Devices addresses:<\/p>\n\n\n\n
- \n
- PC1, 10.1.10.2\/24, def. gw. 10.1.10.1<\/li>\n\n\n\n
- PC1, 10.1.20.2\/24, def. gw. 10.1.20.1<\/li>\n\n\n\n
- Mikrotik, 10.1.99.2\/24, def. gw. 10.1.99.1<\/li>\n\n\n\n
- Cisco router:\n
- \n
- VLA10: 10.1.10.1<\/li>\n\n\n\n
- VLA20: 10.1.20.1<\/li>\n\n\n\n
- VLA99: 10.1.99.1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Mikrotik resources<\/h3>\n\n\n\n
Mikrotik trunk and access port configuration links:<\/p>\n\n\n\n
- \n
- Bridging and Switching: https:\/\/help.mikrotik.com\/docs\/display\/ROS\/Bridging+and+Switching<\/a><\/li>\n\n\n\n
- VLANs: https:\/\/help.mikrotik.com\/docs\/display\/ROS\/VLAN<\/a><\/li>\n\n\n\n
- Basic VLAN switching: https:\/\/help.mikrotik.com\/docs\/display\/ROS\/Basic+VLAN+switching<\/a><\/li>\n<\/ul>\n\n\n\n
Note<\/strong>: Mikrotik devices in gns3 do not have built-in hw switch chip. Therefore the configuration is little bit different than on devices with built in chip.<\/em><\/p>\n\n\n\n
Topology<\/h3>\n\n\n\n
![\"\"](\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2023\/12\/image-5-1024x533.png\")
<\/figure>\n\n\n\nGNS3 topology<\/p>\n\n\n\n
![\"\"](\"https:\/\/nil.uniza.sk\/wp-content\/uploads\/2023\/12\/image-4.png\")
<\/figure>\n\n\n\nThe R1 router config:<\/p>\n\n\n\n
hostname R1\ninterface FastEthernet0\/0\n ip address dhcp\n ip nat outside\n no shut\ninterface FastEthernet0\/1\n no shut\ninterface FastEthernet0\/1.10\n encpapsulation dot1q 10\n ip address 10.1.10.1 255.255.255.0\n ip nat inside\ninterface FastEthernet0\/1.20\n encapsulation dot1q 20\n ip address 10.1.20.1 255.255.255.0\n ip nat inside\ninterface FastEthernet0\/1.99\n encapsulation dot1q 99\n ip address 10.1.99.1 255.255.255.0\n ip nat inside\nip access-list standard 1\n permit 10.1.0.0 0.0.255.255\nip nat inside source list 1 int fa 0\/0 overload<\/code><\/pre>\n\n\n\nA test of connectivity<\/p>\n\n\n\n
R1(config)#do ping 1.1.1.1 so fa 0\/1.10\nType escape sequence to abort.\nSending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:\nPacket sent with a source address of 10.1.1.1\n!!!!!\nSuccess rate is 100 percent (5\/5), round-trip min\/avg\/max = 8\/16\/40 ms\nR1(config)#<\/code><\/pre>\n\n\n\nNetworking on Mikrotik<\/h3>\n\n\n\n
As I’m focusing on the RouterOS configuration, here I will provide the RouterOS configuration In GNS3 the Mikrotik boot empty, and there is no configuration, no bridges and no port assignments.<\/p>\n\n\n\n
First, we need to create the bridge<\/strong><\/p>\n\n\n\n
\n\/interface bridge\nadd frame-types=admit-only-vlan-tagged name=main vlan-filtering=yes\n<\/code><\/pre>\n\n\n\nWhere<\/p>\n\n\n\n
- \n
- frame-types specifies allowed ingress frame types on a bridge port. This property only has an effect when vlan-filtering is set to yes.<\/li>\n\n\n\n
- name is the nameof the bridge<\/li>\n\n\n\n
- vlan-filtering=yes .. enable VLAN functionality<\/li>\n<\/ul>\n\n\n\n
To verify it type print<\/strong><\/p>\n\n\n\n
[admin@MikroTik] \/interface\/bridge> print<\/strong>\nFlags: X - disabled, R - running\n0 R name=\"main\" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto\nmac-address=0C:12:B3:7C:00:00 protocol-mode=rstp fast-forward=yes igmp-snooping=no\nauto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s\ntransmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1\nframe-types=admit-only-vlan-tagged ingress-filtering=yes dhcp-snooping=no<\/code><\/pre>\n\n\n\nNow we create VLANs<\/strong><\/p>\n\n\n\n
\/interface vlan\nadd name=Home interface=main vlan-id=10\nadd name=IoT interface=main vlan-id=20\nadd name=MGMT interface=main vlan-id=99<\/code><\/pre>\n\n\n\nVerification<\/p>\n\n\n\n
