Playing with RouterOS's VLANs

Captions
Thank you. I am Lorenzo Busatti from Italy, so we understand some mistakes about pronunciation in your language. But by the way, I am doing networking since 1997 and bla bla bla, you can read this in the slides. I am a trainer. I just delivered an IPv6 training class in Austin the previous two days and had nine students that had this training, and they enjoyed that. I live in Italy and am eager to present something at the MUMs. I started in 2011 to deliver something, and this is the little history about my presentations and the topics. I am also the founder of the Routing and Wireless Academy and, most important, the Riga Bootcamp. I don't know if you know that, but it is one week of training that we are used to deliver twice four years in Riga. In one week we use it to deliver two training classes, and it's an amazing experience because we live together, with lunches, the dinner and even a good city tour in the midday and the free day in the middle, and with the networking games with prizes. It's a very nice experience, and we have a lot of us subscribed this year for this summer; this is for June. OK, finished the advertising time.

What about my presentation? It's about the VLANs in RouterOS. RouterOS allows you to work with VLANs in different ways: by software, by the switch chip and by the bridges. So we have today three points, sorry, three main points, or three main places where we can create VLANs. This presentation will try to cover the pros and the cons of these approaches and to show you some tips for using them. The VLANs seem to be simple to deploy but can actually be very complex. Even simple operations can be tricky if you don't know where and how to put your hands. While delivering many training courses I discovered that the VLANs are often used improperly. That's why I made this presentation.

And I have also to tell you just a little story that is not a joke. One year ago I had, I have a friend that, when I was making some consulting, he says to me: I tried to use the one
MikroTik switch for a 10 Gig interface, but I had to replace it with another brand because it was not able to deliver more than four gigabyte. "Why? It is not possible, it can deliver at wire speed 10 gigabit. But which configuration did you make on that switch?" "Oh, just a VLAN." "OK, and where did you create this VLAN?" "On Interfaces, VLANs." So maybe you should know, you can know what happens, and that's why I am delivering that to you.

The target of this presentation is to understand how you can make the VLANs in these three places and the differences between them. It is not a step-by-step tutorial about all the VLAN things.

A virtual LAN, or VLAN, is any broadcast domain that is partitioned and isolated at the data link layer, so OSI model layer 2. The protocol: the first edition is from 2003, so it's not quite all way. The VLANs are just a header, a VLAN ID header, that is from 0 to 4095. Don't forget that the last one, the first one and the second one should not be used. So we have 4096 VLANs that we can create in any switch and router, and this is the VLAN tag that is just added into the layer 2 frames. That's why a VLAN is a VPN, it's a layer 2 VPN. Yes, it is without authentication, it is without encryption, but I'm used to say that it is free, it's a free VPN, because it's not taking, it's not eating your layer 3 MTU, it's for free.

In the VLAN world we have the definitions of the port roles, but they are not uniform as a standard and usually any vendor uses his own terms, but the following ones are almost universally used by technicians, and so they are. We have the tagged port, where all the packets that will be forwarded by the interface contain the VLAN information. The untagged one, where the packets that will be forwarded by the interface are untagged, so without the VLAN tag, so they can be understood by devices that do not have VLAN settings. The access ports belong to one VLAN and the port will be untagged at the end. Then we have two different kinds, two
different flavors: the hybrid port, where multiple VLANs can be untagged and tagged, and the trunk port. Trunk port is a, wait, sorry, definition, because it is in a different manner between vendors and you can do something wrong; maybe just read carefully the documentation before you apply. But the trunk port usually just carries multiple VLANs in one physical link. That's the Tod part, it is just finished.

The VLANs now in RouterOS, where we can create VLANs. These are the three main places. Yes, the projector is, you know, in a wrong position, but it's not my fault, and sorry for that. Today it is impossible, sorry, it is possible to manage the VLANs in RouterOS in three different main places: on the interfaces, on the bridge and on the switch. And usually people are used to make a mess with the settings. Yes, it's very easy, it's not so hard, but if you don't know how to do that you will make a mess. So, they are managed in the same manner? They can be set up using the same commands? They have the same performance? No, absolutely no. Let me show you the differences between them, and you will enjoy a lot the VLANs under RouterOS.

