Basic VLANs with SwitchOS – Part 2


     MikroTik has produced 3 different products which run SwithOS instead of RouterOS, the RB250GS (End of Life), the RB260GS, and the RB260GSP. This tutorial will show you how to do basic VLAN management using the RB260 series switches. This tutorial is based upon SwtichOS version 1.17. The phone configuration will not be covered.


2nd Example – Using a switch to extend the number of Ethernet ports available to your router (some clients are tagging and some are not)

     In this example, we are going to look at a common scenario encountered with VOIP phones. Nearly all VOIP phones have the ability to join a VLAN and act as a 2 port switch. The need for this is frequently encountered when a VOIP phone system is being added to pre-existing network. It just so happens that the company will need a phone located at every, or almost every, workstation, but there is only one Ethernet cable provided. The network administrator will probably want the phones on a different network for any number of reasons such as QoS or possibly because the phones have their own Internet connection. In this example, we’re going to keep this simple and focus on the switch configuration. Please, see the diagram below:




The router config (only the VLAN specific settings will be shown):


The SFP port on both the router and the switch will carry the trunk. Three VLANs will be used, VLAN 10 for the phones, VLAN 20 for the PCs and everything else, and VLAN 2 for the switch administration. A DHCP server will configured on VLAN 10 and 20. 

To configure the VLANs goto Interfaces and select the VLAN tab:




Next, we will need to configure an IP addres on each VLAN interface. To do this, goto IP -> Addresses:





The last item is to configure is the DHCP servers on VLAN 10 & 20. Goto IP -> DHCP Server and use the DHCP Setup button:





The switch config (only the VLAN specific setting will be shown):

     Now we’ll cover the configuration of the switch. We need to allow VLAN 10 to pass through unobstructed on all ports and we also need to capture the untagged traffic from the local LAN and tag it with VLAN 20. VLAN 2 is used for the switch configuration. VLAN 2, 10, & 20 need to pass through the SFP port, which is acting as our trunk port. The phones should already be configured to use VLAN 10 and to allow all other traffic to flow through. Please, refer to the phone manufacturer’s setup guide for that configuration. This example may need some modification depending on the phones used. The switch’s IP address will be changed to since is used by default on all MikroTik products.



Step 1: Starting on the VLAN tab of the switch, the “VLAN Mode” for all 6 port will be set to “strict” so that all traffic coming into the the switch is compared against the VLAN Table on the VLANs tab. “VLAN Receive” will be set to “any” since we are matching both tagged and untagged traffic. The “Default VLAN ID” will be set to 20 for Ethernet ports 1-5 since that is the VLAN ID that we want the untagged traffic to be given. “Force VLAN ID” has to be unselected or else it will create problems with the tagged traffic from VLAN 10.

Step 2: On the Egress side of things, we are going to select “leave as is.” The options are “leave as is,” “always strip,” or “add if missing.” If we were to choice “always strip” it would strip all of the VLAN tags and the phones would never receive their traffic. The PCs would, but the phones would not. If we select “add if missing” nothing special will happen because the traffic headed towards the LAN side of the switch from the router has one of two tags already present. This setting would actually work, but it won’t be performing the action that is implied because there should not be any untagged frames headed out those ports. Note that the traffic arriving at the PCs will arrive without a VLAN tag. The switch will strip the VLAN ID that is present in the “Default VLAN ID” field. This can be verified with a packet capture or by using torch tool if that is available.




Step 3: The VLAN Table needs to be created in the VLANs tab. In this example, all of the fields will be set to “leave as is” meaning that the action taken for those VLANs on those ports will be determined by the settings on the VLAN tab.





Step 4: The final step is to assign a new IP address to the switch, set the Identity, and choose the VLAN that it will be available from. Alternatively, you may want to make it available from a specific subnet. Now its time to test the configuration. :-)

Leave a comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>