How to configure vlan on mikrotik and cisco ? | Batna24.com

VLAN configuration on Mikrotik and Cisco devices

A short step-by-step guide showing how to configure VLAN networks based on Mikrotik and Cisco devices. As our main router, we will use a very powerful Mikrotik RB4011IGS+RM unit, while the switch function will be performed by Cisco SF350-24. Before we start to configure the devices, it's time for some theory.

WAN | LAN | NAT

Our home networks are usually configured in such a way that we have one local network LAN and access to the public network through the WAN port. It is obvious that through the WAN port our ISP gives us access to Internet. Our home router uses a mechanism for translating addresses and ports from our LAN to an external network (Internet). And this functionality is called NAT (Network Address Translation). Generally, to make such a network, a router equipped with two Ethernet ports and several switch ports is enough.
The situation changes dramatically when we need to use more networks than just LAN and WAN. For example, if we would like to divide the network in our workplace into several sections, e.g. DIVISION_IT and BOOKING, we also have a WWW server in the network and would like to access it from outside.
LAN diagram Kliknij aby powiększyć!
In this guide we assume the following networks:
  • WAN - Internet access link (public address: 10.0.0.0/29)
  • DZIAL_IT (address: 192).168.10.0.0/24 VLAN tag: 10)
  • KSIEGOWOSC (address: 192.168.20.0/24 VLAN tag: 20)
  • DMZ_SERWER_WWW (address: 192.168.30.0/24 VLAN tag: 30)

. For all subnetworks our router will assign IP addresses using DHCP_SERVERVER.
In this situation, there can be a big problem if our router has for example only two physical ports and we are not able to divide the network according to our assumptions. And in this situation we are helped by VLANs (Virtual Local Area Network).

How does the VLAN work?

In short, VLAN is a mechanism that enables logical division of networks (segmentation) and aggregation of different networks (broadcast domains) within one physical port. According to this assumption, we can configure the connection between the router and the switch in such a way that several networks (BOOK, ACTION_IT, DMZ) are available on one physical port of the router and switch. The principle of VLANs is also very simple. Every Ethernet frame receives a unique identifier called VLAN TAG. The identifier indicates which subnet the packet belongs to. VLAN TAG is simply a number from 0 to 4096, which is assigned by the network administrator. The switch must remove the identifier on the ports to which terminal devices such as printers, telephones, IP telephones, etc. are connected. Such port is called ACCESS. Using VLAN mechanism has many advantages:
  • Less cables! We save the number of physical ports on routers and
  • switches. Division into subnets makes it easier to manage the firewall policy
  • With VPN you can connect multiple branches of a company that has multiple LANs
  • No need to use a separate switch for each of the supported subnets.

MicroTik router configuration

Well, let's start setting up. First we will configure our main Mikrotik RB4011IGS+RM router.

1. microTics reset to default configuration
Default configuration Kliknij aby powiększyć!
2. WAN port address (ether1)
IP address: 10.0.0.2/24
Network: 10.0.0.0/24
Gateway: 10.0.0.1
IP addresses ether1 Kliknij aby powiększyć!
default gateway Kliknij aby powiększyć!
VLAN configuration Kliknij aby powiększyć!
Kliknij aby powiększyć!
VLAN addresses Kliknij aby powiększyć!
Vlan addresses_2 Kliknij aby powiększyć!
6. DHCP Server
Of course, we configure the DHCP Server in the same way as for any network: DIVISION_IT, BOOKING, DMZ_SERVER_WWW.
vlan dhcp server Kliknij aby powiększyć!
Vlan DHCP Pool Kliknij aby powiększyć!
7. Set SRCNAT for all created networks.
srcnat masquarade Kliknij aby powiększyć!
VLAN masquarade Kliknij aby powiększyć!

We must also not forget that we have a web server on our network that we want to have access to from outside.
For windows server we set the IP address 192.168.30.2.
Vlan Web Server Kliknij aby powiększyć!
DSTNAT web server Kliknij aby powiększyć!

