Computer networks
Mikhail Vorobyov, 2016-09-30 15:09:12

How to divide a network into subnets using VLAN in Mikrotik?

Good afternoon! I had the task of splitting a network: separating the video surveillance from the users. There is a Mikrotik RB2011 and two switches, a JG538A for users (192.168.24.0) and a JG539A for cameras (192.168.25.0). I split it as follows:
Port 5 was detached from the master port, a new bridge was created, port 5 was put into it, an IP address was assigned to the bridge and DHCP (192.168.25.0) was brought up on it. In the route rules I restricted traffic between these networks.
The question is: what is the fundamental difference from VLAN separation, and what comments do you have on my example? Please show an example with VLANs for my task, preferably two examples (access and trunk) for the user ports.


3 answer(s)
Ilyas, 2016-09-30
@id2669099

As I understood it, these are HP switches and they are managed.
I would do it like this:
create 3 VLANs:
- one for equipment management, so that both switches are managed from the same network;
- the second is the network for users;
- the third is for video.
With VLANs you divide your network into logical networks, that is, from one VLAN you will not have access to another once you set the appropriate rules in the firewall.
Accordingly, on the Mikrotik configure trunks on the ports that go to the switches, and on the client ports of the switches configure access, because the clients and cameras are not VLAN-aware.
As a result, all traffic arriving on the end ports is automatically wrapped into the VLAN you specify for the access port.
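
A worked RouterOS configuration for the three-VLAN design this answer describes, added here as an illustration; it is not part of Ilyas's post. It assumes RouterOS 6.41 or newer, where VLANs are handled by bridge VLAN filtering (on the 6.3x firmware an RB2011 shipped with in 2016 the same design is built in the switch-chip VLAN table instead), and it invents the port map and VLAN numbers: ether2 is the uplink to the JG538A (users), ether3 the uplink to the JG539A (cameras), ether4 a user PC plugged straight into the router as an access port, ether5 a camera plugged straight into the router, VLAN 10 users, VLAN 20 cameras, VLAN 99 management on 192.168.99.0/24. The two user/camera address ranges are the ones from the question; the DHCP pool ranges are made up.

```routeros
# Added example, not from the original thread. RB2011, RouterOS 6.41+ (bridge VLAN filtering).
# Assumed port map: ether2 -> JG538A (users), ether3 -> JG539A (cameras),
# ether4 = user PC on the router (access), ether5 = camera on the router (access).
# Assumed VLAN ids: 10 users, 20 cameras, 99 management (192.168.99.0/24).

/interface bridge
add name=bridge1 vlan-filtering=no comment="VLAN filtering is switched on as the very last step"

/interface bridge port
# trunks to the two switches: accept only tagged frames, so an untagged host on the
# uplink cannot land in whatever VLAN happens to be the pvid
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# access ports on the router itself: untagged in, tagged internally with the port's pvid;
# a tagged frame sent by a client on these ports is dropped, not honoured
add bridge=bridge1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# pruning: the user switch never receives VLAN 20 and the camera switch never receives VLAN 10;
# only the management VLAN is carried on both trunks
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether4
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether3 untagged=ether5
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether2,ether3

/interface vlan
# L3 interfaces of the router in each VLAN (bridge1 is a tagged member of all three above)
add name=vlan10-users interface=bridge1 vlan-id=10
add name=vlan20-cams interface=bridge1 vlan-id=20
add name=vlan99-mgmt interface=bridge1 vlan-id=99

/ip address
add address=192.168.24.1/24 interface=vlan10-users
add address=192.168.25.1/24 interface=vlan20-cams
add address=192.168.99.1/24 interface=vlan99-mgmt

/ip pool
add name=pool-users ranges=192.168.24.100-192.168.24.200
add name=pool-cams ranges=192.168.25.100-192.168.25.200

/ip dhcp-server
# one DHCP server per VLAN interface; the two switches get static addresses in 192.168.99.0/24
add name=dhcp-users interface=vlan10-users address-pool=pool-users disabled=no
add name=dhcp-cams interface=vlan20-cams address-pool=pool-cams disabled=no
/ip dhcp-server network
add address=192.168.24.0/24 gateway=192.168.24.1
add address=192.168.25.0/24 gateway=192.168.25.1

/ip firewall filter
# inter-VLAN policy: users and cameras may not reach each other in either direction.
# These rules must sit above any general "accept" in the forward chain.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan10-users out-interface=vlan20-cams action=drop comment="users -> cameras"
add chain=forward in-interface=vlan20-cams out-interface=vlan10-users action=drop comment="cameras -> users"
# router services: the camera VLAN gets DHCP from the router and nothing else,
# so a compromised camera cannot reach Winbox/SSH/web on the router
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan20-cams protocol=udp dst-port=67 action=accept comment="DHCP for cameras"
add chain=input in-interface=vlan20-cams action=drop comment="no router management from the camera VLAN"

/interface bridge
# last step; do this from a session that does not run over bridge1 (e.g. MAC-Winbox on a port
# outside the bridge) so that a wrong tagged/untagged list cannot lock you out
set bridge1 vlan-filtering=yes
```

On the switch side, in the switch vendor's own syntax, the uplink port to the router is a trunk that carries VLAN 10 (user switch) or VLAN 20 (camera switch) plus VLAN 99 tagged, every edge port is an access port in VLAN 10 or 20, and the switch's management address lives in 192.168.99.0/24 on VLAN 99. After applying, check `/interface bridge vlan print` for the expected membership and `/interface bridge port print` for whether the H (hardware offload) flag is still set on ether2..ether5: on some switch chips enabling vlan-filtering turns offloading off and all switched traffic then passes through the CPU, which matters on an RB2011. If an NVR in the user VLAN must reach the cameras, a single accept rule for that host, placed above the two drops, is all that changes.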

Cool Admin, 2016-09-30
@ifaustrue

If I identified the model of your hardware correctly (we are talking about the switches), they are unmanaged, which means they do not support proper separation by ports/VLANs.
In that case you don't need any VLANs: just make two separate L2 networks with separate addressing for them, and prohibit traffic between them either by routes (as you did) or, which is more reliable, at the firewall level with two drop rules.
A bridge is not required in this design; with the same success the address and the firewall rules can be applied directly to the fifth port.
I also note that, in principle, a situation is possible where the cameras are VLAN-capable; then you could configure a native VLAN on each camera, add a virtual interface with the same VLAN ID on the master port, and create the addressing, routing and firewall rules on that VLAN interface. But again, I note that in your case (two separate switches, each for its own L2 network) this is unnecessary and, moreover, not safe, because anyone will be able to receive that traffic by setting the VLAN ID on their interface.
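
The separation done the way this answer recommends (two plain L2 networks, no bridge, no VLANs, and the firewall rather than routes keeping them apart), added as an example that is not part of Cool Admin's post. It assumes RouterOS 6.x before 6.41, where the other ports are slaved to ether1 through master-port (which is how the question describes the router), and that ether1 already carries the 192.168.24.0/24 user network; the DHCP pool range is made up.

```routeros
# Added example, not from the original thread. RouterOS 6.x before 6.41 (master-port still exists).
# Assumes ether1 is the master port of the user switch group and already has 192.168.24.1/24.

/interface ethernet
# take port 5 out of the switch group: it becomes a standalone routed port, no bridge needed
set ether5 master-port=none comment="cameras: standalone port, not part of the ether1 switch group"

/ip address
add address=192.168.25.1/24 interface=ether5 comment="camera network directly on the port"

/ip pool
add name=pool-cams ranges=192.168.25.100-192.168.25.200
/ip dhcp-server
add name=dhcp-cams interface=ether5 address-pool=pool-cams disabled=no
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1

/ip firewall filter
# the "two drop rules": traffic from the slaved user ports enters the router on the master port
# ether1, so that is the interface to match. place-before pins them to the top of the forward
# chain, above any general accept rule that may already be there.
add chain=forward in-interface=ether1 out-interface=ether5 action=drop comment="users -> cameras" place-before=0
add chain=forward in-interface=ether5 out-interface=ether1 action=drop comment="cameras -> users" place-before=1
```

To verify, ping a camera address from a user host and watch `/ip firewall filter print stats`: the packet counter of the "users -> cameras" rule increments and the ping gets no reply. Unlike a route-based block, the drop is applied to every forwarded packet between the two interfaces regardless of what the routing table says, which is why the answer calls it the more reliable option.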

Obsession, 2016-10-03
@Obsession

It's simpler still to hang the subscriber network (Y.Y.Y.Y/24) on the master port and the camera network (X.X.X.X/24) on a spare port; this will not bother the Mikrotik. Then set the rules for communication between the networks in the firewall and draw the routes. The only thing: addresses will not be handed out via DHCP for both ranges, two "servers" on one interface apparently don't work, but you can assign static addresses by catching the sessions on the Mikrotik.
