Inter-VLAN Communication

I have a RuggedCom managed switch, RSG2100, setup with 3 VLANs on various ports. I also have a PC connected to that switch, and it needs to send/receive UDP packets with devices on all 3 VLANs – however, it’s limited to having its port assigned to only a single VLAN.

In order to have the UDP packets travel back and forth from one VLAN to another, I attached a Mikrotik RB411 router.

I’m new to networking and have not yet succeeded at configuring the RB411, despite following the following MikroTik article which includes information on inter-VLAN communication:
http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

I would appreciate insights from anyone about this.

Thanks!

Here’s some info of my setup:

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    192.168.88.255  ether1
 1   10.0.34.1/32       10.0.34.1       10.0.34.255     VLAN 502
 2   10.0.34.2/32       10.0.34.2       10.0.34.255     VLAN 501
 3 X 10.0.34.32/32      10.0.34.0       10.0.34.32      ether1
 4   10.0.34.11/32      10.0.34.0       10.0.34.255     VLAN 502
 5   10.0.34.12/32      10.0.34.0       10.0.34.255     VLAN 501
 6   10.0.34.30/32      10.0.34.30      10.0.34.255     VLAN 2
 7   10.0.34.3/32       10.0.34.3       10.0.34.3       VLAN 2
 8   10.0.34.4/32       10.0.34.4       10.0.34.4       VLAN 2

[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                        TYPE             MTU   L2MTU
 0  R  ether1                                      ether            1500  1526
 1  R  VLAN 501                                    vlan             1496  1522
 2  R  VLAN 502                                    vlan             1496  1522
 3  R  VLAN 1                                      vlan             1496  1522
 4  R  VLAN 2                                      vlan             1496  1522

[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.0.34.0/32       10.0.34.12      VLAN 501           0
 1  DC  10.0.34.0/32       10.0.34.11      VLAN 502           0
 2 ADC  10.0.34.1/32       10.0.34.1       VLAN 502           0
 3 ADC  10.0.34.2/32       10.0.34.2       VLAN 501           0
 4 ADC  10.0.34.3/32       10.0.34.3       VLAN 2             0
 5 ADC  10.0.34.4/32       10.0.34.4       VLAN 2             0
 6 ADC  10.0.34.30/32      10.0.34.30      VLAN 2             0
 7 ADC  192.168.88.0/24    192.168.88.1    ether1             0

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic

There is no firewall setup.

I also have a PC connected to that switch, and it needs to send/receive UDP packets with devices on all 3 VLANs – however, it’s limited to having its port assigned to only a single VLAN.

That’s mutually exclusive. If the PC can only be on one VLAN, it can’t receive packets in three VLANs. A host has to be on a broadcast domain in order to receive packets on that broadcast domain.

Also, assigning /32s to VLAN interfaces on a router doesn’t make sense.

Hm… so what’s the point of “inter-VLAN communication” if devices cannot receive packets on multiple VLANs? Note that all the devices are on the same broadcast domain… 10.0.34.xx

I should add something I omitted earlier – the port to which the PC is connected is a trunk port, in case that makes any difference.

As for the 32s, I used Winbox to setup that configuration, and didn’t specifically try to use 32s. :confused:

VLANs are for separating broadcast domains. Each VLAN is its own broadcast domain, by definition. There’s no point in having three VLANs and expect all of them to have the same IP space because each VLAN is a different network, just as if it was a physically completely separate, unconnected network. The point of having inter-VLAN routing is to connect the different broadcast domains together via layer 3 routing. I think you’re confused as to what VLANs are. What are you actually trying to achieve? Going on what little information has been posted so far VLANs don’t seem to be the solution to whatever problem you’re trying to address.

When you add IP addresses in RouterOS and don’t specify a subnet mask it assumes you mean a /32 host address. In this case this saved your butt, because adding 10.0.32.1/24 on VLAN 501 and 10.0.32.2/24 on VLAN 502 would leave the router severely confused because you would have overlapping address space on two distinct networks. Where should it send traffic for 10.0.32.100? Out VLAN 501, or out VLAN 502?

I should have taken more time preparing to explain my problem prior to my first post. Apologies. :slight_smile:

My system is a closed system, there is no internet access and there are no human users. All the devices are assigned static IP Addresses and each device is attached to a specific port on a layer-2 switch.

Please refer to the attached diagram as a reference for the following description:
Inter-VLAN Communication.pdf (30.2 KB)
IED 1 and IED 3 continually communicate with each other by broadcasting a flood of UDP packets. They do not and cannot know each other’s IP Addresses. Only IED 1 and IED 3 are interested in these packets, and so a VLAN is setup that includes only the ports these two devices are connected to.

Likewise, IED 2 and IED 4 work together in the same way and have their own separate VLAN.

PC 1 needs to send TCP packets to IED 1, IED 2, and IED 5 and receive TCP packets in response. Each of these IED’s is on a different VLAN for isolation from the UDP packet floods.

Likewise, PC 2 needs to do the same thing with IED 3, IED 4, and IED 6.

My problem is: how can I get each of the PC’s to communicate with their respective IED’s given the above scenario?

And what operating system is that PC running? Is it running RouterOS?

If yes, you’re down the right track with VLANs. You configure a trunk on the switch, connect the RouterOS PC to it, and create VLAN interfaces attached to the physical interface connected to the switch. However, and this is potentially the tricky part, you cannot have overlapping IP addresses. You need one dedicated IP network for each VLAN. You need to assign IP addresses to the VLAN interfaces, and you need to assign them with the proper subnet mask (not a /32 - a /29 at minimum if the PC needs to connect to two devices per VLAN because that is the smallest subnet size that can accommodate 3 hosts). That may require you to re-IP the unicast IP addresses on the IED devices.

Think about it this way - this doesn’t reflect your network topology: If you have device 1 and 2 as 10.0.0.2/24 and 10.0.0.3/24 on VLAN 2 and device 3 and device 4 as 10.0.0.4/24 and 10.0.0.5/24 on VLAN 3 that’s fine as long as those VLANs don’t connect to one another. Once you have a PC with RouterOS connected to both and assign it 10.0.0.1/24 on VLAN 2 and 10.0.0.6/24, what interface should it use to send a packet to 10.0.0.2? Both VLAN interfaces connect to the network containing that IP address. That’s why you can’t use overlapping IP space. It’s impossible to make a decision on where to send a unicast packet (which is only sent once) when there are two possible interfaces to send it out of.
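The following is an added example, not code from the thread or from MikroTik, that models the two points made in the replies above: RouterOS turns an address entered without a mask into a /32 host address, and two VLAN interfaces carrying overlapping subnets leave the router with no sound basis for choosing an egress interface. The interface names, the three address plans and the helper names (`connected_routes`, `lookup`, `overlapping_prefixes`, `egress_interfaces`) are all constructed for illustration; the lookup is a plain longest-prefix match that reports every tied candidate instead of silently picking one.

```python
# Added example, not from the thread or MikroTik: a small model of RouterOS-style
# connected routes used to show why the addressing advice above matters.
# Interface names and the three address plans are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectedRoute:
    prefix: ipaddress.IPv4Network      # the connected network (DST-ADDRESS)
    pref_src: ipaddress.IPv4Address    # the router's own address (PREF-SRC)
    interface: str                     # egress interface (VLAN interface name)


def parse_address(text: str) -> ipaddress.IPv4Interface:
    """Mirror the RouterOS behaviour described in the thread: an address
    entered without a prefix length is treated as a /32 host address."""
    if "/" not in text:
        text = text + "/32"
    return ipaddress.ip_interface(text)


def connected_routes(assignments):
    """assignments: iterable of (address_text, interface_name).
    Returns the connected routes the router would install (one per address)."""
    routes = []
    for addr_text, iface in assignments:
        ifaddr = parse_address(addr_text)
        routes.append(ConnectedRoute(ifaddr.network, ifaddr.ip, iface))
    return routes


def lookup(routes, dst: str):
    """Longest-prefix match for a unicast destination.
    Returns every connected route at the best prefix length; more than one
    entry means two interfaces both claim the destination and the router has
    no sound basis for choosing between them."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.prefix]
    if not matches:
        return []
    best = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == best]


def overlapping_prefixes(routes):
    """Pairs of connected routes on different interfaces whose prefixes overlap.
    An empty list means each VLAN has its own dedicated IP network."""
    found = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a.interface != b.interface and a.prefix.overlaps(b.prefix):
                found.append((a, b))
    return found


def egress_interfaces(assignments, dst: str):
    """Names of the interfaces that would carry unicast traffic to dst."""
    return [r.interface for r in lookup(connected_routes(assignments), dst)]


# Constructed address plans.
# 1. The same /24 on two VLAN interfaces, as in the reply's example.
OVERLAPPING_PLAN = [("10.0.0.1/24", "VLAN 2"), ("10.0.0.6/24", "VLAN 3")]
# 2. Addresses entered without a mask, which RouterOS stores as /32s: the
#    router can reach only itself, never the IEDs behind each VLAN.
HOST_ONLY_PLAN = [("10.0.34.1", "VLAN 502"), ("10.0.34.2", "VLAN 501")]
# 3. One dedicated /29 per VLAN (8 addresses, 6 usable hosts each).
DEDICATED_PLAN = [("10.0.34.1/29", "VLAN 501"), ("10.0.34.9/29", "VLAN 502")]


if __name__ == "__main__":
    for name, plan in (("overlapping", OVERLAPPING_PLAN),
                       ("host-only", HOST_ONLY_PLAN),
                       ("dedicated", DEDICATED_PLAN)):
        routes = connected_routes(plan)
        print(f"--- {name} plan ---")
        for r in routes:
            print(f"  {str(r.prefix):18} pref-src {str(r.pref_src):12} via {r.interface}")
        overlaps = [(a.interface, b.interface) for a, b in overlapping_prefixes(routes)]
        print("  overlapping interfaces:", overlaps)
        for dst in ("10.0.0.2", "10.0.34.2", "10.0.34.10"):
            print(f"  to {dst}: {egress_interfaces(plan, dst)}")
```

Running it prints, for the overlapping plan, two candidate interfaces for 10.0.0.2 and one overlapping pair; for the host-only plan, no connected route at all for anything except the router's own two addresses; and for the dedicated /29 plan, exactly one interface per destination and no overlaps. The third plan is the shape the reply recommends: re-IP the IEDs so that each VLAN is its own network and the router can forward between them unambiguously.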

Those PC’s are running Windows CE, actually. That diagram doesn’t include any device running RouterOS; I have a MikroTik RB411 that I’m hoping to utilize in order to resolve my problem.

An RB411 would make an extraordinarily poor choice as the switch device in your diagram because it’s an AP/router, not a switch. You should buy a VLAN capable switch, which is the exact device perfectly suited for that task.

However, I don’t think Windows CE is VLAN capable. If you can’t put VLAN interfaces on the Windows CE PC, the entire project is moot. Your first step should be figuring out whether the Windows CE PC can be used in the way you’re planning to - but this forum isn’t a good place for that as this forum is about RouterOS. Then you’d buy any VLAN capable switch. You could possibly use an RB250GS for that, running SwOS (not RouterOS).

The switch in my diagram is a level-2 device, a RuggedCom RSG2100. The PC is an industrial PC running Windows CE. The IED’s are all proprietary devices manufactured by the company I work for.

The RSG2100’s are configured with VLANs as I described earlier, and those VLANs are working perfectly – communications work as expected between IEDs.

The part that doesn’t work is for the PC to communicate with the IEDs that are on a different VLAN than the PC. I think that what I need is for a VLAN tag to be inserted where it needs to be in order for the RSG2100 to route packets to the appropriate IED. But, apparently Windows CE can’t do it… at least I haven’t been able to find a way. Windows CE does not support VLAN tagging, which is what led me to investigate the MikroTik products.

I’m trying to figure out a way to use an RB411 to effectively provide the appropriate routing for packets between the PC and the IEDs, even though the PC and those IEDs are on different VLANs. I have a great deal of flexibility as far as assignment of IP Addresses – I can pretty much use whatever addresses I want for all the devices.

Can you suggest a scheme that might better resolve my issue? Am I far off the mark in thinking that the RB411 could provide what I need?

Thanks. :slight_smile:

I can’t think of anything that would help you resolve that problem, whether it’s RouterOS based or something else. The crucial thing is that the PC that has to talk to multiple VLANs has to be capable of VLAN interfaces if you need to maintain separation between VLANs, which you do.

Why would you put PC1 and PC2 on a trunk port? I did a quick look at the switch specs and it looks like you can have multiple VLANs on a port. You should untag / remove trunking from the PC 1 and 2 ports and just add the appropriate VLAN to those ports that correspond with the IED’s.

With that switch, the only way to put multiple VLANs on a port is to make it a trunk port.

I was doing that in order for the PC to receive packets from all the VLANs.

If I can get the router to route packets across VLANs then I wouldn’t need the PCs to be on trunk ports, I suppose.

I changed my network configuration to be as follows:
VLAN 501 includes two IED’s at IP addresses 10.0.34.1 and 10.0.63.2.
VLAN 502 includes two IED’s at IP addresses 10.0.34.2 and 10.0.62.1.

I observed the following network behavior:
Each pair of IED’s that are on the same VLAN successfully send/receive UDP broadcast packets. Just to be clear, because I’m new at networking, by this I mean IP address 255.255.255.255. These broadcasts are restricted within the VLAN, that is, they don’t propagate to the IED’s on the other VLAN.

So even though two IED’s reside on different subnets, they are able to communicate via UDP broadcast as long as they’re on the same VLAN.

This is part of the network behavior that I’m striving to achieve.

The part I haven’t got working yet is for the PC to be able to communicate with each of those IED’s despite the fact that the PC and the IED’s reside on different VLANs. (new readers please refer to diagram attached to earlier post)

Does anyone have any further thoughts about this?

Thanks! :confused:

you need UDP broadcast? => everything should be in one VLAN!
you have one big bridge with everything, Switch1 and Switch2 being RouterOS devices? => you can do everything you want with Bridge Filter rules! just allow necessary traffic and then deny all the rest…