什么是VLAN-BASED port access vlanVLAN
点击联系发帖人
时间:2012-05-07 15:42
vlan|LOFTER(乐乎) - 记录生活,发现同好
LOFTER for ipad —— 记录生活,发现同好
  被喜欢
  被喜欢
{list posts as post}
{if post.type==1 || post.type == 5}
{if !!post.title}${post.title|escape}{/if}
{if !!post.digest}${post.digest}{/if}
{if post.type==2}
{if post.type == 3}
{if !!post.image}
{if post.type == 4}
{if !!post.image}
{if !!photo.labels && photo.labels.length>0}
{var wrapwidth = photo.ow < 500?photo.ow:500}
{list photo.labels as labs}
{var lbtxtwidth = Math.floor(wrapwidth*(labs.ort==1?labs.x:(100-labs.x))/100)-62}
{if lbtxtwidth>12}
{if !!labs.icon}
{list photos as photo}
{if photo_index==0}{break}{/if}
品牌${make||'-'}
型号${model||'-'}
焦距${focalLength||'-'}
光圈${apertureValue||'-'}
快门速度${exposureTime||'-'}
ISO${isoSpeedRatings||'-'}
曝光补偿${exposureBiasValue||'-'}
镜头${lens||'-'}
{if data.msgRank == 1}{/if}
{if data.askSetting == 1}{/if}
{if defined('posts')&&posts.length>0}
{list posts as post}
{if post_index < 3}
{if post.type == 1 || post.type == 5}
{if !!post.title}${post.title|escape}{/if}
{if !!post.digest}${post.digest}{/if}
{if post.type == 2}
{if post.type == 3}
{if post.type == 4}
{if drlist.length>0}
更多相似达人:
{list drlist as dr}{if drlist.length === 3 && dr_index === 0}、{/if}{if drlist.length === 3 && dr_index === 1}、{/if}{if drlist.length === 2 && dr_index === 0}、{/if}{/list}
暂无相似达人,
{if defined('posts')&&posts.length>0}
{list posts as post}
{if post.type == 2}
{if post.type == 3}
{if post.type == 4}
this.p={ currentPage:1,pageNewMode:true,isgooglead3:false,ishotrecompost:false,visitorId:0, first:'',tag:'vlan',recommType:'new',recommenderRole:0,offset:20,type:0,isUserEditor:0,};请问这一段话是什么意思vlan qinq session-no 303 customer-port gei_4/19 uplink-port gei_4/21 in-vlan 178 untag helper-vlan 4094
虚拟局域网的QinQ会话没有303客户端口gei_4/19上行端口gei_4/21在- VLAN的178过渡时期援助团帮手- VLAN的4094
为您推荐:
扫描下载二维码抓包,端口镜像,monitor&session命令(转)
一、SPAN简介
SPAN技术主要是用来监控交换机上的数据流,大体分为两种类型,本地SPAN和远程SPAN.
—-Local Switched Port Analyzer (SPAN) and Remote SPAN
(RSPAN),实现方法上稍有不同。
利用SPAN技术我们可以把交换机上某些想要被监控端口(以下简称受控端口)的数据流COPY或MIRROR一份,发送给连接在监控端口上的流
量分析仪,比如CISCO的IDS或是装了SNIFFER工具的PC.
受控端口和监控端口可以在同一台交换机上(本地SPAN),也可以在不同的交换机上(远程SPAN)。
二、名词解释
SPAN Session——SPAN会话
SPAN会话是指一组受控端口与一个监控端口之间的数据流。可以同时对多个端口的进入流量或是一个端口的外出流量进行监控,也可以对VLAN内
所有端口的进入流量进行监控,但不能同时对多个端口的外出流量及VLAN的外出流量进行监控,可以对处于关闭状态的端口设置SPAN,但此时的SPAN会
话是非活动,但只要相关的接口被打开,SPAN就会变为活动的。
监控端口最好是&=受控端口的带宽,否则可能会出现丢包的情况。
SPAN Traffic——SPAN的流量
使用本地SPAN可以监控所有的网络流量,包括multicast、bridge protocol data unit
(BPDU),和CDP、VTP、DTP、STP、PagP、LACP packets. RSPAN不能监控二层协议。
Traffic Types——流量类型
被监控的流量类型分为三种,Receive (Rx) SPAN 受控端口的接收流量,Transmit (Tx) SPAN
受控端口的发送流量,Both 一个受控端口的接收和发送流量。
Source Port——SPAN会话的源端口(也就是monitored port-即受控端口)
受控端口可以是实际的物理端口、VLAN、以太通道端口组EtherChannel,物理端口可以在不同的VLAN中,受控端口如果是VLAN
则包括此VLAN中的所以物理端口,受控端口如果是以太通道则包括组成此以太通道组的所有物理端口,如果受控端口是一个TRUNK干道端口,则此
TRUNK端口上承载的所有VLAN流量都会受到监控,也可以使用filter vlan 参数进行调整,只对filter vlan
中指定的VLAN数据流量做监控。
Destination Port——SPAN会话的目的端口(也就是monitoring port-即监控端口)
监控端口只能是单独的一个实际物理端口,一个监控端口同时只能在一个SPAN会话中使用,监控端口不参与其它的二层协议如:
Layer 2 protocols
Cisco Discovery Protocol (CDP),
VLAN Trunk Protocol (VTP),
Dynamic Trunking Protocol (DTP),
Spanning Tree Protocol (STP),
Port Aggregation Protocol (PagP),
Link Aggregation Control Protocol (LACP)。
缺省情况下监控端口不会转发除SPAN
Session以外的任何其它的数据流,也可以通过设置ingress参数,打开监控端口的二层转发功能,比如当连接CISCO
IDS的时会有这种需求,此时IDS不仅要接收SPAN
Session的数据流,IDS本身在网络中还会与其它设备有通讯流量,所以要打开监控端口的二层转发功能.
