IT, Mikrotik, Network

Configuring VLAN on Mikrotik Cloud Router Switch

Hi!

After a day of trying to figure out how to configure VLAN on a Mikrotik Cloud Router Switch, I finally got it to work!

So, first thing’s first, VLAN (Virtual Local Area Network) is a neat feature on Layer 2 devices (a.k.a. switch) that offers virtual segmentation on a physical switch. In other words, we are able to segregate different networks on one physical port of the switch. This is particularly helpful when you are trying to segregate departments but don’t have enough physical ports to do so.

There are two types of ports that VLAN uses: access and trunk. Access ports are used to connect to the end-devices, whereas, the trunk ports are used to connect different VLANS.

vlan access trunk

Now, back to the post. I was trying to segregate the intranet from the local network, so VLAN came to the rescue. We were trying to figure out how to do VLANs on our Netgear switch to the Cyberoam router, however, we realized that our Netgear switch doesn’t have the capability to do VLAN routing, which allows VLANs to communicate with one another on a Layer 3 scale. So, after doing our research, we found out that Mikrotik Cloud Router Switch has the feature to do VLAN routing.

For testing purposes, here is my topology:

Cloud Router Switch:

  • Port 1 is connected to the Cyberoam router (192.168.88.2/24)
  • Port 9-16 (IT) is VLAN 20 (192.168.20.0/24)
  • Port 17-24 (SALES) VLAN 30 (192.168.30.0/24)

Cyberoam Router:

  • Port E is connected to the CRS (192.168.88.1/24)
  • Port E.20 (192.168.20.248/24)
  • Port E.30 (192.168.30.248/24)

Okay, let’s get started with the configuration:

  1. Configure the “slave” ports (the ports that are connected to the end devices) to talk to the “master” port. In our case, the master port will be our trunk port (port 1), the port that will communicate to the router and will seperate the VLANs.
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-TRUNK
    set [ find default-name=ether9 ] master-port=ether1-TRUNK name=ether9-IT
    set [ find default-name=ether10 ] master-port=ether1-TRUNK name=ether10-IT
    set [ find default-name=ether11 ] master-port=ether1-TRUNK name=ether11-IT
    set [ find default-name=ether12 ] master-port=ether1-TRUNK name=ether12-IT
    set [ find default-name=ether13 ] master-port=ether1-TRUNK name=ether13-IT
    set [ find default-name=ether14 ] master-port=ether1-TRUNK name=ether14-IT
    set [ find default-name=ether15 ] master-port=ether1-TRUNK name=ether15-IT
    set [ find default-name=ether16 ] master-port=ether1-TRUNK name=ether16-IT
    set [ find default-name=ether17 ] master-port=ether1-TRUNK name=ether17-SALES
    set [ find default-name=ether18 ] master-port=ether1-TRUNK name=ether18-SALES
    set [ find default-name=ether19 ] master-port=ether1-TRUNK name=ether19-SALES
    set [ find default-name=ether20 ] master-port=ether1-TRUNK name=ether20-SALES
    set [ find default-name=ether21 ] master-port=ether1-TRUNK name=ether21-SALES
    set [ find default-name=ether22 ] master-port=ether1-TRUNK name=ether22-SALES
    set [ find default-name=ether23 ] master-port=ether1-TRUNK name=ether23-SALES
    set [ find default-name=ether24 ] master-port=ether1-TRUNK name=ether24-SALES
  2. Add VLAN 20 and 30 to the trunk port

    /interface vlan
    add interface=ether1-TRUNK name=vlan20 vlan-id=20
    add interface=ether1-TRUNK name=vlan30 vlan-id=30

  3. Configure the master port to accept both VLAN 20 and 30 tags
    /interface ethernet switch egress-vlan-tag
    add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=20
    add tagged-ports=ether1-TRUNK,switch1-cpu vlan-id=30
  4. Configure the ports to read their respected VLAN tag

    /interface ethernet switch egress-vlan-translation
    add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=0 \
    ports=”ether9-IT,ether10-IT,ether11-IT,ether12-IT,ether13-IT,ether14-IT,ethe\
    r15-IT,ether16-IT” service-vlan-format=untagged-or-tagged
    add customer-vid=30 customer-vlan-format=untagged-or-tagged new-customer-vid=0 \
    ports=”ether17-SALES,ether18-SALES,ether19-SALES,ether20-SALES,ether21-SALES\
    ,ether22-SALES,ether23-SALES,ether24-SALES” service-vlan-format=\
    untagged-or-tagged

  5. Configure the ports to wrap the packet with the respected VLAN tag

    /interface ethernet switch ingress-vlan-translation
    add customer-vid=0 new-customer-vid=20 ports=”ether9-IT,ether10-IT,ether11-IT,et\
    her12-IT,ether13-IT,ether14-IT,ether15-IT,ether16-IT”
    add customer-vid=0 new-customer-vid=30 ports=”ether17-SALES,ether18-SALES,ether1\
    9-SALES,ether20-SALES,ether21-SALES,ether22-SALES,ether23-SALES,ether24-SALE\
    S”

  6. Configure the ports to accept respected VLAN tags

    /interface ethernet switch vlan
    add ports=”ether1-TRUNK,ether9-IT,ether10-IT,ether11-IT,ether12-IT,ether13-IT,et\
    her14-IT,ether15-IT,ether16-IT,switch1-cpu” vlan-id=20
    add ports=”ether1-TRUNK,ether17-SALES,ether18-SALES,ether19-SALES,ether20-SALES,\
    ether21-SALES,ether22-SALES,ether23-SALES,ether24-SALES,switch1-cpu” \
    vlan-id=30

  7. Configure IP address for VLANs and trunk port

    /ip address
    add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
    add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
    add address=192.168.88.2/24 interface=ether1-TRUNK network=192.168.88.0

  8. Configure gateway (Cyberoam)

    /ip route
    add distance=1 gateway=192.168.88.1

For the Cyberoam Router, I will configure port E with the IP address of 192.168.88.1/24 and add VLAN 20 (192.168.20.0/24) and VLAN 30 (192.168.30.0/24).

And voila! Devices on VLAN 20 are able to communicate with one another, however, it will not be able to communicate with VLAN 30, and vice versa.

References:

http://www.forummikrotik.com/tutorial/25703-cloud-router-switch-configuration-bonding-trunking-lacp.html

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s