Manual - CRS Examples - MikroTik Wiki

Manual:CRSexamples
FromMikroTikWiki
Contents
1Summary
2ManagementIPConfiguration
3VLAN
3.1PortBasedVLAN
3.2ProtocolBasedVLAN
3.3MACBasedVLAN
3.4InterVLANRouting
3.5Unknown/InvalidVLANfiltering
3.6VLANTunneling(QinQ)
4Mirroring
4.1PortBasedMirroring
4.2VLANBasedMirroring
4.3MACBasedMirroring
5Trunking
6Isolation
6.1PortLevelIsolation
6.2ProtocolLevelIsolation
7BandwidthLimiting
8TrafficStormControl
Applies
to
RouterOS:v6.12+
Summary
BasicusecasesandconfigurationexamplesforCloudRouterSwitchfeatures.
ManagementIPConfiguration
Untagged(VLAN0)ManagementIPaddresshastobeassignedtothemasterport.
/interfaceethernet
setether3masterport=ether2
/ipaddress
addaddress=192.168.88.1/24interface=ether2network=192.168.88.0
FortaggedVLANManagementIPaddressaddVLAN99interfaceandassignIPaddresstoit.Sincethemasterportreceivesall
thetrafficcomingfromswitchcpuport,VLANinterfacehastobeconfiguredonthemasterport,inthiscase"ether2"port.Now
fromswitchchippointtherealsohastobeVLAN99taggingonswitch1cpuport.
/interfacevlan
addname=vlan99vlanid=99interface=ether2
/ipaddress
addaddress=192.168.88.1/24interface=vlan99network=192.168.88.0
/interfaceethernetswitchegressvlantag
addtaggedports=switch1cpuvlanid=99
VLAN
Note:ItisrecommendedtogetSerialConsolecableandtestitbeforeconfiguringVLANsbecauseyoumayloseaccesstotheCPU
and/ortheportyouareconnectedto.
Note:SomechangesmaytakesometimetotakeeffectduetoalreadylearnedMACaddreses.InsuchcasesflushingUnicastForwarding
Databasecanhelp:/interfaceethernetswitchunicastfdbflush
Note:Multiplemasterportconfigurationisdesignedasfastandsimpleportisolationsolution,butitlimitspartofVLANfunctionality
supportedbyCRSswitchchip.ForadvancedconfigurationsuseonemasterportwithinCRSswitchchipforallports,configureVLANs
andisolateportgroupswithportisolationprofileconfiguration.
PortBasedVLAN
Example1
PortBasedVLAN1
Chooseamasterportandenslavetheportsyouneedtobeinthesameswitchgroup.
/interfaceethernet
AddinitialVLANassignments(PVID)toVLANaccessports.
/interfaceethernetswitchingressvlantranslation
addports=ether6customervid=0newcustomervid=200salearning=yes
AddVLAN200,VLAN300andVLAN400taggingonether2porttocreateitasVLANtrunkport.
addtaggedports=ether2vlanid=200
VLANmembershipdefinitionsintheVLANtablearerequiredforproperisolation.AddingentrieswithVLANidandportsmakes
thatVLANtrafficvalidonthoseports.
/interfaceethernetswitchvlan
addports=ether2,ether6vlanid=200learn=yes
AftervalidVLANconfigurationunknown/invalidVLANforwardingcanbedisabledinglobalswitchsettings.
/interfaceethernetswitch
setdropifinvalidorsrcportnotmemberofvlanonports=ether2,ether6,ether7,ether8
Example2
PortBasedVLAN2
Createagroupofswitchedports.
/interfaceethernet
AddinitialVLANassignments(PVID)foruntaggedtrafficonether6,ether7,ether8ports.
AddVLAN200,VLAN300andVLAN400taggingonportsaccordingtodiagram.Thetaggedportsoptionallowmultiple
valuestosupporttaggingonmanyports.
addtaggedports=ether2,ether7,ether8vlanid=200
VLANmembershipdefinitionsintheVLANtablearerequiredforproperisolation.AddingentrieswithVLANidandportsmakes
thatVLANtrafficvalidonthoseports.
addports=ether2,ether6,ether7,ether8vlanid=200learn=yes
UnknownVLANsshouldbedisabledaftervalidVLANmembershipconfiguration.