Reflector Port——反射端口
反射端口只在RSPAN中使用,与RSPAN中的受控端口在同一台交换机上,是用来将本地的受控端口流量转发到RSPAN中在另一台交换机上的
远程监控端口的方法,反射端口也只能是一个实际的物理端口,它不属于任何VLAN(It is invisible to all
VLANs.)。
RSPAN中还要使用一个专用的VLAN来转发流量,反射端口会使用这个专用VLAN将数据流通过TRUNK端口发送给其它的交换机,远程交换
机再通过此专用VLAN将数据流发送到监控端口上的分析仪。
关于RSPAN VLAN的创建,所有参与RSPAN的交换机应在同一个VTP域中,不能用VLAN
1,也不能用,这是保留的(reserved for Token Ring and FDDI
VLANs),如果是2-1001的标准VLAN,则只要在VTP
Server上创建即可,其它的交换机会自动学到,如果是的扩展VLAN,则需要在所有交换机上创建此专用VLAN.
反射端口最好是&=受控端口的带宽,否则可能会出现丢包的情况。
VLAN-Based SPAN——基于VLAN的SPAN
基于VLAN的SPAN只能监控VLAN中所有活动端口接收的流量(only received (Rx)
traffic),如果监控端口属于此VLAN,则此端口不在监控范围内,VSPAN只监控进入交换机的流量,不对VLAN接口上的路由数据做监控。
(VSPAN only monitors traffic that enters the switch, not traffic
that is routed between VLANs. For example, if a VLAN is being
Rx-monitored and the multilayer switch routes traffic from another
VLAN to the monitored VLAN, that traffic is not monitored and is
not received on the SPAN destination port. )
三、SPAN和RSPAN与其它特性的互操作性
Routing——SPAN不监控VLAN间的路由数据;(不好理解)
Routing—Ingress SPAN does not monitor routed traffic. VSPAN only
monitors traffic that enters the switch, not traffic that is routed
between VLANs. For example, if a VLAN is being Rx-monitored and the
multilayer switch routes traffic from another VLAN to the monitored
VLAN, that traffic is not monitored and not received on the SPAN
destination port.
STP——监控端口和反射端口不会参与STP,但SPAN对受控端口的STP没有影响;
CDP——监控端口不参与CDP;
VTP——RSPAN VLAN可以被修剪pruning;
trunking——可以修改受控端口、监控端口和反射端口的VLAN和TRUNK设置,受控端口的改变会立即生效,而监控端口和反射端口则要在从
SPAN中去除后才会生效;
EtherChannel——整个以太通道组可以做为受控端口使用,如果一个属于某个以太通道组的物理端口被配成了受控端口、监控端口或反射端
口,则此端口会自动从以太通道组去除,当SPAN删除后,它又会自动加入原以太通道组;
QoS——由于受QoS的策略影响,监控端口上收到的数据流会与受控端口实际的数据流不同,比如DSCP值被修改等;
Multicast——SPAN可以监控组播的数据流;
Port security——安全端口不能做为监控端口使用;
802.1x——受控端口、监控端口和反射端口上可以设置802.1x,但有些限制。
四、SPAN和RSPAN的配置举例
SPAN的限制和缺省设置
Catalyst 3550交换机上最多只能设置两个SPAN
Session,缺省SPAN没有使用,如果做了设置,缺省情况下,第一个被设为受控端口的接口进出流量都会受到监控,以后再追加的受控端口只会对接收的
流量进行监控,监控端口的默认封装类型为Native,也就是没有打VLAN的标记.
1、Configuring SPAN——配置本地SPAN
Switch(config)# no monitor session 1 //先清除可能已经存在SPAN设置
Switch(config)# monitor session 1 source interface
fastethernet0/10//设定SPAN的受控端口
Switch(config)# monitor session 1 destination interface
fastethernet0/20 //设定SPAN的监控端口
Switch#sh mon
Type : Local Session
Source Ports : Both : Fa0/10 //注意此处是Both
Destination Ports : Fa0/20
Encapsulation : Native
Ingress: Disabled
Switch(config)# monitor session 1 source interface
fastethernet0/11 - 13 //添加SPAN的受控端口
Switch#sh mon
Type : Local Session
Source Ports : RX Only : Fa0/11-13 //注意此处是
RX OnlyBoth : Fa0/10 //注意此处还是Both
Destination Ports : Fa0/20
Encapsulation : Native
Ingress: Disabled
Switch(config)# monitor session 1 destination interface fa0/20
ingress vlan 5 //设定SPAN的监控端口并启用二层转发
Switch#sh mon
Type : Local Session
Source Ports :
RX Only : Fa0/11-13
Both : Fa0/10
Destination Ports : Fa0/20
Encapsulation : Native
Ingress: Enabled, default VLAN = 5 //允许正常的流量进入 Ingress
encapsulation: Native
2、Specifying VLANs to Filter
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 101 - 102 rx
Switch(config)# monitor session 2 destination interface
fastethernet0/30
Switch#sh mon ses 2
Type : Local Session
Source VLANs : RX Only : 101-102 //注意此处是RX Only
Destination Ports : Fa0/30
Encapsulation : Native
Ingress: Disabled
Switch(config)# monitor session 2 source vlan 201 - 202 rx
Switch#sh mo se 2
Type : Local Session
Source VLANs : RX Only : 101-102,201-202 //注意此处多了201-202
Destination Ports : Fa0/30
Encapsulation : Native
Ingress: Disabled
3、Configuring RSPAN——配置远程RSPAN
RSPAN的Session分成RSPAN Source Session和RSPAN Destination
Session两部分,所以相应的配置也要分别在Session的源和目的交换机上做。
3.1、首先要配置专用的RSPAN VLAN
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface
fastethernet0/48 rx
Switch(config)# monitor session 2 filter vlan 100 - 102
//指定受控的VLAN范围
Switch(config)# monitor session 2 destination interface
fastethernet0/30
Switch#sh mon ses 2
Type : Local Session
Source Ports : Both : Fa0/48
Destination Ports : Fa0/30
Encapsulation : Native
Ingress: Disabled
Filter VLANs : 100-102 //只监控VLAN100-102中的流量
3.2、配置RSPAN Source Session
Switch(config)# vlan 800
Switch(config-vlan)# remote-span
Switch(config-vlan)# end
sw1#sh vl id 800
VLAN Name Status Ports
---- --------------------------------
800 VLAN0800 active Fa0/47, Fa0/48
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1
---- ----- ---------- ----- ------
800 enet 0 - - - - - 0 0
Remote SPAN VLAN
----------------
Enabled //注意看此处的提示
Primary Secondary Type Ports
------- --------- -----------------
3.3、配置RSPAN Destination Session
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface
fastethernet0/10 - 13
Switch(config)# monitor session 1 source interface
fastethernet0/15 rx
Switch(config)# monitor session 1 destina remote vlan 800
reflector-port fa0/20
sw1#sh mo se 1
Type : Remote Source Session
Source Ports :
RX Only : Fa0/11-13,Fa0/15
Both : Fa0/10
Reflector Port : Fa0/20
Dest RSPAN VLAN : 800
(VLAN-Based
RSPAN)基于VLAN的RSPAN也和上面的方法类似,只不过受控的是整个VLAN.启用监控端口的二层转发以及Specifying
VLANs to Filter 的方法也和本地SPAN相同,此处不再举例。详见CISCO CD.
