Manual:Interface/VLAN: Difference between revisions
examples |
|||
| Line 10: | Line 10: | ||
<b>Standards:</b> <code>[http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf IEEE 802.1Q]</code></p> | <b>Standards:</b> <code>[http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf IEEE 802.1Q]</code></p> | ||
Virtual Local Area Network (VLAN) is layer 2 method that allows you to have multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently | Virtual Local Area Network (VLAN) is layer 2 method that allows you to have multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently. | ||
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones. | You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones. | ||
| Line 19: | Line 17: | ||
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface. | You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface. | ||
==802.1Q== | |||
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into Ethernet header. (see Figure 12.1.) | |||
<center>[[Image:image12001.gif]]</center> | |||
Each VLAN is treated as separate subnet. It means that, by default, host in specific VLAN cannot communicate with host that is member of another VLAN, although they are connected in the same switch. So if you want inter-VLAN communication you need a router. | |||
RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. VLAN priorites may also be used and manipulated. | |||
When the VLAN extends over more than one switch, the inter-switch link have to become ''trunk'', where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs, it is like a point-to-point link that carries tagged packets between switches or between a switch and router. | |||
<center>[[Image:image12003.gif]]</center> | |||
==Q-in-Q== | ==Q-in-Q== | ||
| Line 74: | Line 84: | ||
==Setup examples== | ==Setup examples== | ||
===Simple Example=== | |||
Lets assume that we have several MikroTik routers connected to a hub. Remember that hub is OSI physical layer device (if there is a hub between routers, then from L3 point of view it is the same as Ethernet cable connection between them). For simplification assume that all routers are connected to the hub using ether1 interface and has assigned IP addresses as illustrated in figure below. Then on each of them the VLAN interface should be created. | |||
[[Image:image12004.gif]] | |||
Configuration for R2 and R4 is shown below: | |||
R2: | |||
<pre> | |||
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no | |||
[admin@MikroTik] /interface vlan> print | |||
Flags: X - disabled, R - running, S - slave | |||
# NAME MTU ARP VLAN-ID INTERFACE | |||
0 R VLAN2 1500 enabled 2 ether1 | |||
</pre> | |||
R4: | |||
<pre> | |||
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no | |||
[admin@MikroTik] /interface vlan> print | |||
Flags: X - disabled, R - running, S - slave | |||
# NAME MTU ARP VLAN-ID INTERFACE | |||
0 R VLAN2 1500 enabled 2 ether1 | |||
</pre> | |||
The next step is to assign IP addresses to the VLAN interfaces. | |||
R2: | |||
<pre> | |||
[admin@MikroTik] ip address> add address=10.10.10.3/24 interface=VLAN2 | |||
[admin@MikroTik] ip address> print | |||
Flags: X - disabled, I - invalid, D - dynamic | |||
# ADDRESS NETWORK BROADCAST INTERFACE | |||
0 10.0.1.4/24 10.0.1.0 10.0.1.255 ether1 | |||
1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1 | |||
2 10.10.10.3/24 10.10.10.0 10.10.10.255 vlan2 | |||
[admin@MikroTik] ip address> | |||
</pre> | |||
R4: | |||
<pre> | |||
[admin@MikroTik] ip address> add address=10.10.10.5/24 interface=VLAN2 | |||
[admin@MikroTik] ip address> print | |||
Flags: X - disabled, I - invalid, D - dynamic | |||
# ADDRESS NETWORK BROADCAST INTERFACE | |||
0 10.0.1.5/24 10.0.1.0 10.0.1.255 ether1 | |||
1 10.30.0.1/24 10.30.0.0 10.30.0.255 pc2 | |||
2 10.10.10.5/24 10.10.10.0 10.10.10.255 vlan2 | |||
[admin@MikroTik] ip address> | |||
</pre> | |||
At this point it should be possible to ping router R4 from router R2 and vice versa: | |||
<pre> | |||
'''Ping from R2 to R4:''' | |||
[admin@MikroTik] ip address> /ping 10.10.10.5 | |||
10.10.10.5 64 byte ping: ttl=255 time=4 ms | |||
10.10.10.5 64 byte ping: ttl=255 time=1 ms | |||
2 packets transmitted, 2 packets received, 0% packet loss | |||
round-trip min/avg/max = 1/2.5/4 ms | |||
'''From R4 to R2:''' | |||
[admin@MikroTik] ip address> /ping 10.10.10.3 | |||
