Many users still find it difficult to implement Mikrotik trunk and access port configuration on Mikrotik routers and switches. The importance of VLAN to network security can never be over-stated even as port type configuration remains a must-known for its successful implementation.
The two major port types required for the implementation of network segmentation using VLAN are trunk and access ports. While the trunk port is used for tagged and multiple VLAN traffic across a link, an access port is used for untagged traffic, delivered specifically to an end user.
Mikrotik trunk and access port configuration is not as straight forward a configuration like you would find on Cisco and Huawei devices. This is because the use of “trunk” and “access” are not parts of the required configuration commands, although they can be used as interface names.
Mikrotik trunk and access port configuration
Remember I said it is not a straightforward process? Here is what I meant. Unlike other vendors, the use of trunk and access as parts pf the commands are not necessary. To configure a trunk port, first we create a bridge and add a physical port that will serve as our trunk port to the bridge. We then create VLANs whose traffic will be carried on the trunk and add the vlans to the trunk. See configs below.
int bridge add name=trunk int bridge port add bridge=trunk interface=ether1 int vlan add name=Operations vlan-id=100 interface=trunk int vlan add name-IT vlan-id=200 interface=trunk
We simply create a vlan and assign a physical port to the vlan as part of the requirements to configure an access port on a Mikrotik device. See commands below.
int vlan add name=Test vlan-id=300 interface=ether4
Ensure that your cable connectedness is done properly and you are good to go.
Note that there are many ways to implement vlan on Mikrotik. To learn about the router-on-a-stick method, read here and how to implement vlan on a Mikrotik Cloud smart switch.
For more on Mikrotik trunk and access port configuration, kindly see the official documentation from Mikrotik here.
If you enjoyed this tutorial, please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter.
One aspect that’s not clear to me is untagged traffic. If I have two Mikrotik routers (or switches) connected via ether1 and I’ve set the bridge and vlan on each as described above, traffic from any interface added to VLAN 100 or 200 will travel over ether1 between the devices. Traffic from ether4 will not. What about traffic from untagged interfaces?
Untagged interfaces are like access ports. Traffics out these ports are forwarded to the devices attached to the ports. Traffics coming into untagged ports are only tagged if they will traverse a trunk port and will get untagged as they are forwarded out an access port. I hope this works.