Mikrotik With Cisco VLAN Made Easy _ Syed Jahanzaib Personal Blog to Share Knowledge !

December 26, 2017 | Author: Alexander Blanco Garcia | Category: Computer Network, Network Switch, Ip Address, Port (Computer Networking), Network Architecture


Short Description

Mikrotik with Cisco VLAN made easy - Cisco router with Cisco switch VLAN trunk....

Description

Mikrotik with Cisco VLAN made easy | Syed Jahanzaib Personal Blog to ...

1 of 17

https://aacable.wordpress.com/2015/06/02/mikrotik-with-cisco-vlan-mad...

Syed Jahanzaib Personal Blog to Share Knowledge !

June 2, 2015

Mikrotik with Cisco VLAN made easy Filed under: Cisco Related, Mikrotik Related — Tags: 3750, cisco vlan, isolate, mikrotik vlan, vlan — Syed Jahanzaib / Pinochio~:) @ 3:16 PM


31/03/2017 13:20


~!~ Mikrotik with Cisco VLAN made easy ~!~
~!~ For Beginners ~!~

Virtual LANs (VLANs) are a solution that lets you separate users into individual network segments for security and other reasons. VLAN membership can be configured through software instead of physically relocating devices or connections. VLANs allow you to break up the devices on your network regardless of their location. The main advantages of VLANs are:

- Broadcast Control
- Security / Client Isolation
- DMZ
- Controlled Network Management
- Costing

It is very useful for any network including large/small offices, ISPs, cable/internet service providers etc. The main problem of any large network is broadcast traffic, especially for network operators: when a single user swaps his router's LAN cable with the WAN cable, his router's DHCP server starts broadcasting into the operator network, or a single user infected with a virus/trojan broadcasts to the whole network. VLANs can help you in situations like these and others.

TASK: To avoid broadcasting/flooding and, above all, for better management, security and monitoring, we want to break the network into smaller segments.

Scenario: Consider the following scenario. We have a Mikrotik router which is acting as a DHCP and PPPoE server as well, and we want to isolate the different network areas by breaking them into smaller segments. Each area will get a different IP series from the Mikrotik DHCP server. In this example the following switch ports are used:

Mikrotik = Port 1 [as TRUNK port]
Dealer-1 = Port 2
Dealer-2 = Port 3
Dealer-3 = Port 4

Hardware Used in this Guide:
1. Mikrotik RB2011
2. Cisco 3750-E Series
3. Two Laptops for testing

[Network diagram shown as an image in the original post; not reproduced here.]


MIKROTIK CONFIG

# Create VLAN interfaces and give them a name and VLAN ID
/interface vlan
add interface=LAN l2mtu=1594 name=DEALER-1 vlan-id=10
add interface=LAN l2mtu=1594 name=DEALER-2 vlan-id=20
add interface=LAN l2mtu=1594 name=DEALER-3 vlan-id=30

# Assign IP addresses to the interfaces
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=192.168.10.1/24 interface=DEALER-1 network=192.168.10.0
add address=192.168.20.1/24 interface=DEALER-2 network=192.168.20.0
add address=192.168.30.1/24 interface=DEALER-3 network=192.168.30.0

# Address pools referenced by the DHCP servers below. The post does not show
# these lines; the ranges are assumed from the /24 subnets assigned above.
/ip pool
add name=DEALER-1-POOL ranges=192.168.10.2-192.168.10.254
add name=DEALER-2-POOL ranges=192.168.20.2-192.168.20.254
add name=DEALER-3-POOL ranges=192.168.30.2-192.168.30.254

# Create DHCP servers and assign a different pool to each dealer
# You can use the DHCP wizard as well if CLI is a bit hectic
# (the server names were cut off in the source; if name= is omitted RouterOS assigns dhcp1, dhcp2, ...)
/ip dhcp-server
add address-pool=DEALER-1-POOL disabled=no interface=DEALER-1 lease-time=6h
add address-pool=DEALER-2-POOL disabled=no interface=DEALER-2 lease-time=6h
add address-pool=DEALER-3-POOL disabled=no interface=DEALER-3 lease-time=6h

# DHCP networks: gateway and DNS for each dealer subnet
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1

Some screenshots for the reference purpose …


Done. Now we have to create VLANs at CISCO Switch…

CISCO VLAN CONFIGURATION

I assume that you have a Cisco switch with an IP address configured for management purposes. Telnet to the switch:

telnet 192.168.0.1


# Enter your Cisco switch password
User Access Verification
Password: xxxxxx

# Switch to enable (privileged) mode
enable
Password: xxxxxxxxx

# Enter config mode
config t

# Select the port which will be connected to the Mikrotik and change its
# encapsulation to dot1q and its mode to trunk
interface gigabitEthernet 1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan all
switchport nonegotiate
# back to global config mode before defining VLANs
exit

# Create VLAN id and name for dealers/areas
vlan 10
name DEALER-1
vlan 20
name DEALER-2
vlan 30
name DEALER-3
exit

# Now select the Dealer-1 interface, like port 2, and assign it the vlan id
interface gigabitEthernet 1/0/2
# OR a RANGE, like: interface range gigabitEthernet 1/0/1-4 (Port Range 1 to 4)
switchport mode access
switchport access vlan 10
interface gigabitEthernet 1/0/3
switchport mode access
switchport access vlan 20
interface gigabitEthernet 1/0/4
switchport mode access
switchport access vlan 30
exit
exit

# SAVE the configuration you just made above
wr
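As an added example (not code from the post), the following Python script checks that the VLAN IDs and names on the Mikrotik side agree with those defined on the Cisco switch, and that every VLAN interface has a gateway address; a mismatch on either side silently puts a dealer into the wrong segment or leaves it without a gateway. The inputs are the post's own config lines copied into string constants; the parsing rules are an assumption that covers only the line shapes used here.

```python
import re
# Constructed inputs: the VLAN-relevant lines of the post's two configs.
MIKROTIK = """\
add interface=LAN l2mtu=1594 name=DEALER-1 vlan-id=10
add interface=LAN l2mtu=1594 name=DEALER-2 vlan-id=20
add interface=LAN l2mtu=1594 name=DEALER-3 vlan-id=30
add address=192.168.10.1/24 interface=DEALER-1 network=192.168.10.0
add address=192.168.20.1/24 interface=DEALER-2 network=192.168.20.0
add address=192.168.30.1/24 interface=DEALER-3 network=192.168.30.0
"""
CISCO = """\
vlan 10
name DEALER-1
vlan 20
name DEALER-2
vlan 30
name DEALER-3
"""

def parse_mikrotik(text):
    # vlan-id -> interface name; interface name -> gateway address/prefix
    vlans, addrs = {}, {}
    for line in text.splitlines():
        kv = dict(re.findall(r"(\S+)=(\S+)", line))
        if "vlan-id" in kv:
            vlans[int(kv["vlan-id"])] = kv["name"]
        elif "address" in kv:
            addrs[kv["interface"]] = kv["address"]
    return vlans, addrs

def parse_cisco(text):
    # vlan id -> name from consecutive "vlan N" / "name X" lines
    vlans, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"vlan (\d+)$", line):
            cur = int(m.group(1))
        elif m := re.match(r"name (\S+)", line):
            vlans[cur] = m.group(1)
    return vlans

def check(mt_text, cs_text):
    # Returns mismatches; an empty list means switch and router agree.
    mt_vlans, mt_addrs = parse_mikrotik(mt_text)
    cs_vlans = parse_cisco(cs_text)
    problems = [f"vlan {v} ({n}) missing or misnamed on MikroTik"
                for v, n in cs_vlans.items() if mt_vlans.get(v) != n]
    problems += [f"vlan {v} ({n}) exists on MikroTik but not on the switch"
                 for v, n in mt_vlans.items() if v not in cs_vlans]
    problems += [f"{n} has no gateway address on MikroTik"
                 for n in mt_vlans.values() if n not in mt_addrs]
    return problems
```

Run check(MIKROTIK, CISCO) after pasting both configs; every reported line points at a VLAN that will not get its intended subnet.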

Some screenshots for reference…


Done!

TEST! Now connect your PC to port 2, port 3 and port 4. You will get a different IP on each port, as shown in the image below from the Mikrotik DHCP server [image not reproduced here].

Test From Dealer-1 System

Dealer-1 has received a 192.168.10.x series IP, exactly the one we configured on the Mikrotik. Now try to ping any Dealer-2 series address and the internet as well. You will see that you are able to ping the internet and the Mikrotik LAN IP, but not the Dealer-2 subnet or likewise.


NOTE: For client isolation / to block communication between all VLANs, you must create a FILTER rule as explained in the TIP'S n TRICKS section below ...

TIP’S n TRICKS

1- Block communication between all or specific VLAN Subnet


It is usually required to block all communication between specific or all VLAN subnets for security or other reasons. By default Mikrotik will allow communication between all VLANs. You can block it by creating FILTER rules. Example: we want the users of all VLANs to be able to access the internet via the WAN interface, but not to be able to communicate with any other VLAN subnet. Use the following as an example. Note: there are many other ways to achieve this, either at switch level or on the Mikrotik; I am showing just an example here.

/ip firewall filter
add chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=WAN
# The match below is assumed to be dst-address; only the range survived in the source
add action=reject chain=forward comment="Block Communication between all vlan subnet" dst-address=192.168.0.1-192.168.255.255

# Masquerade rule to allow internet via the WAN link interface
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
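Added example, not from the post: a small Python model of the RouterOS forward chain applying the two filter rules above to constructed packets. It shows VLAN-to-WAN accepted and VLAN-to-VLAN rejected, and also that a reply from the internet back to a 192.168.10.x host falls inside the reject range as well, so a connection-state=established,related accept rule (the usual first rule of a stateful RouterOS firewall, not shown in the post) must precede it. Addresses, interface names and the dst-address match are assumptions.

```python
from ipaddress import ip_address

def accept_to_wan(pkt):
    # Post's rule 1: chain=forward out-interface=WAN (action defaults to accept)
    return "accept" if pkt["out"] == "WAN" else None

LO, HI = ip_address("192.168.0.1"), ip_address("192.168.255.255")
def reject_between_vlans(pkt):
    # Post's rule 2, assumed to match on dst-address (the parameter name is
    # missing on the page): reject anything forwarded towards 192.168.x.x
    return "reject" if LO <= ip_address(pkt["dst"]) <= HI else None

def accept_established(pkt):
    # Stateful rule not shown in the post: accept replies of tracked connections
    return "accept" if pkt["state"] in ("established", "related") else None

def forward_chain(pkt, rules):
    # First matching rule decides; with no match RouterOS accepts by default
    for rule in rules:
        verdict = rule(pkt)
        if verdict:
            return verdict
    return "accept"

POST_RULES = [accept_to_wan, reject_between_vlans]
STATEFUL_RULES = [accept_established] + POST_RULES

# Constructed packets as the forward chain sees them (the reply is already
# un-NATed back to its private destination). Pings to the router's own
# 192.168.1.1 go through the input chain, which is why they still work.
PACKETS = {
    "vlan10->internet": dict(dst="203.0.113.10", out="WAN", state="new"),
    "vlan10->vlan20": dict(dst="192.168.20.7", out="DEALER-2", state="new"),
    "reply->vlan10": dict(dst="192.168.10.5", out="DEALER-1", state="established"),
}

def verdicts(rules):
    # Map every sample packet to the chain's decision under the given rule set
    return {name: forward_chain(pkt, rules) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("post's rules only:", verdicts(POST_RULES))
    print("with stateful accept first:", verdicts(STATEFUL_RULES))
```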

Snapshots of Working VLAN config with pppoe server


Pending work:
– Add pppoe or hotspot configuration
– Firewall configuration for isolation in pppoe/hotspot
– Few more tips n tricks with VLAN

Regards,
Syed Jahanzaib


Comments (25)

1. Dear Jahanzaib, How can we make sure that on mikrotik side the port is in the trunking mode. Is there any specific commands ? or is it by default that the ethernet interfaces on mikrotik are in the trunking mode ??
Comment by Khizer — June 2, 2015 @ 11:29 PM

2. love it
Comment by mushhood — June 2, 2015 @ 11:51 PM

3. But what about mikrotik to mikrotik, for example Rb2011 to Rb750. rb2011 have two networks pppoe and hotspot going through 1 trunk and in remote area there is 750 from where connections are distributed although it is also possible to have both pppoe and hotspot on same lan but i am generating a scenario vice versa..


Comment by UmmarHussain — June 3, 2015 @ 1:02 AM

4. How to Dial Multiple and more PPPOE Client Over Single WAN Interface in Mikrotik
Comment by ramanji — June 3, 2015 @ 3:26 PM

5. dear sir, How to Dial Multiple PPPOE Client Over Single WAN Interface in Mikrotik? Detail: I got 2 ports on my mikrotik router 1xWAN & 1xLAN port I need to dial 2 or more pppoe clients and load balance over the single wan port How? actually i create a multiple 1mbps pppoe clients in my mikrotik the both connections are showing connected and i use adeel uploaded load balancing settings in my mikrotik. when i check in speedtest its showing sometimes 1mbps and sometimes 2mbps. pls help me…..
Comment by ramanji neyuluk — June 4, 2015 @ 11:22 AM

As far as i know, You cannot dial multiple PPPoE client over one interface. why not use manageable switch with vlans to do the job ?
Comment by Syed Jahanzaib / Pinochio~:) — June 9, 2015 @ 9:04 AM

6. nice work >>> having one question … i have rb 2011 with 1 switch cisco L3 and 3 rb 1100 … in rb 2011 making 3 vlan’s and 3 user pppoe client >> in cisco also same 3 vlan’s … RB 1100 each router taking one user pppoe client how can separate between them “meaning user 1 is working on first router but not working one other routers ” second and third router 1100″ ?
Comment by Laith Adnan — June 9, 2015 @ 12:26 AM

perhaps a network diagram will help to understand the issue.
Comment by Syed Jahanzaib / Pinochio~:) — June 9, 2015 @ 9:02 AM

i upload simple diagram … the idea is isolate users pppoe client on the same router … meaning … there is Main router ( cloud core ) having 2 user pppoe A and B … and there is two routers ( Router 1 and Router 2 ) connected directly to main router ( cloud core ) … i wanna user A is connected only to Router 1 and not connected to Router 2 and user B connected to Router 2 and not connected to Router 1
Comment by Laith Adnan — June 9, 2015 @ 8:24 PM


still waiting for answer
Comment by Laith Adnan — June 13, 2015 @ 3:35 PM

any idea?
Comment by Laith Adnan — June 21, 2015 @ 11:15 PM

7. dear you need to use policy based routing as far as destination end routing is concern, in which you can configure for user A to user R1, and User B to R2.
Comment by Jack — June 22, 2015 @ 4:32 PM

how can i use that policy ?
Comment by Laith Adnan — June 24, 2015 @ 5:38 AM

use google to implement PBR in MT
Comment by Jack — June 29, 2015 @ 10:19 AM

8. Dear Mr.Jahanazib, Could you please tell me which cisco switch are able to tagged/trunked with mikrotik. My model is 1100 ahx2
Comment by sohag — July 2, 2015 @ 12:01 PM

In general all Cisco base manageable switch are capable of doing vlan. I used Cisco 3750 giga bit switch at various places and found it very stable. cisco 2960 or likewise are also good choices. but it all depends on availability and budget as well.
Comment by Syed Jahanzaib / Pinochio~:) — July 2, 2015 @ 12:11 PM

9. Hello Brother Assalamu alikum, This is Nahid from Bangladesh. I have a new problem at hand. Recently i add a new Cisco Catalyst 2960 TCS with my network, Using Mikrotik CCR-1016 for Routing, When I add This new switch with mikrotik interface, getting some packet loss, Like If i ping my gateway its showing Replay from 2ms or sometime 30ms+, also miss 1 packet after 15-20 replay from gateway. I have another old Catalyst 2960TCL which is ok no ping loss from gateway, If i connect my new Catalyst 2960 with old Catalyst 2960TCL, then no packet loss also getting ping from gateway

Copyright ©2017 KUPDF Inc.