Mikrotik VLANs - CRS3XX Step by Step - Mikrotik Tutorial

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
do you know that migrate has up to six different ways for configuring vlans on their different devices on this video i'm gonna show you how to configure correctly and efficiently billions on the cloud router switches or crs 300 series and specifically i'm going to use a crs 326 device let's get started and go to the lav [Music] before starting with the configuration process i will show you exactly what are we going to do micro tick has two operating system for layer 2 devices router s and switch os if we go with router os then we have devices that are including switch chips and we have devices that doesn't have any switch chip at all if we take devices with swisschip then we have two main categories router boards and crs crs are the cloud router switches and there we have three big families 100 200 and 300. each of those families as you can see here have a different way for configuring billings in this video i'm going to show you how to configure billions on a divide from the family 300. i'm going to include one video per family so at the end you will know how to configure efficiently and correctly billings on any migrating device the process that we can take in a 300 device is the following it's a five-step process so i will go through each of those steps in my topology so before starting with this process i will show you the topology that i have here so you can see that i have a router and then i have two switches i have one switch over here and i have the second one on the right so those will be crs 326 in this case i'm using gns3 to virtualize those devices but in a real production environment those must be 300 switches but the process that i'm going to show you is exactly the same procedure that we'll take in a physical device if you don't have the ns3 or you don't know how to try this functionality you can check that video and then you will learn how to install gns3 and how to include migrating images and you can play with these so in this scenario we have three vlans as you can see there you have bill and 10 that is intended for the marketing department we have bill and 20 for it and we have one management bill bill and 99 so here we have all the subnets that are assigned to each billion this here will be a trunk link basically all the interview and routing process will be managed on the router and then the trundling will be sending the traffic to this switch below crs 326.1 then in that switch we have two different types of ports trunk and axis trunk ports are the ones that are going to be sending traffic for one or more billions an access port is a port that is mapped to an specific billing and all the frames that are sent out are not going to include any bill and tag at all so that means that this pc's here doesn't need to have any bill and configuration they are just going to be connected to the switch and they automatically will be mapped to the bill and 10 in this particular case additionally we have some devices assigned to the vlan 20. that means that we are going to have two billions to different broadcast domains in that point the management billing will be used just for management purposes on those two switches so to start i will configure the router so this will be a router on a stick so we don't have any special configuration there so i will go to the winbox and you can see that i have here the chr so i will get connected to it for the router my first step would be to add all the sub interface required for each vlan so if i go to this device to interface it ether one is the interface connected to a crs so i will add a comment and i will say link linked to crs 326.1 now i need to add three billion interfaces i need to go here to interfaces and then i have here the tab big land so i will go to bilan i can add a new billion and i will call that 1 billion dash 10 then i will assign the bill an id in this case that will be 10 and the main or master interface in this case would be ether1 so this interface here is the one that is connected to the crs so remember that then i can click in okay now i have one vlan interface so i need to add two more so now i will have vlan 20 billion id 20 same ether one okay again now i have the blank 99 this will be the management bill and so bill and id 99 and then okay so i have three billion interfaces on my router now i need to assign one ip address to each sub interface the ip address that i'm going to assign to each bill and interface will come from the subnet that is associated to that particular billing so in this case you can see here bill antenna and using that sublet bill 120 and so on and so forth so the ap will be the first usable ip in this case dot one so to add an address on migrate i need to go to ip and then addresses i'll click the add button and then i can assign the first ip 172.16.10.1 slash 24 and that will be mapped to the bill and 10. then ok and i will assign the second ip to the second billing interface 172 1621 it's like 24 in this case blank 20 then okay and finally the management billing 10 99.99 one slash 24 that will be mapped to billing 99 and then okay now i need to configure that crs-326 since i'm using the cloud object here and i connect to the router i will use roman to get access to that device that's a protocol that migrates has available for us when we need to have access to a device that is in a different broadcast domain so in this case i'm going to tools and then rom roman and i will enable that feature and now i will go to the console on that crs web console and i will type the following command tool roman set enable equal yes and also i will change the system identity or hostname system identity set name crs 326-1 and enter so that means that in this moment i will be