ProtocolBasedVLAN
ProtocolBasedVLAN
/interfaceethernet
SetVLANforIPandARPprotocols
/interfaceethernetswitchprotocolbasedvlan
addport=ether2protocol=arpsetcustomervidfor=allnewcustomervid=0
addport=ether6protocol=arpsetcustomervidfor=allnewcustomervid=200
addport=ether2protocol=ipsetcustomervidfor=allnewcustomervid=0
addport=ether6protocol=ipsetcustomervidfor=allnewcustomervid=200
SetVLANforIPXprotocol
addport=ether2protocol=ipxsetcustomervidfor=allnewcustomervid=0
addport=ether7protocol=ipxsetcustomervidfor=allnewcustomervid=300
SetVLANforAppleTalkAARPandAppleTalkDDPprotocols
addport=ether2protocol=0x80F3setcustomervidfor=allnewcustomervid=0
addport=ether8protocol=0x80F3setcustomervidfor=allnewcustomervid=400
addport=ether2protocol=0x809Bsetcustomervidfor=allnewcustomervid=0
addport=ether8protocol=0x809Bsetcustomervidfor=allnewcustomervid=400
MACBasedVLAN
MACBasedVLAN
/interfaceethernet
EnableMACbasedVLANtranslationonaccessport.
/interfaceethernetswitchport
setether7allowfdbbasedvlantranslate=yes
AddMACtoVLANmappingentriesinMACbasedVLANtable.
/interfaceethernetswitchmacbasedvlan
addsrcmac=A4:12:6D:77:94:43newcustomervid=200
addsrcmac=84:37:62:DF:04:20newcustomervid=300
addsrcmac=E7:16:34:A1:CD:18newcustomervid=400
AddVLAN200,VLAN300andVLAN400taggingonether2porttocreateitasVLANtrunkport.
InterVLANRouting
InterVLANRouting
InterVLANroutingconfigurationconsistsoftwomainpartsVLANtagginginswitchchipandroutinginRouterOS.Thisconfiguration
canbeusedinmanyapplicationsbycombiningitwithDHCPserver,Hotspot,PPPandotherfeaturesforeachVLAN.Additionallythis
examplecoversblockingofunwantedotherVLANtrafficonports.
/interfaceethernet
SetVLANtaggingonCPUportforallVLANstomakepacketstaggedbeforetheyareroutedandaddingressVLANtranslation
rulestoensurecorrectVLANidassignmentisdoneonaccessports.
ForroutingaddVLANinterfacesonmasterportbecauseitconnectswithCPUportandaddIPaddressestocreatedVLAN
interfaces.Inthisexamplethree192.168.x.1addressesareaddedtovlan200,vlan300andvlan400interfaces.
/interfacevlan
addname=vlan200interface=ether2vlanid=200
/ipaddress
Unknown/InvalidVLANfiltering
VLANmembershipisdefinedintheVLANtable.AddingentrieswithVLANidandportsmakesthatVLANtrafficvalidonthoseports.
AftervalidVLANconfigurationunknown/invalidVLANforwardingcanbedisabledinglobalswitchsettings.ThisVLANfiltering
configurationexampleappliestoInterVLANRoutingsetup.
addports=switch1cpu,ether6vlanid=200learn=yes
Option1:disableinvalidVLANforwardingonspecificports:
Option2:disableinvalidVLANforwardingonallports:
setforwardunknownvlan=no
VLANTunneling(QinQ)
ThisexamplecoverstypicalVLANtunnelingusecasewhereserviceproviderdevicesaddanotherVLANtagforindependent
forwardinginthemeantimeallowingcustomerstousetheirownVLANs.
Note:ThisexamplecontainsonlyServiceVLANtaggingpart.
ItisrecommendedtoadditionallysetUnknown/InvalidVLANfilteringconfigurationonports.
thumb
CRS1:ThefirstswitchontheedgeofserviceprovidernetworkhastoproperlyindentifytrafficfromcustomerVLANidonportand
assignnewserviceVLANidwithingressVLANtranslationrules.
VLANtrunkportconfigurationforserviceproviderVLANtagsisinthesameegressvlantagtable.
ThemaindifferencefrombasicPortBasedVLANconfigurationisthatCRSswitchchiphastobesettodoforwardingaccordingto