This example shows how to configure SPAN so that both the transmit
and receive
traffic from port 2/4 (the SPAN source) is mirrored on port 3/6
(the SPAN destination):
Console& (enable) set span 2/4 3/6
// Overwrote Port 3/6 to monitor transmit/receive traffic of Port
Incoming Packets disabled. Learning enabled.
Console& (enable) show span
Destination : Port 3/6
Admin Source : Port 2/4
Oper Source : None
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Filter : -
Status : active
———————————————-
Total local span sessions: 1
Console& (enable)
This example shows how to set VLAN 522 as the SPAN source and port
2/1 as the SPAN destination:
Console& (enable) set span 522 2/1
// Overwrote Port 2/1 to monitor transmit/receive traffic of VLAN
Incoming Packets disabled. Learning enabled.
Console& (enable) show span
Destination : Port 2/1
Admin Source : VLAN 522
你得在交换机上做一个端口镜像,让其它端口的数据都复制一份到你所接入的这个端口上来,用sniffer软件就可以了,但你所在的这个端口只能做管理接口使用,别的就什么都不能做了。命令:
SW-3L(config)#monitor session 1 source int f0/1 both
所要抓的包所在的端口
SW-3L(config)#monitor session 1 destination int f0/24
你的机器连接的端口
已投稿到:From MikroTik Wiki
Applies to RouterOS: v3, v4+
Sub-menu: /interface vlan
Standards:
Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into Ethernet header. (see Figure 12.1.)
Each VLAN is treated as a separate subnet. It means that by default, a host in a specific VLAN cannot communicate with a host that is a member of another VLAN, although they are connected in the same switch. So if you want inter-VLAN communication you need a router.
RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. VLAN priorities may also be used and manipulated.
When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between switches or between a switch and router.
Original 802.1Q allows only one vlan header, Q-in-Q on the other hand allows two or more vlan headers.
In RouterOS Q-in-Q can be configured by adding one vlan interface over another.
/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over 'vlan2' interface, two vlan tags will be added to ethernet header - '11' and '12'.
Description
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled)
Address Resolution Protocol mode
interface (name; Default: )
Name of physical interface on top of which VLAN will work
l2mtu (integer; Default: )
Layer2 MTU. For VLANS this value is not configurable.
mtu (integer; Default: 1500)
Layer3 Maximum transmission unit
name (string; Default: )
Interface name
use-service-tag (yes | no; Default: )
802.1ad compatible Service Tag
vlan-id (integer: 4095; Default: 1)
Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN.
MTU should be set to 1500 bytes same as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting of full size Ethernet packets with VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over interface. At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.
VLANs on Mikrotik environment are also described here:
Port Based VLAN #1
Add necessary VLAN interfaces on ethernet interface to make it as a VLAN trunk port
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
add interface=ether2 name=eth2-vlan300 vlan-id=300
add interface=ether2 name=eth2-vlan400 vlan-id=400
Add bridges for each VLAN
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
Add VLAN interfaces to their corresponding bridges and ethernet interfaces where untagged traffic is necessary
/interface bridge port
add bridge=bridge-vlan200 interface=eth2-vlan200
add bridge=bridge-vlan200 interface=ether6
add bridge=bridge-vlan300 interface=eth2-vlan300
add bridge=bridge-vlan300 interface=ether7
add bridge=bridge-vlan400 interface=eth2-vlan400
add bridge=bridge-vlan400 interface=ether8
Port Based VLAN #2
Add necessary VLAN interfaces on ethernet interfaces to make them as VLAN trunk ports
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
add interface=ether2 name=eth2-vlan300 vlan-id=300
add interface=ether2 name=eth2-vlan400 vlan-id=400
add interface=ether6 name=eth6-vlan300 vlan-id=300
add interface=ether6 name=eth6-vlan400 vlan-id=400
add interface=ether7 name=eth7-vlan200 vlan-id=200
add interface=ether7 name=eth7-vlan400 vlan-id=400
add interface=ether8 name=eth8-vlan300 vlan-id=300
add interface=ether8 name=eth8-vlan400 vlan-id=400
Add bridges for each VLAN
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
Add VLAN interfaces to their corresponding bridges and ethernet interfaces where untagged traffic is necessary
/interface bridge port
add bridge=bridge-vlan200 interface=eth2-vlan200
add bridge=bridge-vlan200 interface=eth7-vlan200
add bridge=bridge-vlan200 interface=eth8-vlan200
add bridge=bridge-vlan200 interface=ether6
add bridge=bridge-vlan300 interface=eth2-vlan300
add bridge=bridge-vlan300 interface=eth6-vlan300
add bridge=bridge-vlan300 interface=eth8-vlan300
add bridge=bridge-vlan300 interface=ether7
add bridge=bridge-vlan400 interface=eth2-vlan400
add bridge=bridge-vlan400 interface=eth6-vlan400
add bridge=bridge-vlan400 interface=eth7-vlan400
add bridge=bridge-vlan400 interface=ether8
Lets assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer device (if there is a hub between routers, then from L3 point of view it is the same as an Ethernet cable connection between them). For simplification assume that all routers are connected to the hub using ether1 interface and has assigned IP addresses as illustrated in figure below. Then on each of them the VLAN interface is created.
