Hello everybody,
We are running into enormous difficulties realising our network architecture in the DC. What we want is to use the CCR1016-12S-1S+ to filter incoming MACs and redirect them into VLANs or sub-VLANs.
Example:
Step 1: MAC 22222299A155 has no attribution in our databases, so by default it goes into vlan500 (a VLAN that does not allow any communication).
Step 2: The MAC is detected in vlan500, and the information is transmitted over HTTP to the management server.
Step 3: The management server decides to assign MAC 22222299A155 to the sub-sub-VLAN 145 (20.200.145); the management server contacts the MikroTik via the API, and the MikroTik then redirects this MAC address into that sub-VLAN so it can communicate only there.
This is in order to allow our customers to create their own private network between the different services we offer, with total isolation.
How can we achieve this architecture? Do you think it is possible?
Thanks for your help.
Up?
I have just contacted MikroTik support, who answered me this:
One option could be to use dot1x feature, as this allows to assign port VLAN-ID for certain MAC address and assign default or reject port VLAN-ID for unknown MACs.
https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
For filtering, you could use bridge NAT or bridge filter rules, but you cannot change the VLAN-ID for the packet.
Any experience with dot1x?
Sure, I have experience, but not with MikroTik and not in such a specific context.
It is very important to understand that we are talking about LAN ports changing state (e.g. a server with MAC address 11:22:33:44:55:66 being plugged onto your network), right?
Dot1x cannot be used on a device to work on “intercepted” MAC addresses; dot1x is mainly triggered by physical ports going down > up.
On a side note, MAC “authentication” is really (to me) the last resort, as it is not really authentication and can be spoofed very easily. Normally the LAN port/switch starts talking to the connected host/PC/server, which has a piece of software on it called a “supplicant”, and authentication can be done by certificate, username/password combination or indeed the MAC address of the connected station.
There are a couple of aspects of dot1x that are not possible the way you want it => authentication is done with the RADIUS protocol, not “http”.
Therefore your “management server” will be a RADIUS server. There you can indeed have policies and keep the MAC-address database to authenticate against, and if “OK-Pass” you can return some RADIUS attributes instructing the switch to PUT THAT PORT INTO VLANx.
Again, this is also the RADIUS protocol, so the MikroTik API will not be involved here when using a standardised dot1x implementation.
There is no concept of “redirecting a MAC” into a certain VLAN. It is a physical LAN port that is placed into a certain VLAN at device level after successful authentication, and with the correct attributes asking the switch to do this. That’s it, basically.
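To make the exchange described in the reply above concrete, here is an added example (not MikroTik's code and not posted by anyone in this thread) that models the dot1x MAC-authentication round trip in Python: the switch, acting as RADIUS authenticator, sends an Access-Request carrying the station's MAC; the RADIUS server looks the MAC up and either returns Access-Accept with the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes naming the VLAN, or Access-Reject, in which case the switch falls back to its own locally configured reject VLAN (the "reject port VLAN-ID" MikroTik support mentions). The shared secret, the MAC-as-User-Name-and-User-Password convention and the MAC table are assumptions for the example; User-Password obfuscation and the Response Authenticator follow RFC 2865.

```python
# Added example, not MikroTik's implementation: a minimal model of the dot1x
# MAC-auth RADIUS exchange. Switch side = authenticator, server side = RADIUS.
# Assumed: the shared secret, MAC sent as both User-Name and User-Password, the MAC table.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                                        # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
SECRET = b"example-shared-secret"      # assumption: secret shared by switch and RADIUS server
REJECT_VLAN = "500"                    # quarantine VLAN the switch applies on Access-Reject
MAC_TO_VLAN = {"22222299a155": "145"}  # constructed stand-in for the poster's SQL database

def attr(atype, value):  # one Type-Length-Value attribute
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out[atype] = data[i + 2:i + alen]
        i += alen
    return out

def xor_password(data, secret, request_auth, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res   # chain on the ciphertext block either way
    return out.rstrip(b"\x00") if decrypt else out

def switch_access_request(mac, ident=1):
    """Authenticator side: MAC auth sends the MAC as User-Name and User-Password (assumed format)."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, mac.encode()) + attr(
        USER_PASSWORD, xor_password(mac.encode(), SECRET, req_auth, decrypt=False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def radius_server(packet):
    """Server side: authenticate the MAC against the table and answer with the port VLAN."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    fields = parse_attrs(packet[20:length])
    user = fields[USER_NAME].decode()
    password = xor_password(fields[USER_PASSWORD], SECRET, req_auth, decrypt=True).decode()
    vlan = MAC_TO_VLAN.get(user.lower())
    if code != ACCESS_REQUEST or password != user or vlan is None:
        reply_code, attrs = ACCESS_REJECT, b""
    else:
        reply_code = ACCESS_ACCEPT   # RFC 2868 values start with a tag byte; integers use 3 bytes
        attrs = (attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                 + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + vlan.encode()))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", reply_code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + SECRET).digest()
    return head + resp_auth + attrs

def switch_apply_reply(reply, req_auth):
    """Authenticator side: verify the reply came from the real server, then pick the port VLAN."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + req_auth + attrs + SECRET).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    if code != ACCESS_ACCEPT:
        return REJECT_VLAN
    fields = parse_attrs(attrs)
    ttype = int.from_bytes(fields[TUNNEL_TYPE][1:], "big")
    medium = int.from_bytes(fields[TUNNEL_MEDIUM_TYPE][1:], "big")
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        raise ValueError("Access-Accept without a usable VLAN assignment")
    group = fields[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:   # leading byte is a tag, not part of the VLAN string
        group = group[1:]
    return group.decode()

def port_vlan_for(mac):
    """Full round trip: the VLAN the switch would put the port into for this station."""
    request, req_auth = switch_access_request(mac)
    return switch_apply_reply(radius_server(request), req_auth)

if __name__ == "__main__":
    print(port_vlan_for("22222299A155"))   # 145: known MAC, customer VLAN
    print(port_vlan_for("001122334455"))   # 500: unknown MAC, reject VLAN
```

Note that the only thing authenticating the "user" here is the MAC string, which is exactly the weakness the reply points out: anyone who learns a customer's MAC can present it. What the Response Authenticator does protect is the switch against a forged Access-Accept from something that does not know the shared secret; the tamper check in the code shows that a reply whose VLAN string has been altered in transit is rejected.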
Thank you for your reply, sorry for the delay.
For the management server, we were thinking of creating a MikroTik update script that talks to an HTTP v2 REST API server, thus making the use of the MikroTik more powerful and more dynamic. MACs will be managed by an SQL database and an API engine which will return the actions to be performed on all of our MikroTiks in the requested datacenter.
But that was only a simple idea; I will explain our goal and our constraints, if you allow me.
In reality we have IPv4 and IPv6 blocks that we want to assign to client machines (physical servers, VMs and more) in a specific VLAN, and in a fixed way (either by MAC after auth, or by a fixed lease on the DHCP server, to prevent the use of another client's IP).
Today, on each machine, we have to make a relatively simple configuration to connect it to the internet:
address: 92.10.4.15
gateway: 92.10.4.254
broadcast: 92.10.4.255
network: 92.10.4.0
This configuration is enough today to allow our customers to obtain a dedicated IP on their machines, and we want to keep this method.
But several problems arise:
- How to prevent a machine from stealing another client’s public IP?
- How to allow the customer to connect his services to each other while ensuring that the customer is on a completely isolated network and can do what he wants there (class A, B or C, IPv4/IPv6, DHCP or not, etc.)? Hence the attribution of IP by MAC and VLAN.
- How can we ensure that the customer can extend this private local network to our other data centers?
- How can we allow the customer to buy an IP block from us and use it in his private network?
Our goal is simply to give our customers the possibility of creating their own virtual network, isolated from other customers, which will allow communication between their different services. We therefore thought of allocating one VLAN per customer inside VLAN 200. In addition, the customer’s network must be able to extend over different data centers. It will also be possible for the client to obtain an IPv4 and IPv6 block in this VLAN in order to allow their machines to be connected to the internet as well. We will also put bandwidth restrictions in place. But the hardest part of all of this will be: how will it be automated with APIs?
Of course, first you must decide between building it all yourself or using one of the existing commercial (and also free) implementations that do what you want, e.g. using VXLAN.
MikroTik has no support for that I think.
When you want to do it yourself, I would say it is required that you have an employee or consultant who can answer such questions himself and implement the mechanisms you require; doing that via a forum topic (on a schedule that you define by adding pointless “up” replies) is not the way to go.
Thank you for your answer, I will try to contact a specialist from Monday. Nevertheless, MikroTik does support VXLAN in v7b5. The only concern is that on this beta version the EoIP tunnel crashes the system during startup, so we get a reboot loop.
Unless I use VXLAN behind the MikroTik with WireGuard or whatever, I don’t see how.