service(outer)VLANidinsteadofcustomer(inner)VLANid.
/interfaceethernet
set[finddefaultname=ether2]masterport=ether1
addcustomervid=200newservicevid=400ports=ether1salearning=yes
setbridgetype=servicevidusedaslookupvid
CRS2:Thesecondswitchintheserviceprovidernetworkrequireonlyswitchedportsusingmasterportandbridgetypeconfiguredto
doforwardingaccordingtoservice(outer)VLANidinsteadofcustomer(inner)VLANid.
/interfaceethernet
CRS3:ThethirdswitchhassimilarconfigurationtoCRS1:
Portsinaswitchgroupusingmasterport
IngressVLANtranslationrulestodefinenewserviceVLANassingmentsonports
taggedportsforserviceproviderVLANtrunks
CRSswitchchipsettouseserviceVLANidinswitchinglookup.
/interfaceethernet
Mirroring
Mirroring
TheCloudRouterSwitchessupportthreetypesofmirroring.Portbasedmirroringcanbeappliedtoanyofswitchchipports,VLAN
basedmirroringworksforallspecifiedVLANsregardlessswitchchipportsandMACbasedmirroringcopiestrafficsentorreceived
fromspecificdevicereachablefromtheportconfiguredinUnicastForwardingDatabase.
PortBasedMirroring
Thefirstconfigurationsetsether5portasamirror0analyzerportforbothingressandegressmirroring,mirroredtrafficwillbesentto
thisport.Portbasedingressandegressmirroringisenabledfromether7port.
setingressmirror0=ether8egressmirror0=ether8
setether7egressmirrorto=mirror0ingressmirrorto=mirror0
VLANBasedMirroring
Thesecondexamplerequiresportstobeswitchedinagroup.Mirroringconfigurationsetsether5portasamirror0analyzerportandsets
mirror0porttobeusedwhenmirroringfromVLANoccurs.VLANtableentryenablesmirroringonlyforVLAN300trafficbetween
ether2andether7ports.
/interfaceethernet
setingressmirror0=ether5vlanuses=mirror0
addports=ether2,ether7vlanid=300learn=yesingressmirror=yes
MACBasedMirroring
Thethirdconfigurationalsorequiresportstobeswitchedinagroup.Mirroringconfigurationsetsether5portasamirror0analyzerport
andsetsmirror0porttobeusedwhenmirroringfromUnicastForwardingdatabaseoccurs.TheentryfromUnicastForwardingdatabase
enablesmirroringforpacketswithsourceordestinationMACaddressE7:16:34:A1:CD:18fromether8port.
/interfaceethernet
setingressmirror0=ether5fdbuses=mirror0
/interfaceethernetswitchunicastfdb
addport=ether8mirror=yessvl=yesmacaddress=E7:16:34:A1:CD:18
Trunking
Trunking
TheTrunkingintheCloudRouterSwitchesprovidesstaticlinkaggregationgroupswithhardwareautomaticfailoverandloadbalancing.
IEEE802.3adandIEEE802.1axcompatibleLinkAggregationControlProtocolisnotsupportedyet.Upto8Trunkgroupsaresupported
withupto8TrunkmemberportsperTrunkgroup.
ConfigurationrequiresagroupofswitchedportsandanentryintheTrunktable.
/interfaceethernet
/interfaceethernetswitchtrunk
addname=trunk1memberports=ether6,ether7,ether8
ThisexamplealsoshowsproperbondingconfigurationinRouterOSontheotherend.
/interfacebonding
addname=bonding1slaves=ether2,ether3,ether4mode=balancexortransmithashpolicy=layer2and3\
linkmonitoring=miimiiinterval=100ms
Isolation
PortLevelIsolation
PortLevelIsolation
PortlevelisolationisoftenusedforPrivateVLAN,where:
Oneormultipleuplinkportsaresharedamongallusersforaccessinggatewayorrouter.
PortgroupIsolatedPortsisforguestusers.Communicationisthroughtheuplinkportsonly.
