fdroid, 2018-06-12 21:35:07
D-Link

How to understand VLANs?

Something happened that I had avoided for a long time: it is necessary to configure VLANs. And I just stupidly cannot understand how it works; on the Internet there are either step-by-step instructions (which do not work) or rigid theory, which there is no time to study, because the problem needs to be solved "yesterday". Plus, there are cryptic words about trunks, tagged and untagged VLANs, and there is no explanation for dummies of how they differ at all.

Initial data: Mikrotik 951, ROS 6.42.3, D-Link 1100-10 ME A1 switch. I got access to a managed switch for the first time, but, oddly enough, it doesn't have such a complicated CLI: there is auto-completion, and in general it's not particularly scary. And here is the ambush with Mikrotik.

At the moment the scheme is as follows. In Mikrotik, all ports except the 1st are joined in a bridge. The first port is connected to the WAN, the second port is connected to a stupid switch, to which several more stupid switches are connected, to which ... etc. are connected, down to the end computers. In general, the network type is STS, the Network of Stupid Switches (and admins). It is necessary to split it into two (for starters) segments with different subnets.

First, I train on cats: I connected a computer to the free fifth port and tried to make it so that, at least, it could be put on a separate subnet. The entire network is at addresses 192.168.0.0; the experimental computer must be at 192.168.1.0, receive an address via DHCP and go online. At least even this; there is no talk of isolation from the main network yet. But the stone flower does not come out.

What am I doing. I remove the 5th port from the bridge. Interfaces - VLAN - I create a new vlan1, interface - ether5 (there is also a checkbox "Use service tag"; do I need to set it?). IP - Addresses - I add an Address List with a range of 192.168.1.1/24, Network 192.168.1.0, interface - vlan1. IP - Pool - I create a new pool1 with the range 192.168.1.2-192.168.1.254. IP - DHCP Server - I create a new dhcp1, interface - vlan1, Address Pool - pool1. IP - Firewall - NAT - I add a rule: Chain - srcnat, src address - 192.168.1.0/24, Out interface - vlan1, action - Masquerade.

I apply everything, and ... nothing! A computer connected to the 5th port does not even receive an IP via DHCP; with a manually set 192.168.1.10 it complains about an "unidentified network". I'm not sure about the NAT rule at all, but that does not change the essence: the computer simply does not connect to the network. At the same time, from the 192.168.0... network I can ping 192.168.1.1. In general, I have tried several manuals, and none of them work. Either I'm doing something wrong, or the manuals written for previous ROS versions do not work in the new version, or I'm missing some simple nuances,


2 answer(s)
athacker, 2018-06-12
@fdroid

A VLAN is just an identifier in an Ethernet frame, which can take values from 1 to 4094. VLANs are not "tagged" or "untagged"; they are tagged by definition. It is the traffic that can be tagged or untagged. Tagged traffic is traffic whose Ethernet frames actually contain the VID (VLAN ID, i.e. the VLAN number) in the corresponding field. Untagged, correspondingly, is a frame in which there is no VLAN number.
A switch trunk port is a port configured to receive and transmit tagged traffic, and this traffic can belong to different VLANs (physically, this means the traffic can carry different VIDs, VLAN identifiers). For example, this is how the ports to which other switches are connected are configured. Or, for example, routers. Or, for example, servers with virtual machines.
A port configured to receive untagged traffic still considers itself to be in some VLAN. That is, the switch internally knows that untagged traffic arrives at this port, but that this traffic must be attributed to such-and-such a VLAN. Which specific VLAN is set by the network administrator when configuring and enabling the port. Untagged traffic can, for example, be forwarded to a tagged (trunk) port, and in this case, on leaving the trunk port, the switch will explicitly insert the tag into the traffic.
The reverse situation can also occur: tagged traffic arrives at the trunk port (for example, in VLAN 5). The switch determines that the destination of the traffic is on a certain port, and that port is configured to send untagged traffic. Then the switch removes the tag from the frame before passing the packet to this port, and only then sends the frame out of the port.
Any number of VLANs can arrive at trunk ports (well, up to 4096, of course). On untagged ports there is only one VLAN, as you understand, since there is no tag in the traffic, and the only way to attribute this traffic to some VLAN is to explicitly specify in the switch settings that this particular port belongs to such-and-such a VLAN.
Ordinary computers can accept tagged traffic only with additional steps. On Windows, the driver must support it and must also provide VLAN controls on the interface. On Linux, you likewise need to create separate sub-interfaces with tags.
As for the Mikrotik: first achieve connectivity between the router and the computer on the 192.168.1.0 network, without DHCP, let alone NAT.
192.168.1.1 is pinged from the 192.168.0.1 network: understandable, since the address belongs to your router. You could hang 8.8.8.8 on the interface and it would also ping, even without Internet, provided there is a connection between the router and the computer.
You don't need to set the service tag; that is already from the Q-in-Q area, nested VLANs (roughly speaking).
Vlan1: what VLAN ID does it have?
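A small model of the tagging behaviour described in this answer, added here as an illustration (it is not code from the answer, from Mikrotik or from D-Link): it builds and parses 802.1Q frames and applies the untagged (access) and trunk ingress/egress rules to constructed frames. MAC addresses, port definitions and VLAN numbers are made-up sample values.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value marking an 802.1Q-tagged frame

def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; if vid is given, an 802.1Q tag (PCP/DEI 0) is inserted."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    etype, = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:  # tagged: 4 extra bytes before the real EtherType
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]

def ingress_vid(port, frame):
    """VLAN the switch attributes an incoming frame to (None = dropped)."""
    vid = parse_frame(frame)[2]
    if port["mode"] == "access":  # untagged port: everything belongs to its PVID
        return port["pvid"] if vid is None else None
    if vid is None:               # untagged on a trunk: the port's native VLAN
        return port["pvid"]
    return vid if vid in port["allowed"] else None

def egress_frame(port, vid, frame):
    """Frame as it leaves a port: tag stripped on access, present on trunk."""
    dst, src, _, etype, payload = parse_frame(frame)
    if port["mode"] == "access":
        if vid != port["pvid"]:
            return None           # other VLANs never reach an untagged port
        return build_frame(dst, src, etype, payload)
    if vid not in port["allowed"]:
        return None
    return build_frame(dst, src, etype, payload, vid=vid)

# constructed sample values: two hosts, two untagged ports and one trunk
PC, ROUTER = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000b2")
ACCESS10, ACCESS20 = {"mode": "access", "pvid": 10}, {"mode": "access", "pvid": 20}
TRUNK = {"mode": "trunk", "pvid": 1, "allowed": {1, 10, 20}}

def demo():
    """PC on VLAN 10 sends untagged; the reply returns tagged over the trunk."""
    out = build_frame(ROUTER, PC, 0x0800, b"\x45" + b"\x00" * 19)
    vid = ingress_vid(ACCESS10, out)                   # classified as VLAN 10
    on_trunk = egress_frame(TRUNK, vid, out)           # leaves the trunk tagged
    reply = build_frame(PC, ROUTER, 0x0800, b"\x45" + b"\x00" * 19, vid=10)
    rvid = ingress_vid(TRUNK, reply)                   # tag read back: 10
    return vid, parse_frame(on_trunk)[2], egress_frame(ACCESS10, rvid, reply), egress_frame(ACCESS20, rvid, reply)
```

The last value returned by demo() is None: the frame for VLAN 10 is never delivered to the untagged port that belongs to VLAN 20, which is the isolation the question is after.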

awgur, 2018-06-21
@awgur

Up-to-date material about VLANs in Mikrotik:
https://mum.mikrotik.com/presentations/BY18/presen...
https://www.youtube.com/watch?v=jTCxeYzEirY&list=P...
All the answers to your questions are there.
