802.1q

vlan

{«Oh, when the saints go marching in \\ Oh, when the saints go marching in \\ Lord, how I want to be in that number»} Gospel tradizionale statunitense

IEEE 802.1Q is a standard that allows multiple VLAN virtual networks to share the same physical connection without losing information between one device and another. Virtual LAN technology allows segmenting the broadcast domain of a LAN, dividing it into multiple virtual LANs, isolated one from each other, but sharing the same physical infrastructure. There are two ways to create a Virtual LAN:

• port tagged VLAN: the switch assigns a VLAN to ports;
• IP/MAC tagged VLAN: the switch associates a VLAN with an IP / MAC address.

This last method guarantees greater security, because one is sure of the belonging of a specific host to a Virtual LAN; while in the first method, by simply changing the physical interface, the host is assigned to another VLAN. In this chapter we will analyze the VLANs realized with the method that labels the ports of the connection device (port tagged VLAN). VLANs can also be useful in order to restrict access to resources without having to change the physical topology of the network. VLANs operate at level 2 (the Data Link Layer) of the ISO / OSI Stack. The VLANs are defined inside the switch, through a name and an ID (VID: VLAN Identificator), this with range 0-4095. To manage multiple VLANs on the same physical structure, the switch must be able to perform functions of:

• Ingress : understand the VLAN from which the frame comes;
• Forwarding : to understand the destination port of the frame, based on the destination VLAN ;
• Egress : transmit the frame so that its VLAN membership is correctly interpreted by other possible switches.

At this point it is useful to pay attention to the used terms, in fact different switch and router manufacturers use different terms to indicate the same type of ports. The table table:terms on page table:terms shows the most common matches. In the VLAN context, the term trunk or core denotes a network connection transposing multiple VLANs, identified by labels (called tag ) inserted in their packets. Trunks must be connected to ports that analyze the tags, the tagged-port , of a VLAN-enabled device: often these are switch-switch or switch-router connections.

The 802.1q standard

802.1q is the name of the encapsulation protocol used in the trunking process in Ethernet networks. The 802.1q protocol does not follow the encapsulation logic but is implemented by adding 4 bytes (32 bits) in the Ethernet header (figure frame ).

A 802.1q packet

frame

In the 4 added bytes we have:

• The first modified 2 bytes concern the tag protocol identifier (TPID) .
• This contains the EtherType tag which is changed to 0x8100, a number that highlights the new frame format.
• The next 2 bytes concern the tag control information (TCI) (also called VLAN Tag) divided as follows:
• • user_priority : This 3-bit field can be used to indicate a priority level for the frame.
  • The use of this field is defined by the IEEE 802.1p standard.
  • CFI : 1-bit field that indicates whether the MAC addresses in the frame are in canonical form.
  • VID : 12-bit field indicating the ID of the VLANs, which can thus be up to 4096 (ie 2^{12}).
  • Of the 4096 possible VLANs, VLANs 0, 1 and 4095 are reserved.

The 802.1q introduces among other things two new protocols:

• GVRP: Generic VLAN Registration Protocol - allows switches to dynamically negotiate which VLANs to manage on a trunk;
• MSTP: Multiple Spanning Tree Protocol - evolution of the Spanning Tree Protocol adapted to the 802.1q context.

Ports types

The ports of a switch can be access, used to connect hosts, or trunks, used for uplinks among switches or among switches and routers. The trunk is therefore a link that allows the transport of frames belonging to different VLANs. Here we have to highlight a very important concept: the frames run in 802.1q format only on the trunk ports. When forwarded to hosts or hosts on access ports, the VLAN tag is deleted and the frame format returns to that of the Ethernet standard. Summarizing what has been explained so far, in a switch we find two types of ports:

1. Edge ports, (Cisco terminology: access; HP terminology: untagged)
   - packets passing through an edge (or access) port do not have a VLAN tag. In fact on these are connected PCs and devices that know nothing about VLANs. These are the ports that insert the VLAN tag to the incoming traffic on the port and remove the VLAN tag from outgoing traffic to the hosts.
2. Core Ports (Cisco Terminology: Trunk; HP Terminology: tagged)
   - a core port is able to receive "tagged" packets, and on these ports only devices capable of interpreting VLAN tags, such as switches, routers and firewalls compatible with the 802.1q protocol, can be connected. These are the ports where traffic travels with the VLAN tag, which is then left unchanged.

