Difference between revisions of "Manual:Interface/VLAN"
|Line 27:||Line 27:|
Revision as of 14:25, 14 June 2010
VLANs allow you to have multiple Virtual LANs on a single ethernet or wireless interface, giving the ability to segregate LANs efficiently. It supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per ethernet device. VLAN priorites may also be used and manipulated. Many routers, including Cisco and Linux based, and many Layer 2 switches use VLAN to enable multiple independent, isolated networks to exist on the same physical network.
VLANs are simply a way of grouping a set of switch ports together so that they form a logical network, separate from any other such group. It may also be understood as breaking one physical switch into several independent parts. Within a single switch this is straightforward local configuration. When the VLAN extends over more than one switch, the inter-switch links have to become trunks, on which packets are tagged to indicate which VLAN they belong to.
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.
Original 802.1Q allows only one vlan header in ethernet header. Q-in-Q allows more than one vlan header. In RouterOS Q-in-Q can be configured by adding one vlan interface over another. Example:
/interface vlan add name=vlan1 vlan-id=11 interface=ether1 add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over "vlan2" interface, two vlan tags will be added to ethernet header - "11" and "12".
|arp (disabled | enabled | proxy-arp | reply-only; Default: enabled)||Address Resolution Protocol mode|
|interface (name; Default: )||Name of physical interface on top of which VLAN will work|
|l2mtu (integer; Default: )||Layer2 MTU. For VLANS this value is not configurable. Read more>>|
|mtu (integer; Default: 1500)||Layer3 Maximum transmission unit|
|name (string; Default: )||Interface name|
|use-service-tag (yes | no; Default: )||802.1ad compatible Service Tag|
|vlan-id (integer: 4095; Default: 1)||Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN.|
Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. Interfaces to the physical network, where VLAN is to be created is ether1 for all of them (it is needed only for example simplification, it is NOT a must).
To connect computers through VLAN they must be connected physically and unique IP addresses should be assigned them so that they could ping each other. Then on each of them the VLAN interface should be created:
[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1 [admin@MikroTik] interface vlan> print Flags: X - disabled, R - running # NAME MTU ARP VLAN-ID INTERFACE 0 R test 1500 enabled 32 ether1 [admin@MikroTik] interface vlan>
If the interfaces were successfully created, both of them will be running. If computers are connected incorrectly (through network device that does not retransmit or forward VLAN packets), either both or one of the interfaces will not be running.
When the interface is running, IP addresses can be assigned to the VLAN interfaces.
On the Router 1:
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.0.204/24 10.0.0.0 10.0.0.255 ether1 1 10.20.0.1/24 10.20.0.0 10.20.0.255 pc1 2 10.10.10.1/24 10.10.10.0 10.10.10.255 test [admin@MikroTik] ip address>
On the Router 2:
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.0.201/24 10.0.0.0 10.0.0.255 ether1 1 10.10.10.2/24 10.10.10.0 10.10.10.255 test [admin@MikroTik] ip address>
If it set up correctly, then it is possible to ping Router 2 from Router 1 and vice versa:
[admin@MikroTik] ip address> /ping 10.10.10.1 10.10.10.1 64 byte pong: ttl=255 time=3 ms 10.10.10.1 64 byte pong: ttl=255 time=4 ms 10.10.10.1 64 byte pong: ttl=255 time=10 ms 10.10.10.1 64 byte pong: ttl=255 time=5 ms 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 3/10.5/10 ms [admin@MikroTik] ip address> /ping 10.10.10.2 10.10.10.2 64 byte pong: ttl=255 time=10 ms 10.10.10.2 64 byte pong: ttl=255 time=11 ms 10.10.10.2 64 byte pong: ttl=255 time=10 ms 10.10.10.2 64 byte pong: ttl=255 time=13 ms 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 10/11/13 ms [admin@MikroTik] ip address>