Mikrotik With Cisco VLAN Made Easy

Mikrotik with Cisco VLAN made easy | Syed Jahanzaib Personal Blog to ... https://aacable.wordpress.com/2015/06/02/mikrotik-with-cisco-vlan-mad...
Syed Jahanzaib Personal Blog to Share

Knowledge !
June 2, 2015
Mikrotik with Cisco VLAN made easy
Filed under: Cisco Related, Mikrotik Related Tags: 3750, cisco vlan, isolate, mikrotik vlan, vlan Syed
Jahanzaib / Pinochio~:) @ 3:16 PM
i
12 Votes
1 of 17 31/03/2017 13:20
~!~ Mikrotik with Cisco VLAN made easy ~!~

~!~ For Beginners ~!~
5 + - 5 + - are a solution to allow you to separate users into individual network segments for
security and other reasons. 5 + - membership can be congured through software instead of physically
relocating devices or connections. 5 + - allow you to break up devices on your network regardless of
their location.
The main advantage of 5 + - are
Broadcast Control
2 of 17 31/03/2017 13:20
Security / Client Isolation

DMZ
Controlled Network Management
Costing
It is very useful for any network including large/small oces, ISPs, Cable.Internet services providers etc.
The main problem of any large network is broadcast and specially for network operators when any single
user swap his wan router LAN cable to wan cable thus broadcast his router DHCP to operator network,
or single user eected with virus/trojans broadcast to whole network. VLAN can help you in many
situations like these or others.
TASK:
To avoid broadcasting/ooding and above all for be?er be?er management +security and monitoring, we
want to break the network in smaller segments.
Scenario:
Consider the following scenario
We have Mikrotik Router which is acting as a DHCP and PPPoE Server as well. and we want to isolate the
dierent network areas by breaking them in smaller segments. Each area will get dierent IP series from
the mikrotik dhcp server.
In this example following ports are used for
Mikrotik = Port 1 [as TRUNK port]

Dealer-1 = Port 2
Dealer-2 = Port 3
Dealer-3 = Port 4
Hardware Used in this Guide:
1. Mikrotik RB2011
2. Cisco 3750-E Series
3. Two Laptops for testing
3 of 17 31/03/2017 13:20
MIKROTIK CONFIG
1 # Create VLAN Interfaces and provide them name and VLAN#ID

2 /interface vlan
3 add interface=LAN l2mtu=1594 name=DEALER-1 vlan-id=10
6
7 # Assign IP addresses to the interfaces
8 /ip address
9 add address=192.168.1.1/24 interface=LAN network=192.168.1.0
10 add address=192.168.10.1/24 interface=DEALER-1 network=192.168.10.0
13
14 # Create DHCP Server and assign different Pools for the dealers
15 # You can DHCP wizard as well if CLI is a bit hectic
16 /ip dhcp-server
17 add address-pool=DEALER-1-POOL disabled=no interface=DEALER-1 lease-time=6h name=dh
20
21 /ip dhcp-server network
22 add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
Some screenshots for the reference purpose
4 of 17 31/03/2017 13:20
Done. Now we have to create VLANs at CISCO Switch
CISCO VLAN CONFIGURATION
I assume that you have Cisco switch with any IP address for the management purposes.
Telnet to the switch
telnet 192.168.0.1
5 of 17 31/03/2017 13:20
1 # Enter your Cisco switch password

2 User Access Verification
3 Password: xxxxxx
4
5 # Switch to change mode
6 enable
7 Password: xxxxxxxxx
8
9 # Enter in Config mode
10 config t
11
12 # Select Port number which will be connected with the Mikrotik and change encapsula
13
14 interface gigabitEthernet 1/0/1
15 switchport trunk encapsulation dot1q
16 switchport mode trunk
17
18 switchport trunk allowed vlan all
19 switchport nonegotiate
20
21 #Create VLAN id and name for dealers/areas
22 vlan 10
23 name DEALER-1
24 vlan 20
25 name DEALER-2
26 vlan 30
27 name DEALER-3
28 exit
29
30 # Now Select Dealer1 interface , like port 2 and assign it with the vlan id
31
33 # OR RANGE like interface range gigabitEthernet 1/0/1-4 (Port Range 1 to 4)
34 switchport mode access
35 switchport access vlan 10
36
40
44
45 exit
46 exit
47
48 # SAVE the configuration you just made above
49 wr
Some screenshots for reference
6 of 17 31/03/2017 13:20
7 of 17 31/03/2017 13:20
Done!
TEST!
Now connect your PC with the port 2 and port3 , 4
You will get dierent IP in each port.