Generic term	Cisco	HP	What it does
Edge	Access	Untagged	Insert the VLAN tag (hence tag) to incoming traffic on the port and remove the VLAN tag to outbound traffic (directed to hosts).
Core	Trunk	Tagged	These are the ports where traffic travels with the VLAN tag, which is then left unchanged.

Comparison of the VLAN terms used by the various producers

table:terms

VLAN on RouterOS

vlan-simple To understand how RouterOS manages VLANs, consider the diagram in figure lab-vlan1 .

The simplest use of VLANs

lab-vlan1

On router R1, the ether1 network card behaves like a connection (trunk) that carries the two VLANs up to router R2. This will create two new vlan type interfaces. On each of these interfaces will be active two dhcp servers that release the IP addresses related to each of the three VLANs. The router R2 behaves like a switch with VLAN: it will take the vlan through the trunk ether1 interface and will route it to the ether2 interfaces for the vlan10 and ether3 for the vlan20. In RouterOS the management of VLANs passes through the bridge and interface management menus. Note that the R2 router configuration does not contain any IP address: the router will behave like a switch operating only at L2 level. The following are the final configurations of the two routers: {R1}

/system identity set name=R1

#
# Definition of vlan and core link (trunk)
#
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20

/ ip pool
add name=vlan10 ranges=10.10.10.100-10.10.10.200
add name=vlan20 ranges=10.20.20.100-10.20.20.200
/ip dhcp-server
add address-pool=vlan10 disabled=no interface=vlan10 name=vlan10
add address-pool=vlan20 disabled=no interface=vlan20 name=vlan20
/ip address
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.20.20.1/24 interface=vlan20 network=10.20.20.0

/ip dhcp-server network
add address=10.10.10.0/24 netmask=24
add address=10.20.20.0/24 netmask=24

{R2}

/system identity set name=R2
#
# Definition of core port (trunk)
#
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20

#
# Definition of bridges for edge ports
#
/interface bridge
add fast-forward=no name=bridgevlan10
add fast-forward=no name=bridgevlan20

#
# Vlan extraction from bridges
#
/interface bridge port
add bridge=bridgevlan10 interface=vlan10
add bridge=bridgevlan20 interface=vlan20
add bridge=bridgevlan20 interface=ether3
add bridge=bridgevlan10 interface=ether2

Lab on trunk propagated among switches

trunk-lab

Three routers and at least one PC are required for this laboratory.

VLAN

The aim of this workshop is to learn how to propagate a trunk among different switches.

VLAN - lab on trunk propagated among switches

lab-vlan3

The network infrastructure to be configured is that of figure lab-vlan3 . The peculiarity of the laboratory is the propagation of the trunk from router R2 to router R3. In particular see the configuration of the R2 router and the use of the bridgevlan1030 bridge and its ports. {R1}

/system identity set name=R1
/interface vlan
add interface=ether3 name=vlan10 vlan-id=10
add interface=ether3 name=vlan20 vlan-id=20
add interface=ether3 name=vlan30 vlan-id=30
/ip pool
add name=vlan10 ranges=10.10.10.100-10.10.10.200
add name=vlan20 ranges=10.20.20.100-10.20.20.200
add name=vlan30 ranges=10.30.30.100-10.30.30.200
/ip dhcp-server
add address-pool=vlan10 disabled=no interface=vlan10 name=vlan10
add address-pool=vlan20 disabled=no interface=vlan20 name=vlan20
add address-pool=vlan30 disabled=no interface=vlan30 name=vlan30
/ip address
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.20.20.1/24 interface=vlan20 network=10.20.20.0
add address=10.30.30.1/24 interface=vlan30 network=10.30.30.0
/ip dhcp-server network
add address=10.10.10.0/24 netmask=24
add address=10.20.20.0/24 netmask=24
add address=10.30.30.0/24 netmask=24

