We are still using the same lab scenario of the management VLAN. If we look at SW1 and SW2, we see in the VLAN table under the bridge that a dynamic entry has been created with the interfaces bridge1 and Ether1 as untagged members of VLAN 1.
Why is that? Because when we added the interfaces to the bridge, both bridge1 and Ether1 had PVID 1 by default. What does this mean exactly? It means that if I connect my PC to the interface Ether1 on SW1 or SW2, I will be able to access the switch completely from Winbox. The reason is that the Ether1 and bridge1 interfaces are both on VLAN 1, which is the native VLAN. Did you get my point?
Maybe it’s a good idea to show this by connecting my PC to Ether1 of SW1 and then to Ether1 of SW2.
Let’s start by connecting my PC to Ether1 of SW1.
As you see, SW1 shows up directly in Winbox because I am connected to Ether1, which has the same VLAN ID of 1 as the bridge1 interface, so I can see the switch in Winbox, log in to it and configure it.
Let me move my PC cable to SW2 interface Ether1 and see if I will have the same result.
I can also see SW2 when connecting to Ether1. Wow…. That’s not something we like to have, right? I know that some of you may be saying now that Ether1 is a trunk port, and normally no one physically is able to reach it. Well, that’s somehow true, but still, it is a point of weakness to keep it this way.
So, what is the solution here? Well, the solution is very easy: change the PVID on Ether1 or on bridge1 to another one. That means that the Ether1 and bridge1 interfaces should not have the same PVID. Why do we do that? Because once the 2 interfaces aren’t on the same PVID, a PC connected to Ether1 won’t be able to have full access to the switch. Got the idea?
Let me show you by changing PVID on the bridge1 interface on SW2 to 122 and see if my PC will still be able to reach the switch when connecting to Ether1.
If we look at the VLAN table on SW2, we will see that bridge1 is on VLAN 122 and Ether1 is on VLAN 1, which means they are on 2 different VLANs, and the dynamic entries show this.
I will put the cable again from my PC to SW2 interface Ether1 and see if I am still able to reach it from Winbox:
As you see, no entry is shown on SW2. Even if you try to put the MAC address of SW2 on Winbox and connect to it, you won’t be able to do it.
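The same change from the RouterOS terminal, as an added example and not a configuration taken from the page: the weak default (bridge1 and ether1 both on PVID 1) beside the corrected one (bridge1 moved to PVID 122). It assumes the lab's names SW2, bridge1 and ether1 with VLAN filtering already enabled on the bridge, and that the management VLAN 122 is already carried tagged on the trunk port in the earlier part of the lab.

```routeros
# --- Weak default: bridge1 and ether1 share PVID 1 ---
# Both interfaces end up as untagged members of the same VLAN, so a PC
# plugged into ether1 lands in the same VLAN as the switch's own
# management (bridge1) interface and can reach it from Winbox.
/interface bridge
set bridge1 vlan-filtering=yes pvid=1
/interface bridge port
set [find interface=ether1] pvid=1

# Inspect the result: one dynamic entry lists bridge1 and ether1 together
# as current-untagged on vlan-ids=1.
/interface bridge vlan print

# --- Corrected: move the bridge (management) interface to PVID 122 ---
# ether1 keeps PVID 1, so untagged frames arriving on ether1 stay in
# VLAN 1 and never reach bridge1, which now only listens on VLAN 122.
/interface bridge
set bridge1 pvid=122

# Verify: bridge1 and ether1 now appear in two different dynamic entries
# (vlan-ids=122 and vlan-ids=1), which is what SW2 showed in the lab.
/interface bridge vlan print
/interface bridge port print
```

Management is then reachable only over VLAN 122, i.e. through the tagged trunk or through a port whose PVID you deliberately set to 122.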