Configuration for R2 and R4 is shown below:
[admin@MikroTik] /interface vlan& add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan& print
Flags: X - disabled, R - running, S - slave
VLAN-ID INTERFACE
[admin@MikroTik] /interface vlan& add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan& print
Flags: X - disabled, R - running, S - slave
VLAN-ID INTERFACE
The next step is to assign IP addresses to the VLAN interfaces.
[admin@MikroTik] ip address& add address=10.10.10.3/24 interface=VLAN2
[admin@MikroTik] ip address& print
Flags: X - disabled, I - invalid, D - dynamic
10.0.1.4/24
10.0.1.255
10.20.0.1/24
10.20.0.255
10.10.10.3/24
10.10.10.0
10.10.10.255
[admin@MikroTik] ip address&
[admin@MikroTik] ip address& add address=10.10.10.5/24 interface=VLAN2
[admin@MikroTik] ip address& print
Flags: X - disabled, I - invalid, D - dynamic
10.0.1.5/24
10.0.1.255
10.30.0.1/24
10.30.0.255
10.10.10.5/24
10.10.10.0
10.10.10.255
[admin@MikroTik] ip address&
At this point it should be possible to ping router R4 from router R2 and vice versa:
&Ping from R2 to R4:&
[admin@MikroTik] ip address& /ping 10.10.10.5
10.10.10.5 64 byte ping: ttl=255 time=4 ms
10.10.10.5 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/2.5/4 ms
&From R4 to R2:&
[admin@MikroTik] ip address& /ping 10.10.10.3
10.10.10.3 64 byte ping: ttl=255 time=6 ms
10.10.10.3 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/3.5/6 ms
To make sure if VLAN setup is working properly, try to ping R1 from R2. If pings are timing out then VLANs are successfully isolated.
&From R2 to R1:&
[admin@MikroTik] ip address& /ping 10.10.10.2
10.10.10.2 ping timeout
10.10.10.2 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss
If separate VLANs are implemented on a switch, then a router is required to provide communication between VLANs.
Switch works at OSI layer 2 so it uses only Ethernet header to forward and does not check IP header.
For this reason we must use the router that is working as a gateway for each VLAN. Without a router, a host is unable to communicate outside of its own VLAN.
Routing process between VLANs described above is called inter-VLAN communication.
To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three VLANs (VLAN2 and VLAN3, VLAN4) across a single link between a Mikrotik router and a manageable switch that supports VLAN trunking.
Each VLAN has its own separate subnet (broadcast domain) as we see in figure above:
VLAN 2 – 10.10.20.0/24;
VLAN 3 – 10.10.30.0/24;
VLAN 4 – 10.10.40.0./24.
VLAN configuration on most switches is straightforward, basically we need to define which ports are members of the VLANs and define a 'trunk' port that can carry tagged frames between the switch and the router.
"Configuration example on MikroTik router:"
"Create VLAN interfaces:"
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
"Add IP addresses to VLANs:"
/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4
In RouterOS, to create a point-to-point tunnel with addresses you have to use address with a network mask of '/32' that effectively brings you the same features as some vendors unnumbered IP address.
There are 2 routers RouterA and RouterB where each is part of networks 10.22.0.0/24 and 10.23.0.0/24 respectively and to connect these routers using VLANs as a carrier with the following configuration:
/ip address add address=10.22.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.22.0.1/32 interface=vlan1 network=10.23.0.1
/ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24
/ip address add address=10.23.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.23.0.1/32 interface=vlan1 network=10.22.0.1
/ip route add gateway=10.22.0.1 dst-address=10.22.0.0/24}
LOFTER for ipad —— 记录生活,发现同好
  被喜欢
  被喜欢
{list posts as post}
{if post.type==1 || post.type == 5}
{if !!post.title}${post.title|escape}{/if}
{if !!post.digest}${post.digest}{/if}
{if post.type==2}
{if post.type == 3}
{if !!post.image}
{if post.type == 4}
{if !!post.image}
{if !!photo.labels && photo.labels.length>0}
{var wrapwidth = photo.ow < 500?photo.ow:500}
{list photo.labels as labs}
{var lbtxtwidth = Math.floor(wrapwidth*(labs.ort==1?labs.x:(100-labs.x))/100)-62}
{if lbtxtwidth>12}
{if !!labs.icon}
{list photos as photo}
{if photo_index==0}{break}{/if}
品牌${make||'-'}
型号${model||'-'}
焦距${focalLength||'-'}
光圈${apertureValue||'-'}
快门速度${exposureTime||'-'}
ISO${isoSpeedRatings||'-'}
曝光补偿${exposureBiasValue||'-'}
镜头${lens||'-'}
{if data.msgRank == 1}{/if}
{if data.askSetting == 1}{/if}
{if defined('posts')&&posts.length>0}
{list posts as post}
{if post_index < 3}
{if post.type == 1 || post.type == 5}
{if !!post.title}${post.title|escape}{/if}
{if !!post.digest}${post.digest}{/if}
{if post.type == 2}
{if post.type == 3}
{if post.type == 4}
{if drlist.length>0}
更多相似达人:
{list drlist as dr}{if drlist.length === 3 && dr_index === 0}、{/if}{if drlist.length === 3 && dr_index === 1}、{/if}{if drlist.length === 2 && dr_index === 0}、{/if}{/list}
暂无相似达人,
{if defined('posts')&&posts.length>0}
{list posts as post}
{if post.type == 2}
{if post.type == 3}
{if post.type == 4}
this.p={ currentPage:1,pageNewMode:true,isgooglead3:false,ishotrecompost:false,visitorId:0, first:'',tag:'vlan',recommType:'new',recommenderRole:0,offset:20,type:0,isUserEditor:0,};请问这一段话是什么意思vlan qinq session-no 303 customer-port gei_4/19 uplink-port gei_4/21 in-vlan 178 untag helper-vlan 4094
虚拟局域网的QinQ会话没有303客户端口gei_4/19上行端口gei_4/21在- VLAN的178过渡时期援助团帮手- VLAN的4094
为您推荐:
扫描下载二维码抓包,端口镜像,monitor&session命令(转)
一、SPAN简介
SPAN技术主要是用来监控交换机上的数据流,大体分为两种类型,本地SPAN和远程SPAN.