{R2}

/system identity set name=R2
/interface bridge
add fast-forward=no name=bridgevlan10
add fast-forward=no name=bridgevlan20
add name=bridgevlan1030
/interface vlan
add interface=bridgevlan1030 name=vlan10 vlan-id=10
add interface=bridgevlan1030 name=vlan20 vlan-id=20
add interface=bridgevlan1030 name=vlan30 vlan-id=30
/interface bridge port
add bridge=bridgevlan10 interface=vlan10
add bridge=bridgevlan20 interface=vlan20
add bridge=bridgevlan10 interface=ether1
add bridge=bridgevlan20 interface=ether2
add bridge=bridgevlan1030 interface=ether4
add bridge=bridgevlan1030 interface=ether3
/interface bridge vlan
add bridge=bridgevlan1030 tagged=ether3,ether4 vlan-ids=10,30

{R3}

/system identity set name=R3
/interface bridge
add fast-forward=no name=bridgevlan10
add fast-forward=no name=bridgevlan30
/interface vlan
add interface=ether4 name=vlan10 vlan-id=10
add interface=ether4 name=vlan30 vlan-id=30
/interface bridge port
add bridge=bridgevlan10 interface=vlan10
add bridge=bridgevlan30 interface=vlan30
add bridge=bridgevlan10 interface=ether1
add bridge=bridgevlan30 interface=ether3

Lab

Two routers and at least one PC are required for this laboratory.

VLAN

The goal of this workshop is to start handling VLANs in RouterOS using the WinBox interface.

VLAN - lab

lab-vlan2

The network infrastructure to be configured is that of figure lab-vlan2 . On the router R1, in the network cards ether1, ether2 and ether3 three dhcp servers are active which release the IP addresses related to each of the three VLANs. The R2 router behaves like a switch with VLAN.

1. First of all, new interfaces are created by indicating the VLAN ID.
   Each VLAN interface refers to a physical interface that determines the trunk.
   
2. The process is repeated for each VLAN:
   
3. Subsequently, bridge type interfaces are created which will be useful for configuring the access/untagged ports.
   
4. Among the ports of each switch there will always be the vlan concerned and the ethernet NIC:
   
5. At this point, we need to configure the three dhcp servers with their pools.
   Remember that ip addresses and dhcp servers must be anchored to the respective bridge interfaces.
6. The following are the final configurations of the two routers:
   {R1}
   /system identity set name=R1
   /interface vlan
   add interface=ether4 name=vlan10 vlan-id=10
   add interface=ether4 name=vlan20 vlan-id=20
   add interface=ether4 name=vlan30 vlan-id=30
   /interface bridge
   add fast-forward=no name=bridgevlan10
   add fast-forward=no name=bridgevlan20
   add fast-forward=no name=bridgevlan30
   /interface bridge port
   add bridge=bridgevlan10 interface=ether1
   add bridge=bridgevlan10 interface=vlan10
   add bridge=bridgevlan20 interface=ether2
   add bridge=bridgevlan20 interface=vlan20
   add bridge=bridgevlan30 interface=vlan30
   add bridge=bridgevlan30 interface=ether3
   /ip address
   add address=10.10.10.1/24 interface=bridgevlan10 network=10.10.10.0
   add address=10.20.20.1/24 interface=bridgevlan20 network=10.20.20.0
   add address=10.30.30.1/24 interface=bridgevlan30 network=10.30.30.0
   /ip pool
   add name=vlan10 ranges=10.10.10.100-10.10.10.200
   add name=vlan20 ranges=10.20.20.100-10.20.20.200
   add name=vlan30 ranges=10.30.30.100-10.30.30.200
   /ip dhcp-server
   add address-pool=vlan10 disabled=no interface=bridgevlan10 name=vlan10
   add address-pool=vlan20 disabled=no interface=bridgevlan20 name=vlan20
   add address-pool=vlan30 disabled=no interface=bridgevlan30 name=vlan30
   /ip dhcp-server network
   add address=10.10.10.0/24 netmask=24
   add address=10.20.20.0/24 netmask=24
   add address=10.30.30.0/24 netmask=24
   
