
Setting up VLANs on MikroTik together with Cisco

As it turned out, neither the official documentation nor active googling gave a clear understanding or a working result for configuring VLANs, especially in conjunction with the Cisco SG200.

Need to configure:


Two separate subnets within the device, each attached to its own VLAN (51 or 66) and with Internet access.
One separate network for telephony, where the VLAN (16) is already set explicitly on the phones.
Firewall configuration will not be covered in detail.


Given:


Model: MikroTik 951G-2HnD
Port1: Cable from the Cisco SG200, carrying VLANs 40U, 16T, 51T, 66T (U = untagged, T = tagged)
Port2: Connected directly to the outlet for the first subnet
Port3: Connected directly to the outlet for the first subnet
Port4, Port5: Empty
WifiAP1: Must belong to the first subnet
WifiAP2: Must belong to the second subnet

How it works:


A VLAN is present on a port when an interface of type "vlan" is created with that port specified as its master. Traffic that passes through the main port itself is treated as UNTAGGED; traffic that passes through the "vlan" interface is TAGGED. The bridges are created accordingly.

Setup:


1. For Port1, we create 3 "vlan" type interfaces with VLAN IDs 16, 51 and 66. We call them Port1-VLAN16, Port1-VLAN51 and Port1-VLAN66, respectively.
2. We send the route 0.0.0.0/0 to Port1; this will be the Internet access.
3. Since phones will be connected alongside computers to the unmanaged switches on Port2 and Port3, we create vlan interfaces with VLAN ID 16 on these ports. We call them Port2-VLAN16 and Port3-VLAN16, respectively.
4. Create the Bridge-VLAN16 bridge. We add the Port1-VLAN16, Port2-VLAN16 and Port3-VLAN16 interfaces to it. Telephony now works.
5. Set up a wifi access point. Call it Wifi0. We do not specify a vlan id in its parameters.
6. Add a new interface of type "Virtual AP". Call it Wifi1. We do not specify a vlan id in its parameters.
7. Create the Bridge-VLAN66 bridge. We add the interfaces Port1-VLAN66, Port2, Port3 and Wifi0 to it. Since the devices in this subnet know nothing about VLANs, their packets arrive on the "bare" port untagged, are tagged automatically when they go out into VLAN66, and become untagged again when they come from it. On this bridge we hang DHCP, NAT, Internet access, etc.
8. Create the Bridge-VLAN51 bridge. We add the interfaces Port1-VLAN51 and Wifi1 to it. The packet handling is similar. Add DHCP and firewall rules to taste.
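
The steps above written out as RouterOS commands, as an added example rather than the author's own configuration. It assumes RouterOS v6 with the default configuration removed and the stock interface names ether1-ether3 and wlan1; the SSIDs, the security profile and its key are placeholders that are not on the page.

```routeros
# Added example, not the author's export. Assumed: RouterOS v6, no default
# configuration, stock names ether1-ether3 / wlan1 renamed to the page's names.
/interface ethernet
set [find default-name=ether1] name=Port1
set [find default-name=ether2] name=Port2
set [find default-name=ether3] name=Port3

# Steps 1 and 3: "vlan" interfaces carry the TAGGED traffic of their master
# port; traffic on the master port itself stays UNTAGGED.
/interface vlan
add name=Port1-VLAN16 interface=Port1 vlan-id=16
add name=Port1-VLAN51 interface=Port1 vlan-id=51
add name=Port1-VLAN66 interface=Port1 vlan-id=66
add name=Port2-VLAN16 interface=Port2 vlan-id=16
add name=Port3-VLAN16 interface=Port3 vlan-id=16

# Step 2: default route sent to Port1, as the page describes.
/ip route
add dst-address=0.0.0.0/0 gateway=Port1

# Steps 5-6: physical AP plus a Virtual AP, no vlan id on either.
# Placeholder WPA2 profile (assumption) so neither SSID is left open.
/interface wireless security-profiles
add name=psk-placeholder mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="REPLACE-WITH-REAL-KEY"
/interface wireless
set [find default-name=wlan1] name=Wifi0 mode=ap-bridge ssid=ssid-vlan66 \
    security-profile=psk-placeholder disabled=no
add name=Wifi1 master-interface=Wifi0 mode=ap-bridge ssid=ssid-vlan51 \
    security-profile=psk-placeholder disabled=no

# Steps 4, 7, 8: one bridge per VLAN.
/interface bridge
add name=Bridge-VLAN16
add name=Bridge-VLAN66
add name=Bridge-VLAN51
/interface bridge port
add bridge=Bridge-VLAN16 interface=Port1-VLAN16
add bridge=Bridge-VLAN16 interface=Port2-VLAN16
add bridge=Bridge-VLAN16 interface=Port3-VLAN16
add bridge=Bridge-VLAN66 interface=Port1-VLAN66
add bridge=Bridge-VLAN66 interface=Port2
add bridge=Bridge-VLAN66 interface=Port3
add bridge=Bridge-VLAN66 interface=Wifi0
add bridge=Bridge-VLAN51 interface=Port1-VLAN51
add bridge=Bridge-VLAN51 interface=Wifi1
```

DHCP, NAT and firewall rules are left out here, as on the page; without forward-chain filter rules the router will route between the three bridges.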

Enjoy.

Source: https://habr.com/ru/post/282233/

