Last updated: 2020-01-31
Basic
# Create a VLAN interface named vlan11 with VLAN id 11 and put ether2 on that VLAN
/interface vlan add interface=ether2 vlan-id=11 name=vlan11
# Assign an IP address to the VLAN interface (for management)
# network must be the network address of 10.22.0.1/24, i.e. 10.22.0.0
/ip address add address=10.22.0.1/24 interface=vlan11 network=10.22.0.0
CRS1xx/CRS2xx/CRS3xx series
bridge VLAN (new features)
Bridge VLAN filtering on non-CRS3xx
* If you use this configuration on a CRS1xx/CRS2xx series device and notice that CPU usage is very high, the VLAN filtering is being done by the CPU instead of the switch chip
(not all devices support bridge VLAN filtering at the hardware level)
Symptom: missing "H" (hw-offload) flag on the bridge port
bridge vlan
Since RouterOS v6.41 the bridge provides VLAN-aware Layer 2 forwarding and VLAN tag modification within the bridge.
Bridge VLAN table represents per-VLAN port mapping with an egress VLAN tag action.
'tagged' ports
ports send out frames with a learned VLAN ID tag. (Interface list)
'untagged' ports
remove VLAN tag before sending out frames if the learned VLAN ID matches the port pvid. (Interface list)
'hybrid' ports
A port that is a tagged member of some VLANs and an untagged member of others.
CPU port
The bridge itself is a port as well; it can be called the CPU port, since it is the port used to communicate with the device's CPU.
'vlan-ids' (integer 1..4094; Default: 1)
Under /interface bridge vlan you add entries that specify which VLANs are allowed on which ports.
(The VLAN ID is checked on the egress ports.)
The list of VLAN IDs (e.g. vlan-ids=100-115,120) that the entry's port configuration applies to.
VLAN Table
tagged ports send out frames with a learned VLAN ID tag.
untagged ports remove VLAN tag before sending out frames if the learned VLAN ID matches the port pvid.
pvid (1..4094; Default: 1)
Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to.
It applies e.g. to frames sent from bridge IP and destined to a bridge port.
Configure VLAN per port (Port Based VLAN)
CRS3xx series switches
/interface bridge
vlan-filtering
"no": the bridge ignores VLAN tags, works in shared-VLAN-learning (SVL) mode and cannot modify the VLAN tags of packets.
"yes": turning on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode.
* Note: PVID has no effect until VLAN filtering is enabled.
i.e. the following example only works on CRS3xx series switches
[1]
/interface bridge
add name=vlan_bridge
[2]
/interface bridge port
# Clear the default comment
set [find comment=defconf] comment=""
# Add the ports that are in use to the VLAN bridge
add bridge=vlan_bridge interface=ether1 hw=yes pvid=11
add bridge=vlan_bridge interface=ether2 hw=yes pvid=11
...
add bridge=vlan_bridge interface=ether5 hw=yes pvid=12
add bridge=vlan_bridge interface=ether6 hw=yes pvid=12
...
add bridge=vlan_bridge interface=ether23 hw=yes
add bridge=vlan_bridge interface=ether24 hw=yes
Remark
If the port is already a bridge port (so add is not possible), use set instead:
set numbers=0 bridge=vlan_bridge
OR
set [find interface=ether2] bridge=vlan_bridge
[3]
# trunk port: ether23,ether24; access port: ether1 ...
/interface bridge vlan
add bridge=vlan_bridge tagged=ether23,ether24 untagged=ether1,ether2,ether3,ether4 vlan-ids=11
add bridge=vlan_bridge tagged=ether23,ether24 untagged=ether5,ether6,ether7,ether8 vlan-ids=12
add bridge=vlan_bridge tagged=ether23,ether24 untagged=ether9,ether10,ether11,ether12 vlan-ids=13
[4]
/interface bridge> set vlan_bridge vlan-filtering=yes
Checking
/interface bridge
 0 X ;;; defconf
     name="bridge" mtu=auto arp=enabled arp-timeout=auto mac-address=74:4D:28:62:1E:70 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=74:4D:28:62:1E:70 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes pvid=1
 1 R name="vlan_bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=74:4D:28:62:1E:70 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
/interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #       INTERFACE  BRIDGE       HW   PVID PR  PATH-COST INTERNA... HORIZON
 0 I   H ether1     vlan_bridge  yes    11 0x         10         10 none
 1 I   H ether2     vlan_bridge  yes    11 0x         10         10 none
 2     H ether3     vlan_bridge  yes    11 0x         10         10 none
 3     H ether4     vlan_bridge  yes    11 0x         10         10 none
 4 I   H ether5     vlan_bridge  yes    12 0x         10         10 none
 5 I   H ether6     vlan_bridge  yes    12 0x         10         10 none
...
12     H ether23    vlan_bridge  yes     1 0x         10         10 none
13 I   H ether24    vlan_bridge  yes     1 0x         10         10 none
/interface bridge vlan> print   # to see the configured values use "print terse"
Flags: X - disabled, D - dynamic
 #   BRIDGE       VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
 0   vlan_bridge  99       ether23        vlan_bridge
 1   vlan_bridge  13       ether23        ether9        # <- only ports that are running are shown
 2 D vlan_bridge  1        vlan_bridge    ether23
 3   vlan_bridge  11       ether23        ether3
 4   vlan_bridge  12       ether23
* only takes effect after vlan-filtering=yes
/interface bridge vlan> print value-list
Trunk port
Since you are expecting that the trunk port is only supposed to receive tagged traffic (i.e. it should only receive VLAN20/VLAN30),
but no untagged traffic, then you can use ingress-filtering along with frame-type to filter out unwanted packets,
but in order to fully understand the behavior of ingress filtering, we must first understand the details of management access.
Management VLAN
Allowing access to the device using untagged traffic is not considered good security practice;
a much better way is to allow access to the device only over a specific VLAN, sometimes called the management VLAN (e.g. VLAN99).
This adds a significant layer of security, since an attacker must guess the VLAN ID that is being used for management purposes.
Even though you can limit the allowed VLANs and packet types on a port,
it is never good security practice to allow access to a device through access ports,
since an attacker could sniff packets and extract the management VLAN's ID;
you should only allow access to the device from the trunk port (ether1), since trunk ports usually have better physical security.
frame-types (applies to ingress and egress traffic)
limits the allowed packet types (tagged, untagged, both),
but for frame-types to work properly, ingress-filtering must be enabled
(otherwise it has no effect)
i.e.
/interface bridge port
set [find where interface=ether23] ingress-filtering=yes frame-types=admit-only-vlan-tagged
set [find where interface=ether1] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
If admit-only-vlan-tagged is used on a port, then the port is not dynamically added as an untagged port for its PVID.
Always try to use ingress-filtering wherever it is possible, it adds a significant layer of security.
Management VLAN
/ip address
/ip address> set [find comment=defconf] comment=""
/ip address> set [find interface=vlan_bridge] address=192.168.1.2/24
/ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS          NETWORK      INTERFACE
 0   ;;; defconf
     192.168.1.2/24   192.168.1.0  vlan_bridge
/interface bridge> set vlan_bridge pvid=99
/interface bridge> print
1 R name="vlan_bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=74:4D:28:62:1E:70 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes pvid=99
/interface bridge vlan> add bridge=vlan_bridge vlan-ids=99 tagged=ether23,ether24 untagged=vlan_bridge,ether21,ether22
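As an added example (not part of the original notes, and not RouterOS code), the following Python script reads a bridge configuration in `/export` style and flags the pitfalls described on this page: vlan-filtering left off (pvid and the VLAN table have no effect), ports with hw=no (no "H" flag, so the CPU switches the frames), trunk or access ports without ingress-filtering or with a looser frame-types setting than the one shown above, and access ports that are untagged members of the management VLAN (the bridge's own pvid). The sample export embedded in the script is constructed for this example and intentionally contains those mistakes; the section paths and parameter names are the ones used on this page.

```python
"""Audit a RouterOS bridge-VLAN configuration (export-style text) for the
pitfalls described on this page. Added example, not RouterOS code."""
import re
from collections import defaultdict

# Constructed sample in /export style (not captured from a real switch).
# It deliberately contains several of the mistakes the checks look for.
SAMPLE_EXPORT = """\
/interface bridge
add name=vlan_bridge vlan-filtering=yes pvid=99
/interface bridge port
add bridge=vlan_bridge interface=ether1 hw=yes pvid=11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=vlan_bridge interface=ether2 hw=yes pvid=11
add bridge=vlan_bridge interface=ether21 hw=no pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=vlan_bridge interface=ether23 hw=yes ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=vlan_bridge interface=ether24 hw=yes ingress-filtering=yes
/interface bridge vlan
add bridge=vlan_bridge tagged=ether23,ether24 untagged=ether1,ether2 vlan-ids=11
add bridge=vlan_bridge tagged=ether23,ether24 untagged=vlan_bridge,ether21 vlan-ids=99
"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Map each '/path' section to the list of key=value dicts of its 'add' lines."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            sections[current].append(
                {k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return sections


def expand_ids(spec):
    """Expand a vlan-ids value such as '100-115,120' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_bridge_vlans(text):
    """Return a list of human-readable findings (an empty list means clean)."""
    cfg = parse_export(text)
    findings = []
    bridges = {b["name"]: b for b in cfg["/interface bridge"]}
    ports = {p["interface"]: p for p in cfg["/interface bridge port"]}

    # pvid and the bridge VLAN table do nothing until vlan-filtering=yes
    for name, b in bridges.items():
        if b.get("vlan-filtering", "no") != "yes":
            findings.append(f"{name}: vlan-filtering=no, pvid and VLAN table have no effect")

    # Build port -> VLAN membership from the bridge VLAN table
    tagged_on, untagged_on = defaultdict(set), defaultdict(set)
    for v in cfg["/interface bridge vlan"]:
        ids = expand_ids(v["vlan-ids"])
        for p in filter(None, v.get("tagged", "").split(",")):
            tagged_on[p] |= ids
        for p in filter(None, v.get("untagged", "").split(",")):
            untagged_on[p] |= ids
    trunk_ports = {p for p in tagged_on if p not in bridges}  # exclude the CPU port

    for p in sorted(ports):
        pc = ports[p]
        if pc.get("hw", "yes") != "yes":
            findings.append(f"{p}: hw=no, frames are switched by the CPU (no H flag)")
        if pc.get("ingress-filtering", "no") != "yes":
            findings.append(f"{p}: ingress-filtering=no, frame-types has no effect")
            continue
        ft = pc.get("frame-types", "admit-all")  # admit-all is the RouterOS default
        if p in trunk_ports and p not in untagged_on and ft != "admit-only-vlan-tagged":
            findings.append(f"{p}: trunk port admits {ft}, expected admit-only-vlan-tagged")
        if p in untagged_on and p not in trunk_ports and ft != "admit-only-untagged-and-priority-tagged":
            findings.append(f"{p}: access port admits {ft}, expected admit-only-untagged-and-priority-tagged")

    # The bridge's own pvid is the management VLAN (the CPU port is untagged there);
    # it should reach the CPU only through trunk ports, never through an access port.
    for name, b in bridges.items():
        mgmt = int(b.get("pvid", "1"))
        for p, ids in untagged_on.items():
            if p != name and p not in trunk_ports and mgmt in ids:
                findings.append(f"{p}: access port is an untagged member of management VLAN {mgmt}")
    return findings


if __name__ == "__main__":
    for finding in audit_bridge_vlans(SAMPLE_EXPORT):
        print(finding)
```

Feeding the output of `/export` from a real device to `audit_bridge_vlans` gives the same kind of report. Note that `hw=yes` in an export only records what was requested; whether the switch chip actually took the port is shown by the "H" flag in `/interface bridge port print`, so the hw check complements, rather than replaces, looking at that flag.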