—-Local Switched Port Analyzer (SPAN) and Remote SPAN
(RSPAN),实现方法上稍有不同。
利用SPAN技术我们可以把交换机上某些想要被监控端口(以下简称受控端口)的数据流COPY或MIRROR一份,发送给连接在监控端口上的流
量分析仪,比如CISCO的IDS或是装了SNIFFER工具的PC.
受控端口和监控端口可以在同一台交换机上(本地SPAN),也可以在不同的交换机上(远程SPAN)。
二、名词解释
SPAN Session——SPAN会话
SPAN会话是指一组受控端口与一个监控端口之间的数据流。可以同时对多个端口的进入流量或是一个端口的外出流量进行监控,也可以对VLAN内
所有端口的进入流量进行监控,但不能同时对多个端口的外出流量及VLAN的外出流量进行监控,可以对处于关闭状态的端口设置SPAN,但此时的SPAN会
话是非活动,但只要相关的接口被打开,SPAN就会变为活动的。
监控端口最好是&=受控端口的带宽,否则可能会出现丢包的情况。
SPAN Traffic——SPAN的流量
使用本地SPAN可以监控所有的网络流量,包括multicast、bridge protocol data unit
(BPDU),和CDP、VTP、DTP、STP、PagP、LACP packets. RSPAN不能监控二层协议。
Traffic Types——流量类型
被监控的流量类型分为三种,Receive (Rx) SPAN 受控端口的接收流量,Transmit (Tx) SPAN
受控端口的发送流量,Both 一个受控端口的接收和发送流量。
Source Port——SPAN会话的源端口(也就是monitored port-即受控端口)
受控端口可以是实际的物理端口、VLAN、以太通道端口组EtherChannel,物理端口可以在不同的VLAN中,受控端口如果是VLAN
则包括此VLAN中的所以物理端口,受控端口如果是以太通道则包括组成此以太通道组的所有物理端口,如果受控端口是一个TRUNK干道端口,则此
TRUNK端口上承载的所有VLAN流量都会受到监控,也可以使用filter vlan 参数进行调整,只对filter vlan
中指定的VLAN数据流量做监控。
Destination Port——SPAN会话的目的端口(也就是monitoring port-即监控端口)
监控端口只能是单独的一个实际物理端口,一个监控端口同时只能在一个SPAN会话中使用,监控端口不参与其它的二层协议如:
Layer 2 protocols
Cisco Discovery Protocol (CDP),
VLAN Trunk Protocol (VTP),
Dynamic Trunking Protocol (DTP),
Spanning Tree Protocol (STP),
Port Aggregation Protocol (PagP),
Link Aggregation Control Protocol (LACP)。
缺省情况下监控端口不会转发除SPAN
Session以外的任何其它的数据流,也可以通过设置ingress参数,打开监控端口的二层转发功能,比如当连接CISCO
IDS的时会有这种需求,此时IDS不仅要接收SPAN
Session的数据流,IDS本身在网络中还会与其它设备有通讯流量,所以要打开监控端口的二层转发功能.
Reflector Port——反射端口
反射端口只在RSPAN中使用,与RSPAN中的受控端口在同一台交换机上,是用来将本地的受控端口流量转发到RSPAN中在另一台交换机上的
远程监控端口的方法,反射端口也只能是一个实际的物理端口,它不属于任何VLAN(It is invisible to all
VLANs.)。
RSPAN中还要使用一个专用的VLAN来转发流量,反射端口会使用这个专用VLAN将数据流通过TRUNK端口发送给其它的交换机,远程交换
机再通过此专用VLAN将数据流发送到监控端口上的分析仪。
关于RSPAN VLAN的创建,所有参与RSPAN的交换机应在同一个VTP域中,不能用VLAN
1,也不能用,这是保留的(reserved for Token Ring and FDDI
VLANs),如果是2-1001的标准VLAN,则只要在VTP
Server上创建即可,其它的交换机会自动学到,如果是的扩展VLAN,则需要在所有交换机上创建此专用VLAN.
反射端口最好是&=受控端口的带宽,否则可能会出现丢包的情况。
VLAN-Based SPAN——基于VLAN的SPAN
基于VLAN的SPAN只能监控VLAN中所有活动端口接收的流量(only received (Rx)
traffic),如果监控端口属于此VLAN,则此端口不在监控范围内,VSPAN只监控进入交换机的流量,不对VLAN接口上的路由数据做监控。
(VSPAN only monitors traffic that enters the switch, not traffic
that is routed between VLANs. For example, if a VLAN is being
Rx-monitored and the multilayer switch routes traffic from another
VLAN to the monitored VLAN, that traffic is not monitored and is
not received on the SPAN destination port. )
三、SPAN和RSPAN与其它特性的互操作性
Routing——SPAN不监控VLAN间的路由数据;(不好理解)
Routing—Ingress SPAN does not monitor routed traffic. VSPAN only
monitors traffic that enters the switch, not traffic that is routed
between VLANs. For example, if a VLAN is being Rx-monitored and the
multilayer switch routes traffic from another VLAN to the monitored
VLAN, that traffic is not monitored and not received on the SPAN
destination port.
STP——监控端口和反射端口不会参与STP,但SPAN对受控端口的STP没有影响;
CDP——监控端口不参与CDP;
VTP——RSPAN VLAN可以被修剪pruning;
trunking——可以修改受控端口、监控端口和反射端口的VLAN和TRUNK设置,受控端口的改变会立即生效,而监控端口和反射端口则要在从
SPAN中去除后才会生效;
EtherChannel——整个以太通道组可以做为受控端口使用,如果一个属于某个以太通道组的物理端口被配成了受控端口、监控端口或反射端
口,则此端口会自动从以太通道组去除,当SPAN删除后,它又会自动加入原以太通道组;
QoS——由于受QoS的策略影响,监控端口上收到的数据流会与受控端口实际的数据流不同,比如DSCP值被修改等;
Multicast——SPAN可以监控组播的数据流;
Port security——安全端口不能做为监控端口使用;
802.1x——受控端口、监控端口和反射端口上可以设置802.1x,但有些限制。
四、SPAN和RSPAN的配置举例
SPAN的限制和缺省设置
Catalyst 3550交换机上最多只能设置两个SPAN
Session,缺省SPAN没有使用,如果做了设置,缺省情况下,第一个被设为受控端口的接口进出流量都会受到监控,以后再追加的受控端口只会对接收的
流量进行监控,监控端口的默认封装类型为Native,也就是没有打VLAN的标记.