Test From Dealer-1 System
Dealer-1 have receive series ip, exactly the one we congured in mikrotik.
Now try to ping any dealer-2 series and to the internet as well. You will see that you will be able to ping
the internet and mikrotik LAN ip, but not with dealer-2 subnet or likewise.
8 of 17 31/03/2017 13:20
- . 3 $For the client isolation / to block communication between all VLANs , you must createFILTER
rule as explained in TIPs n TRICK section below
TIPS n TRICKS
1- Block communication between all or specific VLAN

Subnet
9 of 17 31/03/2017 13:20
It is usually required to block all communication between specic or all 5 + - subnets for security or
other reasons. By default mikrotik will allow communications between all vlan. You can block them by
creating %(+3 $1 rules. Example is we want that users of all vlans can access internet via 6 - interface
but should not be able to communicate with any other 5 + - subnet. use following as an example
- there are many other ways to achieve this either at switch level or mikrotik, i am showing just an
example only here.
1 /ip firewall filter

2 add chain=forward comment="Accept traffic from VLAN subnets to WAN" out-interface=WA
3
4 add action=reject chain=forward comment="Block Communication between all vlan subnet
5 192.168.0.1-192.168.255.255
6
7 # Masquerade rule to allow internet , wan link interface
8 /ip firewall nat
9 add action=masquerade chain=srcnat out-interface=WAN
Snapshots of Working VLAN config with pppoe server
10 of 17 31/03/2017 13:20
Pending work:
Add pppoe or hotspot conguration

