Manual:Interface/VLAN
From MikroTik Wiki
Applies to RouterOS: v3, v4+
Contents
1 Summary
2 802.1Q
3 Q-in-Q
4 Properties
5 Setup examples
5.1 Layer2 VLAN examples
5.1.1 Port based VLAN tagging #1 (Trunk and Access ports)
5.1.2 Port based VLAN tagging #2 (Trunk and Hybrid ports)
5.2 Layer3 VLAN examples
5.2.1 Simple VLAN routing
5.2.2 InterVLAN routing
5.3 RouterOS /32 and IP unnumbered addresses
Summary
/interface vlan
Standards: IEEE 802.1Q (http://standards.ieee.org/getieee802/download/802.1Q-1998.pdf)
Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a single physical interface
(ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark packets with a VLAN tag as well as to
accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN
successfully passes through regular Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that
as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and
recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while
wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless
interface in station mode bridged with any other interface.
802.1Q
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a standardized encapsulation protocol that
defines how to insert a four-byte VLAN identifier into the Ethernet header (see Figure 12.1).
1 of 8 10/6/2017, 3:56 PM
Manual:Interface/VLAN - MikroTik Wiki https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN
Each VLAN is treated as a separate subnet. This means that by default, a host in a specific VLAN cannot communicate with a
host that is a member of another VLAN, even though they are connected to the same switch. So if you want inter-VLAN
communication, you need a router. RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per
interface. VLAN priorities may also be used and manipulated.
When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged
to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries
tagged packets between switches or between a switch and router.
Q-in-Q
Original 802.1Q allows only one VLAN header. Q-in-Q, on the other hand, allows two or more VLAN headers. In RouterOS,
Q-in-Q can be configured by adding one VLAN interface over another. Example:
/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over the 'vlan2' interface, two VLAN tags will be added to the Ethernet header: '11' and '12'.
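The tag stack described above, read back from raw frame bytes. This is an added example, not code from the MikroTik manual: `build_frame` and `parse_vlan_stack` are hypothetical helper names, and the sample frame is constructed on the assumption that both tags use TPID 0x8100.

```python
import struct

# Tag protocol identifiers: 0x8100 is 802.1Q, 0x88A8 is the 802.1ad service tag.
TPIDS = (0x8100, 0x88A8)

def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed test frame; tags is a list of (vid, pcp), outermost first."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
    stack = b"".join(struct.pack("!HH", 0x8100, (pcp << 13) | vid) for vid, pcp in tags)
    return dst + src + stack + struct.pack("!H", ethertype) + payload

def parse_vlan_stack(frame):
    """Return (tags, ethertype, header_len); tags are dicts, outermost first."""
    offset, tags = 12, []            # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TPIDS:
            return tags, etype, offset + 2
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype,
                     "pcp": tci >> 13,          # 3-bit priority
                     "dei": (tci >> 12) & 1,    # drop eligible indicator
                     "vid": tci & 0x0FFF})      # 12-bit VLAN ID
        offset += 4                  # one tag = 2-byte TPID + 2-byte TCI

# Constructed sample (assumption: TPID 0x8100 on both tags): a packet sent over
# 'vlan2' from the Q-in-Q example, with outer tag 11 and inner tag 12.
QINQ_FRAME = build_frame([(11, 0), (12, 0)])
```

The returned header length is 14 bytes for an untagged frame and grows by 4 bytes per tag, so a receiver or capture filter that expects a single tag can compare the length of the tag list against what the port is configured to carry.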
Properties
Property | Description
interface (name; Default: ) | Name of physical interface on top of which VLAN will work
l2mtu (integer; Default: ) | Layer2 MTU. For VLANs this value is not configurable.
vlan-id (integer: 4095; Default: 1) | Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN.
Note: MTU should be set to 1500 bytes, the same as on Ethernet interfaces. However, this may not work with some Ethernet cards
that do not support receiving/transmitting full-size Ethernet packets with the VLAN header added (1500 bytes data + 4
bytes VLAN header + 14 bytes Ethernet header). In this situation MTU 1496 can be used, but note that this will cause
packet fragmentation if larger packets have to be sent over the interface. Also remember that MTU 1496 may
cause problems if path MTU discovery is not working properly between source and destination.
Setup examples
VLANs in a MikroTik environment are also described here: VLANs with bridging (http://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment)
Layer2 VLAN examples
Port based VLAN tagging #1 (Trunk and Access ports)
Add necessary VLAN interfaces on the ethernet interface to make it a VLAN trunk port
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
add interface=ether2 name=eth2-vlan300 vlan-id=300
add interface=ether2 name=eth2-vlan400 vlan-id=400
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
Add VLAN interfaces to their corresponding bridges and ethernet interfaces where untagged traffic is necessary
Port based VLAN tagging #2 (Trunk and Hybrid ports)
Add necessary VLAN interfaces on the ethernet interfaces to make them VLAN trunk ports
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
add interface=ether2 name=eth2-vlan300 vlan-id=300
add interface=ether2 name=eth2-vlan400 vlan-id=400
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
Add VLAN interfaces to their corresponding bridges and ethernet interfaces where untagged traffic is necessary
Layer3 VLAN examples
Simple VLAN routing
Let's assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer
device (if there is a hub between routers, then from the L3 point of view it is the same as an Ethernet cable connection
between them). For simplification, assume that all routers are connected to the hub using the ether1 interface and have been assigned
IP addresses as illustrated in the figure below. Then on each of them the VLAN interface is created.
R2:
R4:
R2:
[admin@MikroTik] ip address>
R4:
[admin@MikroTik] ip address>
At this point it should be possible to ping router R4 from router R2 and vice versa:
"From R4 to R2:"
To verify that the VLAN setup is working properly, try to ping R1 from R2. If the pings time out, then the VLANs are successfully
isolated.
"From R2 to R1:"
InterVLAN routing
If separate VLANs are implemented on a switch, then a router is required to provide communication between VLANs. A switch
works at OSI layer 2, so it uses only the Ethernet header to forward frames and does not check the IP header. For this reason we must use
a router that works as a gateway for each VLAN. Without a router, a host is unable to communicate outside of its own
VLAN. The routing process between VLANs described above is called inter-VLAN communication.
To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three VLANs (VLAN2, VLAN3 and
VLAN4) across a single link between a MikroTik router and a manageable switch that supports VLAN trunking.
Each VLAN has its own separate subnet (broadcast domain), as shown in the figure above:
VLAN 2 – 10.10.20.0/24;
VLAN 3 – 10.10.30.0/24;
VLAN 4 – 10.10.40.0/24.
VLAN configuration on most switches is straightforward. Basically, we need to define which ports are members of the VLANs
and define a 'trunk' port that can carry tagged frames between the switch and the router.
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4
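A consistency check for the router configuration above, as an added example that is not part of the MikroTik manual. `parse_export` and `audit` are hypothetical helpers, and the three checks are assumptions about what is worth verifying on a trunk that acts as the gateway for several VLANs: a vlan-id reused on the same parent interface, overlapping subnets, and a VLAN interface left without a gateway address.

```python
import ipaddress
import shlex

# The router configuration from this section, embedded so the audit runs offline.
CONFIG = """\
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4
"""

def parse_export(text):
    """Group 'add key=value ...' lines under the menu path that precedes them."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = (kv.split("=", 1) for kv in shlex.split(line)[1:] if "=" in kv)
            current.append(dict(pairs))
    return menus

def audit(text):
    """Return findings (hypothetical checks): tag reuse, subnet overlap, missing gateway."""
    menus = parse_export(text)
    findings, tags, nets, addressed = [], {}, [], set()
    for v in menus.get("/interface vlan", []):
        key = (v["interface"], v["vlan-id"])
        if key in tags:
            findings.append(f"{v['name']}: vlan-id {key[1]} already used on {key[0]} by {tags[key]}")
        tags.setdefault(key, v["name"])
    for a in menus.get("/ip address", []):
        net = ipaddress.ip_interface(a["address"]).network
        findings += [f"{a['interface']}: {net} overlaps {name} {other}"
                     for name, other in nets if net.overlaps(other)]
        nets.append((a["interface"], net))
        addressed.add(a["interface"])
    for v in menus.get("/interface vlan", []):
        if v["name"] not in addressed:
            findings.append(f"{v['name']}: no gateway address, hosts cannot leave this VLAN")
    return findings
```

`audit(CONFIG)` returns an empty list for the configuration as written; each finding string names the VLAN interface it concerns.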
RouterOS /32 and IP unnumbered addresses
In RouterOS, to create a point-to-point tunnel with addresses, you have to use an address with a network mask of '/32', which
effectively gives you the same features as some vendors' unnumbered IP addresses.
There are two routers, RouterA and RouterB, which are part of networks 10.22.0.0/24 and 10.23.0.0/24 respectively. These
routers are connected using VLANs as a carrier with the following configuration:
RouterA:
RouterB: