CRS328 as a Layer 2 Switch UK MUM 2018

Similar documents
Switching, VLAN, QinQ in Ros 6.41 Onwards and their application to CRS 3.xx models. SOUMIL GUPTA BHAYA Mikortik Certified Trainer

MikroTik SwOS Basic VLAN Configuration

MikroTik SwOS Basic VLAN Configuration

Switch? Many ports. L2/Ethernet traffic VLAN. Wire-speed on MikroTik switches

Chapter 4 Configuring Switching

Plug and play solution for managing lan users with MikroTik RouterOS

Wireless and Wired Bridging using Vlan.

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

AT-S41 Version 1.1.7C Management Software for the AT-8326GB and AT-8350GB Series Fast Ethernet Switches. Software Release Notes

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

NCT240 IP DSLAM with IAC4500 VLAN Tagging Implementation

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

48-Port 10/100/1000BASE-T + 4-Port 100/1000BASE-X SFP Gigabit Managed Switch GS T4S

SWP-0208G, 8+2SFP. 8-Port Gigabit Web Smart Switch. User s Manual

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

MikroTik RouterOS Online Training Class Special Series 3

Intro To VLANS on the CRS Joshua Gray, Brian Vargyas Baltic Networks MUM 2016 CRS VLans

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Chapter 10: Review and Preparation for Troubleshooting Complex Enterprise Networks

Configuring Rapid PVST+

48-Port Gigabit Ethernet Smart Managed Plus Switch User Manual

Easy Setup of IP Based CAPsMAN with link failover & CAPs monitor

A redundant router for $79,90

Take your network Farther with Transition Networks. METRO-ETHERNET ETHERNET SOLUTION ETTx Service Aggregator Switch

Wireless Client Isolation. Overview. Bridge Mode Client Isolation. Configuration

Configuring Q-in-Q VLAN Tunnels

CCNA TECHNOLOGIES SERIES

DD2490 p Layer 2 networking. Olof Hagsand KTH CSC

Configuring Private Hosts

Figure 7-1 Unicast Static FDB window

Figure Untagged and 802.1Q-Tagged Ethernet frames

MIKROTIK ROUTEROS BURMESE VERSION ONLINE TRAINING CLASS CHAPTER 1

Understanding Load Balance and Policy Route. andrew zheng! edcwifi co limited

Product features. Applications

Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling

Configuring STP. Understanding Spanning-Tree Features CHAPTER

Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling

How to configure the IAC4500 Internet Access Controller for Billing by Volume Application with NCT480 IP DSLAM using port location mapping

Table of Contents 1 VLAN Configuration 1-1

2D1490 p Bridging, spanning tree and related issues. Olof Hagsand KTHNOC/NADA

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev.

Building Cisco Multilayer Switched Networks (BCMSN)

MIKROTIK ROUTEROS LAB WITH VIRTUALIZATION TECHNOLOGIES YANGON, MYANMAR

User Handbook. Switch Series. Default Login Details. Version 1.0 Edition

Configuring Rapid PVST+ Using NX-OS

RouterOs L2 filtering

VLAN - SP6510P8 2013/4. Copyright 2011 Micronet Communications, INC

User Guide TL-R470T+/TL-R480T REV9.0.2

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

Huawei Technologies engaged Miercom to evaluate the S2700-EI

VLANs Level 3 Unit 9 Computer Networks

DD2490 p Bridging, spanning tree and related issues. Olof Hagsand KTH/CSC

CCNP SWITCH (22 Hours)

24-Port Fast + 2-Port Giga Intelligent Ethernet Switch SG9224B WEB USER GUIDE. Date: 02, Standard Version. Version: 1.02

Configuring IEEE 802.1Q Tunneling

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

EstiNet L2/SDN Switch Web User Interface USER GUIDE

Features and usage examples of wap device

User Manual ES-5808PHG. Gigabit 8-Port 802.3at PoE Web Smart Switch

Trademarks. Statement of Conditions by NETGEAR, Inc. All rights reserved.