[admin@MikroTik] \/interface\/vlan> print\nFlags: R - RUNNING\nColumns: NAME, MTU, ARP, VLAN-ID, INTERFACE\n# NAME MTU ARP VLAN-ID INTERFACE\n0 R Home 1500 enabled 10 main\n1 R IoT 1500 enabled 20 main\n2 R MGMT 1500 enabled 99 main\n<\/code><\/pre>\n\n\n\nNow we specify which kind of frames the port accepts or what it will do when will send frame out. Each bridge port have multiple VLAN related settings.<\/p>\n\n\n\n
Ether1 as the trunk port accepts only tagged frames or in opposite, it send out frames properly tagged. Port ether 2 accept untagged frames which in ingress processing will be assigned to VLAN defined by pvid property. Or, port accept also frames tagged with correct VLAN ID (i.e. VLAN ID to which it belongs and which may also contain QoS Class of Service tag|) here it is VLAN ID 10 here. Similarly we configure ether 3 port for VLAN 20.<\/p>\n\n\n\n
\/interface bridge port\nadd bridge=main interface=ether1 frame-types=admit-only-vlan-tagged\nadd bridge=main interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged\nadd bridge=main interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged<\/code><\/pre>\n\n\n\nto verify type<\/p>\n\n\n\n
admin@MikroTik] \/interface\/bridge\/port> print\n<\/strong>\nColumns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON\n# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON\n0 ether1 main yes 1 0x80 10 10 none\n1 ether2 main yes 10 0x80 10 10 none\n2 ether3 main yes 20 0x80 10 10 none<\/code><\/pre>\n\n\n\nFinaly, we specify the trunk port processing. From the Mikrotik perspective we define, that ether1 port (that have defined frame-types=admit-only-vlan-tagged) in egress processing will set correct VLAN tag as is defined on tagged access ports.<\/p>\n\n\n\n
\/interface bridge vlan\nadd bridge=main tagged=ether1 vlan-ids=10\nadd bridge=main tagged=ether1 vlan-ids=20\nadd bridge=main tagged=ether1,main vlan-ids=99\n<\/code><\/pre>\n\n\n\nVerification<\/p>\n\n\n\n
admin@MikroTik] \/interface\/bridge\/vlan> print\nColumns: BRIDGE, VLAN-IDS\n# BRIDGE VLAN-IDS\n0 main 10\n1 main 20\n2 main 99<\/code><\/pre>\n\n\n\nNow we specify the IP address of the bridge to be able manage it over IP connection. This has nothing with VLANs and trunking. <\/p>\n\n\n\n
\/ip address\nadd address=10.1.99.2\/24 interface=MGMT<\/code><\/pre>\n\n\n\nand finally add the default route<\/p>\n\n\n\n
\/ip route add dst-address=0.0.0.0\/0 gateway=10.1.99.1\n\n[admin@MikroTik] \/ip\/address> print\nColumns: ADDRESS, NETWORK, INTERFACE\n# ADDRESS NETWORK INTERFACE\n0 10.1.99.2\/24 10.1.99.0 MGMT<\/code><\/pre>\n\n\n\nFinal config should looks like<\/p>\n\n\n\n
[admin@MikroTik] > export\n# 2023-12-05 19:41:23 by RouterOS 7.12.1\n# software id =\n#\n\/interface bridge\nadd frame-types=admit-only-vlan-tagged name=main vlan-filtering=yes\n\/interface vlan\nadd interface=main name=Home vlan-id=10\nadd interface=main name=IoT vlan-id=20\nadd interface=main name=MGMT vlan-id=99\n\/interface bridge port\nadd bridge=main frame-types=admit-only-vlan-tagged interface=ether1\nadd bridge=main frame-types=admit-only-untagged-and-priority-tagged interface=ether2 \\\n pvid=10\nadd bridge=main frame-types=admit-only-untagged-and-priority-tagged interface=ether3 \\\n pvid=20\n\/interface bridge vlan\nadd bridge=main tagged=ether1 vlan-ids=10\nadd bridge=main tagged=ether1 vlan-ids=20\nadd bridge=main tagged=ether1,main vlan-ids=99\n\/ip address\nadd address=10.1.99.2\/24 interface=MGMT network=10.1.99.0\n\/ip dhcp-client\n# DHCP client can not run on slave or passthrough interface!\nadd interface=ether1\n\/ip route\nadd dst-address=0.0.0.0\/0 gateway=10.1.99.1\n\/system note\nset show-at-login=no\n<\/code><\/pre>\n\n\n\nFinal verification using ping<\/h3>\n\n\n\n
