Standards: IEEE 802.1Q, IEEE 802.1ad

Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.

You can use MikroTik RouterOS (as well as Cisco IOS, Linux, and other router systems) to mark these packets as well as to accept and route marked ones.

As VLAN works on OSI Layer 2, it can be used just like any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.

You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have a VLAN put on a wireless interface in station mode bridged with any other interface.

The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into the Ethernet header.

Each VLAN is treated as a separate subnet. It means that by default, a host in a specific VLAN cannot communicate with a host that is a member of another VLAN, although they are connected to the same switch. So if you want inter-VLAN communication you need a router. RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. VLAN priorities may also be used and manipulated.

When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between switches or between a switch and router.

The IEEE 802.1Q standard has reserved VLAN IDs with special use cases; the following VLAN IDs should not be used in generic VLAN setups: 0, 1, 4095.

Original 802.1Q allows only one VLAN header; Q-in-Q, on the other hand, allows two or more VLAN headers. In RouterOS, Q-in-Q can be configured by adding one VLAN interface over another. Example:

/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1

If any packet is sent over the 'vlan2' interface, two VLAN tags will be added to the Ethernet header: '11' and '12'.
Property | Description |
---|---|
arp (disabled \| enabled \| local-proxy-arp \| proxy-arp \| reply-only; Default: ) | Address Resolution Protocol setting |
arp-timeout (auto \| integer; Default: auto) | How long the ARP record is kept in the ARP table after no packets are received from the IP. Value auto equals the value of arp-timeout in IP/Settings, default is 30s. |
disabled (yes \| no; Default: no) | Changes whether the VLAN interface is disabled. |
interface (name; Default: ) | Name of the interface on top of which the VLAN will work |
mvrp (yes \| no; Default: no) | Specifies whether this VLAN should declare its attributes through Multiple VLAN Registration Protocol (MVRP) as an applicant. It can be used to register the VLAN with connected bridges that support MVRP. This property only has an effect when use-service-tag is disabled. |
mtu (integer; Default: 1500) | Layer 3 Maximum transmission unit |
name (string; Default: ) | Interface name |
use-service-tag (yes \| no; Default: ) | IEEE 802.1ad compatible Service Tag |
vlan-id (integer: 1..4095; Default: 1) | Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN. |
MTU should be set to 1500 bytes, the same as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting full-size Ethernet packets with the VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation, MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over the interface. At the same time, remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.

There are multiple possible configurations that you can use, but each configuration type is designed for a specific set of devices, since some configuration methods will give you the benefits of the built-in switch chip and gain larger throughput. Check the Basic VLAN switching guide to see which configuration to use for each type of device to gain the maximum possible throughput and compatibility; the guide shows how to set up a very basic VLAN trunk/access port configuration.

There are some other ways to set up VLAN tagging or VLAN switching, but the recommended way is to use Bridge VLAN Filtering. Make sure you have not used any known Layer 2 misconfigurations.

Let us assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer device (if there is a hub between routers, then from the L3 point of view it is the same as an Ethernet cable connection between them). For simplification, assume that all routers are connected to the hub using the ether1 interface and have assigned IP addresses as illustrated in the figure below. Then on each of them the VLAN interface is created.
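To make the tag layout concrete, here is an added Python example (not RouterOS code and not from the original page) that builds and parses 802.1Q / Q-in-Q frames like the 'vlan2 over vlan1' stack above, flags the reserved VLAN IDs 0, 1 and 4095, and checks the 1500 + 4 per tag + 14 byte frame size from the MTU paragraph. The MAC addresses and payloads are constructed samples; the `service_tag` switch is an assumed stand-in for an outer interface with use-service-tag=yes.

```python
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q customer tag (C-TAG)
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (S-TAG), use-service-tag=yes
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
RESERVED_VIDS = {0, 1, 4095}   # reserved by 802.1Q; avoid in generic setups
ETH_HDR = 14                   # dst MAC + src MAC + EtherType, no FCS
MTU = 1500                     # Layer 3 MTU of the VLAN interface

# Constructed addresses for the sample frames (not from the page's routers).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")

def max_frame_len(n_tags, mtu=MTU):
    """Largest frame on the wire for an MTU-sized payload with n_tags tags:
    1500 data + 14 Ethernet header + 4 bytes per VLAN tag (1518 for one tag)."""
    return mtu + ETH_HDR + 4 * n_tags

def build_frame(vids, service_tag=False, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet frame carrying one tag per VID, outermost first, PCP=0, DEI=0.
    With service_tag=True the outer tag of a stacked frame uses the 802.1ad
    TPID (assumed to model use-service-tag=yes); otherwise every tag is 0x8100."""
    hdr = DST + SRC
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (service_tag and i == 0 and len(vids) > 1) else TPID_8021Q
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Walk the tag stack that follows the two MAC addresses.
    Returns (tags, inner_ethertype, findings); each tag is (tpid, pcp, dei, vid)."""
    tags, findings, off = [], [], 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame: EtherType missing")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            break                      # reached the payload EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated frame: VLAN tag cut short")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        if vid in RESERVED_VIDS:
            findings.append(f"reserved VID {vid} in tag {len(tags)}")
        tags.append((etype, pcp, dei, vid))
        off += 4
    if len(frame) > max_frame_len(len(tags)):
        findings.append(f"frame of {len(frame)} bytes exceeds {max_frame_len(len(tags))}")
    return tags, etype, findings
```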
Configuration for R2 and R4 is shown below:
R2:
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
 #    NAME    MTU   ARP      VLAN-ID  INTERFACE
 0 R  VLAN2   1500  enabled  2        ether1
R4:
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave
 #    NAME    MTU   ARP      VLAN-ID  INTERFACE
 0 R  VLAN2   1500  enabled  2        ether1
The next step is to assign IP addresses to the VLAN interfaces.
R2:
[admin@MikroTik] ip address> add address=10.10.10.3/24 interface=VLAN2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS         NETWORK      BROADCAST     INTERFACE
 0   10.0.1.4/24     10.0.1.0     10.0.1.255    ether1
 1   10.20.0.1/24    10.20.0.0    10.20.0.255   pc1
 2   10.10.10.3/24   10.10.10.0   10.10.10.255  vlan2
[admin@MikroTik] ip address>
R4:
[admin@MikroTik] ip address> add address=10.10.10.5/24 interface=VLAN2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS         NETWORK      BROADCAST     INTERFACE
 0   10.0.1.5/24     10.0.1.0     10.0.1.255    ether1
 1   10.30.0.1/24    10.30.0.0    10.30.0.255   pc2
 2   10.10.10.5/24   10.10.10.0   10.10.10.255  vlan2
[admin@MikroTik] ip address>
At this point it should be possible to ping router R4 from router R2 and vice versa:

Ping from R2 to R4:
[admin@MikroTik] ip address> /ping 10.10.10.5
10.10.10.5 64 byte ping: ttl=255 time=4 ms
10.10.10.5 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/2.5/4 ms

From R4 to R2:
[admin@MikroTik] ip address> /ping 10.10.10.3
10.10.10.3 64 byte ping: ttl=255 time=6 ms
10.10.10.3 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/3.5/6 ms

To make sure the VLAN setup is working properly, try to ping R1 from R2. If the pings time out, then the VLANs are successfully isolated.

From R2 to R1:
[admin@MikroTik] ip address> /ping 10.10.10.2
10.10.10.2 ping timeout
10.10.10.2 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss
If separate VLANs are implemented on a switch, then a router is required to provide communication between VLANs. A switch works at OSI layer 2, so it uses only the Ethernet header to forward and does not check the IP header. For this reason, we must use a router that is working as a gateway for each VLAN. Without a router, a host is unable to communicate outside of its own VLAN. The routing process between VLANs described above is called inter-VLAN communication.

To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three VLANs (VLAN2, VLAN3 and VLAN4) across a single link between a MikroTik router and a manageable switch that supports VLAN trunking.

Each VLAN has its own separate subnet (broadcast domain), as we see in the figure above.

VLAN configuration on most switches is straightforward: basically, we need to define which ports are members of the VLANs and define a 'trunk' port that can carry tagged frames between the switch and the router.
Create VLAN interfaces:
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
Add IP addresses to VLANs:
/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4
In RouterOS, to create a point-to-point tunnel with addresses you have to use an address with a network mask of '/32', which effectively gives you the same features as some vendors' unnumbered IP address.

There are two routers, RouterA and RouterB, which are part of the networks 10.22.0.0/24 and 10.23.0.0/24 respectively. To connect these routers using VLANs as a carrier, use the following configuration:
RouterA:
/ip address add address=10.22.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.22.0.1/32 interface=vlan1 network=10.23.0.1
/ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24
RouterB:
/ip address add address=10.23.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.23.0.1/32 interface=vlan1 network=10.22.0.1
/ip route add gateway=10.22.0.1 dst-address=10.22.0.0/24