Bridge VLAN Filtering in MikroTik

Captions
Let's implement bridge VLAN filtering in MikroTik. In this MikroTik Fundamentals video we will implement bridge VLAN filtering. We will start with a brief discussion of the network topology that will be used for our demonstration. We will then demo how to create multiple bridges to achieve our objective of multiple broadcast domains, and finally we will make use of bridge VLAN filtering (bridge virtual local area network filtering) to achieve the same result of having multiple broadcast domains.

Here we have a basic network topology where our MikroTik is connected to two computers depicting two local area networks; however, they are on the same network subnet, i.e. the addressing scheme is on the same 192.168.1.0 network. PC number one is 192.168.1.100 and PC number two is 192.168.1.200. However, we want our PCs not to communicate with one another, so we will try to create a scenario wherein PC number one and PC number two are on different local area networks.

Okay, so we have our demonstration here using GNS3. We will implement this using multiple bridges. As you can see we have our two PCs; they are currently addressed as 192.168.1.100 and 192.168.1.200, and they are connected to the same MikroTik on ether2 and ether4.

We have our Winbox here so that we could configure our MikroTik. Basically the objective is that the two computers would not communicate with one another, so if we perform a simple ping test, PC1 should not be able to reach PC number two. Before we go to our MikroTik, let's first verify that the IP address is correctly set up on our PC number one. Basically we'll just run `show ip`; this is not a Windows or Linux computer or virtual machine, so as you can see we have this `show ip`, a different command; normally we would use `ipconfig` or `ifconfig`. Basically the objective is to take a look at our IP address, and it's correct: 192.168.1.100. We don't have any gateway because we'll just try to implement layer 2 connectivity; we will not try to reach different networks in our demonstration. Let's go to PC number two this time and perform the same command, `show ip`. It is correctly addressed 192.168.1.200. Okay, so there you go, we have our computers already correctly addressed.

Okay, so I'm now inside our MikroTik number one, or MT-1. I make use of the Winbox utility. We'll focus our attention for this demonstration on the Bridge menu. If we click on the Bridge menu, as you can see we don't have any bridge interface set up here, so obviously we don't have any ports assigned to a bridge, and we don't have any other configuration for our bridge. We will create our bridge. A bridge is basically a computer networking term: when you create a bridge you are creating a logical grouping of computers or endpoints, and they will be on the same broadcast domain, so they can talk on layer 2, the data link layer. For MikroTik, we'll just go to the Bridge menu, go to the Bridge tab and click the plus sign. Just leave the name as the default, bridge1. On the Ports tab we'll add the member ports or interfaces for that particular bridge. For our topology we have ether2, so click OK, and let's add the second port, which is ether4, on bridge1. If you look back at our topology, our two computers are connected on ether2 and ether4; therefore we will have ports 2 and 4 on our bridge interface. Obviously you could add more ports to the bridge, for example ether3 and ether5, but for our simple demonstration in this particular video we will only make use of ether2 and ether4.

Now that the bridge is created, let's perform a simple test of whether PC1 is able to communicate with PC number two by use of the ping command. This is PC number one, 192.168.1.100, so obviously we will try to reach the other computer, which is 192.168.1.200. There is now a reply; if you look at the output, there is a reply from 192.168.1.200. This is really true because we are on the same bridge interface: we have only one bridge, and ether2 and ether4 are members of that particular bridge, so there is communication between our computers. However, our objective for this demonstration is that we don't want our PC1 to communicate with PC2 or vice versa. So we will implement a scenario wherein PC number one is on a different LAN; perhaps it is using a /25, the bottom subnet of the /24, which is from 192.168.1.1 to 192.168.1.126. This will form our LAN A. PC2 is on the second half, the upper half of the /25 addressing, which starts at 192.168.1.129 and runs to 192.168.1.254. When that happens, PC1 and PC2 should be on different LANs, and how will we implement that on our layer 2?

So we go back to our MikroTik. We go to the Bridge menu; as you can see we still have our configuration intact. We will create multiple bridges, meaning we should have another bridge for LAN B. Bridge number one we will assign to LAN A, which is on ether2, and bridge number two gets the port assignment of ether4, which is connected to our PC number two. So we proceed to create another bridge, and we accept the default naming, which is bridge2; we are fine with it. Ports: simply reassign ether4 to the new bridge, because ether2 is already correct on bridge1; ether4 should be on bridge2. What I just did is double-click on the port and, under the bridge selection drop-down, we now have the bridge2 choice, and we click OK. Now let's see the effect of having another bridge. Let's take a look at whether there is still connectivity between the two computers now that PC1 is assigned to bridge1 and PC2 is assigned to bridge2. Take note that we have not changed any IP address on our computers, so PC1 remains 192.168.1.100, and if we take a look at PC number two it still remains 192.168.1.200. But this time let's verify via our ping command whether we are able to reach our PC number two. Okay, so it now says not reachable. A while ago, when there was only a single bridge, our computers were able to reach one another, but now, with another bridge, PC1 is unable to reach PC2. Therefore we have achieved our objective that LAN A would not be able to talk to LAN B at the data link layer, or at least on layer 2 for our scenario: PC1 and PC2 are not able to reach each other. So that is the simple solution for how we can separate our two local area networks: we have LAN A and LAN B; our LAN A is connected on port number two and it is assigned to bridge1, and we have our LAN B, which is connected on ether4, and ether4 is assigned to bridge2. If you have more ports available on your MikroTik device, you could create more bridges and assign whatever local area networks you want to have; for instance, you could have a separate bridge for your hotspot, for your PPPoE, for your home network.

Sometimes in networking, though a solution is simple to configure, not every simple solution will be the ideal or appropriate solution to implement in production. A while ago we implemented multiple bridges to create more broadcast domains on our network; we created two broadcast domains by creating two bridges. This time we'll make use of bridge VLANs to achieve the same result, wherein we have our LAN A and LAN B and still have two broadcast domains.

Okay, so we are now at MT number two, MT-2, our second MikroTik for our demonstration. Still we will focus our attention on the Bridge menu. We'll create the bridge, accept the default name bridge1, and assign the ports for this particular bridge; in our case we have ether2 and we'll also have ether4 on the same bridge. This is similar to our demonstration a while ago; however, we will now be implementing bridge VLANs. We have the VLANs tab here to add our VLANs. VLAN stands for virtual local area network; basically we'll create more broadcast domains, or virtual local area networks, as the name itself says. We'll have to add a VLAN ID for each VLAN, so we have VLAN 10 for our example. We have Tagged and Untagged; we will have more discussion on this in the future, but for now, the port that is assigned to the computer or endpoint we'll assign as untagged, so that's ether2. We will just assume that it is an endpoint, a straightforward computer or printer, that is connected to that particular bridge. Obviously if it's a different endpoint, it could be a switch, it could be an access point, then it could be a different story with our untagged and tagged types, but for now I wouldn't confuse you with these terms. For our endpoints we just connect them as untagged, which is ether2. Okay, so click OK, and on our bridge1 we will create another VLAN, this time with VLAN ID 20 and untagged on port number four, ether4. Okay, so the end result is that bridge1 has VLAN 10 with untagged ether2, and bridge1 also has another VLAN, VLAN ID 20, with untagged ether4.

This is not yet the final configuration. We still need to go back to our ports, because so far we only added the ports to the bridge; we haven't gone to the VLAN tab of the port configuration. There we have the PVID, or port VLAN ID assignment. As you know, ether2 is on VLAN 10. The default VLAN, or native VLAN, is VLAN 1, which is why we have 1 here. Our port number 2 is now configured for VLAN 10. We'll do the same on our ether4, but this time it's VLAN 20. Okay, so the final step is to enable bridge VLAN filtering. To enable bridge VLAN filtering, be careful: obviously if your computer is connected to a port, or a group of ports, that is assigned to a VLAN, you may lose your connection or access to this particular MikroTik. We will have more on those topics when we discuss the management VLAN for management access, but for this time we'll just enable VLAN filtering, accept the default values here and click OK.

Okay, so now let's verify with our PC number three, which is on the same network; the current IP addressing scheme is on the same 192.168.1.0 network. PC3 is 192.168.1.100, so let's try to reach 192.168.1.200, PC number four. If we run the ping command we notice the reply is that the host at 192.168.1.200 is not reachable. Now let's prove that this is because of our bridge VLAN. How can we prove it? We will uncheck bridge VLAN filtering in our previous configuration in our MikroTik number two. I go back to MT-2; under the Bridge menu, under the Bridge tab, we have a single bridge. The difference again, if you notice, is that we have a single bridge this time rather than multiple bridges. In the bridge configuration we will uncheck VLAN Filtering; let's uncheck that and click OK. Let's go back to our PC number three and this time ping the host PC number four again. This time, although we still have our configuration on our port VLAN ID, which is 10, and we have VLAN database entries for VLAN 10 and VLAN 20, it is not taking effect, the VLANs are not taking effect, and there is now a reply, because we haven't applied VLANs on our bridge itself. If this is unchecked, or remains unchecked, then whatever VLAN configuration you have on the ports will not take effect on the bridge. That's why it is named bridge VLAN filtering. If we check this again and click OK, and go back to our PC number 3 and run the same ping command, now there is no communication to the host of our PC number 4. So bridge VLAN filtering is kicking in, or taking effect.

Let me show you quickly why we would not prefer the solution of having multiple bridges and would instead implement bridge VLANs. Obviously there are more VLAN configurations, and I will show them to you in the future, but for now, why would we not apply this multiple-bridges solution, although it would also achieve our objective of separating our local area networks? As you may remember, when you create a bridge you assign ports to it, and when you assign a port, for example ether2 assigned to bridge1, you'll notice a check here, which is hardware offload. Every port that is assigned to a bridge has the hardware offload box checked by default: hardware offload on ether2 and hardware offload on our remaining ports. Meaning to say there is a certain chip, a certain piece of hardware, that will help our MikroTik particularly with layer 2 communication between the members of the bridge; that is why the term is hardware offload. There is another set of hardware helping our MikroTik, which has a CPU; this is different hardware from our CPU. If we go to System > Resources we have the CPU, MIPS, for the hAP ac lite. Now, even though hardware offload is checked on our ports (I'll just go through the ports ether2, ether3, ether4 and ether5; hardware offload is checked), you'll notice on the flags, although they are inactive, that only the first two, which are on bridge1, the first bridge, have the H flag turned on. Okay, so the H flag is for hardware offload. Meaning to say even though ether4, where my computer for this demonstration is connected, has hardware offload checked, it does not have the H flag. The moment you create multiple bridges, not all of the bridge ports will have the H flag; only a few ports will have the H flag. Obviously it will be a different scenario if you have more hardware, because there are MikroTik models that have more hardware in terms of layer 2 bridging capability, and we will have more hardware offload there, but in this case the hAP ac lite has only a single chip for its hardware offloading; therefore only a single bridge among multiple bridges will have hardware offload turned on. What is the consequence, if only one of these two bridges has it? Meaning to say, within the local area network on bridge2 you won't have the advantage of hardware offload, and therefore you will be consuming more CPU resources for communication inside bridge2.

So in this video, bridge VLAN filtering in MikroTik, we came up with a network topology where we want separate broadcast domains, or local area networks, and we have our PC1 and PC number two to depict that particular scenario. In our first solution we created multiple bridges to achieve the separation of our local area networks. We then went to bridge VLAN filtering, where ideally we make use of a single bridge and the VLAN feature within our MikroTik to achieve the same effect, wherein our computers are this time on different local area networks. I've also shown you the reason why we may not be able to implement the simple solution, which is just to create multiple bridges, on our production network: because we would lose the hardware offload capability. I hope you find this video helpful, and I would like to thank you for viewing.
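The two configurations the video builds through Winbox, written out as RouterOS terminal commands. This is an added example, not part of the video or of MikroTik's own documentation. It assumes a RouterOS 6.41 or later bridge implementation, PCs on ether2 and ether4, and that your own management session reaches the router through a port that is not a member of bridge1 (for example ether1), which is the situation the video relies on when it warns about losing access.

```routeros
# Added example: the video's two demonstrations as RouterOS terminal commands.
# Assumptions (not from the video): RouterOS 6.41+, PCs on ether2/ether4,
# management access arrives on a port that is NOT a bridge member (e.g. ether1).

# --- Solution 1 (MT-1): one bridge per LAN.
# Separates the broadcast domains, but on a single-switch-chip device such as
# the hAP ac lite only one bridge can keep hardware offload.
/interface bridge
add name=bridge1
add name=bridge2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=ether4
# Only the ports of one bridge show the H (hw-offload) flag here:
/interface bridge port print

# --- Solution 2 (MT-2): a single bridge with bridge VLAN filtering.
# Press Ctrl-X in the terminal first to enter Safe Mode: if the session is
# lost after vlan-filtering=yes, RouterOS rolls the changes back.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
# pvid = the VLAN that untagged frames arriving on this port are placed into
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether4 pvid=20
/interface bridge vlan
# untagged = ports that forward frames of this VLAN without an 802.1Q tag
add bridge=bridge1 vlan-ids=10 untagged=ether2
add bridge=bridge1 vlan-ids=20 untagged=ether4
# Final step: without this the pvid and VLAN table entries have no effect,
# which is exactly what the video shows when the box is unchecked.
/interface bridge set bridge1 vlan-filtering=yes

# Verification
# VLAN table; the "current untagged" column confirms the port membership
/interface bridge vlan print
# learned MAC addresses per VLAN: the two PCs now appear under different VIDs
/interface bridge host print
# every bridge port should still carry the H flag, unlike in Solution 1
/interface bridge port print
```

From PC3, `ping 192.168.1.200` fails while filtering is on and succeeds again after `/interface bridge set bridge1 vlan-filtering=no`, matching the video's test. One caveat the video defers to its management-VLAN session: if your Winbox or SSH session comes in through ether2 or ether4, add bridge1 itself as a tagged or untagged member of a management VLAN in `/interface bridge vlan` (and set the bridge's own `pvid` accordingly) before turning filtering on, otherwise the router becomes unreachable on those ports.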
Info
Channel: Inquirinity
Views: 3,839
Id: JcinExkyHZA
Length: 25min 48sec (1548 seconds)
Published: Wed Jun 02 2021