Firewall conguration for isolation in pppoe/hotpost
Few more tips n tricks with VLAN
Regards
2 )
11 of 17 31/03/2017 13:20
Comments (25)
25 Comments
1. Dear Jahanzaib,
How can we make sure that on mikrotik side the port is in the trunking mode. Is there any specic
commands ? or is it by default that the ethernet interfaces on mikrotik are in the trunking mode ??
Comment by Khizer June 2, 2015 @ 11:29 PM
Reply
2. love it
Comment by mushhood June 2, 2015 @ 11:51 PM
Reply
3. But what about mikrotik to mikrotik foe example Rb2011 to Rb750 rb2011 have two networks pppoe
and hotspot going through 1 trunk and in remote area there is 750 from connections are distributed
although it is also possible to have both pppoe and hotspot on same lan but i am generating a scenario
a vice versa..
12 of 17 31/03/2017 13:20
Comment by UmmarHussain June 3, 2015 @ 1:02 AM
Reply
4. How to Dial Multiple and more PPPOE Client Over Single WAN Interface in Mikrotik
Comment by ramanji June 3, 2015 @ 3:26 PM
Reply
5. dear sir , How to Dial Multiple PPPOE Client Over Single WAN Interface in Mikrotik?
Detail:
I got 2 ports on my mikrotik router
1xWAN & 1xLAN port
I need to dial 2 or more pppoe clients and load balance over the single wan port
How?
actually i create a multiple 1mbps pppoe clients in my mikrotik the both connections are showing
connected and
i use adeel uploaded load balancing se?ings in my mikrotik.when i check in speedtest its showing
sometimes 1mbps and sometimes 2mbps.
pls help me..
Comment by ramanji neyuluk June 4, 2015 @ 11:22 AM
Reply
As far as i know, You cannot dial multiple PPPoE client over one interface. why not use
manageable switch with vlans to do the job ?
Comment by Syed Jahanzaib / Pinochio~:) June 9, 2015 @ 9:04 AM
Reply
6. nice work >>> having on question i have rb 2011 with 1 switch cisco L3 and 3 rb 1100.in rb 2011
making 3 vlans and 3 user pppoe client >>in cisco also same 3 vlans RB 1100 each router taking one
user pppoe client how can separate between them meaning user 1 is working on rst router but not
working one other routers second and third router 1100 ?
Comment by Laith Adnan June 9, 2015 @ 12:26 AM
Reply
perhaps a network diagram will help to understand the issue.
Comment by Syed Jahanzaib / Pinochio~:) June 9, 2015 @ 9:02 AM
Reply
i upload simple diagram the idea is isolate users pppoe client on the same routermeaning
there is Main router ( cloud core ) having 2 user pppoe A and B and there is two routers (
Router 1 and Router 2 ) connected directly to main router ( cloud core ) i wanna user A is
connected only to Router 1 and not connected to Router 2 and user B connected to Router 2
and not connected to Router 1
Comment by Laith Adnan June 9, 2015 @ 8:24 PM
13 of 17 31/03/2017 13:20
still waiting for answer
any idea?
7. dear you need to use policy based routing as far as destination end routing is concern , in which you
can congure for user A to user R1, and User B to R2.
Comment by Jack June 22, 2015 @ 4:32 PM
Reply
how can i use that policy ?
Comment by Laith Adnan June 24, 2015 @ 5:38 AM
Reply
use google to implement PBR in MT
Comment by Jack June 29, 2015 @ 10:19 AM
8. Dear Mr.Jahanazib ,
Could you please tell me which cisco switch are able to tagged/trunked with mikrotik .My model is
1100 ahx2
Comment by sohag July 2, 2015 @ 12:01 PM
Reply
In general all Cisco base manageable switch are capable of doing vlan.
I used Cisco 3750 giga bit switch at various places and found it very stable cisco 2960 or likewise
are also good choices. but it all depends on availability and budget as well.
Comment by Syed Jahanzaib / Pinochio~:) July 2, 2015 @ 12:11 PM
Reply
9. Hello Brother Assalamu alikum,
This is Nahid from Bangladesh. I have a new problem at hand. Recently i add a new Cisco Catalyst
2960 TCS with my network, Using Mikrotik CCR-1016 for Routing, When I add This new switch with
mikrotik interface, ge?ing some packet loss, Like If i ping my gateway its showing Replay from 2ms or
sometime 30ms+, also miss 1 packet after 15-20 replay from gateway. I have another old Catalyst
2960TCL which is ok no ping loss from gateway, If i connect my new Catalyst 2960 with old Catalyst
2960TCL, then no packet loss also ge?ing ping from gateway <1ms-2ms.
From Mikrotik I connected to Giga Ethernet port to switch with Machine made Cable. In Mikrotik
Auto Port Negotiation is on also selected 100 full, 1000full, I changed MSS in rewall.
If i Reboot my Mikrotik or change port then there is no Ping loss or ge?ing good ping time for only 5
minute then again its starts to loss after every 20 replay.
Mikrotik Conguration: All user connect with DHCP, No Filter Rules, NAT set to Masquerade, In
mangle only rules for FTP servers,
Please Anyone solve this issue, Thanks in Advance
14 of 17 31/03/2017 13:20
Comment by MD. Nahid July 30, 2015 @ 4:29 PM
Reply
10. Dear,
i have mikrotik working ok with cisco vlan congured and working ok.
now i want to use mikrotik in vmware but in vmware vlan not working. what to do now?
Comment by SunStar August 17, 2015 @ 2:53 PM
Reply
11. Dear Syed Jahanzaib,
i want to use vlans for Security / Client Isolation in the hostpot
i wnant to create 250 vlans each user tack one ip from dierent rang (dierent vlan)
is it passibal in mikrotik
what are the process ??
Comment by Alaa Abdulsalam Al-thobhani December 29, 2015 @ 3:32 AM
Reply
i wnant to create 250 vlans each user take one ip from dierent rang (dierent vlan)
Comment by Alaa Abdulsalam Al-thobhani December 29, 2015 @ 3:38 AM
Reply
i wnant to create 250 vlans each user tack one ip from dierent rang (dierent vlan)
Comment by M Anees February 15, 2016 @ 10:41 AM
Reply
14. Salam
What if want to createT TRUNK between Cisco 2960 switch and mikrotik crs125-24g-1s-2hnd-in,
Cisco 2960
#switchport mode trunk
#no shut
VLAN 1 -192.168.200.0/24 Management ip address.
15 of 17 31/03/2017 13:20
mikrotik crs125-24g-1s-2hnd-in
Ether 24 trunk.
Ether 24 IP address 192.168.200.100/24 (I dont have any idea here)
default gateway 192.168.200.1
Ether 1- VLAN 126

Ether 2- 10 VLAN 30
/interface ethernet
set ether1 master-port=ether24
TRUNK PORT
/interface ethernet switch egress-vlan-tag add tagged-ports=ether24,switch1-cpu vlan-id=30 add
tagged-ports=ether24 vlan-id=126
ACCESS PORT
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=30 ports=\
ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,switch1-cpu \
sa-learning=yes
/interface ethernet switch ingress-vlan-translation add customer-vid=0 new-customer-vid=126 ports=\
ether1,switch1-cpu \
sa-learning=yes
NOTE:
Problem is i can access see access and trunk conguration is working perfectly.
but issue is i cant access 192.168.200.100 (mokrotik switch IP address) from cisco network .
I cant ping vlan1 trunk ip address of Mikrotik switch.
Please explain where i am doing wrong.
Comment by Abbas March 20, 2016 @ 2:02 PM
Reply
15. Any Idea for mikrotik vlans with Rocket M2 and Nano M5 Vlans connect congration
Comment by Muhammad Azam Ghouri May 7, 2016 @ 12:29 PM
Reply
16. hi
16 of 17 31/03/2017 13:20
i have a rb750r2 and i try to setup Vlan but i can not