First one, the software. The software VLANs: you can create them from the Interfaces menu and they are software VLANs. I mean that the traffic, all the traffic through this VLAN will affect, and will be affected as a consequence by, the CPU, so it will use the CPU. But they are available on any RouterOS device, even my small little friend, the very famous hAP lite. Any RouterOS device can run the VLANs from the Interfaces menu, but they are software. That is not a bad thing, but you have just to know that they will use the CPU, and that's all. That's why my friend, as I told you before, was able just to push four gigabit on a switch: because he used a software VLAN on the switch, so it was using all the CPU, and it was a mistake.

Then we have the hardware VLANs. The hardware VLANs are usually made under the Switch menu. With that one the traffic will be managed by the switch chip
at wire speed, so at full speed of the interfaces, yes, depending on the switch type, and will not affect the CPU. For these VLANs the CPU will not be used, but they are only available on RouterOS devices that have a switch chip inside: a lot of routers, but not all, and the switches. All the system of the CRS switches of MikroTik have the switch chip and you can use it by RouterOS.

And then, the last, we have the VLANs in the bridge. There, in the bridge, the VLANs managed by the bridge can be software or hardware. It depends on the presence of the switch chip, if you have it or not, and how it is configured. Your knowledge, by consequence, will make if the CPU will be affected or not; it's up to the hardware that you choose and to your configuration. So the VLANs in the bridge are a very good thing, that I will show you, but they can be hardware or software, don't forget it.

At the end we have different places to manage them, and with different performance, due to the evolution of RouterOS and MikroTik hardware devices in the last 10 years. That's why it's up to you to know the differences between them and to use them properly.

So let's talk about the first kind of VLANs, the software ones. They exist from the beginning of RouterOS, at least since version 230 something. You can create them from the Interfaces, VLAN menu, there, Interfaces VLAN, and you can create as many as you want, and they are 100% software. When creating one VLAN by software, just choose the name of the interface, the VLAN ID, that is there, VLAN ID, and the layer 2 interface where to add the tag at egress, or check and remove it at ingress. These are very easy to set up and to deploy, and I think that you used them a lot in the past. But if your layer 2 interface is in a bridge, I suggest you use the bridge for tagging. The interface, that should be the proper setting, is not the one in the screenshot: you have to select the bridge. And the service tag: the service tag is for using an 802.1ad
compatible service tag, and it's very useful. Also, it is not the main scope, but we work with some vendors; for example, if you are trying to do the VLANs between MikroTik and HP, maybe they will not work at the beginning, but use the service tag and they start to work like magic.

The software VLANs are useful to send some kind of traffic to the CPU, to run services on the VLAN, because it's a layer 2 interface. It is a virtual interface, but it's an interface, layer 2 at all the effects, and you can run on top DHCP client, DHCP server, PPPoE client, PPPoE server, any layer 2 services that you want, and even layer 3 of course, IP addresses and so on. At the end, with the software VLANs you can tag and untag traffic from any layer 2 interface. If you want, you can create something that is similar to a switch using the bridge and bridging all the interfaces. Pros: they can be used on any device, with or without the switch chip inside, even on the CHRs. But the con is that they will use the CPU for pushing the traffic.

Then we have the hardware VLANs, hundred percent hardware ones. They are in the switch chip, so if you have a switch chip on your router, on your device, you can create and manage them from the Switch: Port, VLAN and Rule, better, the menus Port, VLAN and Rule.

How to manage the hardware VLANs: for each switch port, this is the switch port settings. So for the Ethernet port you can set up the VLAN mode for ingress traffic. Be careful that it's ingress, ingress traffic, that can be set up in the VLAN mode, that is there, as disabled, check, fallback and secure. What do they mean? Disabled: will not check for the VLANs, and is the default. Fallback: checks for tagged traffic and forwards all the untagged ones. Check and secure are different but are similar from this aspect: they will check for tagged traffic and drop all the untagged traffic. Check on the wiki all the behaviors that are under the settings.