7. Note that the R2 router configuration contains no IP address:
   the router will behave like a switch operating only at L2 level. {R2}
   /system identity set name=R2
   /interface bridge
   add fast-forward=no name=bridgevlan10
   add fast-forward=no name=bridgevlan20
   add fast-forward=no name=bridgevlan30
   /interface vlan
   add interface=ether4 name=vlan10 vlan-id=10
   add interface=ether4 name=vlan20 vlan-id=20
   add interface=ether4 name=vlan30 vlan-id=30
   /interface bridge port
   add bridge=bridgevlan10 interface=ether1
   add bridge=bridgevlan10 interface=vlan10
   add bridge=bridgevlan20 interface=ether2
   add bridge=bridgevlan20 interface=vlan20
   add bridge=bridgevlan30 interface=vlan30
   add bridge=bridgevlan30 interface=ether3
   
8. To verify the correct functioning of the created network infrastructure, just check the IP address that each PC gets depending on the port to which it is connected.

For further examples see the link http://bit.ly/2Fje2dp which also includes a detailed explanation.

Comparison of configurations

In this chapter we have repeatedly mentioned brands like Cisco and HP, for completeness in the next two pages we report in synopsis the R2 configurations of the laboratory of figure lab-vlan1 on page lab-vlan1 is the R2 configurations of the laboratory of figure lab-vlan3 on page lab-vlan3 comparing what happens in Mikrotik RouterOS, in HP and in Cisco IOS.

Mikrotik RouterOS

/system identity set name=R2

/interface vlan
add interface=ether1 name=vlan10 \
    vlan-id=10
add interface=ether1 name=vlan20 \
    vlan-id=20

/interface bridge
add fast-forward=no \
    name=bridgevlan10
add fast-forward=no \
    name=bridgevlan20

/interface bridge port
add bridge=bridgevlan10 \
    interface=vlan10
add bridge=bridgevlan20 \
    interface=vlan20
add bridge=bridgevlan20 \
    interface=ether3
add bridge=bridgevlan10 \
    interface=ether2

HP

vlan 10
   name "vlan10"
   untagged 1
   tagged 3
   exit
vlan 20
   name "vlan20"
   untagged 2
   tagged 3
   exit

Cisco IOS

vlan database
vlan 10
vlan 20
exit

configure terminal

interface FastEthernet1/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet1/3
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan all
!

Mikrotik RouterOS

/system identity set name=R2
/interface bridge
add fast-forward=no \
    name=bridgevlan10
add fast-forward=no \
    name=bridgevlan20
add name=bridgevlan1030
/interface vlan
add interface=bridgevlan1030 \
    name=vlan10 vlan-id=10
add interface=bridgevlan1030 \
    name=vlan20 vlan-id=20
add interface=bridgevlan1030 \
    name=vlan30 vlan-id=30
/interface bridge port
add bridge=bridgevlan10 \
    interface=vlan10
add bridge=bridgevlan20 \
    interface=vlan20
add bridge=bridgevlan10 \
    interface=ether1
add bridge=bridgevlan20 \
    interface=ether2
add bridge=bridgevlan1030 \
    interface=ether4
add bridge=bridgevlan1030 \
    interface=ether3
/interface bridge vlan
add bridge=bridgevlan1030 \
    tagged=ether3,ether4 \
    vlan-ids=10,30

