For a small network (less than 20 devices) - I have identified a single set of clients that I want to be segregated from the rest of the network. Can I make a single VLAN for those ports/MACs - without configuring VLAN for the remainder of the network? Or once I start down the VLAN path…do I need to place everything in a VLAN (in this case, I’d have at least two, and possibly three if I want a dedicated management VLAN)?
There is the “port based VLAN” and the “tag based VLAN” approach (leaving “protocol based VLAN” aside).
If all the devices to be segregated are connected to the same switching device, a port-based VLAN is the easiest approach - you create a separate bridge and make the interfaces to which those devices are connected member ports of this dedicated bridge. So no configuration related to VLAN tagging and untagging at all.
If you need more than one switching device and you don’t want to spend one interconnection cable and a pair of ports per port-based VLAN, you have to use the “tag based VLAN” approach, but you can still attach the tagged ends of /interface vlan only to the interconnect interfaces and make their untagged ends member ports of the dedicated bridges.
If you want hardware forwarding within both VLANs, you also have to use the “tag based VLAN” approach, plus you have to configure VLAN handling on the switch chip, which may or may not be possible on your Routerboard model.
In short, if you need several separate subnets to go through a single port, vlans are a good path.
If you only have single subnets on ports, no need for vlans.
As Sindy pointed out decisions are also based on what else your router is connected to… (smart switch then all your devices for example, or something else).
Without knowing your requirements and the network infrastructure advice is limited.
Finally, to answer the title: no one can have a mix of vlans and non-vlans in a setup, see previous statement.
Let me try re-phrasing to see if I’ve got this right. For any & all ports involved in VLAN, whether port-based or tag-based, all traffic passing through those ports is, by definition, VLAN traffic? And if the hardware supports it - ports not carrying VLAN traffic are not required to be VLAN.
For my use case, hEX S router, CRS-112-8P-4S switch, I’m still fighting the VoIP fight. I’m trying to segregate the VoIP from the main LAN - and because I have PCs connected through VoIP phones I do not have the option of simple port-based VLAN. Probably part of my struggle to understand is my visualization - I want to process the VoIP traffic separate from the LAN so my initial (novice) thinking is I need a single “special” network. I’m inferring this is wrong - by splitting the network I am creating two independent networks, which means I do have to categorize “regular” traffic in a VLAN, not just the VoIP traffic.
So now I come back to the original question but I’ll alter it slightly. Given:
- “Lots” of regular PCs connected to the switch & router
- “Some” VoIP phones - some isolated to single ports and others shared with PCs
Is it “better” (whether that means resource usage or good defensive admin practice) to place all the PCs in a VLAN, whether or not they “need” it, or should I minimize the VLAN involvement and tag the minimum necessary for function?
Yes and no. At the principle level, a VLAN is exactly a virtual LAN, i.e. one logically separated on the same physical device, no matter how it is technically implemented. In this sense, a port-based VLAN can be set up using some port isolation rules without any need to handle 802.1Q or 802.1ad tags on the frames. At the daily technical level, the use of the term VLAN is often reduced to 802.1Q or 802.1ad tagging and untagging.
This way of describing it is much clearer than the one in the OP.
The following aspects are important:
- it is likely that the VoIP phones send media to each other directly, i.e. use of hardware switching will conserve the CPU resources otherwise needed to bridge the traffic
- some PCs are connected to phones acting as mini-switches and there’s the CRS between the hEX and the phones/PCs, so 802.1Q VLAN tagging has to be used if you want to separate the VoIP network and the regular PC network
What is more important than L2 traffic segregation when it comes to VoIP is QoS handling - VoIP traffic volume is relatively small (up to 80 kbit/s per call per direction unless the V means Video rather than Voice), but not only dropped packets but even delayed packets affect the user satisfaction. So a VoIP packet always has to have priority over, say, a file download packet. With traditional switches, and this includes CRS112, the QoS handling can be set up in hardware, and classification of traffic by VLAN ID may sometimes be a simpler way than to process the priority field of 802.1Q frames and/or the DSCP fields of the IP packets they carry, but sometimes it is an additional burden, and provisioning the phones to set the right DSCP/TOS and/or 802.1Q priority field values is simpler as the switch can respect them directly.
By the above I’m trying to say that L2 traffic segregation is more a tool to make the network more structured than something you would really need, that is, until we talk about tens or more switches with redundant interconnects and strict assignment of their ports to purposes and/or with 802.1X security.
So you can choose your approach starting from simple and messy (keep the PCs and the phones in a single common IP subnet), through using a different IP subnet for each device category but still using a single common (V)LAN for both, up to the “defensive” and structured way of dedicating a VLAN to each subnet; within the latter, you may even put the PCs of the commercial department into a dedicated VLAN and subnet so that you could use firewall rules on the router to prevent other departments from accessing the PCs of the commercial department directly on L2, i.e. bypassing the router and hence the firewall. But even if you decide not to use VLANs, you still have to handle QoS.
And if you do choose the VLAN approach, then yes, it must be an 802.1Q tag based one because you have to send multiple VLANs on the single cable between the hEX and the CRS and also on the single cables between the CRS and the phones with PCs connected to their other ports. On the CRS, it definitely has to be the single bridge approach; on the hEX, you may use both the “one common bridge for all VLANs” approach as well as the “one bridge per each VLAN” one depending on how you use its individual Ethernet interfaces. If it acts only as a router, attaching /interface vlan to the Ethernet interface to which the CRS is connected and attaching IP configuration to that /interface vlan may be sufficient. But even on the hEX you need to take care about priority - if the PBX is connected to the hEX rather than directly to the CRS, all the egress traffic from the hEX towards the CRS, regardless of the VLAN tag, must share the same parent queue and have different priority within that queue.
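The “one parent queue, different priority inside it” point above, written out as an added RouterOS example for the hEX side (this is not Sindy’s configuration and not a MikroTik-supplied one). It assumes that vlan10-lan and vlan30-voip are the /interface vlan children on the hEX port that faces the CRS, that the phones and the PBX mark voice packets with DSCP 46 (EF) as discussed, and that 900M is a placeholder ceiling for a gigabit link; all three are assumptions, not values from the thread.

```routeros
# Added example, not from the thread: hEX egress towards the CRS with one
# parent queue shared by both VLANs and different priority inside it.
# Assumed names/values: vlan10-lan, vlan30-voip (the /interface vlan
# children on the port facing the CRS), DSCP 46 for voice, 900M ceiling.

# Group the VLAN interfaces that leave via the same physical cable
/interface list
add name=to-crs
/interface list member
add list=to-crs interface=vlan10-lan
add list=to-crs interface=vlan30-voip

# Classify in postrouting: voice first, everything else second.
# passthrough=no stops a matched packet from being re-marked by the next rule.
/ip firewall mangle
add chain=postrouting out-interface-list=to-crs dscp=46 action=mark-packet new-packet-mark=voip passthrough=no comment="voice (EF)"
add chain=postrouting out-interface-list=to-crs action=mark-packet new-packet-mark=bulk passthrough=no comment="everything else towards the CRS"

# One parent queue with a ceiling slightly below the link rate, so any
# backlog forms here (where priority is enforced) and not in the CRS.
# In a RouterOS queue tree priority=1 is the highest and 8 the lowest.
/queue tree
add name=to-crs parent=global max-limit=900M
add name=to-crs-voip parent=to-crs packet-mark=voip priority=1
add name=to-crs-bulk parent=to-crs packet-mark=bulk priority=8
```

Because the parent is a single queue with a ceiling, a file download in VLAN 10 and a call in VLAN 30 compete in the same place and the voice child wins on priority; without the shared parent each VLAN would be queued independently and the priority field would never matter. If the phones do not set DSCP, the first mangle rule can match on dst-port or src-address of the PBX instead, which is less precise but keeps the rest unchanged.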
Having a combo device (VoIP phone and PC) is tricky, and with the new method of VLAN filtering on the bridge it is possible as a hybrid port setup.
Basically the PC gets the untagged VLAN traffic and the VoIP phone gets the tagged VLAN traffic.
The port looks like a trunk port on the ingress side (bridge ports) but on the egress side (bridge vlans) one identifies the untagged port appropriately.
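The hybrid port described above, as an added RouterOS bridge VLAN filtering example for the CRS (not the poster’s own configuration and not taken from MikroTik documentation). It assumes ether1 carries a phone with a PC behind it, sfp12 is the trunk to the hEX, VLAN 30 is VoIP and VLAN 10 is the PC LAN, and that the CRS is managed through VLAN 10; the VLAN IDs and the management choice are assumptions.

```routeros
# Added example, not from the thread: CRS bridge VLAN filtering with one
# hybrid port (phone + PC) and one trunk to the router.
# Assumed: ether1 = phone with PC behind it, sfp12 = uplink to the hEX,
# VLAN 10 = PC LAN and management, VLAN 30 = VoIP (IDs are assumptions).

/interface bridge
add name=bridge1 vlan-filtering=no comment="turn filtering on last"

/interface bridge port
# Hybrid port: untagged frames from the PC land in VLAN 10 (the pvid);
# frames the phone tags with VLAN 30 are admitted as tagged.
add bridge=bridge1 interface=ether1 pvid=10 ingress-filtering=yes
# Trunk: only tagged frames are expected, so a stray untagged device on
# the uplink cannot land in the pvid VLAN.
add bridge=bridge1 interface=sfp12 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 10 leaves ether1 untagged (the PC sees plain frames), leaves the
# trunk tagged, and is tagged on bridge1 itself so the CRS can be managed.
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp12 untagged=ether1
# VLAN 30 leaves both ports tagged; the phone untags it for itself.
add bridge=bridge1 vlan-ids=30 tagged=sfp12,ether1

# Management address of the CRS on VLAN 10 (address is an assumption)
/interface vlan
add name=mgmt10 interface=bridge1 vlan-id=10
/ip address
add address=192.168.0.9/24 interface=mgmt10

# Only now enable filtering; doing it before the table above is complete
# cuts the management path.
/interface bridge
set bridge1 vlan-filtering=yes
```

With this in place, `/interface bridge host print` should show the phone’s MAC learned with VID 30 and the PC’s MAC with VID 10 on the same ether1, which is the quickest way to confirm the phone really is tagging. Whether a CRS112 keeps this path in hardware depends on the RouterOS version; the H flag in `/interface bridge port print` shows which ports are offloaded. The ether1 side only works if the phone is configured to tag its own voice traffic with VLAN 30 and pass the PC port through untagged.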
I’m almost, almost, almost there (theoretically - not functionally) - but I’m still lost on the actual config. So I will ask this:
Given CRS112-8P-4S:
ether1 - VoIP phone, MAC 00:a8:59:f6:b2:de, IP 192.168.11.141 - also a PC with 192.168.0.x
ether4 - VoIP and VoIP DHCP server 192.168.11.1 MAC 00:E0:6F:12:80:06
sfp12 - hex S router
Other ports have a mix of devices. All VoIP devices for network are on this CRS.
All CRS ports in bridge, bridge IP’s 192.168.0.9/24 & 192.168.11.9/24 (dunno if the 11 is needed).
hEX S has IP’s 192.168.0.1/24 and 192.168.11.10/24
How can I place all VoIP devices in VLAN-30 based on their MAC? I’ve got as far as:
/interface ethernet switch mac-based-vlan
add new-customer-vid=30 src-mac-address=00:E0:6F:12:80:06
add new-customer-vid=30 src-mac-address=00:A8:59:F6:B2:DE
and then I assume I need:
/interface ethernet switch port
set ether1 allow-fdb-based-vlan-translate=yes
set ether4 allow-fdb-based-vlan-translate=yes
pause here - I assume I only need to set this for VoIP connected ports.
And now…I’m stuck. Egress/Ingress tags & translation - I don’t know what to do. And then do I need some kind of default processing to place all traffic not matched by MAC’s into the “primary” VLAN? I’m lost here - I can’t find any examples, much less theory discussion, for this kind of setup (at least none that I’ve understood).
What has made you choose MAC-based VLAN? All the VoIP phones equipped with two Ethernet ports normally support VLAN tagging and untagging, so you can configure on them which VLAN ID to use for signalling (SIP), media (RTP) and the PC port, and which of them to send/expect tagless on the uplink port.
Two reasons:
- That will require additional config on the phones, and the VoIP server, and I don’t know that I have control over that (actually, I do, I just would rather not fight it with my current provider).
- The only way to learn is to do - and I bought this Mikrotik equipment specifically to be able to support such configuration.
And I still need to learn VLAN either way - this is “simply” adding the MAC-specific processing (which I really do want to implement). Can you please show me the required rules?
It doesn’t require any additional config at the VoIP PBX (server) unless you need it to have several VLANs on the same physical interface. If it uses a single IP subnet on each interface, you can provide the tagging/untagging on the switch port to which it is connected. The phones are another story, they act as switches themselves, so yes, there you need to configure this part.
I cannot unfortunately, as all my experience is based on the hXY devices and CHRs - I’ve never seriously configured a CRS, let alone this extreme way.