Tulga
just joined
Topic Author
Posts: 5
Joined: Wed Jun 02, 2021 9:41 am

Vlan on switch vs Vlan on interface

Thu Jun 03, 2021 5:23 am

Hello! I use a MikroTik router switch, CRS2**.

I need to separate three LANs on a single router switch. eth3 and eth5 must bridge/switch the 192.168.1.0 LAN, eth7 and eth9 must bridge/switch the 192.168.2.0 LAN, and the rest of the eth ports must bridge/switch the 192.168.100.0 LAN. Those LANs must not reach each other. I configured eth3 and eth5 to bridge1 and eth7 and eth9 to bridge2, and added bridge1 to vlan10 and bridge2 to vlan20, but I created the VLANs in the interface section (Interface --> VLAN). Today I found VLAN in the switch section. Which one is better, switch VLAN or interface VLAN?
I am also configuring a firewall on the Ethernet ports. For example, eth1 will allow only TCP ports 80 and 443, and the rest of the TCP ports will be rejected. How do I implement "rest of TCP ports rejected" in WebFig?

anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan on switch vs Vlan on interface

Thu Jun 03, 2021 3:43 pm

Your first statement is not helpful.
Is the device acting as a router or not? Is it attached to your ISP's modem?
If so, it's not really a switch but a router with switching capabilities, like most routers.
If it's purely acting as a switch then you can do what you want with the setup, but there are preferred methods for RoS setups for switches, or you can use SwOS with the switch, I believe.
 
Tulga
just joined
Topic Author
Posts: 5
Joined: Wed Jun 02, 2021 9:41 am

Re: Vlan on switch vs Vlan on interface

Fri Jun 04, 2021 3:55 am

My device acts as a router.

anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan on switch vs Vlan on interface

Fri Jun 04, 2021 4:09 am

I am only familiar with VLAN filtering on bridges, for which the best reference is here.
viewtopic.php?f=23&t=143620

A decent reference for switch chip VLANs can be found here:
https://help.mikrotik.com/docs/display/ ... ipFeatures
https://www.youtube.com/watch?v=Rj9aPoyZOPo

anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan on switch vs Vlan on interface

Fri Jun 04, 2021 4:18 am

Just to confirm: you do not need more than one subnet per port (like two or more VLANs on a single port)?
If not, then you don't really need VLANs.

You can assign three bridges (each with its own DHCP settings etc.)
OR
You can assign one bridge and use VLANs (each VLAN has its own DHCP settings) [my preference]

But I suggest you first do the research and reading.
Find your device and figure out what is best.

For example, looking at the test results here:
https://mikrotik.com/product/CRS212-1G- ... estresults

I would not use this device for routing unless my internet speeds were really low and it didn't matter.
If your internet speeds are high, a better bet is to buy a hEX router and let it handle DHCP and internet communication, send one cable to your switch, and let the switch handle all the inter-user/device traffic communications. That way the router is mainly for assigning IPs and letting traffic flow back and forth from the internet, while the switch does all the heavy switching work for the devices/users behind it, if that makes sense. I am assuming that is the purpose of the device: mainly handling a lot of internal traffic that is within the control of the switch (users to internal servers etc.).
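The one-bridge-with-VLANs layout anav prefers, written out for Tulga's three LANs as an added example (this is not configuration from any poster in the thread). It assumes ports ether1..ether10 with ether1 as the uplink kept out of the bridge, and picks VLAN IDs 10/20/100, the .1 gateway addresses and the interface names itself; none of those come from the thread. Caveat a CRS2xx owner should know: as far as I know from MikroTik's bridge hardware-offloading table, bridge VLAN filtering on CRS1xx/2xx runs on the CPU rather than the switch chip, so this layout trades hardware offload for a simpler configuration.

```routeros
# Added example: one bridge, three VLANs, one L3 interface per VLAN.
# Assumed: ether1 = uplink (not bridged); ether2..ether10 = LAN ports.
# VLAN 10 = LAN1 192.168.1.0/24 (eth3, eth5)
# VLAN 20 = LAN2 192.168.2.0/24 (eth7, eth9)
# VLAN 100 = LAN3 192.168.100.0/24 (all other LAN ports)

/interface bridge
add name=bridge1 vlan-filtering=no comment="turn vlan-filtering on only after the VLAN table below exists"

# Access ports: the PVID puts each port's untagged frames into its LAN, and
# admitting only untagged frames stops a host from sending its own tag to hop VLANs.
/interface bridge port
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether9 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether10 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: the bridge itself is the tagged member so the router (CPU) can
# reach every VLAN; the access ports are the untagged members.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether3,ether5
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether7,ether9
add bridge=bridge1 vlan-ids=100 tagged=bridge1 untagged=ether2,ether4,ether6,ether8,ether10

# One L3 interface per VLAN, anchored on the bridge, each with its own subnet.
/interface vlan
add interface=bridge1 name=vlan10-lan1 vlan-id=10
add interface=bridge1 name=vlan20-lan2 vlan-id=20
add interface=bridge1 name=vlan100-lan3 vlan-id=100
/ip address
add address=192.168.1.1/24 interface=vlan10-lan1
add address=192.168.2.1/24 interface=vlan20-lan2
add address=192.168.100.1/24 interface=vlan100-lan3

# A separate DHCP server per VLAN, as anav describes.
/ip pool
add name=pool-lan1 ranges=192.168.1.10-192.168.1.254
add name=pool-lan2 ranges=192.168.2.10-192.168.2.254
add name=pool-lan3 ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add name=dhcp-lan1 interface=vlan10-lan1 address-pool=pool-lan1 disabled=no
add name=dhcp-lan2 interface=vlan20-lan2 address-pool=pool-lan2 disabled=no
add name=dhcp-lan3 interface=vlan100-lan3 address-pool=pool-lan3 disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1

# Last step. Enable filtering from a console session or inside Safe Mode, because a
# mistake in the table above can lock you out of management over the bridge.
/interface bridge set bridge1 vlan-filtering=yes
```

Enabling vlan-filtering last matters: until the table is complete, a port whose VLAN has no tagged bridge member can no longer reach the router, and the L2 separation on its own does not stop routing between the three subnets, which the IP firewall has to handle.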

mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Vlan on switch vs Vlan on interface

Fri Jun 04, 2021 9:07 am

@Tulga described these requirements:
  • eth3 and eth5 are members of the same LAN (switching traffic between ports) - LAN1: 192.168.1.0/24 (I'm guessing the subnet mask)
  • eth7 and eth9 are members of LAN2: 192.168.2.0/24
  • ethX (other than 3, 5, 7, 9 and the WAP port) are members of LAN3: 192.168.100.0/24

One can do it using 3 bridges, but the thing is: only one of the bridges can be HW offloaded. If traffic between the pairs eth3/eth5 and eth7/eth9 is not big, then these two bridges should be set with hw=no on their member ports to ensure that the "big" bridge (spanning most ports) gets HW offloaded.
The IP setup in this case would go directly on all 3 bridge interfaces.

One can do it using VLANs and the switch chip. The basic idea is to have three VLANs configured on the switch chip, each VLAN playing the same role as each of the bridges in the previous paragraph. Make sure that the switch chip - CPU interconnect (switch port named switch1-cpu) is a tagged member of all VLANs so that ROS (CPU) will be able to interact with all VLANs (needed for routing). On the SW side one would then add all ether ports to the same bridge (and make sure no VLAN-related settings are done under /interface bridge). Those VLANs will be entirely internal to the CRS2xx device and will effectively partition the switch into 3 separate (on L2) switches. The manual to be used for configuring VLANs on the switch chip is this one.
The IP setup in this case would need corresponding VLAN interfaces (/interface vlan) anchored on the common bridge.

In both cases it is necessary to configure the IP firewall to block connections between the different IP subnets according to the requirements. Without it, connections between subnets will be possible - not because the L2 setup would bleed traffic between them, but because you're using the CRS2xx as a router, and a router by default forwards packets between its L3 interfaces (interfaces which have an IP address set) unless that's blocked using some other mechanism (OK, it could be routing filters as well, but on a device with a stateful firewall enabled it's easier to block that traffic using a few simple firewall filter rules).

[edit] The above is what would work on ROS v6. I guess ROS v7 would run the same configuration just fine; I'm not sure about the switch chip config though. As @anav already wrote: this device is essentially an ethernet switch with (low performance) L3 capability. As such I wouldn't run ROS v7 on it unless the device is used as a lab device to test v7.
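The firewall part mkx says is needed in both designs, plus the "only TCP 80 and 443, everything else rejected" rule Tulga asked about in the opening post, as an added example that is not from anyone in the thread. It assumes the LANs' L3 interfaces are named vlan10-lan1, vlan20-lan2 and vlan100-lan3 (a one-bridge VLAN setup; with three separate bridges, use the bridge names instead), and it applies the 80/443 allow-list to LAN3 as a whole, because the IP firewall sees the LAN's L3 interface rather than the individual Ethernet port Tulga mentioned.

```routeros
# Added example: inter-LAN isolation and a per-LAN TCP allow-list.
# Assumed interface names: vlan10-lan1, vlan20-lan2, vlan100-lan3.

# One address list holding all three LAN subnets lets a single rule cover
# every LAN-to-LAN direction instead of nine separate rules.
/ip firewall address-list
add list=LAN_SUBNETS address=192.168.1.0/24 comment="LAN1 (eth3, eth5)"
add list=LAN_SUBNETS address=192.168.2.0/24 comment="LAN2 (eth7, eth9)"
add list=LAN_SUBNETS address=192.168.100.0/24 comment="LAN3 (remaining ports)"

/ip firewall filter
# Return traffic of connections permitted below; blocked connections never
# reach the established state, so this does not open a hole between LANs.
add chain=forward action=accept connection-state=established,related comment="allow return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# The switch/bridge keeps the LANs apart on L2, but the router will still
# forward between its own IP interfaces until told not to.
add chain=forward action=drop src-address-list=LAN_SUBNETS dst-address-list=LAN_SUBNETS comment="no routing between LANs"

# Tulga's allow-list: hosts in LAN3 may open only TCP 80 and 443 (toward the
# internet, since LAN-to-LAN traffic was already dropped above).
# "Rest of TCP rejected" is simply a catch-all reject placed AFTER the accept;
# rule order is what makes it work.
add chain=forward action=accept in-interface=vlan100-lan3 protocol=tcp dst-port=80,443 connection-state=new comment="LAN3: allow web"
add chain=forward action=reject reject-with=tcp-reset in-interface=vlan100-lan3 protocol=tcp connection-state=new comment="LAN3: reject all other TCP"
```

In WebFig these are the same rules entered one at a time under IP > Firewall > Filter Rules, with the reject rule dragged below the accept rule; the `connection-state=new` match keeps the allow-list rules from re-evaluating packets of flows that the first rule already admitted.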
 
sky4
just joined
Posts: 8
Joined: Thu Oct 08, 2020 10:00 pm

Re: Vlan on switch vs Vlan on interface

Sat Dec 25, 2021 12:49 pm

Here's an example on an ac2; I followed the wiki https://wiki.mikrotik.com/wiki/Manual:Switch_Router
export terse
# ac2 RouterOS 7.1
/interface bridge add admin-mac=x auto-mac=no comment=defconf name=bridge
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface vlan add interface=bridge name=vlan0 vlan-id=10
/interface vlan add interface=bridge name=vlan1 vlan-id=20
/interface vlan add interface=bridge name=vlan2 vlan-id=30

/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.168.0.1/24 interface=vlan0 network=192.168.0.0
/ip address add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
/ip address add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0

/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp_pool4 ranges=192.168.0.2-192.168.0.254
/ip pool add name=dhcp_pool5 ranges=192.168.1.2-192.168.1.254
/ip pool add name=dhcp_pool6 ranges=192.168.2.2-192.168.2.254

/ip dhcp-server network add address=192.168.0.0/24 dns-server=5.2.75.75 gateway=192.168.0.1 netmask=24
/ip dhcp-server network add address=192.168.1.0/24 dns-server=5.2.75.75 gateway=192.168.1.1 netmask=24
/ip dhcp-server network add address=192.168.2.0/24 dns-server=5.2.75.75 gateway=192.168.2.1 netmask=24
/ip dhcp-server network add address=192.168.88.0/24 dns-server=5.2.75.75 gateway=192.168.88.1 netmask=24

/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server add address-pool=dhcp_pool4 interface=vlan0 name=dhcp1
/ip dhcp-server add address-pool=dhcp_pool5 interface=vlan1 name=dhcp2
/ip dhcp-server add address-pool=dhcp_pool6 interface=vlan2 name=dhcp3

/interface ethernet switch port set 1 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 2 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 5 vlan-mode=secure

/interface ethernet switch vlan add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=10
/interface ethernet switch vlan add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=20
/interface ethernet switch vlan add independent-learning=yes ports=ether3,ether2,switch1-cpu switch=switch1 vlan-id=30

#hw isolation port4,5
/interface ethernet switch rule add dst-address=192.168.0.0/24 new-dst-ports="" ports=ether4 switch=switch1
/interface ethernet switch rule add dst-address=192.168.1.0/24 new-dst-ports="" ports=ether5 switch=switch1

#accept from pc
/ip firewall filter add action=accept chain=input disabled=yes dst-address=192.168.88.1 src-address=192.168.x.254
