tishri
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Oct 03, 2009 4:13 pm
Location: Philippines

CISCO route-map equivalent

Sun Feb 05, 2017 5:50 am

Hi,

In Cisco routers there is a command called route-map, where you provide an access-list of allowed subnets that is pointed to the next-hop router. Anything that doesn't match the access-list will be discarded. This setup is targeted at a huge number of VLANs. Each VLAN interface has its own allowed subnets. I tried using ip-firewall but it looks messy because I have to define many rules per interface. Is there a simpler approach using ip-mangle?

I would like to know if there is something similar to this in mikrotik.

Please provide an optimized sample configuration having multiple allowed subnets per vlan interface.

Thanks,
TCC
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: CISCO route-map equivalent

Sun Feb 05, 2017 10:38 am

Hi, sorry, but there is no equivalent of ACLs or "routing groups", aka route-map, in RouterOS; you have to set them up manually. I recommend scripting using address-lists and interface-lists for a large number of VLANs...
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: CISCO route-map equivalent

Wed Feb 22, 2017 3:59 am

Hello,

I suppose what you want to do is allow only specific subnets into or out of a VLAN. In case you have not done this yet, you can use address lists and specify a subnet.

Say :

10.0.0.0/16
10.1.0.0/16

are the only subnets allowed towards the vlan443 interface (as in, only traffic sourced from these can go through that interface), you could write a rule using an address list like this:
 
/ip firewall address-list add list=allowed443 address=10.0.0.0/16
/ip firewall address-list add list=allowed443 address=10.1.0.0/16

# drop forwarded traffic towards vlan443 unless its source is in the list
/ip firewall filter add chain=forward action=drop out-interface=vlan443 src-address-list=!allowed443



Sent from my SAMSUNG-SM-G920A via Tapatalk
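Larsa's suggestion to script the address-lists and the one-rule-per-VLAN pattern in the post above, as an added example that is not part of the thread: a Python generator that turns a VLAN-to-subnets mapping into RouterOS v6 address-list entries plus exactly one drop rule per VLAN, so the firewall grows with the number of VLANs rather than VLANs times subnets. It also generalizes to the ingress direction (the Cisco "access-group in" case) and refuses host addresses with a prefix length, since a typo there silently changes the policy. The VLAN names and subnets in POLICY are constructed sample data, and the "allowed-" list-name prefix is this script's own convention.

```python
"""Generate per-VLAN RouterOS v6 address-lists and one drop rule per VLAN.

Added example, not code from the forum thread. The VLAN names and subnets in
POLICY are constructed sample data; the list-name prefix 'allowed-' and the
rule comments are this script's own conventions.
"""
import ipaddress

# Constructed sample policy: VLAN interface -> subnets allowed through it.
POLICY = {
    "vlan443": ["10.0.0.0/16", "10.1.0.0/16"],
    "vlan444": ["10.2.0.0/16"],
    "vlan445": ["10.0.0.0/16", "10.3.0.0/24", "192.168.50.0/24"],
}


def list_name(iface):
    """Address-list name derived from the interface name (script convention)."""
    return "allowed-" + iface


def invalid_entries(policy):
    """Return entries that are not clean network prefixes (e.g. 10.0.0.1/16).

    A host address with a prefix length is ambiguous (was the /16 or the host
    meant?), so fail closed before generating anything.
    """
    bad = []
    for subnets in policy.values():
        for s in subnets:
            try:
                ipaddress.ip_network(s, strict=True)
            except ValueError:
                bad.append(s)
    return bad


def address_list_cmds(policy):
    """One /ip firewall address-list entry per (VLAN, subnet)."""
    bad = invalid_entries(policy)
    if bad:
        raise ValueError("not a network prefix: " + ", ".join(bad))
    cmds = []
    for iface, subnets in policy.items():
        for s in subnets:
            net = ipaddress.ip_network(s, strict=True)
            cmds.append(
                f"/ip firewall address-list add list={list_name(iface)} address={net}"
            )
    return cmds


def filter_cmds(policy, direction="out"):
    """One drop rule per VLAN; rules scale with VLAN count, not subnet count.

    direction="out": drop forwarded packets leaving toward the VLAN unless the
      source is in that VLAN's list (the rule shaoranrch posted).
    direction="in":  drop forwarded packets entering from the VLAN unless the
      source is in that VLAN's list (ingress anti-spoofing, like a Cisco
      'ip access-group <acl> in' on the VLAN interface).
    Only chain=forward is covered; traffic addressed to the router itself goes
    through chain=input and needs its own rules.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    cmds = []
    for iface in policy:
        cmds.append(
            f"/ip firewall filter add chain=forward {direction}-interface={iface} "
            f"src-address-list=!{list_name(iface)} action=drop "
            f'comment="{direction}bound policy for {iface}"'
        )
    return cmds


def rule_count(policy):
    """Number of filter rules the policy produces (one per VLAN)."""
    return len(filter_cmds(policy))


if __name__ == "__main__":
    for line in address_list_cmds(POLICY) + filter_cmds(POLICY):
        print(line)
```

The generated filter rules are appended to the end of the forward chain; on a router that already has a general accept rule there, add them with place-before= so they are evaluated first, otherwise they never match.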
 
tishri
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Oct 03, 2009 4:13 pm
Location: Philippines

Re: CISCO route-map equivalent

Fri Feb 24, 2017 11:10 am

Hi,

Thanks for the reply.

The Cisco route-map controls traffic via the routing table. This means that if a match is found, the traffic will be allowed to use a certain routing table. What you are actually trying to do is equivalent to Cisco's "access-group <ACL> in/out".

:)
 
AldoJimenez
Trainer
Posts: 30
Joined: Fri Feb 12, 2016 11:49 pm

Re: CISCO route-map equivalent

Fri Feb 24, 2017 4:33 pm

You can use a combination of Routing Filters, Routing Rules and Mangle Rules to accomplish this with separate routing tables.

https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters
https://wiki.mikrotik.com/wiki/Manual:R ... le_Matcher
 
tishri
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Oct 03, 2009 4:13 pm
Location: Philippines

Re: CISCO route-map equivalent

Sat Feb 25, 2017 1:57 pm

This is a sample config from the Cisco website. Can you help me translate these instructions to the MikroTik equivalent?


interface Serial0
 ip address 172.16.5.1 255.255.255.0
 ip policy route-map Sally
!
access-list 1 permit 172.16.6.0 0.0.0.255
access-list 2 permit 172.16.7.0 0.0.0.255
!
route-map Sally permit 10
 match ip address 1
 set ip next-hop 172.16.4.2
!
route-map Sally permit 15
 match ip address 2
 set ip next-hop 172.16.4.3
 
shaoranrch
Member Candidate
Posts: 184
Joined: Thu Feb 13, 2014 8:03 pm

Re: CISCO route-map equivalent

Sat Feb 25, 2017 2:17 pm

You could do something like this:
 
# one default route per routing mark, pointing at the route-map's next-hop
/ip route add dst-address=0.0.0.0/0 gateway=172.16.4.2 routing-mark=list1
/ip route add dst-address=0.0.0.0/0 gateway=172.16.4.3 routing-mark=list2

# mark packets by source address like the access-lists do; replace serial0
# with the RouterOS name of the ingress interface
/ip firewall mangle add chain=prerouting in-interface=serial0 src-address=172.16.6.0/24 action=mark-routing new-routing-mark=list1
/ip firewall mangle add chain=prerouting in-interface=serial0 src-address=172.16.7.0/24 action=mark-routing new-routing-mark=list2

There may be errors with the syntax but that's the general idea



Sent from my SAMSUNG-SM-G920A via Tapatalk
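The route-map to routing-mark translation in the post above, as an added example that is not part of the thread: a Python script that emits the RouterOS v6 route and mangle commands for each route-map sequence and also models the decision the generated rules make for a given source address, so the first-match ordering (and the fall-through to the main table for unmatched sources) can be checked before anything is pasted into a router. ROUTE_MAP reproduces the Cisco sample from the thread; the ingress interface name "ether1", the mark names "pbr-seqNN", the use of passthrough=no and check-gateway=ping are this script's own choices. It uses v6 syntax (routing-mark= on the route); RouterOS v7 needs /routing table add name=... fib and routing-table= on the route instead.

```python
"""Translate a Cisco PBR route-map (match source ACL, set next-hop) into
RouterOS v6 routing-mark commands, and model the resulting decision.

Added example, not code from the forum thread. ROUTE_MAP reproduces the
Cisco sample posted above; IN_IFACE ('ether1') and the mark names 'pbr-seqNN'
are assumptions of this script.
"""
import ipaddress

# Route-map "Sally" in sequence order: (sequence, source prefix, next hop).
ROUTE_MAP = [
    (10, "172.16.6.0/24", "172.16.4.2"),
    (15, "172.16.7.0/24", "172.16.4.3"),
]
IN_IFACE = "ether1"  # assumption: interface where 'ip policy route-map' applies


def mark_for(seq):
    """Routing-mark name for a route-map sequence number (script convention)."""
    return f"pbr-seq{seq}"


def classify(route_map, src_ip):
    """Routing mark a packet from src_ip receives; None means the main table.

    Mirrors both the route-map and the generated mangle rules: entries are
    tried in sequence order and the first match wins.
    """
    addr = ipaddress.ip_address(src_ip)
    for seq, prefix, _nexthop in route_map:
        if addr in ipaddress.ip_network(prefix, strict=True):
            return mark_for(seq)
    return None


def routeros_cmds(route_map, in_iface):
    """Routes first (one per mark), then mangle rules in route-map order."""
    cmds = []
    for seq, _prefix, nexthop in route_map:
        # check-gateway=ping deactivates the route when the next hop stops
        # answering, instead of sending the marked traffic into a dead hop.
        cmds.append(
            f"/ip route add dst-address=0.0.0.0/0 gateway={nexthop} "
            f"routing-mark={mark_for(seq)} check-gateway=ping "
            f'comment="route-map Sally seq {seq}"'
        )
    for seq, prefix, _nexthop in route_map:
        net = ipaddress.ip_network(prefix, strict=True)
        # passthrough=no stops at the first matching rule, as a route-map does;
        # with the default passthrough=yes a later, broader rule would
        # overwrite the mark set by an earlier, more specific one.
        cmds.append(
            f"/ip firewall mangle add chain=prerouting in-interface={in_iface} "
            f"src-address={net} action=mark-routing "
            f"new-routing-mark={mark_for(seq)} passthrough=no "
            f'comment="route-map Sally seq {seq}"'
        )
    return cmds


if __name__ == "__main__":
    for line in routeros_cmds(ROUTE_MAP, IN_IFACE):
        print(line)
```

classify() is the check to run on a larger route-map with overlapping prefixes: if a more specific entry sits after a broader one, it is shadowed in the route-map and, with passthrough=no, in the generated mangle rules as well.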
 
tishri
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Oct 03, 2009 4:13 pm
Location: Philippines

Re: CISCO route-map equivalent

Sun Feb 26, 2017 1:38 pm

Thanks..:)
 
AldoJimenez
Trainer
Posts: 30
Joined: Fri Feb 12, 2016 11:49 pm

Re: CISCO route-map equivalent

Mon Feb 27, 2017 6:29 pm

I can't improve on @shaoranrch.

Here is an alternative if you want to use VLANs and VRFs on the same router. The last two routes are for redistributing into your IGP, and from there you can use Route Filters to do any further manipulation of route information. Obviously there are a few different ways to accomplish what you want to do depending on complexity, your specific design, etc.

Again, if what you are trying to accomplish mirrors the Cisco config that you pasted, then @shaoranrch's post will be the best solution.

Hope this helps and best of luck!
/ip address
add address=172.16.6.1/24 interface=vlan200 network=172.16.6.0
add address=172.16.7.1/24 interface=vlan300 network=172.16.7.0

# one VRF per VLAN; each VRF gets its own routing table (routing-mark)
/ip route vrf
add export-route-targets=200:0 import-route-targets=200:0 interfaces=vlan200 route-distinguisher=200:0 routing-mark=VLAN200
add export-route-targets=300:0 import-route-targets=300:0 interfaces=vlan300 route-distinguisher=300:0 routing-mark=VLAN300

/ip route
# default route inside each VRF, next-hop resolved through the main table
add distance=1 gateway=172.16.4.2@main routing-mark=VLAN200
add distance=1 gateway=172.16.4.3@main routing-mark=VLAN300
# the VLAN subnets in the main table, for redistribution into the IGP
add distance=1 dst-address=172.16.6.0/24 gateway=vlan200
add distance=1 dst-address=172.16.7.0/24 gateway=vlan300




 
tishri
Frequent Visitor
Topic Author
Posts: 56
Joined: Sat Oct 03, 2009 4:13 pm
Location: Philippines

Re: CISCO route-map equivalent

Mon Mar 06, 2017 9:52 am

thanks @AldoJimenez
I might try using VRF.
