通过集成芯片处理VLAN转发,查看你硬件的交换芯片命令通过/interface ethernet switch print

 

下面是查看RB750Gr3的交换芯片型号:

[admin@MikroTik] > /interface ethernet switch print

Flags: I – invalid

 #   NAME     TYPE             MIRROR-SOURCE    MIRROR-TARGET    SWITCH-ALL-PORTS

 0   switch1  MediaTek-MT7621  none             none           

 

下面的配置可以应用于RouterBOARD系列,包括RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP等

/interface bridge

add name=bridge1 protocol-mode=none

/interface bridge port

add bridge=bridge1 interface=ether1 hw=yes

add bridge=bridge1 interface=ether2 hw=yes

add bridge=bridge1 interface=ether3 hw=yes

/interface ethernet switch vlan

add ports=ether1,ether2 switch=switch1 vlan-id=20

add ports=ether1,ether3 switch=switch1 vlan-id=30

add ports=ether1,switch1-cpu switch=switch1 vlan-id=99

/interface vlan

add interface=bridge1 vlan-id=99 name=MGMT

/ip address

add address=192.168.99.1/24 interface=MGMT

/interface ethernet switch port

set ether1 vlan-mode=secure vlan-header=add-if-missing

set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20

set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=30

set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

 

其他没有集成交换芯片的设备

如果没有集成交换芯片,如基于PC的x86平台,处理二层转发和VLAN只能通过CPU完成,虽然有几种方法可以实现,但推荐处理VLAN使用以下配置:

/interface bridge

add name=bridge1

/interface bridge port

add bridge=bridge1 interface=ether1 hw=no

add bridge=bridge1 interface=ether2 hw=no pvid=20

add bridge=bridge1 interface=ether3 hw=no pvid=30

/interface bridge vlan

add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=20,30

add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

/interface vlan

add interface=bridge1 vlan-id=99 name=MGMT

/ip address

add address=192.168.99.1/24 interface=MGMT

/interface bridge

set bridge1 vlan-filtering=yes