PortgroupCommunity0isfordepartmentA.Communicationisallowedbetweenthegroupmembersandthroughuplinkports.
PortgroupCommunityXisfordepartmentX.Communicationisallowedbetweenthegroupmembersandthroughuplinkports.
TheCloudRouterSwitchesuseportlevelisolationprofilesforPrivateVLANimplementation:
UplinkportsPortlevelisolationprofile0
IsolatedportsPortlevelisolationprofile1
Community0portsPortlevelisolationprofile2
CommunityX(X<=30)portsPortlevelisolationprofileX
Thisexamplerequiresagroupofswitchedports.Assumethatallportsusedinthisexampleareinoneswitchgroupconfiguredwith
masterportsetting.
ThefirstpartofportisolationconfigurationissettingtheUplinkportsetportprofileto0forether2.
setether2isolationleakageprofileoverride=0
Thencontinuewithsettingisolationprofile1toallisolatedportsandaddingthecommunicationportforportisolationprofile1.
/interfaceethernetswitchportisolation
addportprofile=1ports=ether2type=dst
ConfigurationtosetCommunity0andCommunity1portsissimilar.
addportprofile=2ports=ether2,ether7,ether8type=dst
addportprofile=3ports=ether2,ether9,ether10type=dst
ProtocolLevelIsolation
ProtocolLevelIsolation
ProtocollevelisolationonCRSswitchescanbeusedtoenchancenetworksecurity.Forexample,restrictingDHCPtrafficbetweenthe
usersandallowingitonlytotrustedDHCPserverportcanpreventsecurityriskslikeDHCPspoofingattack.Thefollowingexample
showshowtoconfigureitonCRS.
Chooseamasterportandenslavetheportsyouneedtobewithinthesameswitchgroup.
/interfaceethernet
SetthesameCommunityportprofileforallDHCPclientports.Communityportprofilenumbersarefrom2to30.
Andconfigureportisolation/leakageprofileforselectedCommunity(2)toallowDHCPtrafficdestinedonlytoportwherethe
trustedDHCPserverislocated.registrationstatusandtraffictypepropertieshavetobesetemptyinordertoapplyrestriction
onlyforDHCPprotocol.
addportprofile=2protocoltype=dhcpv4type=dstforwardingtype=bridgedports=ether1\
registrationstatus=""traffictype=""
BandwidthLimiting
BothIngressPortpolicerandShaperprovidebandwidthlimitingfeaturesforCRSswitches.
IngressPortPolicersetsRXlimitonport:
/interfaceethernetswitchingressportpolicer
addport=ether5meterunit=bitrate=10M
ShapersetsTXlimitonport:
/interfaceethernetswitchshaper
addport=ether5meterunit=bitrate=10M
TrafficStormControl
ThesameIngressPortpoliceralsocanbeusedforthetrafficstormcontroltopreventdisruptionsonLayer2portsbyabroadcast,
multicast,orunicasttrafficstorm.
Broadcaststormcontrolexampleonether5portwith8kilobitlimitpersecond:
addport=ether5rate=8kmeterunit=packetpackettypes=broadcast
ExamplewithmultiplepackettypeswhichincludesARPandNDprotocolsandunregisteredmulticasttraffic.Unregistered
multicastistrafficwhichisnotdefinedinMulticastForwardingdatabase.
addport=ether5rate=2Mmeterunit=packetpackettypes=broadcast,arpornd,unregisteredmulticast
[Top|BacktoContent]
Retrievedfrom"http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&oldid=26886"
Categories: Manual Interface CaseStudies Routerboard
Thispagewaslastmodifiedon15December2014,at09:21.
Thispagehasbeenaccessed99,180times.

Manual - CRS Examples - MikroTik Wiki

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Manual - CRS Examples - MikroTik Wiki

Transféré par

Droits d'auteur :

Formats disponibles

Manual:CRSexamples

Vous aimerez peut-être aussi