1、Configuring SPAN——配置本地SPAN
Switch(config)# no monitor session 1 //先清除可能已经存在SPAN设置
Switch(config)# monitor session 1 source interface
fastethernet0/10//设定SPAN的受控端口
Switch(config)# monitor session 1 destination interface
fastethernet0/20 //设定SPAN的监控端口
Switch#sh mon
Type : Local Session
Source Ports : Both : Fa0/10 //注意此处是Both
Destination Ports : Fa0/20
Encapsulation : Native
Ingress: Disabled
Switch(config)# monitor session 1 source interface
fastethernet0/11 - 13 //添加SPAN的受控端口
Switch#sh mon
Type : Local Session
Source Ports : RX Only : Fa0/11-13 //注意此处是
RX OnlyBoth : Fa0/10 //注意此处还是Both
Destination Ports : Fa0/20
Encapsulation : Native
Ingress: Disabled
Switch(config)# monitor session 1 destination interface fa0/20
ingress vlan 5 //设定SPAN的监控端口并启用二层转发
Switch#sh mon
Type : Local Session
Source Ports :
RX Only : Fa0/11-13
Both : Fa0/10
Destination Ports : Fa0/20
Encapsulation : Native
Ingress: Enabled, default VLAN = 5 //允许正常的流量进入 Ingress
encapsulation: Native
2、Specifying VLANs to Filter
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 101 - 102 rx
Switch(config)# monitor session 2 destination interface
fastethernet0/30
Switch#sh mon ses 2
Type : Local Session
Source VLANs : RX Only : 101-102 //注意此处是RX Only
Destination Ports : Fa0/30
Encapsulation : Native
Ingress: Disabled
Switch(config)# monitor session 2 source vlan 201 - 202 rx
Switch#sh mo se 2
Type : Local Session
Source VLANs : RX Only : 101-102,201-202 //注意此处多了201-202
Destination Ports : Fa0/30
Encapsulation : Native
Ingress: Disabled
3、Configuring RSPAN——配置远程RSPAN
RSPAN的Session分成RSPAN Source Session和RSPAN Destination
Session两部分,所以相应的配置也要分别在Session的源和目的交换机上做。
3.1、首先要配置专用的RSPAN VLAN
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface
fastethernet0/48 rx
Switch(config)# monitor session 2 filter vlan 100 - 102
//指定受控的VLAN范围
Switch(config)# monitor session 2 destination interface
fastethernet0/30
Switch#sh mon ses 2
Type : Local Session
Source Ports : Both : Fa0/48
Destination Ports : Fa0/30
Encapsulation : Native
Ingress: Disabled
Filter VLANs : 100-102 //只监控VLAN100-102中的流量
3.2、配置RSPAN Source Session
Switch(config)# vlan 800
Switch(config-vlan)# remote-span
Switch(config-vlan)# end
sw1#sh vl id 800
VLAN Name Status Ports
---- --------------------------------
800 VLAN0800 active Fa0/47, Fa0/48
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1
---- ----- ---------- ----- ------
800 enet 0 - - - - - 0 0
Remote SPAN VLAN
----------------
Enabled //注意看此处的提示
Primary Secondary Type Ports
------- --------- -----------------
3.3、配置RSPAN Destination Session
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface
fastethernet0/10 - 13
Switch(config)# monitor session 1 source interface
fastethernet0/15 rx
Switch(config)# monitor session 1 destina remote vlan 800
reflector-port fa0/20
sw1#sh mo se 1
Type : Remote Source Session
Source Ports :
RX Only : Fa0/11-13,Fa0/15
Both : Fa0/10
Reflector Port : Fa0/20
Dest RSPAN VLAN : 800
(VLAN-Based
RSPAN)基于VLAN的RSPAN也和上面的方法类似,只不过受控的是整个VLAN.启用监控端口的二层转发以及Specifying
VLANs to Filter 的方法也和本地SPAN相同,此处不再举例。详见CISCO CD.
This example shows how to configure SPAN so that both the transmit
and receive
traffic from port 2/4 (the SPAN source) is mirrored on port 3/6
(the SPAN destination):
Console& (enable) set span 2/4 3/6
// Overwrote Port 3/6 to monitor transmit/receive traffic of Port
Incoming Packets disabled. Learning enabled.
Console& (enable) show span
Destination : Port 3/6
Admin Source : Port 2/4
Oper Source : None
Direction : transmit/receive
Incoming Packets: disabled
Learning : enabled
Filter : -
Status : active
———————————————-
Total local span sessions: 1
Console& (enable)
This example shows how to set VLAN 522 as the SPAN source and port
2/1 as the SPAN destination:
Console& (enable) set span 522 2/1
// Overwrote Port 2/1 to monitor transmit/receive traffic of VLAN
Incoming Packets disabled. Learning enabled.
Console& (enable) show span
Destination : Port 2/1
Admin Source : VLAN 522
你得在交换机上做一个端口镜像,让其它端口的数据都复制一份到你所接入的这个端口上来,用sniffer软件就可以了,但你所在的这个端口只能做管理接口使用,别的就什么都不能做了。命令:
SW-3L(config)#monitor session 1 source int f0/1 both
所要抓的包所在的端口
SW-3L(config)#monitor session 1 destination int f0/24
你的机器连接的端口
已投稿到:From MikroTik Wiki
Applies to RouterOS: v3, v4+
Sub-menu: /interface vlan
Standards:
Virtual Local Area Network (VLAN) is a Layer 2 method that allows multiple Virtual LANs on a single physical interface (ethernet, wireless, etc.), giving the ability to segregate LANs efficiently.
