(ML-001) How to properly manage multiple public or private IPs on the edge router
$8,99
VLAN Interconnection: Routing between virtual networks
- Mauro Escalante
- No comments
- Share this article
Facebook
Twitter
LinkedIn
WhatsApp
Telegram
VLAN interconnection refers to the process of establishing communication between different virtual networks (VLANs) in a network infrastructure. VLANs are logical segments of a physical network that allow administrators to divide the network into smaller logical groups to improve network security, management, and performance.
When separate VLANs are created, by default, they cannot communicate directly with each other. However, in many situations, it is necessary to allow communication between different VLANs to share resources or allow users to access specific services on other virtual networks. This is where the routing between VLANs.
Inter-VLAN routing allows traffic to move between different VLANs by using a routing device or layer 3 switch that has routing capability. These devices act as bridges between VLANs and allow them to communicate with each other.
Ways to implement routing
The main ways to implement routing between VLANs are:
1. Routing with an external router
In this configuration, each VLAN is connected to its own interface on the router. When a data packet needs to be sent from one VLAN to another, it is sent to the router, which then forwards it to the destination VLAN. This technique is simple and effective, but can be inefficient if there are many VLANs, since it requires a separate interface for each.
2. Routing at Layer 3 Switching
In this configuration, routing is performed within the switch, which can understand and manipulate packets at the network level. This type of switch has multiple virtual Layer 3 interfaces, one for each VLAN, allowing you to route between them. This technique is more efficient than routing with an external router, but requires more sophisticated and expensive hardware.
3. Routing with a trunk (Router-on-a-stick)
In this configuration, a single physical interface on a router is used to handle traffic from multiple VLANs. VLANs are differentiated using VLAN (802.1Q) tags on data packets. This technique is more efficient than routing with an external router in terms of interface usage, but may be limited by the amount of bandwidth available on the trunk interface.
Essential steps
When configuring routing between VLANs, several steps must be performed:
1. VLAN configuration
First, individual VLANs are created on the switches or network devices. Each VLAN is configured with a unique ID and specific ports are assigned to each VLAN.
2. Configuration of routing interfaces
On the routing device or Layer 3 switch, the interfaces that will connect to each VLAN must be configured. These interfaces are configured with IP addresses belonging to the subnets of each VLAN.
3. Routing table configuration
Static routes are configured or a dynamic routing protocol is used to allow the routing device to know how to reach the subnets of each VLAN.
4. Establishment of access policies
Access control lists (ACLs) can be applied to control what traffic is allowed or blocked between VLANs. This provides an additional layer of security and control.
Once these steps are completed, the VLANs will be interconnected and will be able to communicate with each other through the routing device or layer 3 switch. The routing device will examine the destination information of the packets and route them to the corresponding destination VLAN.
It is important to note that routing between VLANs can have an impact on network performance as it involves additional packet processing and can generate additional traffic on the network.
Therefore, it is important to carefully design the routing configuration and consider the available bandwidth and resources to ensure optimal network performance.
Layer 3 Routers or Switches
The choice between using a router or a Layer 3 switch for routing between VLANs will depend on several factors, including the size of the network, the volume of traffic, available resources, and the specific needs of the organization.
Here are some considerations that can help you make a decision:
1 performance
Layer 3 switches are typically faster than routers for routing, since the switch hardware is designed to handle high-speed packet routing. This can be especially important on networks with a large amount of inter-VLAN traffic.
2. Cost
Layer 3 switches are typically more expensive than routers due to their specialized hardware. Therefore, if budget is an important consideration, a router may be a more cost-effective option.
3. Scalability
If the network is intended to grow in size and complexity, a Layer 3 switch may be a more scalable option. Layer 3 switches can handle large numbers of VLANs and provide inter-VLAN routing without the need for additional physical interfaces as required by a router.
4. Advanced features
Routers typically offer a wider range of advanced features compared to Layer 3 switches. These may include support for a wider range of routing protocols, firewall capabilities, VPNs, and other security features.
