Mastering VLAN Configuration on MikroTik, Step-by-Step Guide

Captions
Hey there guys, The Network Berg here. Hope you've been doing well. So let's get into another VLAN video on MikroTik. Now why do I want to make another VLAN video? Well, because a lot of the previous videos that I've covered regarding it show you the various different ways you can potentially configure a VLAN, and it's great for stuff like the MTCRE, or MikroTik Certified Routing Engineer, because I specifically focused on them in a routing type of world. But it doesn't necessarily mean it's the most optimal way of how to configure VLANs, and there's definitely room for error where you can potentially do some misconfiguration that can potentially cause some speed issues. So I think this way that I'm going to show you is going to be definitely the most optimal way, and I really encourage you to follow along, look at stuff like the documentation and verify some stuff like the block diagrams for any equipment that you have, just to verify that it can actually support the stuff that you want it to do. So anyways, let's get into the video and learn more about VLANs on MikroTik.

So before we actually do the configuration, I first just want to discuss some things and nuances behind VLANs and MikroTik. If you just want to see the configuration, please skip to the timestamp, it is listed here, but I really, really think it's a good idea to stick around a little bit and just see this, because this is actually quite wild. Now with VLANs, if you ever want to configure them and you are struggling, then I highly also recommend that you look at the MikroTik documentation. It's full of useful information. If you don't know where the documentation is, it is in the pinned comment, but you can just head on to the help.mikrotik.com/docs site. It should boot this up for you, and then you can find the subject that you want some more information on.

Now in our example I want to look a little bit at bridging and switching, and here is great information on different topics, but the place that I think you're going to learn the most from is by going into the bridging and switching case studies. Here is actually a bunch of different cool configuration guides and more or less real-world examples, and you can even see stuff like Layer 2 misconfiguration, where you can potentially have some throughput issues because you used the incorrect VLAN method when you wanted to configure stuff. But I just want to have a look at the basic VLAN switching, and it gives us a very broad overview of how to configure VLANs. The general consensus is that you are going to use what we call the single bridge method to configure your VLANs, manage them and all of your bridge ports really. But it's nice to just go through things: you can see some detailed information, you can see what a switch chip is and what type of features these switch chips might also support. Let me just quickly open up this page as well.

And if you don't know what a switch chip is, in essence it is an ASIC. It is a dedicated CPU, if you want, that has been made to just process the forwarding of frames, or to send traffic out between interfaces on the switch. It doesn't do anything with routing, it doesn't do anything with the firewalling; its main job is switching, and it's darn good at that. So that is why people put stuff like switch chips into the equipment. But it's worth noting not all switch chips are the same, and there are even some models that don't have a switch chip, where the traffic is going to go through the CPU regardless of how you configure your stuff. So it's definitely worth noting how these things work from the very beginning, and read up about it if you want to see if your model of MikroTik or switch supports the stuff that you want.

Now
another way to get more information is actually from the MikroTik website again, and this I love, this is kind of like having a hack or a superpower. So if you go to the MikroTik website and you go to the hardware section, you can actually find the equipment that you're using, or the equipment that you potentially want to buy, and see what's happening inside that equipment. So let's say you want to buy a new router. So let me go to the Ethernet routers, and let's say you saw some videos about this L009. You can go in there, and to find what we call a block diagram you can just scroll down to the support and downloads. You can find the block diagram, obviously the user manual, like all of this other information is great as well, but this block diagram, when I open this, it's like getting X-ray vision and seeing what's inside the MikroTik and just how everything's basically connected, especially stuff like the internal links, which is very worthwhile to note because this also paints a clearer picture of what the MikroTik's true capabilities are.

Because like I said, the switch chip, its function is to properly switch traffic between these interfaces or out to other devices as quickly and as fast as possible, and that's great for us, because here we can see these devices are all directly connected into the switch chip, and this allows us to achieve what you hear many times be called wire speed. Now what does that actually mean? That means if, let's say, ether2 that is connecting at a gigabit wanted to talk to ether3 that's also connecting on a gigabit, you'd be able to essentially get that full gigabit between these two ports. But if the traffic had to go through the internal link to the CPU, because it needed to get routed out, or there had to be some firewall rules applied against it, or some quality of service stuff needed to happen, then it would have to pass through this internal link. Now obviously for a single connection from one of your Ethernet interfaces that's not a problem, because this
2.5 gigabit line is big enough for the gigabit connection. But what would happen if all eight gigabit ports had to go through this CPU at the same time and they were all trying to push their respective gigabits across? That would definitely cause a bottleneck. You would actually hit some type of capacity on this internal link towards the CPU, and this is where you will see degradation of performance or even packets dropping. And here is pretty cool, you can see some of these interfaces actually have a direct connection to the CPU itself. And why would that happen? Well, there's various reasons, and it's not bad if it's connected to the CPU, it's just like how these interfaces are balanced together.

But again, not everything is the same. What I want to show you quickly is the RB5009, which is a fan favorite. Lots of people love it, it's a great tinkerer's piece of equipment, you can learn so much with it. Here we can see it's kind of like the L009: it's got a big beefy switch chip, but its SFP+ one 10 gig port is also going directly into the switch chip. It's got a bunch of gigabit Ethernet ports, also one 2.5 gigabit Ethernet port into the switch chip, and then it's got this 10 gig internal link between itself and a much bigger and beefier CPU. So this is such a strong device and definitely a worthwhile contender to put in any type of home lab, or small or medium office even.

But let's look at something that does get put out a lot in the field, maybe something like the RB4011, and here this is going to blow your mind. This device has two switch chips, and each switch chip is responsible for x amount of ports, and this is definitely where you're going to maybe run into some misconfiguration again, because sometimes it's also recommended to have two separate bridges for two separate switch chips, or you might even connect a separate link, so let's say from ether5 to ether6, to still carry that wire speed traffic between the switch chips instead of it having to go through the CPU, even though it's
not much of a bottleneck, but that can happen, so definitely worthwhile noting.

But I specifically want to have a look at this hAP ax3, because this is what I'm using in my own network as my router at the moment, and what would you know, it doesn't really have a switch chip. We've got five gigabit Ethernet ports, one of them able to run at 2.5 gig, but here you can see there's basically these physical connections into something that's just called a switch, and it's part of this IPQ-6010 stack. Now this is the CPU, WLAN, everything is kind of just built into this, but it's worth noting and seeing from the get-go how this operates and understanding, hey, this device doesn't really have a switch chip. So can you still do VLANs on it? Yes you can, you can totally still do VLANs on it. You can still implement it the same way I'm going to do as on the switch. It's just worth noting that this traffic will go through the CPU regardless of what you do. It's not really going to get hardware offloaded, if you think about it.

Now one more device that I wanted to have a look at, and that was actually the CRS326, because that's another piece of equipment that I have on this home network of mine, and it's also primarily a switch. Now obviously the switch is made for switching, so if I look at the CRS326, there it is, let's just quickly find its block diagram. We can see this actually has these, let's say, three bricks of eight ports amounting up to 24 ports, and these internal links between these ports go down into a dedicated switch chip, which also connects to two 10 gig SFP+ ports. This is great for us because the switch itself is very powerful for switching the traffic, but the CPU on it isn't necessarily very powerful. There you can see it's only 800 MHz, and also there's only a 1.3 Gbit connection between the CPU and the switch chip. This is why it's definitely not advised to run stuff like BGP or advanced routing protocols or tons of firewall rules on these types of switches, because you
can definitely potentially run into some throughput issues if there is some misconfiguration involved.

So now that we've looked at what VLANs are, or where to get some help with VLANs, and also how to read the block diagrams, let's quickly discuss the topology that I'm using. All right, so let's actually look at my topology that I want to configure, and I'm just going to zoom out a little bit here just to explain where what is. I highly recommend, if you want to configure anything on a network, write it down somewhere, draw it out either on a piece of paper, a whiteboard, or on something like draw.io that I'm using, that's totally free. Now what I've gone and done is I have an internet connection from my ISP coming in on ether1 on my hAP ax3 that's acting as my router. Then we have an uplink port or a downlink port from ether5 to ether23 of the switch, a CRS326, and then my actual computer that we're doing this recording from is connected, not on ether9, actually it's connected on ether1 at the bottom left. And if you don't know this about MikroTik, the switches actually don't start from one at the top left, they start at the bottom left as number one. So I think that's also one little nuance with MikroTik, but it doesn't really matter for the endpoint, because I'm going to be moving that port around to test things with the VLAN configuration later on in the video.

Now that we see what our connectivity on the topology looks like, let's actually plan out our VLANs. So I'm just going to zoom in nice and closely between the router and the switch, and let's quickly figure out what we want to configure or how we're going to configure things. So the first thing that I maybe want to do is configure my VLANs, so maybe let's just figure out what they are. So I'm going to use something like, hang on, that's a little bit big, there we go, that's nice. So I might use VLAN 10 for my management, MGMT, and I might use the IP pool of, or the network of, 192.168.99.0/24 for the management network.
Let's just grab another color, and this is going to be for VLAN, let's make this 100, and this is going to be for my servers. So servers, and let's just use the 10.0.0.0/24 network for the servers. And then last but not least I'm going to grab this blue color for VLAN 200 for my VoIP, for my telephony, and for this I might use the network of 172.16.0.0/28. So those are our networks that we will be defining.

So let's figure out what we're going to be doing on a port level. So let me just grab this pink marker for the management VLAN again, and if we have a look at our interfaces, we know ether1 is currently connecting to our ISP, ether5 is connecting down to our switch. So how can we configure things on this hAP ax3 for management perhaps? What we could do is reserve something like ether2 as an access port or an untagged port for the management VLAN, for VLAN 10. And what does an access port actually mean, or an untagged interface? Well, all that means is any traffic that's leaving out of this interface will have the VLAN tag stripped off of it, so when the device, like my computer, connects into it, it doesn't need to have any VLANs or anything configured on it. It just works, it's kind of like magic. So that is the awesome bit.

But what about traffic that's transiting between these interfaces, or maybe down to the switch, across the switch to other interfaces? What's going to happen there? Well, it's going to tag that traffic and keep that VLAN header on the frame, and it will transit across this network. This is where we will learn about something like a trunk port or a tagged interface, and all that really means is this interface between ether5 and ether23 can run multiple different VLANs across the network. So it's not untagged for anything, it's going to be like just broadcasting, or I shouldn't say broadcasting, but transmitting different VLANs' traffic across. Now you can have something like a native VLAN for each interface, but we're not going to specifically be
diving in that. We will be just looking at the tagged interface bit. So let me grab a color for, actually let's not even grab a color. So all three colors could come here, all three of these different lines can be on this access port, or not access port, the trunk port, as tagged. But then we can have certain interfaces maybe reserved again as access down by the switch. So let's say we could either do it for each of these eight blocks, make it nice and clean and easy, but the world's not always nice and clean and easy. Maybe your network looks something like this: maybe your first two interfaces are reserved for this management VLAN, and then maybe you will also later down the line see that this port 16 is also going to be for your management VLAN. And then let's quickly grab this yellow marker, and then for this we might have these interfaces all configured for our servers, and then lastly you might have something like these three interfaces for your voice and these four interfaces for your voice, and you might have a couple of reserved interfaces for maybe some further downlinks. Because like I said, this isn't just about between a switch and a router, because maybe you might buy another switch, and let me just grab maybe this black marker, and then this connection could also run down as another downlink to another switch, and it could follow this whole process again. So multiple VLANs, multiple things just connecting everywhere, but I've now kind of figured out a plan of what I want to do on the network. So in essence I'm going to just be tagging a couple of interfaces and untagging interfaces and putting them in certain VLANs.

So let's actually do the configuration bit now. Now for configuration I'm obviously going to be using WinBox for this, and I'm actually going to start off the configuration on the hAP ax3. So let me just select it, connect onto it, and it has been factory reset, so you can see, no shenanigans, we're going to be doing everything fresh as a clean setup. Let me just zoom in
here, and to actually work with the VLANs, the main place that you're going to be working from is the bridge. So if we click on the bridge, from here we can navigate to the bridge ports, and here we can actually set stuff like the PVID, and this is where you can think of what untagged VLAN or access port you're setting an interface for. So in our topology I said I may be going to make ether2 a part of VLAN 10, and that is just going to reserve or untag ether 10 for VLAN 10. So if I connect my actual computer on ether2 on this MikroTik, it's going to be on that VLAN 10 interface basically, or VLAN 10, it will be on that management interface.

Now to actually configure the VLANs you can go to this VLAN tab and then you can set it up here. Now what I want you to understand: this is purely Layer 2, and this is all for the switch chip itself. But for this to work you actually need to enable something called VLAN filtering on the bridge itself. So I'm just going to navigate back to the bridge, double click on it, go to the VLAN side, and it's recommended to enable the VLAN filtering at the very end, because you can potentially lock yourself out of the equipment and then you might have to factory reset it. This is where it's a good time to mention that I did showcase a video of how to configure a dedicated management interface, because it's great for those type of scenarios, so please go and watch that if you haven't. But anyways, what we'll do is we will just continue with the rest of the setup and do the VLAN filtering bit at the end.

So what I'm going to do is just navigate back to VLANs, then we can click on the plus, and now it's very important: you can set stuff like which bridge it is, because I did say there could be multiple bridges, because maybe you've got multiple switch chips. This is why it's kind of going to be for that, but for the most part you should just have a single bridge to manage the stuff. Next thing I'm going to do is specify my VLAN ID. Now I can type here VLAN 10 and you can
specify tagged. Now think of this as the trunk port, and I know this is going to be ether5, because that's what's going to be going down to the other switch, or to the CRS326. And untagged, here I can specify ether2, because I know I wanted the management VLAN for ether2 to be untagged. Even though I did already set that in the port section, it's kind of normal to just come and set it here as well. So I'm going to hit apply.

And if you have a keen eye you might be thinking, hey, why don't you just click on that drop-down where it says VLAN IDs and put in the other VLAN IDs, why don't you just add 100 and 200 in there? Let me just explain to you why I'm not doing that: because you can potentially have other misconfiguration issues. Because yes, I'm defining these three VLANs now and all three of them will be tagged for ether5, but the problem is all three of them will also be untagged for ether2 now. So if it's just for a trunk port I think it's fine if you want to use multiple VLAN IDs, but the recommended way of configuring the stuff is just to have a separate VLAN for each item or each line. So let's just add the other VLANs quickly. I'll add VLAN 100, tag it to ether5, untag that, actually I'm not going to untag that, I'll leave that just as it is, and I will also just add VLAN 200, and that's also going to be tagged for ether5.

Now there's a few other things that we need to also think about, since I am introducing a Layer 3 concept. Since I want IP addressing for these devices, and I also want to use the MikroTik here, this hAP ax, as a default gateway, it's going to need an IP address. So I obviously need to bind some IP somewhere, but where can I add these networks? If I go into my IP addresses and I click on the plus, you'll notice that when I go to interface, those VLANs aren't there, and again it's because VLANs are a Layer 2 concept. So we can actually configure a software VLAN, and this is where it's going to be kind of processed by the CPU, but since we're using VLAN filtering with the
bridge, although on it, it is going to use the CPU regardless, but if this was a switch or something it would be properly hardware offloaded. But what we're going to do is add a software VLAN, so we can click on the plus, click on VLAN, and now we can define our VLAN details. So I can name this management, and I can give it the VLAN ID of 10, and I'm going to bind this to the bridge, since the bridge is responsible for managing all the VLANs. I don't tag this on a specific interface or anything. So I'll hit apply, and then I can just quick copy this since I want to add a couple of other VLANs. So maybe I want to add the servers as VLAN ID 100 for the bridge, and then lastly I want to add my VoIP, which is VLAN ID 200 for the bridge.

Now that I've defined those details I can quickly add the IP addresses for them. So from our IP addressing I can just click on the plus and I can define 192.168.99.1/24 for management, I can add 10.0.0.0, or .1, /24 for my servers, and then I can add 172.16.0.1/28 for the VoIP. So now I have my three interfaces defined for the VLANs as well.

But this is where it gets interesting. We're actually going to have to also define these VLANs, or the bridge, for the tagging as well. Since we have that software-defined VLAN that's connected to the bridge, we also need to specify it as a tagged interface in this VLAN configuration. Now this is only relevant if you have that Layer 3 component. If you actually have a VLAN interface with an IP address bound to it here, this is why you're going to use this as well. So what I can do is just go into each of these VLANs and quickly add the bridge as the tagged interface as well. So I'm adding the bridge. You do not add the VLAN, you add the bridge, very important.

So now that I've added the bridge, if I look at hosts, everything is actually pretty not working yet, because we haven't actually enabled the VLANs to work yet, because I didn't enable the VLAN filtering. So let's quickly do that now. But before I do that, and this is also kind of like leaning
in on that management VLAN, or that management interface video, I'm also just going to add the management VLAN to my LAN interface list, just for management purposes, if anything goes wrong, that I can connect onto it. So let's just apply that and let's get back. And it's very important to note: the moment I turn on the VLAN filtering it is going to drop the connection on WinBox and I'm going to have to reconnect. So that's not something that's weird, that does happen. So let me click on apply and WinBox should drop, and now that that's dropped we should be able to just reconnect. So let's see, we can pick up our hAP ax3 again, I can connect, and I'll zoom back in for you guys.

And if I go to the bridge, if I go back to this VLAN tab, you can actually see it's showing the tagged stuff now. Before it was just blank, and it will show you the untagged if you actually connect something and the bridge port comes up. I'll showcase that as well. And if we look at our hosts here, we can see what MAC addresses we're learning, which interfaces we're learning them from, etc.

Now what I'm actually going to do is move my interface from the switch to ether2 on the MikroTik, or the hAP ax3, so we're obviously dropping again, but this is just to see that the connection is working and we can see it on this management VLAN, and I want to see if the IP address is the right thing that we pick up in the neighbors. So let's quickly check, and there we can see the neighbor I pick up as 192.168.99.1, and there is the MAC address for it as well. So let's just connect on the MAC address quickly, and that's perfect. So this is actually it, like this is the base of it, but we will be configuring a few more things and also be working on the switch, just to make sure that we don't just have this one-off little configuration success. And then from the bridge, if I look at the hosts now, and this is quite nice, here we can see what the VLAN ID is, we can see which interface it's being learned from, we can see what the MAC
addresses are, so this is very useful for us, and the VLANs are working. So here if I go to this VLANs tab, there we can see what the untagged is, what the tagged is, so everything here on the hAP ax3 is set up correctly. So great, yay, the router is set up the way that we wanted it to.

Now let's actually configure the switch and do a few VLANs on the switch itself, and also maybe configure a management VLAN on it. So I'll just open up a new WinBox session quickly and then I can just connect directly onto the switch, although now I'm not seeing it in the neighbors, but I know why that's happening as well. So I'm actually going to have to move my cable back quickly for this section of the configuration. So let's just jump on ether9 and we're just going to jump onto the switch to do the config. And it might have been worthwhile to do the switch first, or I could have moved to a different cable on the MikroTik, it's just because of that management VLAN that I have connecting on at the moment. So there is our switch, let's connect.

But I'm going to configure the management VLAN on the switch as well. So this is like what we want to do, is have this management VLAN so we can manage the device and connect to it from wherever on the network. So let's quickly zoom in, and it's going to be the same process really. So bridge, and then what we can do is quickly define our ports. So let's just keep this fairly simple, even though we kind of mapped some stuff out on the topology and said we can make it how big we want. Let's just do something like this: I will make ether1 VLAN 10, I will make ether2 VLAN 100, and that's untagged, and ether3 VLAN 200. I will quickly add the VLANs as well. So here I can add the bridge VLAN 10, and that is tagged for ether23 and it's untagged for ether1. I'm just going to copy this quickly, so VLAN ID 100, untag 23, tagged two, or untag two, and then lastly we have VLAN 200, tag 23, untag three. Perfect.

Now I'm also going to configure another software VLAN interface because I
want to have that management IP on this MikroTik. So what I'm going to do is head into the interfaces, add a new VLAN interface, name it management, VLAN ID is 10, bind it to the bridge, hit apply, and then I can add the IP address to the bridge as well, so this is going to be, or not the bridge, the management VLAN. So 192.168.99.2/24, bind it to management. Perfect.

And now the next stage is go back to the bridge, and let me just make sure that in VLAN 10 the bridge interface is also referenced here. Again, if you have a Layer 3 interface, a software VLAN, you also need to verify or add it to that tagged bridge in this VLAN configuration. But I don't need to do anything for VLAN 100 or 200, because I don't have that Layer 3 interface for those specific things on this switch.

So the other thing that I can do now is just quickly enable the VLAN filtering. So I can double click on the bridge and I can just go to VLAN, enable VLAN filtering, click on apply, and that's obviously going to drop my connection. So connection drops, I'm not too scared. I might not be able to really reconnect now, actually I should, I should see stuff. But the thing that I really want to do is connect onto ether1, which is that management interface, and I want to see if I pick up the management IP address, because then I know it is in the right port as well, and then we'll do a few other tests, we'll figure out a few other things quickly. And there we can see the CRS326, it does see 192.168.99.2, so it is a part of that management VLAN now, and I can see the hAP ax3 as well as the switch. So I can connect back onto the switch, and that's perfect.

So from the switch I can quickly test and see, can I ping the hAP ax3, which is 9... connection's going to drop again because I am on the MAC address, and MAC addresses are sometimes a bit finicky, that's why it's kind of better to connect on an IP. So let's just reconnect and ping 192.168.99.1. Awesome, so connectivity is up and running. So I could either now statically configure an IP address
or I could also enable stuff like DHCP servers for the VLANs required, and this is actually something that I saw someone ask about in another video. So I'm just going to head back onto the hAP ax3 quickly, connect onto its MAC address, and then from the hAP ax3 we can configure the DHCP as normal. So I can just go into my DHCP settings, so IP, DHCP server, and then from here I can just either run the wizard or set up everything statically. Now why people are asking this specifically is because when you have ports and stuff in a bridge, you can't use them as the DHCP servers, because it doesn't work on slave interfaces and then you need to use the bridge interface. But since we have VLANs, you can actually reference your software VLANs, even if they are a part of the bridge, inside the DHCP server, so that's not a problem. So I can go into the DHCP server wizard quickly and then I can just select my VLAN. So maybe I want the management VLAN to issue out some DHCP addresses, and I'm going to do the same for the other VLANs quickly, just so we can actually test and see if things are working, but I'm pretty confident things are working.

But we've now added three separate DHCP servers for these three separate networks, and let's just quickly see if I connect, well, I'm already connected on ether1 on the switch, so let's see if I do an ipconfig /release and we renew, let's see if we pick up an IP address from the ax3. And we do, we actually get an IP address of 192.168.99.254. Now that's great, because this means that I should be able to reach the MikroTik router, so 192.168.99.1, I can get there, and I can get to the MikroTik switch obviously, and I can now manage these devices using their IP addresses, which is just a lot more stable and reliable and it just works better.

But let's move this cable around to the other interfaces where I've configured the VLANs on. So I'm going to connect onto ether2 quickly, where I've configured VLAN 100, and this is quite cool, I want you to take note of if I can
connect onto that device on the neighbors and stuff, and also if I can just get an IP address. The main point is just to make sure that we are getting an IP, because now we know that we're actually on different VLANs and we're able to run multiple different DHCP servers and we can segregate the network quite nicely. Now I think in a separate video I'll actually tackle some stuff like firewall rules as well, because I think it's important to figure out how to properly restrict access between the VLANs, but that's definitely not the scope of this video. So let's see, if I do a renew, do I get an IP address from our servers? Yes I do. And can I ping our server gateway? I can. And do I have internet access? I do. And then the last test I want to perform is just move the cable to ether3, which was part of the VoIP network, the telephony network, so that was the telephone VLAN. So I can just again do another renew and I should in theory get an IP address of 172.16.0.14. There we go, cool, so that's actually awesome.

So now we've actually configured VLANs on our hAP ax3, our router, as well as our switch. We've looked at how to configure the trunk interface, we've looked at setting access ports or untagged interfaces, and we've just gone over quite a few subjects. So I know this is a little bit of a beefy video, but try and keep things as simple as possible when it comes to configuring VLANs, look at the documentation, and remember there's some simple steps. Bridge VLAN filtering, very important, but you can enable that at the very end because you might kick yourself out if you don't. You need to set stuff like the VLANs in the VLAN tab. If you're running Layer 3 interfaces, or you want to run gateways on top of a router for example, then you need to set a VLAN interface, bind it to the bridge, and then that also needs to be tagged inside the VLAN configuration. And that's really it, it's so straightforward if you think about it. And again, this is kind of considered the best-practice way of configuring
VLANs, using the single bridge method across the board. But again, it's all not just across the board, because different models just work a little bit differently, so again this is where I highly recommend you look at the documentation, but in a baseline the configuration steps will look roughly the same. Anyways, I'd like to thank you for watching and I'll catch you guys in the next video. See you.
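
The WinBox steps walked through in the captions above, written out as RouterOS CLI commands for both devices. This is an added example, not taken from the video or from MikroTik's documentation; it assumes the default-configuration bridge named `bridge` with the Ethernet ports already added as bridge ports, and an existing `LAN` interface list, none of which the captions name.

```routeros
# ===== Router (hAP ax3): ether2 = access port VLAN 10, ether5 = trunk to switch =====
# Assumption: bridge is called "bridge" and ether2/ether5 are already bridge ports.

# Access port: untagged frames entering ether2 are classified into VLAN 10.
/interface bridge port
set [find interface=ether2] pvid=10

# One row per VLAN ID, so an untagged port listed for VLAN 10 is not
# also made untagged for VLANs 100 and 200.
# "bridge" is in tagged= because each VLAN has a Layer 3 interface on this device.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether5 untagged=ether2
add bridge=bridge vlan-ids=100 tagged=bridge,ether5
add bridge=bridge vlan-ids=200 tagged=bridge,ether5

# Software VLAN interfaces, bound to the bridge (not to a physical port).
/interface vlan
add name=management vlan-id=10 interface=bridge
add name=servers vlan-id=100 interface=bridge
add name=voip vlan-id=200 interface=bridge

# Gateway addresses for the three networks.
/ip address
add address=192.168.99.1/24 interface=management
add address=10.0.0.1/24 interface=servers
add address=172.16.0.1/28 interface=voip

# Keep a management path available before filtering is switched on.
/interface list member
add list=LAN interface=management

# Last step: enabling filtering drops the current WinBox/MAC session.
/interface bridge
set bridge vlan-filtering=yes

# ===== Switch (CRS326): ether23 = trunk to router, ether1-3 = access ports =====
# Assumption: same default bridge name, ports already bridge members.

/interface bridge port
set [find interface=ether1] pvid=10
set [find interface=ether2] pvid=100
set [find interface=ether3] pvid=200

# Only VLAN 10 lists "bridge" as tagged: it is the only VLAN with a
# Layer 3 interface on the switch.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether23 untagged=ether1
add bridge=bridge vlan-ids=100 tagged=ether23 untagged=ether2
add bridge=bridge vlan-ids=200 tagged=ether23 untagged=ether3

/interface vlan
add name=management vlan-id=10 interface=bridge

/ip address
add address=192.168.99.2/24 interface=management

/interface bridge
set bridge vlan-filtering=yes

# ===== Verification on either device =====
# Tagged/untagged membership per VLAN as currently applied:
/interface bridge vlan print
# Learned MAC addresses with their VLAN ID and ingress port:
/interface bridge host print
```

The DHCP servers the captions set up with the wizard are left out here; they attach to the `management`, `servers` and `voip` VLAN interfaces rather than to bridge ports.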
Info
Channel: The Network Berg
Views: 14,328
Keywords: MikroTik VLAN Configuration, VLAN Setup Tutorial, Network Segmentation, MikroTik RouterOS, MikroTik SwOS, Network Optimization, IT Networking, VLAN Troubleshooting, Inter-VLAN Routing, MikroTik Tutorial, VLAN Configuration Guide, Advanced Networking, MikroTik Networking, Network Security, VLAN Best Practices, Network Configuration, IT Professional Tips, MikroTik Router Setup, Switch Configuration, Networking Fundamentals, MikroTik, The Network Berg
Id: 4Z32oOPqCqc
Length: 34min 55sec (2095 seconds)
Published: Mon Feb 19 2024