From PC1<\/p>\n\n\n\n
\nPC1> ping 10.1.10.1\n\n84 bytes from 10.1.10.1 icmp_seq=1 ttl=255 time=60.166 ms\n84 bytes from 10.1.10.1 icmp_seq=2 ttl=255 time=16.222 ms\n84 bytes from 10.1.10.1 icmp_seq=3 ttl=255 time=5.646 ms\n^C\nPC1> ping 1.1.1.1\n\n84 bytes from 1.1.1.1 icmp_seq=1 ttl=50 time=20.098 ms\n84 bytes from 1.1.1.1 icmp_seq=2 ttl=50 time=16.590 ms\n84 bytes from 1.1.1.1 icmp_seq=3 ttl=50 time=15.860 ms\n^C\n\nPC1> ping 10.1.20.2\n\n84 bytes from 10.1.20.2 icmp_seq=1 ttl=63 time=48.422 ms\n84 bytes from 10.1.20.2 icmp_seq=2 ttl=63 time=16.633 ms\n84 bytes from 10.1.20.2 icmp_seq=3 ttl=63 time=16.966 ms\n^C\n\n\nPC1> ping 10.1.99.1\n\n84 bytes from 10.1.99.1 icmp_seq=1 ttl=255 time=6.143 ms\n84 bytes from 10.1.99.1 icmp_seq=2 ttl=255 time=6.243 ms\n^C\n\nPC1> ping 10.1.99.2\n\n84 bytes from 10.1.99.2 icmp_seq=1 ttl=63 time=19.523 ms\n84 bytes from 10.1.99.2 icmp_seq=2 ttl=63 time=16.822 ms\n84 bytes from 10.1.99.2 icmp_seq=3 ttl=63 time=16.655 ms\n^C\n<\/code><\/pre>","protected":false},"excerpt":{"rendered":"In this article, I will set up a simple LAN network consisting of two PCs, one Mikrotik box that acts as a L2 LAN switch, and one Cisco router that connects everything to the internet using NAT. PCs and Mikrotik switch are in the separate VirtualLANs (VLANs). My VLAN definition is: Devices addresses: Mikrotik resources…<\/p>","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1625,1502],"tags":[],"class_list":["post-6472","post","type-post","status-publish","format-standard","hentry","category-practical_-_cisco-en-en","category-prcatical-mikrotik"],"taxonomy_info":{"category":[{"value":1625,"label":"Practical - Cisco"},{"value":1502,"label":"Practical \u2013 Mikrotik"}]},"featured_image_src_large":false,"author_info":{"display_name":"palo73","author_link":"https:\/\/nil.uniza.sk\/en\/author\/palo73\/"},"comment_info":9,"category_info":[{"term_id":1625,"name":"Practical - Cisco","slug":"practical_-_cisco-en-en","term_group":0,"term_taxonomy_id":1623,"taxonomy":"category","description":"","parent":0,"count":1,"filter":"raw","cat_ID":1625,"category_count":1,"category_description":"","cat_name":"Practical - Cisco","category_nicename":"practical_-_cisco-en-en","category_parent":0},{"term_id":1502,"name":"Practical \u2013 Mikrotik","slug":"prcatical-mikrotik","term_group":0,"term_taxonomy_id":1500,"taxonomy":"category","description":"","parent":0,"count":2,"filter":"raw","cat_ID":1502,"category_count":2,"category_description":"","cat_name":"Practical \u2013 Mikrotik","category_nicename":"prcatical-mikrotik","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/6472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=6472"}],"version-history":[{"count":1,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/6472\/revisions"}],"predecessor-version":[{"id":7208,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/6472\/revisions\/7208"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=6472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=6472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=6472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- VLANs: https:\/\/help.mikrotik.com\/docs\/display\/ROS\/VLAN<\/a><\/li>\n\n\n\n
- Bridging and Switching: https:\/\/help.mikrotik.com\/docs\/display\/ROS\/Bridging+and+Switching<\/a><\/li>\n\n\n\n