Community discussions

 
xt22
newbie
Topic Author
Posts: 48
Joined: Tue Jul 14, 2015 1:16 pm

VLAN problem with another network

Sun Jul 14, 2019 3:02 pm

Hello,

I need to bridge another network within our hw, probably with VLAN, even though I have read the tutorials, wiki etc it is not very clear for me, all examples are about one router creating more VLANs.

Situatuon:
Our network - CCR router in main rack with CRS317 and some CRS326s, fiber uplinks to other racks with CRS326s and there are even some 3com / TP-link core switches from other company.

Main rack:
CCR (sfpp1 internet gateway, eth2 - local network 192.168.0.1/24)
running firewall, dhcp etc
| fiber
CRS317 - rack1
| fiber
CRS326 - rack 2

In the main rack, there are also switches with the building's network (10.1.1.0-24) - we are not connected to it in any way.
Now, we need to add some access terminals to our rooms, but connected to the building's network (separate from our network). So I need to use our fiber cables, network equipment etc to work like another cable - the best way would be to connect the building's network to some free port on the CCR (eth3), tag in (with VLAN?) and on the CRS326 in rack 2, select some port assigned to that VLAN (eth24 for example).

The result I need is that a device connected to eth24 in CRS326 (in rack2) will be on the building's network, get their ip 10.1.1.0/24 from their dhcp etc and will be separated from our network - just like bridge, but over more devices.

I remember VLANs have worked somehow this way, but I don't work with them much and since there are people on our network, I don't want to mess with it much.

so, Is it possible with VLAN, is this the correct way to do this, or is there any better?
Will it work if there are 3com / tp-link switches on the way, or does it depend on them somehow (VLAN support for example)?


thank you very much
 
sindy
Forum Guru
Forum Guru
Posts: 3488
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN problem with another network

Sun Jul 14, 2019 4:22 pm

In general it will work, but there are several things to be careful about:
  • make sure that you prevent STP BPDUs from being both sent and received through the interconnect port to the building network
  • bear in mind that if the other vendor's/other owner's (not 100% clear from what you wrote) switches you've mentioned are not manageable ones, they are VLAN-agnostic so whoever connects a VLAN-aware device (like another Mikrotik) to one of their ports will be able to access the building VLAN; vice versa, if they are manageable, you'll have to create/permit the newly created VLAN on them to be forwarded.

If you have no previous experience with configuration of VLANs, I'd definitely recommend to do that outside business hours because it is quite easy to lock yourself out from management of the device when doing the first time transition from non-VLAN to VLAN mode even if you know how to properly deal with VLAN ID 1 and hybrid ports.

So if the traffic of the terminals is negligible, it may generate less adrenaline if you create an independent bridge for the building network on each of the Mikrotiks on which you need it, configure the Ethernet interface(s) used to connect the terminals and the uplink as ports of these dedicated bridge(s) instead of the default ones, and create L2 tunnels (using EoIP or L2TP with BCP) to interconnect the dedicated bridges.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: No registered users and 58 guests