HP

vlan 10
   name "vlan10"
   untagged 1
   tagged 3-4
   exit
vlan 20
   name "vlan20"
   untagged 2
   tagged 3
   exit
vlan 30
   name "vlan30"
   tagged 3-4
   exit

Cisco IOS

vlan database
vlan 10
vlan 20
vlan 30
exit

configure terminal

interface FastEthernet1/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet1/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet1/3
 switchport mode trunk
 switchport trunk allowed vlan all
!
interface FastEthernet1/4
 switchport mode trunk
 switchport trunk allowed vlan all
!

Important note on performance

Many MikroTik devices have built-in switch chips that typically have the ability to perform VLAN switching at the hardware level, which means that wire-speed performance can be achieved using VLANs if an appropriate configuration method is used. The configuration method changes between different models. For configuration examples that follow the hardware specifications, see the link http://bit.ly/2Fg8jVu .

RouterOS /32 and IP addresses unnumbered IP

Reading the literature on VLANs often the unnumbered IP expression is encountered. This is an IP /32 address that allows you to enable IP processing on an interface without assigning it an explicit IP address. We can approximate this by stating that an interface with an unnumbered IP "borrows" the IP address of another interface already configured on the router, which preserves the network and the address space. To learn more about the subject, refer to the article available at the link http://bit.ly/2FhTT6y . The question that arises is: why use an address /32 and not just configure an IP address on the interface? To answer this question we must immerse ourselves in the past. At the beginning of the Internet, the subnet masks with variable length, ie the VLSM numbering (Variable Length Subnet Mask) were not available and this was particularly annoying when using classful routing protocols such as RIP v1 and IGRP, the predecessor of EIGRP. With the VLSM numbering the smallest subnet that could be used was /24. Imagine what a waste when using public IP addresses. IP unnumbered was created to solve this problem so as not to waste entire subnets /24 on point-to-point interfaces: the IP unnumbered mechanism borrows an IP address from another interface so as not to have to configure one on the point-to-point interface. Nowadays we have multiple alternatives: we can use VLSM and create subnets /30 without wasting many IP addresses; or we can use private IP addresses, if our network allows it. It follows that we no longer need unnumbered IP as in the past. However, it can be useful if you want to quickly set up a point-to-point connection without worrying about IP addresses and finding a suitable subnet. RouterOS offers the possibility of using the address with a network mask of /32 for example in a point-to-point tunnel with addresses and this offers the same functionality as the unnumbered IPs of other manufacturers.

Unnumbered IP

unnumbered

In the infrastructure of figure unnumbered there are two routers R1 and R2, each of which is part of the networks 10.22.0.0/24 and 10.23.0.0/24 respectively. The following configurations using IP unnumbered are used to connect these routers using VLANs as carriers: {R1}

/system identity set name=R1
/ip address add address=10.22.0.1/24 interface=ether1
/interface vlan add interface= ether2 vlan-id=10 name=vlan10
/ip address add address=10.22.0.1/32 interface=vlan10 network=10.23.0.1
/ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24

{R2}

/system identity set name=R2
/ip address add address=10.23.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=10 name=vlan10
/ip address add address=10.23.0.1/32 interface=vlan10 network=10.22.0.1
/ip route add gateway=10.22.0.1 dst-address=10.22.0.0/24

Summary questions

domande-4

1. Is it possible to create a configuration where VLANs and PPTP interfaces coexist in a bridge?
   1. Yes
   2. No
2.   Is it possible to create a wireless point-to-point network where the connection among the two antennas behaves like a VLAN trunk?
   1. Yes
   2. No

Solutions

1. Yes. On this see the interesting speech "VLAN in MikroTik" by Mohammed Khomeini Bin ABU at MUM 2013, in particular from slide 13 (http://bit.ly/2Qz3Xdg)
   Yes. On this see http://bit.ly/2QvImTb which shows the complete configuration of a typical use case.