Basic VLANs with SwitchOS


Indroduction

     MikroTik has produced 3 different products which run SwithOS instead of RouterOS, the RB250GS (End of Life), the RB260GS, and the RB260GSP. This tutorial will show you how to do basic VLAN management using the RB260 series switches. This tutorial is based upon SwtichOS version 1.17.

1st Example – Using a switch to extend the number of Ethernet ports available to your router (clients are not tagging)

     In this 1st example, we will use the switches to basically add additional Ethernet ports to the router through VLANs. Each port of the switch will be on a separate VLAN, which the router in-turn can handle as if it were a separate Ethernet port. The SFP port will be the trunk port to the router. The most common scenario for this is when the switch is an Access Switch, meaning that hosts are connected directly to it. Usually, the host are not capable of tagging traffic for VLANs. This is usually true with host PCs and common network capable devices. Exceptions that are with network devices such as servers, phones, other switches, routers, ect. That example will be given next.

1st Example with RB2560GS

VLANs_1

 

The router config (only the VLAN specific settings will be shown):

Ethernet port 2 on the router will connect to the SFP port  on the switch. 6 VLANs will be created on the router, VLAN2 will be for management of the switch. An IP address for each VLAN will be configured and a DHCP server for each VLAN will setup. Goto Interfaces an choose the VLAN tab to create the VLANs in the router.

Router_VLANs

 

Next, add the IP address to each VLAN interface as shown by going to IP -> Addresses.

 

Router_IPs

 

Next, we’ll add a DHCP server on each VLAN by going to IP -> DHCP Server and using the DHCP Setup wizard (VLAN2 will not need a DHCP server since that VLAN is used just to communicate with the switch):

 

Router_DHCP_Server

 

A note on using DHCP accross the VLANs: I, personally, like using DHCP to test VLANs because the entire DHCP process is Layer 2, so if there are any problems with the VLAN, either the client will not get the DHCP reservation or the wrong client will get a DHCP reservation. If the correct clients is getting the correct reservations and you can ping both directions, then you can feel pretty confident that the VLANs are working correctly.

The switch config (only the VLAN specific setting will be shown):

The switch will have the SFP port configured as a Trunk port to communicate to the router. Each of the 5 switch ports (Ether1-5) are taking the host’s untagged traffic and tagging it so that it can exit the trunk port and reach the appropriate VLAN interface in the router. When the traffic is headed back to the host, it traverses the VLAN as tagged traffic and then the VLAN tag is removed by the switch at the last port it goes through. VLAN2 is how we communicate with the switch directly. In this example, the switch has an IP address of 192.168.88.2.

 

VLAN_Tab

 

Step 1: Set a static IP in your computer on the 192.168.88.0/24 subnet so that you can connect to the switch at 192.168.88.1. The only way to connect to the switch is through the web browser.

Step 2: Starting on the VLAN tab, we are going to change the “VLAN Mode” setting to “Strict” for all 6 ports. This setting will strictly enforce the ingress of frames by matching them to the “VLAN Table.” The VLAN Table is the list of VLANs on the VLANs tab (1 tab over). This setting would often be used together with “VLAN Receive” to ensure that only tagged or untagged frames are inbound to the switch, depending on the setting chosen. For our example, “any” will work just fine.

Step 3: The “Default VLAN ID” needs to be set for each port. This setting works together with the “Force VLAN ID” setting in our example. What these two settings are doing is that they are forcing a VLAN tag on the untagged traffic that in ingressing through that port. Since the traffic from our 5 hosts will be untagged when the host originates the traffic, this is how it will pick up the VLAN tag to traverse the switch and make it to the router. The SFP port is not using the “Force VLAN ID” setting or the “Defult VLAN ID” setting. 

Step 4: Next we will change the “VLAN Header” setting. Our host machines are looking for untagged traffic, so when the frames exit the switch, we are going to strip away the VLAN IDs by choosing “always strip.” The SFP port will be set to “leave as is” because we do not want to add or remove VLAN tags from that port.

 

VLANs_Tab

 

Step 5: On the VLANs tab, we are going to add an entry for each VLAN ID that we will be using. Since only one physical port will be participating in each VLAN, we will set that port and the trunk port to leave as is. In this case, “leave as is” means use the settings from the previous page. All of the other ports that are not participating in that particular VLAN group will be listed as “not a member.” The SFP port, which is our trunk port, will leave all VLANs as they are.

 

System_Tab

 

Step 6: The final step is to assign a new IP address to the switch, set the Identity, and choose the VLAN that it will be available from. Alternatively, you may want to make it available from a specific subnet. Now its time to test the configuration, by plugging a host which is configured to be a DHCP client into to each port. 

 

Leave a comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>