Syed Jahanzaib Personal Blog to Share Knowledge !

June 2, 2015

Mikrotik with Cisco VLAN made easy

Filed under: Cisco Related, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:16 PM


~!~ Mikrotik with Cisco VLAN made easy ~!~
 ~!~ For Beginners ~!~

Virtual LANs (VLANs) are a way to separate users into individual network segments for security and other reasons. VLAN membership is configured in software instead of by physically relocating devices or connections, so you can split up the devices on your network regardless of where they are located.

The main advantages of VLANs are

  • Broadcast Control
  • Security / Client Isolation
  • DMZ
  • Controlled Network Management
  • Costing

VLANs are very useful for any network, including large and small offices, ISPs, cable Internet service providers, etc. The main problem in any large network is broadcast traffic, and it hits network operators especially hard: a single user swaps the LAN cable of his router with the WAN cable and his router's DHCP server starts broadcasting into the operator network, or a single user infected with a virus/trojan floods the whole network. VLANs can help you in many situations like these and others.



To avoid broadcasting/flooding and, above all, for better management, security and monitoring, we want to break the network into smaller segments.


Consider the following scenario

We have a Mikrotik router which is acting as a DHCP server and a PPPoE server as well, and we want to isolate the different network areas by breaking them into smaller segments. Each area will get a different IP series from the Mikrotik DHCP server.

In this example the following switch ports are used:

  • Mikrotik = Port 1 [as TRUNK port]
  • Dealer-1 = Port 2
  • Dealer-2 = Port 3
  • Dealer-3 = Port 4

Hardware Used in this Guide:

  1. Mikrotik RB2011
  2. Cisco 3750-E Series
  3. Two Laptops for testing

As shown in the image below …




# Create the VLAN interfaces on the trunk port (LAN) and give each a name and VLAN id
/interface vlan
add interface=LAN l2mtu=1594 name=DEALER-1 vlan-id=10
add interface=LAN l2mtu=1594 name=DEALER-2 vlan-id=20
add interface=LAN l2mtu=1594 name=DEALER-3 vlan-id=30

# Assign IP addresses to the interfaces
/ip address
add address= interface=LAN network=
add address= interface=DEALER-1 network=
add address= interface=DEALER-2 network=
add address= interface=DEALER-3 network=

# Create DHCP servers and assign a different pool to each dealer
# (the DEALER-x-POOL pools referenced here must already exist under /ip pool)
# You can use the DHCP setup wizard as well if the CLI is a bit hectic
/ip dhcp-server
add address-pool=DEALER-1-POOL disabled=no interface=DEALER-1 lease-time=6h name=dhcp1
add address-pool=DEALER-2-POOL disabled=no interface=DEALER-2 lease-time=6h name=dhcp2
add address-pool=DEALER-3-POOL disabled=no interface=DEALER-3 lease-time=6h name=dhcp3

/ip dhcp-server network
add address= dns-server= gateway=
add address= dns-server= gateway=
add address= dns-server= gateway=

Some screenshots for reference …



Done. Now we have to create the VLANs on the Cisco switch…


I assume that you have a Cisco switch with an IP address configured for management.

Telnet to the switch


# Enter your Cisco switch login password
User Access Verification
Password: xxxxxx

# Enter privileged (enable) mode and give the enable password
enable
Password: xxxxxxxxx

# Enter in Config mode
config t

# Select the port that will be connected to the Mikrotik and make it an 802.1Q trunk

interface gigabitEthernet 1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk

switchport trunk allowed vlan all
switchport nonegotiate

# Create the VLAN ids and names for the dealers/areas
vlan 10
name DEALER-1
vlan 20
name DEALER-2
vlan 30
name DEALER-3

# Now select the Dealer-1 interface, e.g. port 2, and assign it the VLAN id
# (or use a range, e.g. interface range gigabitEthernet 1/0/1-4 for ports 1 to 4;
#  here port 1 is the trunk, so the access ports would be the range 2-4)
interface gigabitEthernet 1/0/2
switchport mode access
switchport access vlan 10

interface gigabitEthernet 1/0/3
switchport mode access
switchport access vlan 20

interface gigabitEthernet 1/0/4
switchport mode access
switchport access vlan 30


# SAVE the configuration you just made above
end
write memory

Some screenshots for reference…









Now connect your PC to port 2, then to ports 3 and 4.

You will get a different IP address on each port,
as shown in the image below from the Mikrotik DHCP server.



Test From Dealer-1 System


Dealer-1 has received a 192.168.10.x series IP, exactly the one we configured in Mikrotik.

Now try to ping any Dealer-2 series address and the Internet as well. You will see that you can ping the Internet and the Mikrotik LAN IP, but not the Dealer-2 subnet (or likewise).


NOTE: For client isolation / to block communication between all VLANs, you must create FILTER rules as explained in the TIPS n TRICKS section below …



1- Block communication between all or specific VLAN subnets

It is often required to block communication between specific or all VLAN subnets for security or other reasons. By default Mikrotik routes between all VLANs, so a host in one VLAN can reach a host in another even though the switch keeps them on separate segments. You can block this with FILTER rules in the forward chain. In this example we want users of all VLANs to reach the Internet via the WAN interface, but not to communicate with any other VLAN subnet. Use the following as an example.

Note: there are many other ways to achieve this, either at the switch level or on the Mikrotik; I am showing just one example here.

/ip firewall filter
add chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=WAN

add action=reject chain=forward comment="Block Communication between all vlan subnets" reject-with=icmp-net-prohibited src-address=\

# Masquerade rule to allow Internet access via the WAN link interface
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
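The Mikrotik section above builds the VLAN interfaces, addresses, DHCP servers and the isolation filter by hand for three dealers. As an added example (not the post's own code), the Python below generates that RouterOS configuration for any number of dealers, including the /ip pool entries the post references but never shows and an address-list form of the inter-VLAN reject rule. Assumptions, not from the post: dealer n uses VLAN id 10*n and the constructed subnet 192.168.<vlan-id>.0/24 (the post only shows Dealer-1 receiving 192.168.10.x), the trunk interface is LAN, the uplink is WAN and 8.8.8.8 is handed out as DNS.

```python
# Added example, not the blog's own code: emit the RouterOS configuration the post
# builds by hand, for any number of dealer VLANs, plus the inter-VLAN isolation
# rules from the Tips section. Constructed assumptions, not taken from the post:
# dealer n gets VLAN id 10*n and subnet 192.168.<vlan-id>.0/24 (the post only
# shows Dealer-1 receiving 192.168.10.x); trunk interface LAN, uplink WAN.
from ipaddress import IPv4Network

# RouterOS sections in the post's order: (section header, one line per dealer).
ROS_SECTIONS = [
    ("/interface vlan", "add interface={trunk} l2mtu=1594 name={name} vlan-id={vid}"),
    ("/ip address", "add address={gw}/24 interface={name} network={netaddr}"),
    ("/ip pool", "add name={name}-POOL ranges={pool}"),  # referenced by the post, never defined there
    ("/ip dhcp-server", "add address-pool={name}-POOL disabled=no interface={name} lease-time=6h name=dhcp{n}"),
    ("/ip dhcp-server network", "add address={net} dns-server={dns} gateway={gw}"),
    ("/ip firewall address-list", "add list=VLAN-SUBNETS address={net}"),  # feeds the reject rule
]

def dealer_plan(count):
    """One dict per dealer: VLAN id, /24 subnet, gateway (.1) and DHCP range (.2-.254)."""
    plan = []
    for n in range(1, count + 1):
        vid = 10 * n
        if vid > 254:  # the third octet of 192.168.<vid>.0 must stay below 255
            raise ValueError("VLAN id %d does not fit the 192.168.<vid>.0/24 scheme" % vid)
        net = IPv4Network("192.168.%d.0/24" % vid)
        hosts = list(net.hosts())
        plan.append({"n": n, "name": "DEALER-%d" % n, "vid": vid, "net": str(net),
                     "netaddr": str(net.network_address), "gw": str(hosts[0]),
                     "pool": "%s-%s" % (hosts[1], hosts[-1])})
    return plan

def render_mikrotik(plan, trunk="LAN", wan="WAN", dns="8.8.8.8"):
    """RouterOS CLI text: VLANs, addressing, DHCP, then forward-chain isolation and NAT."""
    out = []
    for header, template in ROS_SECTIONS:
        out.append(header)
        out += [template.format(trunk=trunk, dns=dns, **d) for d in plan]
    # Order matters: WAN-bound traffic is accepted first; then any packet whose source
    # AND destination are both VLAN subnets is rejected. Address lists stand in for
    # the per-subnet src-address the post's rule leaves unfinished.
    out += ["/ip firewall filter",
            'add chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=%s' % wan,
            'add action=reject chain=forward comment="Block communication between all vlan subnets" '
            "reject-with=icmp-net-prohibited src-address-list=VLAN-SUBNETS dst-address-list=VLAN-SUBNETS",
            "/ip firewall nat", "add action=masquerade chain=srcnat out-interface=%s" % wan]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_mikrotik(dealer_plan(3)))  # the three dealers used in the post
```

Running the file prints the three-dealer configuration; raising the count (up to 25 with this subnet scheme) keeps every dealer's VLAN id, pool and address-list entry consistent.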


Snapshots of Working VLAN config with pppoe server




Pending work:

– Add PPPoE or hotspot configuration
– Firewall configuration for isolation in PPPoE/hotspot
– A few more tips n tricks with VLANs


Syed Jahanzaib


  1. Dear Jahanzaib,
    How can we make sure that on the Mikrotik side the port is in trunking mode? Are there any specific commands, or are the ethernet interfaces on Mikrotik in trunking mode by default??

    Comment by Khizer — June 2, 2015 @ 11:29 PM

  2. love it

    Comment by mushhood — June 2, 2015 @ 11:51 PM

  3. But what about Mikrotik to Mikrotik, for example RB2011 to RB750? The RB2011 has two networks, PPPoE and hotspot, going through 1 trunk, and in the remote area there is a 750 from which the connections are distributed. Although it is also possible to have both PPPoE and hotspot on the same LAN, I am generating a vice-versa scenario..

    Comment by UmmarHussain — June 3, 2015 @ 1:02 AM

  4. How to dial multiple (and more) PPPoE clients over a single WAN interface in Mikrotik

    Comment by ramanji — June 3, 2015 @ 3:26 PM

  5. Dear sir, how to dial multiple PPPoE clients over a single WAN interface in Mikrotik?
    I have 2 ports on my Mikrotik router:
    1x WAN & 1x LAN port.
    I need to dial 2 or more PPPoE clients and load balance over the single WAN port.
    Actually I created multiple 1 Mbps PPPoE clients in my Mikrotik; both connections are showing connected, and
    I use Adeel's uploaded load balancing settings in my Mikrotik. When I check in Speedtest it shows sometimes 1 Mbps and sometimes 2 Mbps.
    Please help me…..

    Comment by ramanji neyuluk — June 4, 2015 @ 11:22 AM

    • As far as I know, you cannot dial multiple PPPoE clients over one interface. Why not use a manageable switch with VLANs to do the job?

      Comment by Syed Jahanzaib / Pinochio~:) — June 9, 2015 @ 9:04 AM

  6. Nice work >>> having one question … I have an RB2011 with 1 Cisco L3 switch and 3 RB1100s … in the RB2011 I am making 3 VLANs and 3 PPPoE client users >> in Cisco also the same 3 VLANs … each RB1100 router takes one PPPoE client user. How can I separate between them, meaning “user 1 is working on the first router but not working on the other routers” (second and third router 1100)?

    Comment by Laith Adnan — June 9, 2015 @ 12:26 AM

    • perhaps a network diagram will help to understand the issue.

      Comment by Syed Jahanzaib / Pinochio~:) — June 9, 2015 @ 9:02 AM

      • I uploaded a simple diagram … the idea is to isolate PPPoE client users on the same router … meaning there is a main router (Cloud Core) having 2 PPPoE users, A and B, and there are two routers (Router 1 and Router 2) connected directly to the main router (Cloud Core) … I want user A to be connected only to Router 1 and not to Router 2, and user B connected to Router 2 and not to Router 1

        Comment by Laith Adnan — June 9, 2015 @ 8:24 PM

      • still waiting for answer

        Comment by Laith Adnan — June 13, 2015 @ 3:35 PM

      • any idea?

        Comment by Laith Adnan — June 21, 2015 @ 11:15 PM

  7. Dear, you need to use policy based routing as far as destination-end routing is concerned, in which you can configure user A to R1 and user B to R2.

    Comment by Jack — June 22, 2015 @ 4:32 PM

    • How can I use that policy?

      Comment by Laith Adnan — June 24, 2015 @ 5:38 AM

      • Use Google to implement PBR in MT

        Comment by Jack — June 29, 2015 @ 10:19 AM

  8. Dear Mr. Jahanzaib,
    Could you please tell me which Cisco switches are able to tag/trunk with Mikrotik. My model is 1100 ahx2

    Comment by sohag — July 2, 2015 @ 12:01 PM

    • In general all Cisco-based manageable switches are capable of doing VLANs.
      I used Cisco 3750 gigabit switches at various places and found them very stable🙂 Cisco 2960 or likewise are also good choices, but it all depends on availability and budget as well.

      Comment by Syed Jahanzaib / Pinochio~:) — July 2, 2015 @ 12:11 PM

  9. Hello Brother, Assalamu alikum,
    This is Nahid from Bangladesh. I have a new problem at hand. Recently I added a new Cisco Catalyst 2960 TCS to my network, using a Mikrotik CCR-1016 for routing. When I add this new switch to the Mikrotik interface, I get some packet loss: if I ping my gateway it shows a reply of 2 ms or sometimes 30 ms+, and also misses 1 packet after 15-20 replies from the gateway. I have another old Catalyst 2960TCL which is OK, no ping loss from the gateway. If I connect my new Catalyst 2960 to the old Catalyst 2960TCL, then there is no packet loss either and I get pings from the gateway of <1 ms-2 ms.
    From the Mikrotik I connected a Gigabit Ethernet port to the switch with a machine-made cable. In Mikrotik auto port negotiation is on, also selected 100 full, 1000 full; I changed MSS in the firewall.
    If I reboot my Mikrotik or change the port then there is no ping loss and I get good ping times for only 5 minutes, then again it starts to lose after every 20 replies.
    Mikrotik configuration: all users connect with DHCP, no filter rules, NAT set to masquerade, in mangle only rules for FTP servers.
    Please, anyone solve this issue. Thanks in advance

    Comment by MD. Nahid — July 30, 2015 @ 4:29 PM

  10. Dear,
    I have Mikrotik working OK with Cisco VLANs configured and working OK.
    Now I want to use Mikrotik in VMware, but in VMware VLANs are not working. What to do now?

    Comment by SunStar — August 17, 2015 @ 2:53 PM

  11. Dear Syed Jahanzaib,
    I want to use VLANs for Security / Client Isolation in the hotspot

    I want to create 250 VLANs; each user takes one IP from a different range (different VLAN)

    Is it possible in Mikrotik?

    What is the process??

    Comment by Alaa Abdulsalam Al-thobhani — December 29, 2015 @ 3:32 AM

  12. Dear Syed Jahanzaib,
    I want to use VLANs for Security / Client Isolation in the hotspot

    I want to create 250 VLANs; each user takes one IP from a different range (different VLAN)

    Is it possible in Mikrotik?

    What is the process??

    Comment by Alaa Abdulsalam Al-thobhani — December 29, 2015 @ 3:38 AM

  13. Dear Syed Jahanzaib,
    I want to use VLANs for Security / Client Isolation in the hotspot
    I want to create 250 VLANs; each user takes one IP from a different range (different VLAN)
    Is it possible in Mikrotik?
    What is the process??

    Comment by M Anees — February 15, 2016 @ 10:41 AM

  14. Salam

    What if I want to create a TRUNK between a Cisco 2960 switch and a Mikrotik crs125-24g-1s-2hnd-in,

    Cisco 2960
    #switchport mode trunk
    #no shut

    VLAN 1 - – Management ip address.

    mikrotik crs125-24g-1s-2hnd-in

    Ether 24 trunk.
    Ether 24 – IP address (I don't have any idea here)
    default gateway –

    Ether 1- VLAN 126
    Ether 2- 10 VLAN 30

    /interface ethernet
    set ether1 master-port=ether24
    set ether2 master-port=ether24
    set ether3 master-port=ether24
    set ether4 master-port=ether24
    set ether5 master-port=ether24
    set ether6 master-port=ether24
    set ether7 master-port=ether24
    set ether8 master-port=ether24
    set ether9 master-port=ether24
    set ether10 master-port=ether24

    /interface ethernet switch egress-vlan-tag
    add tagged-ports=ether24,switch1-cpu vlan-id=30
    add tagged-ports=ether24 vlan-id=126

    /interface ethernet switch ingress-vlan-translation
    add customer-vid=0 new-customer-vid=30 ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,switch1-cpu
    add customer-vid=0 new-customer-vid=126 ports=ether1,switch1-cpu


    The problem is: I can see the access and trunk configuration is working perfectly,
    but the issue is I can't access the Mikrotik switch IP address from the Cisco network.

    I can't ping the VLAN 1 trunk IP address of the Mikrotik switch.

    Please explain where i am doing wrong.

    Comment by Abbas — March 20, 2016 @ 2:02 PM

  15. Any idea for Mikrotik VLANs with Rocket M2 and Nano M5 VLAN connection configuration

    Comment by Muhammad Azam Ghouri — May 7, 2016 @ 12:29 PM
