guletz

Vlan Migration strategy

Tue Aug 16, 2022 7:56 pm

Hi to all,

I have a complicated network with at least 50 MT devices (CCRs, CRSs, hAP ac2s, hEXs, Dude, and so on; it is an MT/ROS-only network) in a 24h/24 environment, with no room for any mistakes. I manage this network remotely most of the time; only on weekends can I go on site.

And in this network I have some Linux servers and 2 Proxmox clusters (6 nodes with Windows guests and Linux guests, about 20 VMs / LXC containers).

Also OSPF is present, some VPNs, some DHCP servers....

Now I think that I will need to create VLANs.

I read a lot about VLANs, I made some tests, I created some VLANs in my home lab using MT devices, CHR, and GNS3. I started to create some VLANs in some not-so-important zones of this network, using tutorials from this forum, adapted for my own case (2 years ago, starting with ROS 6.x, with no problems).

My thinking until now was: measure twice and cut once... Test and retest.

As a side note, I am the only network admin on this network.... think "one man show" :)


This is my landscape.

I have started to create an admin VLAN for all my MT devices, and 2 other VLANs, not so important.

Because I do not have the time to make ALL the VLANs that I need in one weekend, and to be 100% sure that on Monday all will be OK, I think that a good migration scenario to VLANs only would be to create all VLANs step by step, but without filtering (tagging only on trunk ports). After all my VLANs are made I could filter on trunk ports for VLAN tags only, and also ingress....

Now my big question is: could there be other variants in my case?

Thx. a lot in advance for any opinion.
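The two-stage migration described above, as an added RouterOS example that is not the poster's own config: VLANs and the bridge VLAN table are created first with vlan-filtering left off, and filtering plus ingress checks are switched on only once every VLAN is in place. All names and IDs (bridge1, ether1 as trunk, ether2/ether3 as access ports, VLAN 99 as management, the 10.99.0.0/24 address) are assumptions.

```routeros
# Stage 1: create the VLANs and the bridge VLAN table while vlan-filtering stays off,
# so existing untagged traffic keeps flowing exactly as before.
# Hypothetical interface and VLAN names; adapt to the real topology.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 comment="trunk towards the rest of the network"
add bridge=bridge1 interface=ether2 pvid=10 comment="access port, VLAN 10"
add bridge=bridge1 interface=ether3 pvid=20 comment="access port, VLAN 20"
/interface vlan
add name=vlan99-mgmt vlan-id=99 interface=bridge1
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
/interface bridge vlan
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1 untagged=ether3
/ip address
add address=10.99.0.2/24 interface=vlan99-mgmt comment="management address, reachable before filtering is on"

# Stage 2: run only after management over vlan99-mgmt has been verified from the admin host.
# Restrict what each port accepts, then enable vlan-filtering as the very last command
# (ideally inside Safe Mode, so a lost session rolls the change back).
/interface bridge port
set [find interface=ether1] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=ether2] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether3] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge
set bridge1 vlan-filtering=yes
```

Until stage 2 runs, the bridge VLAN table is not enforced, so a wrong tagged/untagged entry can be corrected without losing the remote session.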
 
pe1chl

Re: Vlan Migration strategy

Tue Aug 16, 2022 8:07 pm

It depends a lot on what exactly you want to achieve with your VLANs. Understand that merely creating VLANs will not bring you much, you will need to define what you want to do with them. E.g. restrict the routing between the VLANs using firewall rules. Or maybe you want to reduce the broadcast domain.
Also, you need to define the way of accessing the VLANs. Are you using tagging towards e.g. a server, where the untagging will be done inside the server, or are you doing the untagging in switches (so the final link to the server or device is untagged)?
You can do the migration in steps. It is possible to change the IP addressing while you still have the plain network and test that first, then separate the network in VLANs later. Or you can do the reverse: first separate the VLANs but bridge them all together in a MikroTik device, and then later remove the VLANs from that and move over to actually routing them.
 
anav

Re: Vlan Migration strategy

Tue Aug 16, 2022 8:50 pm

My recommendation, whatever you do, is don't attempt to change the config within the bridge...
viewtopic.php?t=181718

Correct, all the smart devices that can read vlans should have their IP address (usually manually inserted) on the BASE or Management VLAN.
Then set as static IPs on the lease!
All MT devices in that mix should have
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

where typically
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=vlanxx list=LAN
add interface=vlanxy list=LAN
add interface=vlanab list=LAN
add interface=vlande list=LAN
add interface=vlande list=BASE comment="Management VLAN"
[and in keeping with the recommendation]
add interface=ether5 list=BASE comment="off-bridge port"

Where BASE will be used in the config as noted above plus firewall rules such as
/ip firewall filter
add chain=input action=accept in-interface-list=BASE dst-port=winboxport protocol=tcp
Last edited by anav on Wed Aug 17, 2022 1:57 pm, edited 1 time in total.
 
guletz

Re: Vlan Migration strategy

Wed Aug 17, 2022 9:28 am

Hi,

Thx. a lot @pe1chl and @anav.

My main goal is to restrict the "routing between the VLANs using firewall rules" and also the broadcasts.
tagging towards e.g. a server, where the untagging will be done inside the server
Yes, this I will do.
All MT devices in that mix should have
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

where typically
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=vlanxx list=LAN
add interface=vlanxy list=LAN
add interface=vlanab list=LAN
add interface=vlande list=LAN
add interface=vlande list=BASE comment="Management VLAN"
[and in keeping with the recommendation]
add interface=ether5 list=BASE comment="off-bridge port"
Yes, this is already done on all MT devices for the management VLAN. And even more (SSH, Telnet and FTP are also restricted to use only in the management VLAN).

Have a nice day!
 
anav

Re: Vlan Migration strategy

Wed Aug 17, 2022 1:58 pm

Why so many methods? Winbox is the best, and as a backup perhaps SSH. I would not use Telnet or FTP for access to the router.
As far as restricting access, that is easily accomplished.

Input chain
Default rules
add management interface list access
add LAN access for DNS port 53 tcp,udp
Drop all else

Forward chain
Default rules
add LAN to WAN
add port forwarding
drop all else.

DONE, VLANs have access to router services as required (input) and are all blocked from each other (forward).
If you need access to a shared device, aka a printer etc., just make the necessary rule for that in the forward chain, and perhaps management VLAN to all VLANs etc....

More info here: viewtopic.php?t=180838
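The input/forward skeleton outlined above, written out as an added RouterOS example (not anav's or the linked topic's own rule set). It assumes the interface lists from earlier in the thread (BASE = management VLAN, LAN = all user VLANs, WAN = uplink); the printer exception uses constructed addresses 10.20.0.0/24 and 10.30.0.10, and the dst-nat rules it refers to live in /ip firewall nat.

```routeros
/ip firewall filter
# --- input chain: who may talk to the router itself ---
add chain=input action=accept connection-state=established,related comment="default: keep existing sessions"
add chain=input action=drop connection-state=invalid comment="default: drop invalid"
add chain=input action=accept in-interface-list=BASE comment="management VLAN reaches all router services (Winbox, SSH, ...)"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="user VLANs: DNS only"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="user VLANs: DNS only"
add chain=input action=drop comment="drop all else: WAN, and user VLANs to every other router service"

# --- forward chain: traffic routed through the router ---
add chain=forward action=accept connection-state=established,related comment="default: keep existing sessions"
add chain=forward action=drop connection-state=invalid comment="default: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to WAN"
add chain=forward action=accept connection-nat-state=dstnat comment="port forwarding: only what /ip firewall nat dst-nats"
add chain=forward action=accept in-interface-list=BASE out-interface-list=LAN comment="management VLAN may reach all VLANs"
add chain=forward action=accept src-address=10.20.0.0/24 dst-address=10.30.0.10 protocol=tcp dst-port=9100 \
    comment="example shared device: one user VLAN to a printer (constructed addresses)"
add chain=forward action=drop comment="drop all else: every other VLAN-to-VLAN path is blocked"
```

Rules are matched top to bottom, so each new exception goes above the final drop of its chain; the two drops are what actually isolate the VLANs.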
 
guletz

Re: Vlan Migration strategy

Wed Aug 17, 2022 7:15 pm

Hi @anav,

And again, I really appreciate your reply. And I also appreciate your posts/tutorials on this forum (.... former teacher here, so some habits die hard).

Your observations are valid regarding Telnet.
But I use SSH and FTP for a custom script that is started from a Linux host for backups.

Thanks!