10.10.10.3 64 byte ping: ttl=255 time=6 ms | |||
10.10.10.3 64 byte ping: ttl=255 time=1 ms | |||
2 packets transmitted, 2 packets received, 0% packet loss | |||
round-trip min/avg/max = 1/3.5/6 ms | |||
</pre> | |||
To make sure if VLAN setup is working properly, try to ping R1 from R2. If pings are timing out then VLANs are successfully isolated. | |||
<pre> | |||
'''From R2 to R1:''' | |||
[admin@MikroTik] ip address> /ping 10.10.10.2 | |||
10.10.10.2 ping timeout | |||
10.10.10.2 ping timeout | |||
3 packets transmitted, 0 packets received, 100% packet loss | |||
</pre> | |||
===Trunk=== | |||
<p> | <p> | ||
Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. Interfaces to the physical network, where VLAN is to be created is ether1 for all of them (it is needed only for example simplification, it is NOT a must). | Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. Interfaces to the physical network, where VLAN is to be created is ether1 for all of them (it is needed only for example simplification, it is NOT a must). | ||
Revision as of 12:22, 30 August 2010
Applies to RouterOS: v3, v4+
Summary
Sub-menu: /interface vlan
Standards: IEEE 802.1Q
Virtual Local Area Network (VLAN) is layer 2 method that allows you to have multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.
802.1Q
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into Ethernet header. (see Figure 12.1.)
Each VLAN is treated as separate subnet. It means that, by default, host in specific VLAN cannot communicate with host that is member of another VLAN, although they are connected in the same switch. So if you want inter-VLAN communication you need a router. RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. VLAN priorites may also be used and manipulated.
When the VLAN extends over more than one switch, the inter-switch link have to become trunk, where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs, it is like a point-to-point link that carries tagged packets between switches or between a switch and router.
Q-in-Q
Original 802.1Q allows only one vlan header, Q-in-Q in the other hand allows two or more vlan headers. In RouterOS Q-in-Q can be configured by adding one vlan interface over another. Example:
/interface vlan add name=vlan1 vlan-id=11 interface=ether1 add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over "vlan2" interface, two vlan tags will be added to ethernet header - "11" and "12".
Properties
| Property | Description |
|---|---|
| arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) | Address Resolution Protocol mode |
| interface (name; Default: ) | Name of physical interface on top of which VLAN will work |
| l2mtu (integer; Default: ) | Layer2 MTU. For VLANS this value is not configurable. Read more>> |
| mtu (integer; Default: 1500) | Layer3 Maximum transmission unit |
| name (string; Default: ) | Interface name |
| use-service-tag (yes | no; Default: ) | 802.1ad compatible Service Tag |
| vlan-id (integer: 4095; Default: 1) | Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN. |
Note: MTU should be set to 1500 bytes as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting of full size Ethernet packets with VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over interface. At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.
Setup examples
Simple Example
Lets assume that we have several MikroTik routers connected to a hub. Remember that hub is OSI physical layer device (if there is a hub between routers, then from L3 point of view it is the same as Ethernet cable connection between them). For simplification assume that all routers are connected to the hub using ether1 interface and has assigned IP addresses as illustrated in figure below. Then on each of them the VLAN interface should be created. File:Image12004.gif
Configuration for R2 and R4 is shown below:
R2:
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no [admin@MikroTik] /interface vlan> print Flags: X - disabled, R - running, S - slave # NAME MTU ARP VLAN-ID INTERFACE 0 R VLAN2 1500 enabled 2 ether1
R4:
[admin@MikroTik] /interface vlan> add name=VLAN2 vlan-id=2 interface=ether1 disabled=no [admin@MikroTik] /interface vlan> print Flags: X - disabled, R - running, S - slave # NAME MTU ARP VLAN-ID INTERFACE 0 R VLAN2 1500 enabled 2 ether1
The next step is to assign IP addresses to the VLAN interfaces.