GS-5424G User Manual

Communication Redundancy User s Manual

SPANNING TREE PROTOCOL GUIDE FOR ARAKNIS NETWORKS EQUIPMENT

Configuring BPDU tunneling

VLANs. LAN Switching and Wireless Chapter 3. Version Cisco Systems, Inc. All rights reserved. Cisco Public 1

Real4Test. Real IT Certification Exam Study materials/braindumps

The features and functions of the D-Link Web Smart Switch can be configured for optimum use through the Web-based Management Utility.

Cloud Core in the PRAXIS Application. MikroTik Support Team at RF elements s.r.o. Martin Krug MUM 2014

Configuring STP and RSTP

Sections Describing Standard Software Features

For further information, please contact. DKT A/S Fanoevej 6 DK-4060 Kirke Saaby

: Building Cisco Multilayer Switched Networks

ITDumpsKR. IT 인증시험한방에패스시키는최신버전시험대비덤프

ASIT-33018PFM. 18-Port Full Gigabit Managed PoE Switch (ASIT-33018PFM) 18-Port Full Gigabit Managed PoE Switch.

Finding Feature Information, page 2 Information About DHCP Snooping, page 2 Information About the DHCPv6 Relay Agent, page 8

Top-Down Network Design

Network+ Guide to Networks 7 th Edition

8-Port Gigabit Ethernet Smart Managed Plus Switch with 2-Port 10G/Multi-Gig Uplinks User Manual

Monitoring the Internet Connections of WAN Links with Only Routing Configuration

Configuring Rapid PVST+

ProSAFE Easy-Mount 8-Port Gigabit Ethernet PoE+ Web Managed Switch

CCNP Switch Questions/Answers Securing Campus Infrastructure

Configuring Cisco IP Phone Support

CUDN PoP Switch Changes 2018

Number: Passing Score: 800 Time Limit: 120 min File Version: 9.0. Cisco Questions & Answers

Sections Describing Standard Software Features

The following steps should be used when configuring a VLAN on the EdgeXOS platform:

Configuring IP Addressing

DHCP Configuration. Page 1 of 14

Subjects, overview. DKT A/S Fanoevej 6 DK-4060 Kirke Saaby

Routeros Firewall Mikrotik

Configuring Wireless Multicast

Understanding and Configuring Switching Database Manager on Catalyst 3750 Series Switches

FastPath Overview MUM Eu rope, 2016

Ethernet Virtual Connections Configuration

MikroTik lifehacking. Daniel Starnowski

References: tates-roles.html

The features and functions of the D-Link Smart Managed Switch can be configured through the web-based management interface.

CTS2134 Introduction to Networking. Module : Troubleshooting

Transcription:

CRS328 as a Layer 2 Switch UK MUM 2018 Oct 2018 Jono Thompson BirchenallHowden Ltd

Jono Thompson Networking background started as a Cisco Engineer Started using ROS June 2010 MikroTik Consultant Since Dec 2014 MikroTik Trainer since March 2017 MTCNA MTCRE MTCWE MTCTCE MTCINE 2

Established in 2006 29 staff BirchenallHowden Ltd Based in Sheffield, UK and working throughout the UK and Europe Currently providing IT support for over 75 companies and 2800 users Currently have 2 MikroTik consultants 3

BirchenallHowden Ltd Services Provided Wired and wireless network design and installation, Desktop and server installation, support and maintenance ISP Services, leased lines, connectivity Telephony Wireless installs MikroTik Consultancy MikroTik Training Visit www.birchenallhowden.co.uk 4

Presentation Objectives Since 6.41 there has been some major changes to the Bridge Look at some of new features on the CRS3xx Series VLAN configuration on the CRS3xxx Switch Common Layer 2 misconfigurations Some of the other new features since 6.41 in bridge and on CRS3xx switch 5

Switch vs Router - which is most powerful? CCR1072-1G-8S+ CRS317-1G-16S+RM 72 Core 1GHz Tile chipset 16GB Ram 2 Core 800MHz Arm Chipset 1GB RAM RRP $3050 RRP $399 Layer 2 Throughput 79,000 Mbps Layer 3 Throughput 79,000 Mbps Layer 2 Throughput 159,000 Mbps Layer3 Throughput 3,000 Mbps CCR1072 test results 1518byte packet Bridging no filters with fastpath - https://mikrotik.com/product/ccr1072-1g-8splus#fndtn-testresults CRS317 test results 1518byte packet switching non blocking layer2 throughput - https://mikrotik.com/product/crs317_1g_16s_rm#fndtn-testresults 6

