VLAN Configuration

Hello,


I am new to MikroTik routers. I have a RB1100ahx2 with OS 6.34. I do not really understand VLAN configuration. Where should I configure it, because there are some VLAN settings under /interface ethernet switch and also under /interface vlan? In what way do these two differ?

What are you planning to accomplish? I am very new at this, but I might be able to help. Your router has two switch chips to do some of the VLANs through them. When you use the chip instead of using bridges, you gain some speed and the router is not loaded as much. The first chip is connected to the first five ethernet ports, and the other chip is connected to the next five ports. There is a diagram of some of the special chips in the router you have.

http://i.mt.lv/routerboard/files/rb1100ug.pdf

So. I am going to give you an example of how you should use the switch chip to create and manage some VLANs.

Let’s say that you want to create four VLANs, VLAN10-40. For the sake of an easy example, the IP range of the VLANs will be something like 10.10.10.0/24, 10.10.20.0/24, etc. and the vlan-ids will be 10-40.

The first thing you do is pick a master port, and then add slaves. This master port will enable the switch chip and make your router work more like a switch.

/interface ethernet
set [ find default-name=ether1 ] comment="Some Trunk - VLAN 10,30,40"
set [ find default-name=ether2 ] comment="Other Trunk - VLAN 10,20,30" master-port=ether1
set [ find default-name=ether3 ] comment="Direct - VLAN20" master-port=ether1
set [ find default-name=ether4 ] comment="Direct - VLAN40" master-port=ether1
set [ find default-name=ether5 ] comment="Direct - VLAN10" master-port=ether1

Then, you need to create your VLANs. For the sake of clarity, the names will be very simple. Notice how the interface of the VLANs has to be the master port of your ports. This doesn’t mean that all your VLANs are in ether1, but that all of your VLANs are in the switch. You will later see how you decide what goes and doesn’t go in ether1.

/interface vlan
add interface=ether1 name=VLAN10-Example vlan-id=10
add interface=ether1 name=VLAN20-Example vlan-id=20
add interface=ether1 name=VLAN30-Example vlan-id=30
add interface=ether1 name=VLAN40-Example vlan-id=40

I would probably give my VLANs a descriptive name, so instead of VLAN10-Example, I would name it something like VLAN10-Management. Your switch chip (AR8327) uses this configuration to set the switching.

/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure

Here is where you first start to assign what happens in what port. In this you see that your trunks need to have the “vlan-header=add-if-missing” and the direct connections to your VLANs need to have the vlan-id. What might throw you out of whack is the fact that the switch chip needs to have the configuration “vlan-mode=secure”. Anyway, the next thing to set up is the switch VLAN instructions.

/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=yes ports=ether1,ether4,switch1-cpu switch=switch1 vlan-id=40

Notice that switch1-cpu is included. This is the chip in charge of the first five ports. If you are using the other switch, you need to change it to switch2-cpu. The switch1-cpu needs to be included here because you are going to be managing these VLANs through this router. If you do not include those, you are going to have a hard time assigning IP addresses and other things needed. In this, you just need to include the ports for every VLAN you have. In our imaginary case, we had the following:

/interface ethernet
set [ find default-name=ether1 ] comment="Some Trunk - VLAN 10,30,40"
set [ find default-name=ether2 ] comment="Other Trunk - VLAN 10,20,30" master-port=ether1
set [ find default-name=ether3 ] comment="Direct - VLAN20" master-port=ether1
set [ find default-name=ether4 ] comment="Direct - VLAN40" master-port=ether1
set [ find default-name=ether5 ] comment="Direct - VLAN10" master-port=ether1

So we know that VLAN10 is going to be present in ether1, ether2 and ether5. Therefore, you write the following:

/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=switch1 vlan-id=10

It is kind of obvious once you figure it out. Finally, you need to get some IP addresses, and set up the DHCP servers for your VLANs. I recommend using OpenDNS to block certain things to your users, but if you prefer another DNS server, you can change your VLAN DNS here.

/ip address
add address=10.10.10.1/24 interface=VLAN10-Example network=10.10.10.0
add address=10.10.20.1/24 interface=VLAN20-Example network=10.10.20.0
add address=10.10.30.1/24 interface=VLAN30-Example network=10.10.30.0
add address=10.10.40.1/24 interface=VLAN40-Example network=10.10.40.0

/ip pool
add name=vlan10 ranges=10.10.10.10-10.10.10.200
add name=vlan20 ranges=10.10.20.20-10.10.20.200
add name=vlan30 ranges=10.10.30.10-10.10.30.200
add name=vlan40 ranges=10.10.40.20-10.10.40.200

/ip dhcp-server
add address-pool=vlan10 disabled=no interface=VLAN10-Example lease-time=3d name=vlan10
add address-pool=vlan20 disabled=no interface=VLAN20-Example lease-time=3d name=vlan20
add address-pool=vlan30 disabled=no interface=VLAN30-Example lease-time=3d name=vlan30
add address-pool=vlan40 disabled=no interface=VLAN40-Example lease-time=3d name=vlan40

/ip dhcp-server network
add address=10.10.10.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=10.10.10.1
add address=10.10.20.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=10.10.40.1

If you want to give them access to the internet, or to limit what they see or do not see, you just configure that according to the IP addresses you assigned, or the VLAN interface. So you could do a masquerade for VLAN10 like this,

/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.10.10.0/24

Or using your VLAN. Anyway. I hope this was helpful. It took me a couple of days to figure it out, but once you get it, it is quite easy. You can still use bridges, but the processor and memory penalty is a lot greater than when using the chip. For the sake of illustration, let’s say that you also want ether6 to be in VLAN10. You just need to create a bridge named something like “vlan10-bridge” and add VLAN10 and ether6 to that bridge and voila.

I forgot to mention something very important. In my example I said that you could add another ethernet port (I used ether6 as the example) by bridging it, which was correct. What I didn’t mention was that if you do that, your ether6 will not get an IP. This is because ether6 doesn’t have access to the switch chip. To solve that, simply move the DHCP server from the master port (in my example it was ether1) to the bridge interface you created (“vlan10-bridge”).
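As an added example that is not part of the thread above, here is a small Python audit of the switch-chip tables the answer builds: it flags a VLAN entry without its switch1-cpu port, a switch port not in vlan-mode=secure, an untagged (always-strip) port that is a member of more than its default VLAN (other VLANs would leave it untagged), and an /ip address line whose network= does not match address=. The numeric port ids 0-5 are assumed to map to ether1-ether5 and switch1-cpu as the post uses them; the sample tables are constructed and have defects planted in them.

```python
import ipaddress

# Constructed sample: the post's tables with three defects planted (VLAN 20 lacks switch1-cpu,
# ether4 is in fallback mode, ether5 is untagged for VLAN 10 but also a member of VLAN 30).
SWITCH_VLAN = """
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether2,ether3 switch=switch1 vlan-id=20
add independent-learning=yes ports=ether1,ether2,ether5,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=yes ports=ether1,ether4,switch1-cpu switch=switch1 vlan-id=40
"""
SWITCH_PORT = """
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=40 vlan-header=always-strip vlan-mode=fallback
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
"""
# Assumed switch1 port numbering, as the post uses it: 0-4 are ether1-5, 5 is the CPU port.
PORT_NAMES = {"0": "ether1", "1": "ether2", "2": "ether3", "3": "ether4", "4": "ether5", "5": "switch1-cpu"}

def parse(line):
    """Turn one RouterOS 'add ...' or 'set N ...' line into a dict of its key=value pairs."""
    toks = line.split()
    kv = dict(t.split("=", 1) for t in toks if "=" in t)
    if toks[0] == "set":  # 'set N ...' addresses a switch port by number
        kv["port"] = PORT_NAMES.get(toks[1], toks[1])
    return kv

def audit_switch(vlan_cfg, port_cfg, cpu="switch1-cpu"):
    """Return a list of findings for the switch-chip VLAN table and port settings."""
    findings, members = [], {}  # members: port -> set of vlan-ids it belongs to
    for e in (parse(l) for l in vlan_cfg.split("\n") if l.strip()):
        ports = e["ports"].split(",")
        if cpu not in ports:  # the post's warning: the router cannot address a VLAN without its CPU port
            findings.append(f"vlan {e['vlan-id']}: {cpu} missing")
        for p in ports:
            members.setdefault(p, set()).add(e["vlan-id"])
    for p in (parse(l) for l in port_cfg.split("\n") if l.strip()):
        name = p["port"]
        if p.get("vlan-mode") != "secure":
            findings.append(f"{name}: vlan-mode is {p.get('vlan-mode')}, expected secure")
        if p.get("vlan-header") == "always-strip":  # untagged port: must belong to its default VLAN only,
            if members.get(name, set()) != {p.get("default-vlan-id")}:  # else other VLANs egress untagged
                findings.append(f"{name}: untagged for vlan {p.get('default-vlan-id')} but member of {sorted(members.get(name, []))}")
    return findings

def check_ip_address(line):
    """Check that network= agrees with address=; returns None when consistent, else a finding."""
    kv = parse(line)
    try:
        iface = ipaddress.ip_interface(kv["address"])
    except ValueError as exc:  # e.g. a malformed address such as 10.10.10.1.1/24
        return f"bad address {kv['address']}: {exc}"
    if "network" in kv and kv["network"] != str(iface.network.network_address):
        return f"network={kv['network']} does not match {iface.network}"
```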