Optimising Your MikroTik Layer2 configuration

Captions
Good afternoon. I started out in my working career as a network engineer, started out with Cisco, and have moved across as my job has changed. I've been using RouterOS 4 since 2010, a consultant since 2014, and two years now as a trainer. I work for a company based in the UK; we've been going thirteen and a bit years, there are now 29 of us, and I started there as the very first engineer all those years ago. We're based out of Sheffield, which is up north, we are now working nationally, and we now have a few sites through Europe for some of our clients. There are two of us who do the MikroTik consultancy, and I provide the training service to our staff and to people in the north of England. Our company is primarily based around desktop and server support and connectivity and Wi-Fi installs to offices, and a lot of our clients now are multi-site, so we want to offer the full service, which is why we have a network team as well.

This afternoon I want to talk about some of the stuff that comes out of the changes since 6.41 with the new bridge configuration. I want to encourage people to use these new features and to use them optimally. Over the last three or four months we've done quite a lot of consultancy work with other companies who've all tried to install mainly CRS 3-series switches, and every one that I have logged into, for some reason or other, isn't working right, and they are bemused, confused or baffled as to why. So this afternoon's presentation is not set out as a step-by-step guide, but I'm going to show some of those configurations, or variations of them, that I have been working on for the last few months to solve for people as they've come in. If you want a step-by-step guide on setting up the new VLAN configuration, then go on the website and you can watch the presentation that I did in Birmingham at the end of last year. When you download the slides of this presentation, I will have marked all the pages in the PDF which are correct and incorrect configurations, so there is no confusion.

I'd like you all to again meet Mike. When we last met Mike he had just installed his new MikroTik wireless. He finally got it all working; it took him quite a bit of time, thanks to some really cool guy that he met at the UK MUM. Mike invites his good friend Dave, who introduced him to MikroTik last year, to see how well his wireless is working. They sit down in Mike's office kitchen drinking tea, and while Mike shows Dave how good his Wi-Fi is, Dave looks up at Mike's patch cabinet and sees this mess. Mike has 12 wireless access points dotted around his office, all of them powered by PoE injectors, and the resulting wiring shows it. Dave suggests to Mike that he really should use a PoE switch; that will power all his APs and then he will be able to get rid of the hot mess and shut the door. We've probably all seen those, been to those sites; I definitely have seen people try to do that. Mike does some research on the internet and, being a new-found MikroTik fan, he discovers that MikroTik have a PoE switch, and as it's really cheap he buys one. Mike buys himself the CRS328-24P PoE gigabit switch and installs this switch in his cabinet. He now doesn't need 13, 14 extra power sockets; he's got it down to a few power sockets, he is able to tidy his wiring up, and he shuts the door on it. Mike is really excited about his features, so like everybody else who gets excited these days, he tweets about it. Dave also points out to Mike that he really should have not just one wireless network but something different for his visitors to use, to keep them away from his office network and prevent them from taking it down. This again is something else that we see so often as we travel round: as I go to other venues, I log onto their Wi-Fi using the credentials that we are given, apparently as a guest. I was at a venue last weekend and I could see all their servers, their SQL, the photocopier and everything on what was supposedly the guest network.

Mike's got his switch, he's got his hAP ac² router that he installed last year, and he sets about configuring a new bridge on his hAP ac² to support this new network. He gets it all up and running, but then Mike discovers an issue. He starts doing some testing between his wireless and his wired client, and he notices that when he's doing his throughput test to prove that it's working to full capacity, he's got some quite large latency, and his hAP ac² has a very high CPU load, and he doesn't think that it should be like that. So he calls Dave. Dave tells Mike to check that he has turned on hardware offloading. Mike has turned on hardware offloading, but then looks a little bit more closely, and though hardware offloading is turned on on all his bridge ports, only the ports in one of his bridges are actually doing hardware offloading. His other bridge, and the other ports in it, which is bridge-LAN, his staff network, are at the moment going through the CPU, not optimally using the switch chip, resulting in slow throughput, high latency and high CPU usage. What's going on here? Only the CRS 1-series and 2-series support hardware offloading on more than one bridge at a time. Even though hardware offloading is enabled, the second bridge can't use it on this 3-series switch. Also to note, though not relevant to Mike's problem: the configuration is slightly different if you're using the new hardware offloading on one of the units like the 2011, 3011, 4011 etc., which have two switch chips; that's different to what I'm talking about here, just read the manual if you need to do that. Solution to Mike's problem: well, you can control which bridge uses hardware offloading. One of your bridges may not need to pass much traffic, so it might be fine using the CPU, going through your router. Or, what we really should do, is use the correct hardware optimally for the purpose that it was designed for.

Mike does some reading and discovers that since 6.41 MikroTik RouterOS supports VLANs with a single bridge. Mike thinks great, this is going to solve my problem, I'm going down to one bridge. Mike sets about and configures VLAN filtering on his hAP ac² so as to only use one bridge, and he turns it on. Mike now notices his first problem: his clients are not getting a DHCP address, even though he has DHCP servers running on his VLANs. Mike, thinking he knows everything about MikroTik, emails MikroTik support to tell them that their VLAN configuration doesn't work, and I'm sure MikroTik get these emails as people point out to them that they've done it wrong. What has actually happened here? I'm not going to dive into that CLI from earlier, but what Mike has done is he has configured his VLAN interfaces on the port, which is ether4 in his network, where his switch is plugged in. What's actually happened is, when you're using the bridge, the ports in the bridge become slave interfaces, so all traffic captured on those ports actually leaves the bridge on the master interface, not on the slave interfaces, the physical interfaces the things are plugged into. What Mike needed to do, and Mike does, is he moves those VLAN interfaces so they are running as part of the master interface, the bridge interface, and Mike's DHCP server now starts working and his clients get IP addresses. Mike tests his network now; he's got good IP addresses back on his clients, but he still sees that he has slow throughput, and now not just on one of his networks: he now has slow throughput on both his networks. Mike also notices that when he performs a performance test through his network, trying to max it right out, on both networks this time he gets high CPU load. Mike, thinking he's learnt some stuff, looks at his config on his hAP ac² and sees that yes, hardware offloading is enabled on all his interfaces, but there is still no H flag showing that they are using hardware offloading on either of his bridges or any of his interfaces. So, since he's got one bridge, Mike cannot understand why; he thinks he's done it right. He's only got one bridge, he's got hardware offloading enabled on his interfaces, and yet this bridge is not hardware offloading.

Mike yet again bugs Dave. Dave's probably sick of these phone calls by now, but Dave answers. Dave tells Mike that he should look at the documentation, and the documentation that he points Mike to in the wiki shows that each piece of MikroTik hardware has a different switch chip in it, and different switch chips support different features with bridge hardware offloading, and if you use one of these unsupported features on your bridge it will disable hardware offloading on your bridge. This is not a complete table; this is an extract from the wiki and doesn't show every RouterOS model, because it would be many pages in PowerPoint. But Mike has a hAP ac², and the hAP ac², as you see highlighted, has that switch chip, same as other devices, and as soon as you enable VLAN filtering it is not supported with hardware offloading, so therefore all his traffic for his bridge is going through the CPU. Dave suggests to Mike that he should carry out yet another network redesign to use his hardware optimally. Mike takes this on board and redesigns his network so that he no longer uses his hAP ac² as a switch in his network; he just uses it as a router. Mike sees that the CRS that he's just bought, the CRS326, supports VLAN filtering with hardware offloading, so Mike now starts configuring his CRS328, sorry, 326, with VLANs so that he can get both VLANs down to his access points, ready to put on his new SSID. So this is the design that Mike comes up with, and he connects all his switches together.

Mike goes on to his CRS and he starts the configuration. He creates a bridge and he adds the ports that he needs into the bridge. He checks that hardware offloading is ticked, and he's got 12 access points, so he adds 12 interfaces in as untagged ports and a tagged port up to his router, and then he turns on VLAN filtering. He takes careful note not to turn VLAN filtering on while he's plugged into a port that he's added into the bridge, because he read in the manual that it would kick him out. Now he needs to link in his old switch, so he plugs his old switch into another port on his switch, CRS port 23, and as his old switch has no VLANs configured on it and only needs traffic from this new VLAN 11 that he's created to support his new VLAN network, he creates a VLAN on the physical interface and he adds that VLAN to the bridge as an untagged port. Great, he thinks, this is going to get my traffic to the switch. Mike now starts seeing some very weird things going on in his network; I was diagnosing one of these only on Monday. He sees some ports flapping on his old switch, he sees spanning tree enabling and disabling ports on his switch, and some traffic just randomly stops going around his network. So Mike thinks this isn't right and again emails MikroTik to point out that their switches are incompatible with other vendors' hardware. What's actually happened here? Though this sometimes does work, and we've seen this work sometimes and work for periods of time and then start doing some really random things, this configuration that Mike has done actually violates spanning tree protocol. What's happening is that the bridge, or the switch, is sending out BPDU packets to the old switch on an untagged interface, untagged in VLAN 11, but then the virtual interface is tagging those packets, and a lot of other vendors' switches cannot support tagged BPDU packets. Another one I was diagnosing on Monday, it looked like, though I didn't dig too far into it because we saw the problem relatively quickly, that the BPDU packet was actually triggering a loop, as it was going from one VLAN back in on the native VLAN into the switch, creating a false loop, and spanning tree on that switch that I was looking at on Monday shut the port down, rather unfortunately the port that meant the switch went offline and nobody could pass any traffic.

So there are two solutions to this problem. The easy solution would be to turn spanning tree off; the problem will go away until you turn it back on again, or until you plug something else in running spanning tree on your network. The preferred solution is to actually use bridge VLAN filtering correctly and tag or untag that traffic in the bridge configuration, not in the router. So Mike decides he's going to be good and he's going to take this preferred solution, and he makes some changes: Mike now adds the physical interface into the bridge, sets its PVID, and adds it as an untagged port in his VLAN. Just as a point on CRS VLAN filtering: if you actually set that PVID, RouterOS will add that as an untagged interface even if you don't configure it as an untagged interface, so you can see on this screenshot that he didn't configure ether23 as an untagged interface, but because he set the PVID on it, it actually set it as an untagged interface for him. So Mike's got his network flowing again; his ports are not flapping up and down, disabling his traffic, etc. Now he realises that for his switch to be really useful it'd be much easier if he could log into it by an IP address, and once he's got an IP address he could set some NTP time sync up so that his logs don't show all his switch events in 1970. I mean, Mike's good at maths, but adding time up is quite hard work for him, so he realises that he probably should have some useful logging with some time sync. Mike, because it's his staff network, decides that he's just going to manage it from his staff network, but he doesn't want any other VLANs to be able to access his switch, because he doesn't want his guests to log into his switch and shut it down.

So Mike plugs his laptop into his switch, plugs it into ether22, and then he sets ether22 as an untagged port in VLAN 11, the VLAN he wants to manage it on, and he sets an IP address on ether22. Then Mike tries to access his switch by its IP address and he can't log in. He tries to ping it and he cannot reach this IP address that he has set on his switch. Mike calls Dave. What's happened? When you add that interface to the bridge it becomes a slave interface. I thought that he might have spotted this by now, but he hadn't realised; you might see some common themes in some of these solutions. But how did it become a slave interface? So yet again, all this traffic going in on ether22 is actually not captured on ether22, it's actually captured on the master interface of the bridge, so therefore that IP address cannot be found on the network. The solution: set the management VLAN to be on the master interface, which in this case is bridge-LAN. So Mike adds a VLAN to his bridge, because he sees no other way of doing this, with the PVID of 11, VLAN ID 11, and he sets the VLAN interface as an untagged port in the bridge, just like that: adding a VLAN interface to the bridge and then adding it as an untagged port in his VLAN. And he still cannot access his switch by its IP address. Mike calls Dave; Dave's getting really frustrated with Mike by this point. What's happening? There is only one connection from the switch chip to the CPU, and that is the bridge interface. What we're seeing through the themes of these problems is that the bridge with VLAN filtering enabled works very much like a traditional Ethernet switch, and what you should not do is mix up physical VLAN interfaces with the configuration inside the switch; the two do not work together.

To solve this problem, if you add the bridge as a tagged port in the VLANs that you need to take from the switch to the CPU, those tagged packets will pass between the switch and the CPU, and then if you create VLAN interfaces on the bridge, and Mike has already done that, then the specific traffic will pass between those two interfaces correctly. To further secure your access, Dave tells Mike to also use ingress filtering to allow only the specific VLAN IDs, as configured in the bridge VLAN table, to pass between the two; with ingress filtering, only the traffic that has been configured in that VLAN table will go from the CPU, with those VLAN IDs, into the switch. The solution: add the bridge port as a tagged interface in his VLAN 11, set the IP address on the VLAN interface, and he can now access his switch by IP. Mike now configures ingress filtering. Now, ingress filtering can be configured on a port-by-port basis, but if you go into your bridge settings you can configure ingress filtering on the bridge. That is not a global setting for every port in your bridge; what you're actually doing on that specific menu showing behind me is configuring ingress filtering as it flows from the bridge to the CPU, not configuring it for all bridge ports. So Mike enables ingress filtering between the CPU and his switch chip to further secure his network. While we're talking about ingress filtering and egress filtering: egress filtering is enabled by default; only VLANs will leave the switch on ports, including the bridge port, that are in the VLAN table, and anything not configured in the VLAN table will be dropped on egress. Ingress filtering, used alongside frame type, will limit which packets are allowed to access the device from which physical ports, and also from the CPU, based on the entries in the VLAN table; VLAN packets not specified in the VLAN table will be... If you enable and set frame type to VLAN tagged only, only tagged traffic will pass from the switch, and as soon as you set frame type to VLAN tagged only, it will also disable the dynamic adding of the untagged port based on the PVID. If you look back at those screenshots, until he set this you will see that there is actually a dynamic entry created for VLAN 1, because that is the PVID that he'd left set on his other interfaces and his bridge, and it is created and added for them.

Mike has learned some really important things about this new bridge VLAN configuration by trying to do it, and from the tips given to him by Dave when things didn't work. Firstly, Mike's learned that it is important to check what features are supported and choose the correct hardware for what you want to use it for: use a switch as a switch and a router as a router. The bridge configuration when VLAN filtering is enabled: the bridge works like a switch when VLAN filtering is enabled, and the connection from the switch to the CPU is the bridge interface.

With his switch, Mike wants to dig further into what he can do in his network. Mike notices that some of the ports on his switch have some really high traffic. Mike, being into IT and managing his network, is very curious, as I'm sure most of you guys are, as to what his users are actually doing on his network. He sees a few packets, but he can see the counters going up on the interfaces table, so he knows there is more traffic than he can see, and he thinks this is not right. So Mike yet again picks up the phone and calls his mate, or now possibly ex-mate, Dave. Dave immediately knows what Mike needs to do. Dave tells Mike that he needs to go to the documentation pages and find the block diagram for his hardware to understand how the hardware works. Mike last year spent quite a lot of time looking at these block diagrams of the different MikroTik hardware, so he's very familiar with them. Dave looks at the block diagram for the CRS326-24P switch with Mike and explains how, because it's all local traffic, it is forwarded across his network on the switch chip. To be able to see traffic that is on the switch chip in tools like sniffer and torch, it needs to be sent to the switch CPU, and MikroTik RouterOS gives us the functionality to do that: you can apply a rule to capture that traffic that you're wanting to find out about, whether it be a particular MAC address or a particular service, to your CPU. So there's an example for the MAC address of one of my laptops that I use for testing.

Mike, getting to grips with these features, thinks that he should now be able to use them to make his network better. Mike thinks that they're using a lot of bandwidth between his servers, for video, a lot of media, or file transfers, so he wants to increase that. He reads that MikroTik supports bonded interfaces; he notices that the ethernet cards in his servers also support LACP bonding, so he bonds the two interfaces together on his server and bonds two interfaces together on his switch to increase throughput. Mike remembers to check if his CRS supports hardware offloading with bonded interfaces, because he doesn't want to slow his traffic down inadvertently, and he looks in the wiki and sees that his particular unit, his CRS 3-series, supports 802.11, sorry, 802.3ad, which is the LACP protocol; bonding is supported with hardware offloading. Mike thinks great, the server supports it, the CRS supports it, great, we'll use it. Mike configures his bonding, sets bonding mode to 802.3ad, puts in two slaves, plugs it all in, adds the bonding interfaces as untagged ports in his bridge, sets the correct PVID, and traffic flows. But Mike does some performance testing using one of the very well-known performance testing tools, and he's only seeing one gig pass between his two servers. He thinks that's not right, and then he looks at the traffic and sees all his traffic is only on one of the two interfaces in his bonded pair. He checks CPU; the CPU isn't hard over, it's hardware offloaded. His speed test, or throughput test, is on one of the interfaces of each of the bonded pair. Mike remembers to check that he's got an H flag, and yes, his bonded interfaces are hardware offloading. He doesn't know what to do next, so he calls Dave. What's happened? Using bonding with LACP does not create, though people try to convince me that it does, it does not create one 2-gig interface, but it creates an interface that can transmit traffic over multiple slave interfaces. LACP uses a transmit hash policy; you can set layer 2, layer 3 or layer 4. But for his performance test, he is doing one stream from one IP address, from one source MAC to one destination MAC, to one destination IP, to one destination port, in a single stream, and in that scenario load balancing over different members does not happen, and that is correct for LACP bonding. If he had actually done a multi-stream test and had multiple connections, traffic from multiple sources to multiple destinations, it would load that up and push that throughput between his servers to more than one gig. One of his options could be to use a different transmit hash policy; there are different load balancing policies that you can do in RouterOS, however those are not yet hardware offloaded in the bridge, so that traffic would be limited by your CPU, so it probably will not be beneficial to you.

Mike is still having some problems in his office; I had this one also on Monday to deal with. His users don't think there are enough ports under their desks, so they bring in from home their old spare broadband routers, which have four ports in them, and his users plug one of them into the wall socket, their computer into another, and their printers and everything else that they want to connect up on their desks. But this causes his clients to go offline and lose internet access and access to the other office resources. Trying to convince people that they can't use their old broadband routers in their office without correct configuration is quite difficult, because they don't understand. Mike knows exactly what's happening: they are broadcasting DHCP and giving out incorrect IPs to some devices randomly on his network. Mike is getting sick of running around his office hunting for these devices under people's desks, behind pieces of furniture, etc., and he wants to solve this problem. Mike reads about the features that he gets in RouterOS and he sees that the new bridge configuration now supports DHCP snooping. Mike thinks great, I can solve this problem without me running around the office and having everybody shouting at me when the whole thing isn't working. Mike turns on DHCP snooping on his bridge on his CRS326; he has checked the documentation, and DHCP snooping on the 3-series is still supported with hardware offloading. Mike now has another problem: none of his clients are getting a DHCP address. He checks his switch; hardware offloading is still enabled, great. He checks the CPU, he's learning some things to check now, he's remembering; the CPU is not maxed out. He calls Dave once again. Dave tells Mike that maybe he should check the logs on both his CRSs and his hAP ac², and he checks the logs and he sees, straight in front of him in the logs on his CRS, the message "received DHCP on untrusted port", and Mike says to Dave, what does this mean? He also sees on his hAP ac² that it just failed to give out its offered leases. What's happened? DHCP snooping is a great layer 2 security feature. As a company we enable it on all our kit; it saves us loads of work in needing to go to sites and loads of networks going down; we can deal with it without us having to intervene and having people down for chunks of time with problems. But what this does is it limits the ports on which DHCP messages are accepted, and it blocks them, drops those messages and does not pass DHCP messages between one port and another, which, when it is a DHCP server that you don't want, is great. But as well as dropping those messages from those rogue routers on his network that he doesn't want, he's inadvertently stopped the legitimate ones that he does need, so no one has got an IP address from his legitimate server. Dave tells Mike that you need to allow DHCP messages to be forwarded on the ports where your DHCP server is, and, this is the important one that people miss, on the ports facing other switches too. Mike sets his two ports as trusted, and Mike's clients now get an IP address and everything starts working again. Well, a simple tick box on the interface. Mike now has happy clients. Mike is now not running round his office trying to find things that are taking him down; he's got fast throughput, he's got his secure wireless, he's shut his door, his staff can get to the microwave, everybody is happy. Thank you. [Applause]

Audience member: Hello, nice presentation. I do have one question. You have one bridge with multiple VLANs in your presentation. What if, for example, you want to add for some reason a second interface, like you have with CAPsMAN? You can actually offload, or remotely forward, the traffic; for two VLANs you need two bridges, so how do you do that in your presentation then? Because now you say that you actually can't.

Speaker: Well, there are two ways to solve that. Firstly, one of our solutions, and this is what I deploy on most of our networks, is that we actually do local forwarding on the CAPs, and you can apply in the datapath a VLAN ID to those CAPs, and then you do VLAN filtering as I've shown. The other way is you can have two bridges, because those virtual interfaces that CAPsMAN would create with manager forwarding would never have been hardware offloaded anyway; they would have always gone through the CPU, because those interfaces are not connected to the switch chip. So you're still not creating an optimal configuration, you're still using your hardware to full capacity. But our preferred solution is to use local forwarding on the CAPs, and on some units we've seen quite a significant traffic increase through our CAPs, faster wireless traffic, by actually doing local forwarding; manager forwarding is actually noticeably slower.

Audience member: [Inaudible question about multiple spanning tree.]

Speaker: Yes, well, that was... so, multiple spanning tree. Well, I admit I'd omitted talking about spanning tree, because the presentation that was going to follow me was going to talk about spanning tree, and we don't have that presentation today now, so yeah.
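As an added example (not the speaker's slides or MikroTik's own documentation), the corrected CRS3xx configuration that the talk arrives at, in RouterOS CLI form: one VLAN-filtering bridge, management VLAN carried to the CPU by tagging the bridge itself, ingress/frame-type filtering on the CPU side, DHCP snooping with trusted uplinks, an LACP bond, and a switch rule copying one MAC's traffic to the CPU for sniffer/torch. VLAN 11, ether22 (management laptop) and ether23 (old switch) come from the talk; the guest VLAN ID 20, ether24 as the router uplink, ether3-ether14 as AP ports, ether1-ether2 as the bonded server pair, the 192.168.11.2/24 address and the MAC address are assumptions.

```routeros
# Added example: RouterOS CLI for the configuration the talk arrives at.
# Assumed: guest VLAN 20, ether24 = router uplink (DHCP server side),
# ether3-ether14 = AP ports, ether1-ether2 = LACP pair to a server,
# 192.168.11.2/24 = switch management address, MAC below is made up.

# 1. LACP bond to the server. 802.3ad is hardware offloaded on CRS3xx; the
#    hash policy picks a member per flow, so a single flow still gets 1G.
/interface bonding add name=bond-srv1 mode=802.3ad slaves=ether1,ether2 \
    transmit-hash-policy=layer-2-and-3

# 2. One bridge. VLAN filtering stays OFF until the VLAN table is complete,
#    so you are not locked out while configuring through a bridge port.
/interface bridge add name=bridge-LAN protocol-mode=rstp vlan-filtering=no

# 3. Bridge ports. pvid tags untagged ingress frames with that VLAN; the
#    uplink admits only tagged frames for VLANs present in the VLAN table.
/interface bridge port add bridge=bridge-LAN interface=ether24 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge-LAN interface=ether23 pvid=11
/interface bridge port add bridge=bridge-LAN interface=ether22 pvid=11
/interface bridge port add bridge=bridge-LAN interface=bond-srv1 pvid=11
# AP ports: staff VLAN 11 untagged (pvid), guest VLAN 20 tagged (see table)
:for i from=3 to=14 do={
    /interface bridge port add bridge=bridge-LAN interface=("ether" . $i) pvid=11
}

# 4. VLAN table. The bridge itself is tagged ONLY in VLAN 11, the single
#    VLAN the CPU needs; untagged ports are listed explicitly rather than
#    relying on the dynamic pvid entries.
/interface bridge vlan add bridge=bridge-LAN vlan-ids=11 tagged=bridge-LAN,ether24 \
    untagged=ether22,ether23,bond-srv1,ether3,ether4,ether5,ether6,ether7,ether8,\
ether9,ether10,ether11,ether12,ether13,ether14
/interface bridge vlan add bridge=bridge-LAN vlan-ids=20 \
    tagged=ether24,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
ether11,ether12,ether13,ether14

# 5. Management address on a VLAN interface that sits on the bridge
#    (the master interface), never on a physical slave port.
/interface vlan add name=vlan11-mgmt interface=bridge-LAN vlan-id=11
/ip address add address=192.168.11.2/24 interface=vlan11-mgmt

# 6. DHCP snooping: trust the DHCP-server uplink AND the port facing the
#    other switch, otherwise legitimate offers are dropped too.
/interface bridge port set [find interface=ether24] trusted=yes
/interface bridge port set [find interface=ether23] trusted=yes

# 7. Copy one client's frames to the CPU so sniffer/torch can see switched
#    traffic (MAC is a constructed placeholder).
/interface ethernet switch rule add switch=switch1 ports=ether5 \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF copy-to-cpu=yes

# 8. Enable filtering last. ingress-filtering and frame-types here apply to
#    the bridge's own CPU port; admit-only-vlan-tagged also removes the
#    dynamic VLAN 1 entry that the bridge's default pvid would create.
/interface bridge set bridge-LAN vlan-filtering=yes ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged dhcp-snooping=yes

# Checks: H flag = hardware offload active; D flag = dynamic (pvid) VLAN entry.
/interface bridge port print
/interface bridge vlan print
/log print where message~"untrusted"
```

Apply it from a port that is not a member of the bridge (or via serial/MAC-Telnet), since step 8 is the point at which a session over an untagged bridge port is cut off.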
Info
Channel: MikroTik
Views: 9,891
Rating: 4.6226416 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: _Tjcoq0aRR4
Length: 48min 40sec (2920 seconds)
Published: Sun Mar 10 2019