Configuration of the Cisco switch

Once we've configured our router, we can now proceed to configure our switch. The configuration is based on Cisco SF350-24 switch. 24 RJ45 ports with 100Mbps throughput, 2 Gigabit Combo (RJ45/SFP) ports and 2 SFP fiber optic ports. SF350-24 is a powerful switch; 9.52 million packets per second (with 64-byte packets) and 12.8Gb/s switching performance. This is enough to make it work in the network presented by us.
Cisco devices are invaluable! And we must admit that the configuration of a VLAN-based network on Cisco switches is trivially simple. Below in a few steps I present the configuration of VLAN networks.

Configuration of ports

We will configure the ports on our switch as follows:
  • Ports 1-5 - VLAN 10 - DZIAL_IT
  • Ports 10-15 - VLAN 20 - BOOKSHOP
  • Ports 20-22 - VLAN 30 - DMZ_SERWER_WWW
  • Port 24 - TRUNCTION

Access to CLI through Putty

To get to the device, use the CONSOLE port, the appropriate RS323-RJ45 cable (included) and the Putty software, which of course must be properly configured.
WARNING! For managed Cisco 300 and 500 series switches, the bitrate must be set to 115200, while the COM port must be selected according to its connection to the computer.
Putty

Switch configuration - VLAN

If we have configured Putty correctly, we will get to switch. Login: cisco , password: cisco.
cisco login
Then configure the switch ports according to the previous assumptions. We will start with TRUNK port.
cisco port liquor
And of course all VLANy: DZIAL_IT (vlan 10); KSIEGOWOSC (vlan 20); DMZ_SERWER_WWW (vlan 30).
cisco vlan 10
cisco vlan 20
cisco vlan 30

Summary

And in such a quick way we managed to configure our network with division into VLANy. The whole configuration process is really easy. Both the router and the switch have been properly configured. Of course, when configuring such a network you have to remember a few important assumptions. First of all, we use very complicated passwords on each device and disable those login methods that we don't use for example Telnet. It is also worth introducing restrictions on IP/Neighbors protocol operation. Generalizing, networks based on VLANs are very secure and facilitate the management of the entire structure for each administrator. To build a network based on vlans we only need layer 2 switch (Layer2). Well, I hope this guide will be useful when designing LAN based on virtual LAN (VLAN). Applying some basic rules for network design we are able to build a very efficient and secure LAN.

For further discussion on the subject, please visit our FORUM!!!

Author:
Leszek Błaszczyk

Products

MikroTik RB4011IGS+RM | Router | 10x RJ45 1000Mb/s, 1x SFP+
MIKROTIK
Product code: RB4011IGS+RM
sentiment_very_satisfied star_border star_border star_border star_border star_border

we usually ship in 1 day: 24h

AVAILABILITY
147,37 GBP

with VAT

we usually ship in 1 day: 24h

MikroTik RB4011iGS+5HacQ2HnD-IN | WiFi Router | Dual Band 1733Mb/s, 10x RJ45 1000Mb/s, 1x SFP+
MIKROTIK
Product code: RB4011IGS+5HACQ2HND-IN
sentiment_very_satisfied star_border star_border star_border star_border star_border

we usually ship in 1 day: 24h

AVAILABILITY
183,07 GBP

with VAT

we usually ship in 1 day: 24h

MikroTik RB4011 wall mount kit | Mounting accessory | dedicated for RB4011
MIKROTIK
Product code: WMK4011
sentiment_very_satisfied star_border star_border star_border star_border star_border

we usually ship in 1 day: 24h

AVAILABILITY
8,27 GBP

with VAT

we usually ship in 1 day: 24h

Cisco SF350-24 | Switch | 24x 100Mb/s, 2x 1Gb/s Combo(RJ45/SFP)+ 2x SFP, Managed
CISCO
Product code: SF350-24-K9-EU
sentiment_very_satisfied star_border star_border star_border star_border star_border

possible availability within 7 days

AVAILABILITY
live_help
102,20 GBP

with VAT

possible availability within 7 days

Choose a different country or region to shop in the language that suits you
Our site uses cookies (so-called "cookies"). You can find more about these files, as well as about how we process your personal data, in our privacy policy.