Then we have the VLAN header. The next one is just under the VLAN
mode. The VLAN header sets the action which is performed on the port for egress traffic; it is not ingress anymore but egress, as: add-if-missing, that adds a VLAN tag on the ingress traffic and should be used for trunk ports; always-strip, that will remove the VLAN tag on the egress traffic, that should be used for the access ports; and leave-as-is, that does not add or remove a VLAN tag on the egress traffic, and should be used for the hybrid ports.

And then we have the default VLAN ID. The default VLAN ID is the last setting. That one will be used, this setting, when the VLAN header is always-strip, as I showed before; it will use this VLAN ID to replace, and for hybrid ports to tag all the untagged traffic.

Then we have the VLAN tab on the Switch window. There we can define the VLAN membership of the ports. In this example Ethernet 3 and Ethernet 4 are members of VLAN 1. For each VLAN ID you can add as, sorry, as many interfaces as you wish.

Then the last setting is the Rule tab. On the Rule tab on the Switch window you can create rules, match on switch, VLAN header, VLAN ID, and you can do actions for making something happen.

At the end, the hardware VLANs will use the switch chip. You can create almost any kind of port with the VLANs; useful to manage VLANs like in a switch, because it's a switch chip. Pro: it will not use the CPU, it's able to provide high speed. But the con is that it is available only on devices provided with a switch chip, and different functions depend on the chip model. You have to check on routerboard.com all the specifications before buying and applying the configs, because different models have different switch chips and can support the VLAN or not, VLAN filtering or not, and so on. Be careful about the hardware choice.

On the last one are the VLANs in the bridge, my favorite one. Since version 6.41 RouterOS had major changes to the bridge configuration, and today the bridge must be
used for setting up basic switching functions if your hardware has a switch chip. The main VLAN setting, because the topic of the presentation is about the VLANs, is VLAN filtering, which globally controls the VLAN awareness and VLAN tag processing in the bridge. So when creating a bridge, I am on the Bridge window, on the Bridge tab, I push plus, and creating one bridge with a name, "bridge LAN" or something else, you have a tab that is called VLAN on the bridge, and here is a checkbox, VLAN Filtering. If you enable this checkbox you will enable all the VLAN functionality in this bridge, otherwise no. By default it is unchecked, so the bridge will not consider any VLAN tags and cannot modify any VLAN packets.

After we enabled our bridge to check about the VLANs, we have on the Bridge menu the VLANs tab, and from here we can manage and create our VLANs under the bridge. How: this is creating our VLAN, it's a bridge VLAN. Here is the list, I have to repeat, it is a list, because you can specify with this down black arrow as many VLAN IDs as you wish, and then the ports, tagged ports and untagged ports, using the common names in the world, and here with our magic black down arrows you can add all the interfaces that will participate in these VLANs, the tagged ones and the untagged ones.

Then we have other settings in the bridge port. In the bridge port we have the VLAN tab. What does it mean? Here we can set up the port VLAN ID, or PVID, that specifies which VLAN the untagged ingress traffic is assigned to. It's useful to create hybrid or access ports. And then you have the ingress filtering; it's a checkbox there that will check if the ingress port is a member of the received VLAN ID in the bridge VLAN table that we created before. And then the tag stacking, that will force all packets to be treated as untagged packets. Packets on the ingress port will be tagged with another VLAN tag regardless of whether a VLAN tag already exists; the packets
with VLAN will be, sorry, will be tagged with a VLAN ID that matches the PVID value.

But as I told you before, the bridge can be hardware or software. How can we know that, or how can we set up that? These are my statements: a bridge can be hardware if the device has a switch chip on board, the ports have hw=yes, that I will show you in the next slide, and we are using a bridge function that is supported by that switch chip. If all the above conditions are satisfied then the CPU will not be used for this task, and this is the magic.

The hardware offloading: if you want to use the hardware things you have to set up the hardware offload in the bridge port. But the trick is that, I zoomed for you, on the status bar of a bridge port, in the bottom right corner, when it is hardware you have this statement, Hw. Offload. This one is hardware, so it is using the switch chip and not the CPU. If you try to use some configs on the wrong hardware, or using a setting that is not allowed by the functions supported by the switch chip, this magic word will disappear and we not dark anymore. From this one you can know that.

