Another important topic is the Management VLAN. You may have noticed that once you put a switch port on a VLAN then the PC connected to it will not be able to log into winbox of that switch. What if we have 80 MikroTik CRS3xx switches in our network, how will I be able to login to them to configure them? The best way is to use a Management VLAN.

The concept is very simple. You create a Management VLAN on each Switch under the bridge interface, you give an IP address to it then you advertise it on the VLAN as a trunk port on all the switch ports. From the PC side, you need to use the same VLAN on your network card (some old Network Interface Cards do not allow to add a VLAN ID on it), you put an IP address from the same range as you have put on the Management VLAN, then you will be able to gain access to the Switch(es) again.

I think you are lost now, right? No problem. Let’s do a LAB and with LAB you will understand it better.

LAB: Management VLAN

As you can see, I have 2 MikroTik CRS3xx switches connected to each other on the Ether1 interfaces. They have trunk ports. Then I have R1 (which is an end device) connected from its interface Ether2 to the Ether2 of SW2 which is on VLAN20.

This configuration is already done, and I will not repeat it because I have already explained how you can do trunk and access ports. Now the idea is that R1 will not see any more SW2 and SW1to be able to configure them (remember that R1 is like a PC). To be sure of that, I will put my PC in place of R1, and you will see SW1 will not be shown. In case I try to connect to SW2 then it won’t work.

Imagine you have a lot of switches in your network, and you have a problem with one of them that you should connect to it to solve the problem, but you cannot. This is not the best thing I would say, do you agree?

So, what options do we have here? Well, we need to create a Management VLAN on each of the switches which we will use when we want to connect to the switches.

Let’s start creating the Management VLAN on SW1 and SW2 and give them an IP from the range of 192.168.1.x/24

Let’s start with SW1:

As you see, I have created a VLAN for management under the interface bridge1 and I have used VLAN ID 99.

Now we need to give it an IP address:

[mepr-show rules=”319″ unauth=”message”] 

Let’s do the same on SW2, creating a VLAN for management and give it an IP from the same range.

Excellent!!!

The next step is to allow the VLAN99 to pass on the trunk port between SW1 and SW2 because my idea is that from my PC I need to be able to reach SW1. Let’s do that on SW1.

We needed to add Eth1 and Bridge1 to the tagged ports because we have initially created the VLAN 99 under the bridge1 interface and the Switch sees this interface as a normal interface.

We have to do the same on SW2 but in addition, I should say that interface Ether2 which is connected to the end device is also a trunk for VLAN 99

This way, SW1 and SW2 should be able to ping each other on the VLAN management IP. Let’s try from SW2 to ping the IP of the Management VLAN of SW1 which is 192.168.1.1

Excellent, they can ping each other. Now it is time to see if we can from the end device reach SW2 and SW1 on their management VLANs. For this, you need to create a VLAN99 on your PC. Some NICs allow you to add a VLAN ID to your PC. If this applies to you, you just need to go to the advanced option on your NIC and add VLAN 99 on it, then put an IP address to it from the range of 192.168.1.x/24, then try to connect on Winbox to SW1 and SW2 and you will see it will be successful.

Unfortunately, my NIC on my PC doesn’t allow adding a VLAN ID, that’s why I have put a router so I can create the VLAN ID on the router and assume that this router is just an end device. Then I will see from the R1 if he can see SW1 and SW2 on their Management IP addresses.

Let’s first create a VLAN 99 on R1 under the Ether2 interface and give it an IP address of 192.168.1.3/24

Let’s check from R1 the IP neighbors to see whether R1 can see the 2 switches on their management IP address:

Look!!!! He can see them on the VLAN99 interface. Excellent. Let’s try to ping both IP’s from R1 so we are sure we have reachability:

As you can see, the Router can reach both IP addresses, which means if you have a PC machine in place of the Router then you would be able to connect to the 2 Switches using Winbox on their IP addresses without any issue.

That’s the end of the management VLAN on the CRS3xx series Switches, hope you liked it.

[/mepr-show]