able to get access to that crs via box so i need a new window for the inbox as you can see here i have my main router i will connect to roman and you will see here that i'm going to get the crs 326.1 so i will click on that and now i can click on connect and i have access to that crs so i am in the switch now so i need to follow this process so my first step is to create a bridge interface please remember that a crs has one swiss chip so we only need to have one bridge interface please don't add multiple bridge interfaces because that's inefficient so i will create one bridge interface and then i will add all the ports on it so i'm going to bridge and then i will add a bridge so i will call that one british okay so that's my first step now it's completed i'm going to the second step add ports to the bridge in this step i will add all the used ports to the bridge so that's very simple so i go into the bridge again and now i need to go to the ports tab and here i need to add all the interfaces that are connected so you can see that i have either one two three four five and six so all of those interfaces will be added to that bridge so i'm going here at ports you can see eater one to the bridge then i will do the same with eater two eater three if they're four heater 5 and then eater 6. so now i have all the used interfaces added to the bridge one good practice is to disable all unused interfaces so in this case i'm going to interfaces and since i'm not using ether7 to 10 i will select all of them and i will press this disable button so this is a good practice so now i have completed this step two remember step one was creating the bridge the step two is adding all the ports that i am using in this topology the step number three is to create the billing table and there we need to identify the tie and the untagged ports from here you can say that the tag port will be the trunk ports and the on tag port will be the access ports the step 3 is probably the most important step to successfully configure vlans in a crs-300 device so i'm going back to my topology and i need to identify all the trunk interfaces and i need to identify all the access interfaces if we see this topology our conclusion will be that this link here and that link there are trunk links and also we know that all of those interfaces there are access ports because we only have a single device connected to them so once we have identified all the trunk and access ports then we can go to create a bill and table so to create the bill and table i need to go to bridge and then you can see here this tab on vlans i will click on the plus button i need one entry per billion so in this case i will start with bill and 10 billion 10 is the marketing's billing after adding that bill and id then i need to identify the trunk and access ports for that particular billing bill and 10 will be transmitted in that link and also will be transmitted in those two links ether 2 and ether three billante has nothing to do with eater four and five so that means that for my tag interface i will select eater one that means that every frame that is going out eater one will have the billing headed included for that particular villain then for the on tag those are the access ports so here we have ether two and also i will add a second port in this case ether three now i can click on apply and then okay so i must repeat the same process for vlan 20. so i will click on add now the billing id will be 20 and if we see for vlan 20 this will be the trunk interface and those two here will be the on tag interfaces so my tag interface will be again enter one and my own time interfaces will be ether four and also eater five and now i can click okay so i have two billions but i'm using my management bill and so i need the management billing here as well so i will click on the plus button and now i will add the billion id 99. in this particular case for vlan 99 i only need the trunk interface so my tag interface will be ether1 the interface that is facing the router but additionally since this is the management building i need to add access to the cpu this is the way how megarotik handles that basically that means that i need to add as a tag interface that bridge itself and this is going to allow access to the cpu to the vlan 99 so this is the way how migrating handles the management access to the cpu so i will click on apply and now okay at this point we have completed our bill and table now we need to add the port bill and id to each access port to do that we need to go to the ports tab and then one by one we need to specify the appropriate value for the poor's bid and id so in starting with eater two so i will go to ether two and you can see this tab vlan so i will change the pv id to 10 so this port is mapped to bill and ten and ether three as well so i'm going to click okay then i'm going to ether three this is 10 meter four will be 20 meter five will be 20 and now we have all the access ports with the correct value for the port billion id so the next step is to add the management bill and so this is basically a billing interface where we need to specify the ip address that we are going to use to manage that bridge so i'm going to the crs and now i need to go to interfaces and then to vlan and i will add a bill and interface so i will call that one vlan 99 and the billion id will be 99 one important point here is that the master interface in this case will be the bridge now we can click ok and we can assign an ip address to that plan so ip address plus button and now you can see here i will use the dot 2 ip address that will come from the management subnet so the ip will be 10 99 99 to slide 24. interface will be the vlan 99 interface now i can click on apply okay if we are going to be managing this device from remote networks then we need to add