You can use MikroTik RouterOS (as well as Cisco IOS, Linux and other router systems) to mark these packets as well as to accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges.
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless interface in station mode bridged with any other interface.
The most commonly used protocol for Virtual LANs (VLANs) is IEEE 802.1Q. It is a standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into Ethernet header. (see Figure 12.1.)
Each VLAN is treated as a separate subnet. It means that by default, a host in a specific VLAN cannot communicate with a host that is a member of another VLAN, although they are connected in the same switch. So if you want inter-VLAN communication you need a router.
RouterOS supports up to 4095 VLAN interfaces, each with a unique VLAN ID, per interface. VLAN priorities may also be used and manipulated.
When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged to indicate which VLAN they belong to. A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between switches or between a switch and router.
Original 802.1Q allows only one vlan header, Q-in-Q on the other hand allows two or more vlan headers.
In RouterOS Q-in-Q can be configured by adding one vlan interface over another.
/interface vlan
add name=vlan1 vlan-id=11 interface=ether1
add name=vlan2 vlan-id=12 interface=vlan1
If any packet is sent over 'vlan2' interface, two vlan tags will be added to ethernet header - '11' and '12'.
Description
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled)
Address Resolution Protocol mode
interface (name; Default: )
Name of physical interface on top of which VLAN will work
l2mtu (integer; Default: )
Layer2 MTU. For VLANS this value is not configurable.
mtu (integer; Default: 1500)
Layer3 Maximum transmission unit
name (string; Default: )
Interface name
use-service-tag (yes | no; Default: )
802.1ad compatible Service Tag
vlan-id (integer: 4095; Default: 1)
Virtual LAN identifier or tag that is used to distinguish VLANs. Must be equal for all computers that belong to the same VLAN.
MTU should be set to 1500 bytes same as on Ethernet interfaces. But this may not work with some Ethernet cards that do not support receiving/transmitting of full size Ethernet packets with VLAN header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to be sent over interface. At the same time remember that MTU 1496 may cause problems if path MTU discovery is not working properly between source and destination.
VLANs on Mikrotik environment are also described here:
Port Based VLAN #1
Add necessary VLAN interfaces on ethernet interface to make it as a VLAN trunk port
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
add interface=ether2 name=eth2-vlan300 vlan-id=300
add interface=ether2 name=eth2-vlan400 vlan-id=400
Add bridges for each VLAN
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
Add VLAN interfaces to their corresponding bridges and ethernet interfaces where untagged traffic is necessary
/interface bridge port
add bridge=bridge-vlan200 interface=eth2-vlan200
add bridge=bridge-vlan200 interface=ether6
add bridge=bridge-vlan300 interface=eth2-vlan300
add bridge=bridge-vlan300 interface=ether7
add bridge=bridge-vlan400 interface=eth2-vlan400
add bridge=bridge-vlan400 interface=ether8
Port Based VLAN #2
Add necessary VLAN interfaces on ethernet interfaces to make them as VLAN trunk ports
/interface vlan
add interface=ether2 name=eth2-vlan200 vlan-id=200
add interface=ether2 name=eth2-vlan300 vlan-id=300
add interface=ether2 name=eth2-vlan400 vlan-id=400
add interface=ether6 name=eth6-vlan300 vlan-id=300
add interface=ether6 name=eth6-vlan400 vlan-id=400
add interface=ether7 name=eth7-vlan200 vlan-id=200
add interface=ether7 name=eth7-vlan400 vlan-id=400
add interface=ether8 name=eth8-vlan300 vlan-id=300
add interface=ether8 name=eth8-vlan400 vlan-id=400
Add bridges for each VLAN
/interface bridge
add name=bridge-vlan200
add name=bridge-vlan300
add name=bridge-vlan400
Add VLAN interfaces to their corresponding bridges and ethernet interfaces where untagged traffic is necessary
/interface bridge port
add bridge=bridge-vlan200 interface=eth2-vlan200
add bridge=bridge-vlan200 interface=eth7-vlan200
add bridge=bridge-vlan200 interface=eth8-vlan200
add bridge=bridge-vlan200 interface=ether6
add bridge=bridge-vlan300 interface=eth2-vlan300
add bridge=bridge-vlan300 interface=eth6-vlan300
add bridge=bridge-vlan300 interface=eth8-vlan300
add bridge=bridge-vlan300 interface=ether7
add bridge=bridge-vlan400 interface=eth2-vlan400
add bridge=bridge-vlan400 interface=eth6-vlan400
add bridge=bridge-vlan400 interface=eth7-vlan400
add bridge=bridge-vlan400 interface=ether8
Lets assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer device (if there is a hub between routers, then from L3 point of view it is the same as an Ethernet cable connection between them). For simplification assume that all routers are connected to the hub using ether1 interface and has assigned IP addresses as illustrated in figure below. Then on each of them the VLAN interface is created.
Configuration for R2 and R4 is shown below:
[admin@MikroTik] /interface vlan& add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan& print
Flags: X - disabled, R - running, S - slave
VLAN-ID INTERFACE
[admin@MikroTik] /interface vlan& add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
[admin@MikroTik] /interface vlan& print
Flags: X - disabled, R - running, S - slave
VLAN-ID INTERFACE
The next step is to assign IP addresses to the VLAN interfaces.
[admin@MikroTik] ip address& add address=10.10.10.3/24 interface=VLAN2
[admin@MikroTik] ip address& print
Flags: X - disabled, I - invalid, D - dynamic
10.0.1.4/24
10.0.1.255
10.20.0.1/24
10.20.0.255
10.10.10.3/24
10.10.10.0
10.10.10.255
[admin@MikroTik] ip address&
[admin@MikroTik] ip address& add address=10.10.10.5/24 interface=VLAN2
[admin@MikroTik] ip address& print
Flags: X - disabled, I - invalid, D - dynamic
10.0.1.5/24
10.0.1.255
10.30.0.1/24
10.30.0.255
10.10.10.5/24
10.10.10.0
10.10.10.255
[admin@MikroTik] ip address&
At this point it should be possible to ping router R4 from router R2 and vice versa:
&Ping from R2 to R4:&
[admin@MikroTik] ip address& /ping 10.10.10.5
10.10.10.5 64 byte ping: ttl=255 time=4 ms
10.10.10.5 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/2.5/4 ms
&From R4 to R2:&
[admin@MikroTik] ip address& /ping 10.10.10.3
10.10.10.3 64 byte ping: ttl=255 time=6 ms
10.10.10.3 64 byte ping: ttl=255 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/3.5/6 ms
To make sure if VLAN setup is working properly, try to ping R1 from R2. If pings are timing out then VLANs are successfully isolated.