R2:
[admin@MikroTik] ip address> add address=10.10.10.3/24 interface=VLAN2 [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.1.4/24 10.0.1.0 10.0.1.255 ether1 1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1 2 10.10.10.3/24 10.10.10.0 10.10.10.255 vlan2 [admin@MikroTik] ip address>
R4:
[admin@MikroTik] ip address> add address=10.10.10.5/24 interface=VLAN2 [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.1.5/24 10.0.1.0 10.0.1.255 ether1 1 10.30.0.1/24 10.30.0.0 10.30.0.255 pc2 2 10.10.10.5/24 10.10.10.0 10.10.10.255 vlan2 [admin@MikroTik] ip address>
At this point it should be possible to ping router R4 from router R2 and vice versa:
'''Ping from R2 to R4:''' [admin@MikroTik] ip address> /ping 10.10.10.5 10.10.10.5 64 byte ping: ttl=255 time=4 ms 10.10.10.5 64 byte ping: ttl=255 time=1 ms 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 1/2.5/4 ms '''From R4 to R2:''' [admin@MikroTik] ip address> /ping 10.10.10.3 10.10.10.3 64 byte ping: ttl=255 time=6 ms 10.10.10.3 64 byte ping: ttl=255 time=1 ms 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 1/3.5/6 ms
To make sure if VLAN setup is working properly, try to ping R1 from R2. If pings are timing out then VLANs are successfully isolated.
'''From R2 to R1:''' [admin@MikroTik] ip address> /ping 10.10.10.2 10.10.10.2 ping timeout 10.10.10.2 ping timeout 3 packets transmitted, 0 packets received, 100% packet loss
Trunk
Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. Interfaces to the physical network, where VLAN is to be created is ether1 for all of them (it is needed only for example simplification, it is NOT a must).
To connect computers through VLAN they must be connected physically and unique IP addresses should be assigned them so that they could ping each other. Then on each of them the VLAN interface should be created:
[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1 [admin@MikroTik] interface vlan> print Flags: X - disabled, R - running # NAME MTU ARP VLAN-ID INTERFACE 0 R test 1500 enabled 32 ether1 [admin@MikroTik] interface vlan>
If the interfaces were successfully created, both of them will be running. If computers are connected incorrectly (through network device that does not retransmit or forward VLAN packets), either both or one of the interfaces will not be running.
When the interface is running, IP addresses can be assigned to the VLAN interfaces.
On the Router 1:
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.0.204/24 10.0.0.0 10.0.0.255 ether1 1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1 2 10.10.10.1/24 10.10.10.0 10.10.10.255 test [admin@MikroTik] ip address>
On the Router 2:
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.0.201/24 10.0.0.0 10.0.0.255 ether1 1 10.10.10.2/24 10.10.10.0 10.10.10.255 test [admin@MikroTik] ip address>
If it set up correctly, then it is possible to ping Router 2 from Router 1 and vice versa:
[admin@MikroTik] ip address> /ping 10.10.10.1 10.10.10.1 64 byte pong: ttl=255 time=3 ms 10.10.10.1 64 byte pong: ttl=255 time=4 ms 10.10.10.1 64 byte pong: ttl=255 time=10 ms 10.10.10.1 64 byte pong: ttl=255 time=5 ms 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 3/10.5/10 ms [admin@MikroTik] ip address> /ping 10.10.10.2 10.10.10.2 64 byte pong: ttl=255 time=10 ms 10.10.10.2 64 byte pong: ttl=255 time=11 ms 10.10.10.2 64 byte pong: ttl=255 time=10 ms 10.10.10.2 64 byte pong: ttl=255 time=13 ms 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 10/11/13 ms [admin@MikroTik] ip address>
[ Top | Back to Content ]