And this is a small table that you will find on the wiki, where by the chip model you can see the functions that they have: the switch, the bridge and the VLAN filtering. Look at that: the bridge VLAN filtering is actually supported only on the CRS 300 series, so all the MikroTik switches of the 300 series support the VLAN filtering on the bridge, as I showed before, and it will be hardware, because they are a switch product.

So the VLANs in the bridge, as I showed you in the previous table, are supported only on this series, and they support the bridge and the VLAN filtering with the hardware offload at the same time. Using the bridge you can create almost any kind of port with the VLANs; useful to manage VLANs like in a switch and like in a bridge also. The pros are that they are very flexible configs, but will use the CPU or not depending on the hardware and depending on the settings that you made
because they will use the CPU or not depending on the hardware and the settings that you made. Almost the same statement, you know. So check the specifications before you buy your product.

Are you now looking for some practical examples about the VLANs? On the wiki you will find all the examples in these three kinds of flavors. Hoping that now you know the differences between them, and the trick is that. I hope you enjoyed my presentation, that you learned the differences about the VLANs here. Otherwise, plan your setup using the right hardware, and please don't make a mess with the VLANs. So see you in Riga if you can, and thank you for listening.

[Applause]

Thank you, Lorenzo. Any questions?

Yeah, so we have a CCR 1872 and ran into a problem with the MAC address of the VLANs, and so what we had to do was add a MAC address to the bridge and then bridge the VLAN to the MAC address, or to that particular bridge, otherwise we couldn't see the router because we couldn't get an ARP.

Yes, the, this is the CCR, it is not a switch, it is a router, it does not have a switch chip inside, so if you want to move layer 2 traffic between the ports you have to use a software bridge and we well know service. Yeah. And you just do like. Yes, and you have, it's a very good idea to specify, to set up in any bridge, any software bridge, remember that it's very suggested to specify the admin MAC address. Yeah. Or the MAC address maybe can change: if the MAC address is not specified in the admin MAC on the bridge, it will be taken from the first port that is up, from Ethernet 1 to Ethernet something; the first one that is up, we'll take this MAC address and use it as a, sorry, admin MAC address. If you unplug this port one day, maybe the bridge, in the past, will change and will switch MAC address. So the idea is, yeah.

So the problem we ran into was that we were just doing VLAN interfaces, on the VLANs on the interface. Yeah. First. Yeah. And then we kept getting the same MAC address even though we just tried to have an IP address bound, and
we wouldn't be able to ping the gateway. Right. So to get around that we had to create a bridge and then bridge. And the VLANs, the VLANs from Interfaces, VLAN, tagging, or a tag in the bridge one? Yeah, not the internet one. Yeah. Thank you.

This may be outside the scope of your presentation, but we use QinQ VLANs and I didn't see anywhere, I noticed on the hardware side you could change the tag, but do you, is the software side the only place that you could do QinQ?

Yeah, you can do it on the software, on the VLAN software you can do QinQ. It is supported by RouterOS, totally, totally supported. It is not supported maybe by Rage. Thank you.

Any more questions? Yep.

Lorenzo, what's the VLAN... It's a game, I know. I was looking at multiple bridges before; it seemed like there was a limitation, or you could only have the hardware filtering on one bridge. Are you aware of any configuration where you could actually have like two bridges, both with VLAN one, in hardware?

The two bridges configuration should be supported by specific chips, switch chips, and it is not in the CRS 300. The CRS 300 supports only one bridge as hardware. But there is a way: if you want to make two bridges you can choose the one that should be hardware and the other not. That's it. It's not nice question.

Anyone else? Thank you, Lorenzo. Thank you.

[Applause]
Info
Channel: MikroTik
Views: 13,427
Rating: 4.8936172 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: 7x5WjkhlEZg
Length: 31min 45sec (1905 seconds)
Published: Tue Apr 09 2019