&From R2 to R1:&
[admin@MikroTik] ip address& /ping 10.10.10.2
10.10.10.2 ping timeout
10.10.10.2 ping timeout
3 packets transmitted, 0 packets received, 100% packet loss
If separate VLANs are implemented on a switch, then a router is required to provide communication between VLANs.
Switch works at OSI layer 2 so it uses only Ethernet header to forward and does not check IP header.
For this reason we must use the router that is working as a gateway for each VLAN. Without a router, a host is unable to communicate outside of its own VLAN.
Routing process between VLANs described above is called inter-VLAN communication.
To illustrate inter-VLAN communication, we will create a trunk that will carry traffic from three VLANs (VLAN2 and VLAN3, VLAN4) across a single link between a Mikrotik router and a manageable switch that supports VLAN trunking.
Each VLAN has its own separate subnet (broadcast domain) as we see in figure above:
VLAN 2 – 10.10.20.0/24;
VLAN 3 – 10.10.30.0/24;
VLAN 4 – 10.10.40.0./24.
VLAN configuration on most switches is straightforward, basically we need to define which ports are members of the VLANs and define a 'trunk' port that can carry tagged frames between the switch and the router.
"Configuration example on MikroTik router:"
"Create VLAN interfaces:"
/interface vlan
add name=VLAN2 vlan-id=2 interface=ether1 disabled=no
add name=VLAN3 vlan-id=3 interface=ether1 disabled=no
add name=VLAN4 vlan-id=4 interface=ether1 disabled=no
"Add IP addresses to VLANs:"
/ip address
add address=10.10.20.1/24 interface=VLAN2
add address=10.10.30.1/24 interface=VLAN3
add address=10.10.40.1/24 interface=VLAN4
In RouterOS, to create a point-to-point tunnel with addresses you have to use address with a network mask of '/32' that effectively brings you the same features as some vendors unnumbered IP address.
There are 2 routers RouterA and RouterB where each is part of networks 10.22.0.0/24 and 10.23.0.0/24 respectively and to connect these routers using VLANs as a carrier with the following configuration:
/ip address add address=10.22.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.22.0.1/32 interface=vlan1 network=10.23.0.1
/ip route add gateway=10.23.0.1 dst-address=10.23.0.0/24
/ip address add address=10.23.0.1/24 interface=ether1
/interface vlan add interface=ether2 vlan-id=1 name=vlan1
/ip address add address=10.23.0.1/32 interface=vlan1 network=10.22.0.1
/ip route add gateway=10.22.0.1 dst-address=10.22.0.0/24}
我要回帖
更多推荐
- ·闲鱼确认收货后还能退款成功吗买家签收了不想要可以退款吗?
- ·怎么进微信5分钟挣500元红包群
- ·手机清理最好的软件有哪些自带软件?
- ·为什么在百度评论知道里无法看到回复?
- ·这个所有的男明星叫什么名字是谁?
- ·养生馆体验一般需要什么仪器、
- ·为什么我的2012qq好看分组分组不能显示韩语,视频的时候也无法语音
- ·某商场购进甲乙两家商场种服装后,都加价40%标价出售,春节期间商场搞优惠促销
- ·下面的句子换成现在的说法应该怎样说?出自五年级下册22课《猴王出世出自我国》
- ·氨硼烷臭氧是极性分子吗吗? 帮我解释下谢谢,回答的好的有加分
- ·一级机电注册电气工程师挂靠靠多少钱一年
- ·我国耕地有多少亿亩亩产量是多少
- ·atrp反应中能够用吡啶甲酸铬作为溶剂吗
- ·我要去北京高校看所有的高校大学、就一天、怎样合适
- ·在京东买电脑上新组了台电脑,点不亮,是怎么回事呢?
- ·怎么查看查看电脑网卡地址址?
- ·哪些手机视频格式有哪些是没有声音的?有吗?
- ·帮我配台功率在100w之内的电脑,最好是ddr3 1066的内存,配置不要求太高,价...
- ·求专家配置一台4000元台式电脑配置
- ·现在的大蜘蛛免费版安全空间还能更新吗?要中文版的噢,谢谢
- ·什么是VLAN-BASED port access vlanVLAN
- ·音视频解决方案pc厂商排名的排名。求,谢谢
- ·数字键输入法1打不出来,一直按住,拼音输入法就不停闪跳
- ·可充气仿真娃娃是什么约束设备感知与诊断模块SDM是什么意思
- ·怎样在郴州市农经网农经网免费建网站
- ·华硕EAH6770 华硕1g显卡报价怎么样
- ·rtf格式的文件不能换行!w7关机很慢怎么办办?还有这个w7的系统,word格式的文件打不开,也就是doc格式的文件打不开。
- ·我一不碰电脑过一个小时左右就断网指甲易断怎么回事事
- ·为什么360安全卫士不直接连接到360云安全3.0中心
- ·谁可以给个微微玩神仙道道的号我玩,哪个区都行。绝不改密码。谢谢。 QQ 190937991
- ·刚不小心想u盘格式化怎么恢复U盘,结果错按到了F盘。怎么恢复?有80G.
- ·三星i9220root教程完后,开不了机
- ·freegate教程...... gate 最新版呀,谢谢,.
- ·P4充不进电,而且笔记本一个按键坏了也坏了,机子是网上买的。
- ·HP负卡路里食物是干什么的?
- ·跪求佳域论坛前一万UID ! 跪求 !!!邮箱,百度文库财富值值就剩20了...