a route a default route so i will go to ip then route and i will click the plus button and gateway will be 10.99.991 so the default gateway will be the ip that is configured on the interface blank 99 on the router so we need to apply security policies then we can add those into the router's firewall i will click ok now if i go to the terminal i must be able to ping the default gateway on the router you can see that i successfully have guarantee echo reply messages coming from the router so i almost done with this configuration so my final step is to activate vlan filtering so i'm going to the crs to bridge and then to the bridge tab i will open this bridge entry that is here and now if we go to the bill and tab we can click on bill and filtering after that we can click ok and now the billing filtering has been applied successfully and all the configuration that we have performed must be working properly how can we test that basically what i'm going to do is that i'm going to add the acp server in the router and then if we try to get an ip address from those devices those devices must get an ip coming from the appropriate vlan so let's try that so i'm going to the router so this is the router ip the acp server the acp setup i will select the vlan 10 next next so i will use all the default configuration for that device and everything must work correctly so i'm going to do the same process for vlan 20 next next next next to next next and finally we have two dhcp servers running on the router so i will go to this pc pc1 right click web console and i'm going to say ipdacp this must get an ip coming from the bill and number 10. the dora process has been completed successfully and it has an ip coming from vlan 10. if i try to ping my default gateway 10.1 that is working properly so that means that this access port where pc1 is connected is working properly now we can do the same with one device connected to vlan 20. so web console ip the acp enter and this must get an ip coming from v920 let's see if that's true and that's it so we have gotten an ip from v920 i will try to ping 172 16 21 and we can reach our default gateway i will try to ping when ip on vlan 10 like 10.1 you can see that we can successfully pin that device so the router is performing the interval and routing this switch has all the access ports and trunk ports working properly what happens if we have a second switch in our topology and then we need to expand the scope for one particular villain like in this case you can see here that we have a second switch probably that can be in a remote building in a different office in this case we only have users connected to the vlan 10 in that remote location so we can identify here a new trunk link the one that is connecting the switch 1 to the switch 2. that trunk link in this case will be sending traffic only for vlan 10 and blank 99 we don't have any divide for vlan 20 in the remote location so we don't need to send that bill and out that trunk link so in this case we need to make some modification on the first switch since we need to configure e36 as a trunk interface after that we need to get into the second switch and then we can configure those two interfaces the strong interface and then the access interface so i'm going back to the switch number one and i need to modify my bin and table since now i need to add the ether six to blank ten and bill 99 so i will modify the entry for bill and 10 so i will double click on that entry so i'm going here and i will add a new entry and i will select ether six and then i will click ok i will do the same for vlan 99 so in opening the entry for blank 99 i need to add a new tag interface and that would be ether 6. now we can click ok so that means that at this point this device here knows that all the traffic for bill and 10 ambulance 99 going out of ether 6 must include a header for that bill and id we are ready with the switch number one now we can go with the second switch so i will go to that device i am here on that switch so my first step is to add a bridge interface so i have that there then i need to add all the ports that i'm using so in this case i'm only using ether one and two so i will add those two entries either one to the bridge and then ether two i have those two interfaces and i will disable all the remaining interfaces this is a good practice this is not mandatory but it's a good idea to do that so i will keep enabling only the interfaces that i'm using in this particular moment then my next step is to create the bill and table so i will go to billions and here i only need two billions bin and ten and billion ninety nine so i'm starting with bill and ten so the billion id ten my tag interface will be ether one and my on tag interface is the one where the end point is connected in this case ether2 and then i will click ok then i have the management billing so that's billing 99 my tag interface is the same that is connected to the uplink switch so in this case that ether one in this case we don't have access ports because this is a management villain but that bill and needs access to the cpu and to do that we need to add to the tag section the bridge interface so i'm adding that one we'll click apply okay and i have those two entries in my bill and table my next step is to set the port being an id for every access port in this case i only have one access port and that's ether2 so i will go to ports ether2 and i will set the value for the port being an id to bin and 10. you can see here that port is mapped to bill and 10. so i'm adding that bill and 10 okay my second last step is to add the management interface because i need to assign an ip address to this device so i will go to interfaces then vlan and i will add a new entry here we'll call that 1v1999 the billion id will be 99 and the interface will be