i have at
ether1 wan1
ether5 pppoe
and i want at
ether4 4 vlans etc10,20,30,40 and this port (ether4) it is connect with trunk port of cisco with vlan 10,
20, 30 ,40 at port ether1. ether2 , etc (cisco setup is tested and work ne!!)
my ip range is 192.168.1.1-254
i have a pc that i have the ip 192.168.10.2
and i want from mikrotik to see the range 192.168.10.1-254 as vlan 10 forward the trac of this pc only
on ether4, tagged as vlan10
to have the from the cisco trunk port that trac at ether 1 witch is vlan10
like this h?ps://postimg.org/image/kvlulsglx/
Comment by afric January 3, 2017 @ 3:22 AM
Reply
17. dear jahanzaib how can i add multiple pppoe clients in mikrotik to dial from 1 interface using vlan in
cisco i have created vlans and trunk port in cisco but i am confused in mikrotik side conguration
Comment by arslan jabbar February 20, 2017 @ 3:38 PM
Reply
RSS (Really Simple Syndication) feed for comments on this post. TrackBack URI (Uniform Resource
Identier)
17 of 17 31/03/2017 13:20

Mikrotik With Cisco VLAN Made Easy - Syed Jahanzaib Personal Blog To Share Knowledge !

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Mikrotik With Cisco VLAN Made Easy - Syed Jahanzaib Personal Blog To Share Knowledge !

Загружено:

Авторское право:

Доступные форматы

Mikrotik with Cisco VLAN made easy | Syed Jahanzaib Personal Blog to ... https://aacable.wordpress.com/2015/06/02/mikrotik-with-cisco-vlan-mad...

Syed Jahanzaib Personal Blog to Share

~!~ Mikrotik with Cisco VLAN made easy ~!~

The main advantage of 5 + - are

Security / Client Isolation

Consider the following scenario

In this example following ports are used for

Mikrotik = Port 1 [as TRUNK port]

Hardware Used in this Guide:

1 # Create VLAN Interfaces and provide them name and VLAN#ID

Some screenshots for the reference purpose

Done. Now we have to create VLANs at CISCO Switch

CISCO VLAN CONFIGURATION

Telnet to the switch

1 # Enter your Cisco switch password

Some screenshots for reference

Now connect your PC with the port 2 and port3 , 4

You will get dierent IP in each port.

Test From Dealer-1 System

1- Block communication between all or specific VLAN

1 /ip firewall filter

Snapshots of Working VLAN config with pppoe server

Add pppoe or hotspot conguration

Comment by Khizer June 2, 2015 @ 11:29 PM

Comment by mushhood June 2, 2015 @ 11:51 PM

Comment by UmmarHussain June 3, 2015 @ 1:02 AM

Comment by ramanji June 3, 2015 @ 3:26 PM

Comment by ramanji neyuluk June 4, 2015 @ 11:22 AM

Comment by Syed Jahanzaib / Pinochio~:) June 9, 2015 @ 9:04 AM

Comment by Laith Adnan June 9, 2015 @ 12:26 AM

Comment by Syed Jahanzaib / Pinochio~:) June 9, 2015 @ 9:02 AM

Comment by Laith Adnan June 9, 2015 @ 8:24 PM

still waiting for answer

Comment by Laith Adnan June 13, 2015 @ 3:35 PM

Comment by Laith Adnan June 21, 2015 @ 11:15 PM

Comment by Jack June 22, 2015 @ 4:32 PM

Comment by Laith Adnan June 24, 2015 @ 5:38 AM

Comment by Jack June 29, 2015 @ 10:19 AM

Comment by sohag July 2, 2015 @ 12:01 PM

Comment by Syed Jahanzaib / Pinochio~:) July 2, 2015 @ 12:11 PM

Comment by MD. Nahid July 30, 2015 @ 4:29 PM

Comment by SunStar August 17, 2015 @ 2:53 PM

what are the process ??

Comment by Alaa Abdulsalam Al-thobhani December 29, 2015 @ 3:32 AM

what are the process ??

Comment by Alaa Abdulsalam Al-thobhani December 29, 2015 @ 3:38 AM

Comment by M Anees February 15, 2016 @ 10:41 AM

VLAN 1 -192.168.200.0/24 Management ip address.

Ether 1- VLAN 126

I cant ping vlan1 trunk ip address of Mikrotik switch.

Please explain where i am doing wrong.

Comment by Abbas March 20, 2016 @ 2:02 PM

Comment by Muhammad Azam Ghouri May 7, 2016 @ 12:29 PM

i have a rb750r2 and i try to setup Vlan but i can not

like this h?ps://postimg.org/image/kvlulsglx/

Comment by afric January 3, 2017 @ 3:22 AM

Comment by arslan jabbar February 20, 2017 @ 3:38 PM

Вам также может понравиться