Ir al contenido principal

Creating VLANs on Mikrotik

First, create the VLANs on the Mikrotik router, and assign them to the ether2 interface. Doing this step will automatically set 802.1q trunking on the ether2 interface, and will take down the link for normal untagged traffic. This will create an outage until the rest of the steps are complete, you have been warned.



/interface vlan
add comment="Home" interface=ether2 name="VLAN 100 - HR" vlan-id=100
add comment="VideoCam" interface=ether2 name="VLAN 150 - VideoCam" vlan-id=150
add comment="Raspberry" interface=ether2 name="VLAN 175 - Raspberry" vlan-id=175

I've taken the time to name the VLAN interfaces and give them a useful comment, and I suggest you do the same. This will make administering VLANs and onboarding new administrators easier. As mentioned earlier, creating the VLANs and assigning them to the physical ether2 interface automatically changed encapsulation to 802.1q, even though you won't see that if you print the interface details. This is one of those non-intuitive things mentioned before.
Addressing VLAN Interfaces

Next we'll put IP addresses on the VLAN interfaces so they can function as gateways:

/ip address
add address=192.168.100.1/24 comment="Home Gateway" interface="VLAN 100 - HR"
add address=192.168.150.1/24 comment="VideoCam Gateway" interface="VLAN 150 - VideoCam"
add address=192.168.175.1/24 comment="Raspberry Gateway" interface="VLAN 175 - Raspberry"

Again, I took the time to add comments and you should as well. At this point we have our VLANs, and they have usable addresses. If you're using static IP addressing on your network that's pretty much it for VLAN configurations. The next (optional) steps are setting up DHCP instances on the VLAN interfaces, so that clients inside each network segment can get dynamic addresses. First, create the address pools that DHCP will hand out:
DHCP for VLAN Networks

First set up IP address pools for each VLAN:

/ip pool
add name=Home ranges=192.168.100.2-192.168.100.254
add name=VideoCam ranges=192.168.150.2-192.168.150.254
add name=Raspberry ranges=192.168.175.2-192.168.175.254

Next, set up the DHCP networks with options for DNS (Google public servers) and the gateways:

/ip dhcp-server network
add address=192.168.100.0/24 comment="HR Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
add address=192.168.150.0/24 comment="VideoCam Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.150.1
add address=192.168.175.0/24 comment="Guest Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.175.1

In this case I'm using Google's Public DNS service, and the internal gateways are set to the IP addresses you assigned before on the VLAN interfaces.

Lastly we'll spin up the DHCP server instances on the VLAN interfaces, using the pools you set up earlier:

/ip dhcp-server
add address-pool=HR disabled=no interface="VLAN 100 - HR" name=HR
add address-pool=VideoCam disabled=no interface="VLAN 150 - VideoCam" name=VideoCam
add address-pool=Raspberry disabled=no interface="VLAN 175 - Raspberry" name=Raspberry

The pools correspond with the networks set up previously, and that's how the DHCP options like gateway and DNS are associated with a particular DHCP instance. I like spinning up DHCP for each VLAN, so you can control lease times, options, etc individually for each network segment. This gives you a lot of flexibility to tweak and monitor DHCP across the organization.
Switch VLAN Configuration

At this point you'll need to assign access ports on your switches to specific VLANs, and the clients that are plugged into those should pull DHCP addresses from the Mikrotik and live happily inside their respective VLANs. It's up to you now to decide what VLANs should be able to talk to each other, and implement those Forward - Accept rules in the firewall. As a rule I like to only allow traffic forwarded to VLANs that is absolutely necessary. Allowing all traffic between VLANs bypasses the security of segmenting your network in the first place.

 

Original info Author:

 https://www.manitonetworks.com/mikrotik/2016/3/5/vlan-trunking

Comentarios

Publicar un comentario

Entradas más populares de este blog

BBS - Boletin Board Sistem

Antes de que Internet fuera tan grande y Google todavía no existía! Teníamos los BBS Eran Personas que tenían sus computadoras prendidas con sistemas para recibir llamadas. Te contestaba por medio de tu modem Dial UP uff tenia un 9600 en ese tiempo y una 8086 con DOS me conectaba a FileGallery para poder pegar al Internet que tiempos... En Puerto Rico tuvimos 42 BBS de los que visite por Dial-UP http://bbslist.textfiles.com/787/ Ya casi no existen pero me gustaria algundia toparme con alguno de los sysop. BBS Existentes en Puerto Rico bbs.thewallbbs.com bbs.efectolinux.com tiene DIALUPy trabaja:)
2 comentarios
Leer más

DOH cloudflare dns on Mikrotik V7

Protecting home Internet connections from malware With home Internet usage on the rise, it’s never been more important to protect your family from dangerous and malicious sites. 1.1.1.1 for Families is built on top of the same site categorization and filtering technology that powers Cloudflare’s enterprise products. It uses Cloudflare’s Internet intelligence to filter content on your home Internet network.
Publicar un comentario
Leer más