the bridge now i can click ok and you can see here the ip that i'm going to use for management in that switch will be dot three still i'm going to use the same subnet for the management billing so i will go to ip addresses i will add a new value here 10 99 99.3 is like 24 and that will be assigned to bill and 99 i can click okay and now i need a default route if i need to get access from a different network to that device i'll add a new one and then the gateway will be the ap configure on the router 10 99.99 one i can try to pin that router being 10.99 99.1 you can see that we have successfully reached our router so i will expand this just to see the full response here and you can see that i'm getting response from my router so we don't have enable all the configurations that we have just added to this device so to do that i need to go to bridge and then to the bridge interface vlan and i will enable bina filtering now i can click ok and if i go back to blanks then you can see that now i have the current tag and current on tag fields showing information about the appropriate ports so that means that at this point if i go to my topology and i try to get an ip via dhcp on this virtual pc i must get one from vlan 10 ip the acp enter and you will see the dora process successfully completed and that means that i have an ipv from the vlan 10 i can try to ping my gateway you can see that i can successfully pin that device if i try to pin another device from a different network like this one here show ip you can see that it's 2254 and we'll go back to pc5 the one on the remote location being is 172 16 20 to 54 and you can see that i can successfully pin that device additionally at this moment we don't have any security policy in the router that means that any user can have ip connectivity to any switch so you can see i can reach the switch number two from a user's pc so what is happening here the all this traffic is going to the router that the router is routing the traffic to the appropriate ip so that's something that we must avoid so we can include some policy rules in the router how can we block the access to those management ip for traffic coming from those vlans so we can just add a simple rule here i'm going to go to the router so this is the router and negrotic has something that is called addressed so i can go to ip then firewall then address list i can add another list and include all the network that are assigned for users like for example user network and i can add an entry for each of those like 172 16 10 0 it's like 24 i can apply that i will copy for the second subnet you can see that i have now one add release with two entries one per billion that means that now i can use that address and block all the traffic that is coming from any of those network to the management bill so to do that i can go to filter and then i can add a new entry here and i can say forward so in this case it will be the forward chain this is traffic that is going through the router and then i can go to advanced source address and i can select user network i can go back to general and then here in destination address i can say 10 99.9924 so this is basically telling to router that if any packet coming from a user's network is trying to reach an ip in the management billing then we can drop that packet so i will say block user traffic to management vlan i can click ok and basically now if i go back to this pc and i try to pin the management building again you can see that that user won't be able to reach any management ip so that has been applied to the forward traffic so in negro tech there are three chains input forward and output forward is traffic that is going through the router if there is traffic that is going to the router that is called input so that means that since the rule has been applied to the forward only if i try to pin the ip that is configure on the router that is going to reply so if i need to block the access to the right key as well then i need to add the same rule i will copy that one but i will include the chain input so now if i repeat the pin you can see that that user is not able to reach any management ip address this is the appropriate method that you must follow when configuring a crs-300 device this is going to take advantage of the swiss chip everything will be handled in a hardware level thank you for watching and i see you in the next one
Info
Channel: The Network Trip
Views: 25,495
Rating: undefined out of 5
Keywords: network, networking, ccna, network tutorials
Id: YLtGQAQ8iS0
Channel Id: undefined
Length: 30min 4sec (1804 seconds)
Published: Sat May 15 2021
Related Videos
Mikrotik VLANs - CRS1xx & CRS2xx - Mikrotik Tutorial
The Network Trip
5.2K
TOP 10 RouterOS Configuration Mistakes
MikroTik
119K
MikroTik CRS328-24P-4S+RM Video Review
ServeTheHome
58K
Configuring VLAN's on MikroTik RouterBoard using the Switch Chip
MAICT Consult
39K
TSP #202 - A Uniquely Complicated Nixie Tube Clock: HP 5245L Electronic Counter & ERA EasySynth++
The Signal Path
12K
MikroTik CRS305-1G-4S+IN 10G Switch Setup Review With VLANS
Lawrence Systems
115K
Diving deep into RouterOS: Switching
MikroTik
21K
1951 Radio Receiver - Can We Bring It Back To Life?
Mr Carlson's Lab
39K
đź“—MikroTik MTCNA - Firewall Principles (Forward,Input,Output)
The Network Berg
1.7K
Playing with RouterOS's VLANs
MikroTik
14K
SwitchOS MikroTik [Live Streaming]
Mikrotik Indonesia (Citraweb)
2.7K
Install GNS3 VM + Mikrotik on VMWare - Mikrotik Tutorial
The Network Trip
3.8K
Intro To Azure Static Web Apps - Free Hosting, SSL, Global Distribution, and More
IAmTimCorey
3.6K
DIY Home Rack Build
Lawrence Systems
389K
Getting Started: MikroTik Firewall
The Network Berg
24K
DHCP Configuration in cisco router with VLAN 10 20 30 in packet tracer
chin Tips
100K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.