5. Ease of configuration and management
Layer 3 switches are typically easier to configure and manage for inter-VLAN routing compared to routers. This is because you can configure multiple VLAN interfaces on a single device instead of having to manage multiple physical interfaces on a router.
In summary, choosing between a router and a Layer 3 switch for inter-VLAN routing will depend on the specific needs of your network. Both options have advantages and disadvantages, and the best option will vary from situation to situation.
Routers versus Layer 3 Switches
Below, we present a comparative table that highlights some of the advantages offered by both routers as layer 3 switches for routing between VLANs in a network:
| Router | Layer 3 Switch | |
|---|---|---|
| Performance | Typically slower routing speeds compared to Layer 3 switches | High performance, capable of high speed routing |
| Cost | Generally cheaper | Generally more expensive due to specialized hardware |
| Scalability | May be limited by the number of physical interfaces available | Very scalable, can handle a large number of VLANs |
| Advanced features | Support for a wide range of routing protocols, firewall, VPN, among others | Primarily limited to routing, although some models may include advanced features |
| Configuration and management | Can be more complicated due to the need to manage multiple physical interfaces | Easier configuration and management due to virtual VLAN interfaces |
Implementing VLAN routing in RouterOS
The following is an example of how you could configure inter-VLAN routing on a MikroTik router. This assumes that you already have two VLANs configured (VLAN 10 and VLAN 20) on port ether2, and you want to configure routing between them.
This is a simple example and you may need to adjust the commands to fit the specific needs of your network.
First, we will need to assign IP addresses to each of the VLANs. These addresses will act as the default gateway for each VLAN. Suppose we will use 192.168.10.1/24 for VLAN 10 and 192.168.20.1/24 for VLAN 20:
/ip address add address=192.168.10.1/24 interface=ether2.10
/ip address add address=192.168.20.1/24 interface=ether2.20
2. Next, we will enable routing between the VLANs. MikroTik does this automatically through its layer 3 routing capability:
/ip route add dst-address=192.168.10.0/24 gateway=192.168.10.1
/ip route add dst-address=192.168.20.0/24 gateway=192.168.20.1
3. Finally, if you want the VLANs to also be able to access the Internet, you will need to configure a default route through your Internet gateway. Let's say your Internet gateway is 192.168.1.1:
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1
Adding firewall rules to control traffic between VLANs on a MikroTik router can help improve network security. Here's an example of how you could do this.
Suppose you want to block all traffic from VLAN 10 to VLAN 20, but allow traffic in the opposite direction. First, you will need to identify the networks corresponding to your VLANs (for example, 192.168.10.0/24 for VLAN 10 and 192.168.20.0/24 for VLAN 20), then you can use the following commands:
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=accept
These commands will create two firewall rules:
- The first rule will block all traffic from VLAN 10 to VLAN 20 (that is, all packets originating from the 192.168.10.0/24 network and destined for the 192.168.20.0/24 network will be dropped).
- The second rule will allow traffic from VLAN 20 to VLAN 10 (that is, all packets originating from the 192.168.20.0/24 network and destined for the 192.168.10.0/24 network will be accepted).
This is a very basic example. Firewall rules can be much more complex and specific depending on your security needs. For example, you might want to block or allow only certain types of traffic (e.g. HTTP, SSH, etc.), or you might want to block or allow traffic to/from certain specific IP addresses.
Brief knowledge quiz
What do you think of this article?
Do you dare to evaluate your learned knowledge?
Related Posts
Related Posts
Microlabs
Other topics that may interest you
Ways to Assign IPv6 Addressing (Part 2)
March 25th, 2024
WireGuard on MikroTik RouterOS: A Secure and Efficient VPN Solution
March 13th, 2024
Ways to Assign IPv6 Addressing (Part 1)
March 11th, 2024
Do you want to suggest a topic?
Every week we post new content. Do you want us to talk about something specific?
Upcoming online courses
MTCINE OnLine
$187,00
MTCNA Online
$187,00
MTCRE Online
$187,00
Pack 4 MikroTik RouterOS books
$68,47
