Playing With RouterOS's VLANs - MikroTik

Transcription

Playing with RouterOS's VLANs
By Lorenzo Busatti
MUM US Austin 2019, Lorenzo Busatti, http://routing.wireless.academy

About me
Lorenzo Busatti - Grosseto, Italy. Founder of Grifonline S.r.l. [ISP] (1997). A user of MikroTik since 2006. Founder of Linkwave [WISP] (2006). MikroTik Trainer since 2010: MTCNA, MTCWE, MTCRE, MTCTCE, MTCUME, MTCINE, MTCIPv6E, MTCSE. Member of RIPE, AMS-IX, MIX-IT. Proud member of RoutedWorld.com.

About me

About me
- Access Point Redundancy (2011 Las Vegas/US - 2012 Warsaw/PL)
- A redundant router for 79,99 (2012 Dubai/UAE)
- Peering the World (Fortaleza 2014/BR - 2015 Prague/CZ - 2016 Copenhagen/DK)
- The mAP and the mAP lite: The wireless swiss knife always in your pocket (2016 Dallas/US)
- UserManager: a free radius server for Wireless, Hotspot, PPP, users and DHCP (2016 Copenhagen/DK)
- NetFlow: what happens in your network? (2016 Ljubljana/SL)
- What's new in wireless since RouterOS v6.37 (2017 Milan/IT)
- The evolution of the wireless package 6.40-6.42 (2018 Berlin/DE)
- Common MikroTik OSPF mistakes and how to avoid them (2019 Vienna/A)

About me
Founder (2016) of the High Quality Training Classes

About me
One of the founders (2017) of the Riga Bootcamp!


The Schedule
https://www.mikrotik.camp

The Riga Bootcamp

Dedicated to Max

Abstract
RouterOS allows you to work with VLANs in different ways: by software, by the switch chip and by the bridge. This presentation will try to cover the pros/cons of these approaches and to show some tips.

About the VLANs
VLANs seem to be simple to deploy, but can actually be very complex. Even simple operations can be tricky if you don't know where and how to put your hands. While delivering many training courses I discovered that VLANs are often used improperly: that's why I made this presentation :)

About the VLANs
The target of this presentation is to understand how you can make the VLANs in these 3 places and the differences between them. It is not a step-by-step tutorial about all the VLAN things.

About the VLANs
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated at the data link layer (OSI layer 2), invented by Dr. W. David Sincoskie and then described in the first edition of the IEEE 802.1Q standard in 2003.

About the VLANs
They are made by adding a VLAN ID header [0-4095] into the Ethernet header. A VLAN is a VPN (without authentication and without encryption). I'm used to saying that it's for free :)

About the VLANs
The definitions of the "port roles" are not uniform as a standard; they are usually different between vendors. But the following ones are almost universally adopted by technicians.

VLAN Terms
- Tagged: all packets forwarded by the interface contain VLAN information.
- Untagged: packets forwarded by the interface are untagged.
- Access port: belongs to one VLAN; the port is untagged.
- Hybrid port: multiple VLANs can be untagged and tagged.
- Trunk port: carries multiple VLANs on a single physical link.

The VLANs in RouterOS

The VLANs in RouterOS
Today it is possible to manage the VLANs in RouterOS in 3 different main places: the software VLAN interfaces, the switch chip and the bridge.

The VLANs in RouterOS
Are they managed in the same manner? Can they be set up using the same commands? Do they have the same performance? No, No and No. So let me show you the differences between them and you will enjoy the VLANs under RouterOS :)

The software VLANs
These are software VLANs: I mean that the traffic will affect and will be affected by the CPU. They are available on any of the RouterOS devices.

The hardware VLANs
These are hardware VLANs: the traffic will be managed by the switch chip at wire speed and will not affect the CPU. They are only available on the RouterOS devices with a switch chip.

The VLANs in the Bridge
The VLANs managed in the bridge can be software or hardware, depending on the presence of the switch chip and on how it is configured! Your knowledge will determine whether the CPU will be affected or not!

The VLANs in RouterOS
We have different "places" to manage them, with different performance, due to the evolution of RouterOS and of the MikroTik hardware devices in the last decade. That's why it is up to you to know the differences.

The software VLANs

The software VLANs
Can be created and managed from Interfaces - VLAN.

The software VLANs
The fields: the name of the interface; the VLAN ID; the L2 interface where to ADD the tag (at egress) or check and remove it (at ingress).

The software VLANs
The interface can be ANY L2 interface. But in case it's a port of a bridge, use the bridge interface! A separate option enables the 802.1ad-compatible Service Tag, useful with some vendors.

The software VLANs
Useful to send some kind of traffic to the CPU, to run a service in a VLAN (DHCP, PPP, etc.). It will appear as a "virtual interface".

The software VLANs
With the software VLANs you can TAG/UNTAG traffic from any L2 interface.
Pros: can be used on any device (with or without the switch chip), even on the CHRs.
Cons: will use the CPU.
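As an added example (not from the slides), this is what the software VLAN approach looks like in RouterOS CLI terms: a VLAN interface on top of the bridge carrying a CPU-side DHCP service, plus a second VLAN interface using the 802.1ad service tag. The names (bridge1, ether1, vlan100-mgmt, svlan200), the VLAN IDs and the 10.100.0.0/24 addressing are assumptions chosen for the example.

```routeros
# Added example, not from the presentation. Assumed names: bridge1, ether1,
# VLAN IDs 100 and 200, addressing 10.100.0.0/24.
# A software VLAN is a virtual interface: the tag is added on egress and
# checked/removed on ingress, and every frame is processed by the CPU.

# 1. VLAN 100 on top of the bridge (use the bridge, not one of its ports!)
/interface vlan
add name=vlan100-mgmt vlan-id=100 interface=bridge1 comment="VLAN 100, CPU-handled"

# 2. A service that lives inside VLAN 100 only: addressing and a DHCP server
#    bound to the VLAN interface, so the CPU sees (and can filter) this traffic
/ip address
add address=10.100.0.1/24 interface=vlan100-mgmt
/ip pool
add name=pool-vlan100 ranges=10.100.0.10-10.100.0.250
/ip dhcp-server
add name=dhcp-vlan100 interface=vlan100-mgmt address-pool=pool-vlan100 disabled=no
/ip dhcp-server network
add address=10.100.0.0/24 gateway=10.100.0.1

# 3. 802.1ad service tag (S-tag, TPID 0x88a8) towards a provider that expects it
#    instead of the 802.1Q C-tag
/interface vlan
add name=svlan200 vlan-id=200 interface=ether1 use-service-tag=yes

# Check: both appear as virtual interfaces with their tag and parent interface
/interface vlan print detail
```

Because this traffic reaches the CPU, the usual RouterOS tools (/ip firewall filter, /tool sniffer) see it, which is not the case for frames the switch chip forwards between ports at wire speed; if a VLAN must be firewalled, it has to be one the CPU actually handles.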

The hardware VLANs

The hardware VLANs
Can be created and managed from Switch - Port / VLAN / Rule.

The hardware VLANs
For each ethernet port you can set up the VLAN Mode for ingress traffic as:
- Disabled: will not check VLANs.
- Fallback: checks for tagged traffic, forwards all untagged traffic.
- Check/Secure: checks for tagged traffic, drops all untagged traffic.

The hardware VLANs
The VLAN Header sets the action which is performed on the port for egress traffic:
- add-if-missing: adds a VLAN tag on egress traffic. Should be used for trunk ports.
- always-strip: removes the VLAN tag on egress traffic. Should be used for access ports.
- leave-as-is: does not add nor remove a VLAN tag on egress traffic. Should be used for hybrid ports.

The hardware VLANs
The default VLAN ID is used when vlan-header is always-strip, and for hybrid ports, to tag the untagged traffic.

The hardware VLANs
From the VLAN tab we can define the VLAN membership of the ports. In this example ether3 and ether4 are members of VLAN 1.

The hardware VLANs
Depending on the switch chip functionality, it will be possible to create VLAN-based rules also.

The hardware VLANs
Using the switch chip you can create almost any kind of port with the VLANs. Useful to manage VLANs "like in a switch".
Pros: will not use the CPU, able to provide wire speed.
Cons: available only on devices provided with a switch chip; different functions depending on the chip model (check the specs before you buy!).
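As an added example (not from the slides), the switch-chip approach from the previous slides put together in the CLI: one trunk, two access ports and the CPU port, with the ingress vlan-mode, the egress vlan-header, the default VLAN ID and the VLAN membership table all set explicitly. It assumes a device with a single switch chip named switch1 and ports ether2-ether4; the VLAN IDs 10 and 20 and the port roles are made up for the example.

```routeros
# Added example, not from the presentation. Assumes one switch chip (switch1)
# with ports ether2-ether4. Layout chosen for the example:
#   ether2 = trunk (VLAN 10 + 20), ether3 = access VLAN 10, ether4 = access VLAN 20.

# 1. The ports sit in one bridge with hw=yes so the switch chip forwards between
#    them without the CPU (the bridge is required since RouterOS 6.41)
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes

# 2. Ingress side (vlan-mode): secure on every port, so frames whose VLAN is not
#    in the table, or arrive on a port that is not a member, are dropped by the
#    chip; the access ports give their untagged ingress frames the default VLAN ID.
#    Egress side (vlan-header): add the tag on the trunk, strip it on access ports,
#    leave it alone towards the CPU.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# 3. Membership table: which ports (CPU port included) belong to each VLAN.
#    A VLAN missing here is dropped on every secure port, not flooded.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether2,ether3,switch1-cpu
add switch=switch1 vlan-id=20 ports=ether2,ether4,switch1-cpu

# 4. If a CPU-side service (DHCP, management) is needed in VLAN 10, add a
#    software VLAN on the bridge, as the software VLAN slides say, not on a port
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1

# Checks: every port has an explicit mode/header and the membership is complete
/interface ethernet switch port print
/interface ethernet switch vlan print
```

The point to verify after applying this is that no port was left in vlan-mode=disabled or fallback by accident: such a port would forward tagged frames for VLANs outside the membership table, which defeats the isolation the VLAN table is supposed to provide. Parameter names differ between switch chip generations (the slides' "check the specs" warning), so the print commands are the way to confirm what the chip actually accepted.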

The VLANs in the Bridge

The VLANs in the Bridge
Since version 6.41 RouterOS has had major changes to the bridge configuration. Today the bridge must be used for setting up basic switching functions (if your hardware has a switch chip).

The VLANs in the Bridge
The main VLAN setting is vlan-filtering, which globally controls VLAN awareness and VLAN tag processing in the bridge. If vlan-filtering=no, the bridge ignores VLAN tags and cannot modify the VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN-related functionality.

The VLANs in the Bridge
Can be created and managed from Bridge - VLANs.

The VLANs in the Bridge
The fields: the list of VLAN IDs; the interfaces with a VLAN tag adding action in egress (tagged); the interfaces with a VLAN tag removing action in egress (untagged).

The VLANs in the Bridge
Port VLAN ID (pvid): specifies which VLAN the untagged ingress traffic is assigned to.

The VLANs in the Bridge
Ingress Filtering: will check if the ingress port is a member of the received VLAN ID in the bridge VLAN table.

The VLANs in the Bridge
Tag Stacking: forces all packets to be treated as untagged packets. Packets on the ingress port will be tagged with another VLAN tag regardless of whether a VLAN tag already exists. The packets will be tagged with a VLAN ID that matches the pvid value.

The VLANs in the Bridge
But as I told you before, the bridge can be: Hardware or Software.

The VLANs in the Bridge
A bridge can be "hardware" if:
- the device has a switch chip;
- the ports have hw=yes;
- we're using a bridge "function" that is supported by that switch chip.
If all the above conditions are satisfied then the CPU will not be used for these tasks.

The VLANs in the Bridge
The Hardware Offloading, when available and enabled, will do the job. The status bar will tell us when it is activated (hardware).

The VLANs in the Bridge
Hw Offload in the bridge, based on the switch chip model (table).
Columns: RouterBoard / [Features in Switch Chip] / Switch menu model; Bridge STP/RSTP; Bridge MSTP; Bridge IGMP Snooping; Bridge DHCP Snooping; Bridge VLAN Filtering; Bonding.
Rows: CRS3xx series; CRS1xx/CRS2xx series; [QCA8337]; [Atheros8327]; [Atheros8227]; [Atheros8316]; [Atheros7240]; [MT7621]; [RTL8367]; [ICPlus175D].
(The per-feature support marks and the footnotes 1 and 2 did not survive the transcription.)

The VLANs in the Bridge
As shown in the previous table, currently only CRS3xx series devices are capable of using bridge VLAN filtering and hardware offloading at the same time.

The VLANs in the Bridge
Using the bridge you can create almost any kind of port with the VLANs. Useful to manage VLANs "like in a switch" and "like in a bridge" also :)
Pros: very flexible configs, but will use the CPU (or not) depending on the hardware and the settings that you made.
Cons: will use the CPU (or not) depending on the hardware and the settings that you made (check the specs before you buy!).
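As an added example (not from the slides), the bridge VLAN approach from the slides above, in the CLI, with the settings they introduce: vlan-filtering, pvid, the tagged/untagged VLAN table and ingress filtering. It also shows the order of operations that keeps the management connection alive while the table is built, and the check for the hardware/software distinction the slides make (the H flag on a bridge port). The names (bridge1, ether2-ether4, vlan10-mgmt), VLAN IDs 10 and 20 and the 10.10.0.0/24 addressing are assumptions for the example.

```routeros
# Added example, not from the presentation. Assumes bridge1 with ether2 as trunk,
# ether3 as access port for VLAN 10 and ether4 as access port for VLAN 20;
# the VLAN IDs, names and 10.10.0.0/24 addressing are made up for the example.
# The same VLAN table is used on a CRS3xx (offloaded) and on a CPU-only device;
# what differs is whether the ports get the "H" flag.

# 1. Create the bridge with vlan-filtering still OFF: switching it on before the
#    VLAN table is complete can cut the management session, since the bridge
#    starts dropping VLANs it has no entry for.
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Ports. pvid assigns untagged ingress frames to a VLAN; ingress-filtering
#    drops tagged frames whose VID the port is not a member of (the slides'
#    "Ingress Filtering"); frame-types restricts what each port accepts at all.
/interface bridge port
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# 3. VLAN table: "tagged" = tag added on egress, "untagged" = tag removed on egress.
#    bridge1 itself is listed as tagged so the CPU can be reached inside the VLAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2 untagged=ether4

# 4. Management address in VLAN 10 through a software VLAN on the bridge interface
#    (the bridge, not a bridge port, as the software VLAN slides say)
/interface vlan
add name=vlan10-mgmt vlan-id=10 interface=bridge1
/ip address
add address=10.10.0.1/24 interface=vlan10-mgmt

# 5. Only now enable the VLAN-aware bridge
/interface bridge
set bridge1 vlan-filtering=yes

# Checks: "H" in the flags column marks a hardware-offloaded port (the slides'
# "hardware" bridge); without it, that port's VLAN handling is done by the CPU.
# The VLAN table print also shows dynamic (D) entries created from the pvid values.
/interface bridge port print
/interface bridge vlan print
```

Two things are worth reviewing after the change: that the trunk refuses untagged frames (frame-types on ether2), so nothing can enter the trunk's pvid VLAN without a tag, and that every VLAN carried on the trunk has an explicit entry in the table, since with vlan-filtering=yes an unlisted VLAN is simply dropped.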

VLANs examples
Are you now looking for some practical examples about the VLANs? Check on wiki.mikrotik.com: there are plenty of examples of the VLANs in these different "flavours" (hoping that now you understand the differences between them).

Wrap up
- I hope you enjoyed my presentation and that you learned the differences about the VLANs on RouterOS.
- Plan your setup using the right hardware.
- Please don't make a mess with the VLANs!

See you in Riga!

Thank you
uting@wireless.academy