Switch vs Router - which is most powerful? CCR1072-1G-8S+ CRS317-1G-16S+RM Depends on what you going to use it for! CRS has almost double the throughput at Layer2 CRS is just over 10% of the cost Choose the correct unit for the correct job! 7

New Bridge Configuration 8

Bridge If you have started using stable versions and are not just using long-term versions you will have seen Since 6.41 there has been some changes to the bridge and switch configuration No master/slave configuration on interface to pass packets through switch chip and not the CPU 9

Interfaces Pre 6.41 10

Interfaces 6.41 Onwards 11

Bridge hardware offloading Adding ports to the bridge will now automatically (if supported and enabled) use switch 12

Bridge VLAN Filtering Since 6.41 bridge VLAN filtering has been supported This simplifies the VLAN setup on ROS This makes bridge operation more like a traditional Ethernet switch CRS326 makes an ideal LAN switch TIP: Create all VLANs before enabling VLAN filtering to prevent loosing access to the router during configuration! 13

Bridge HW offloading Since ROS 6.41 Bridges handle all Layer2 forwarding and the use of the switch chip HW offloading is turned on if appropriate conditions are met Enabling some bridge features disables hw offloading eg:- Spanning Tree Rapid Spanning Tree Multiple Spanning Tree IGMP Snooping DHCP Snooping VLAN Filtering Bonding 14

Bridge HW offloading Depending on the model or the switch chip, different features will disable bridge HW offloading Model STP/RSTP MSTP DHCP Snooping VLAN Filtering Bonding CRS3xx CRS1xx/2xx Switch Chip STP/RSTP MSTP DHCP Snooping VLAN Filtering Bonding QCA8337 AR8327 AR8227 AR8316 AR7240 RTL8367 ICPlus175D Complete list https://wiki.mikrotik.com/wiki/manual:switch_chip_features#bridge_hardware_offloading 15

Bridge VLAN Setup 16

Bridge VLAN Setup For this configuration as we are unable to alter the phone configs we will need a mixture of Trunk Ports for link to other switches and router Port 1 Link to router Port 2 Link to next switch Access ports for the servers, PCs and phones Ports 3-6 PCs and Phones Port 7 Untagged in VLAN11 for a server Port 8 Untagged in VLAN201 for public device 17

VLAN Configuration Create a bridge 18

VLAN Configuration Add all Switch Ports to the Bridge Default is hardware offloaded 19

VLAN Configuration Configure VLANs on bridge and assign ports to them For this example we have these VLANs VLAN 11 Data VLAN 101 Phones VLAN 201 Public We going to Start with the Trunk Ports 1 & 2 20

VLAN Configuration Create VLANs and add ether1 and ether2 as tagged 21

VLAN Configuration TIP Add extra columns to WinBox! This will make it easier to see the config 22

VLAN Configuration Now you can see both the configured and current settings Current column populated when devices connected up 23

Untagged Ports Next we will configure ports 3-6 These ports are for PCs and Phones PCs need to be in VLAN 11 and Phones in VLAN101. We will use a MAC based VLAN rule to put the phones in VLAN 101 24

MAC based VLAN We can use switch rules to create a MAC based VLAN. We will use this for our phones. We can use a MAC address mask to catch all phones with the same OUI based MAC We will set up these ports so we can also use the PC port in the phone without reconfiguring the phones. 25

MAC based VLAN Create a Switch ACL rule to change VID based on MAC address 26

Untagged Ports We will now create some Untagged ports for our PCs and phones 27

Untagged Ports Set the Ports to Add PVID to untagged traffic to put PC in data VLAN. Phones will be tagged in phone VLAN using the switch rule 28

Untagged Ports Next we will configure Port 7 as a Data VLAN port and set the PVID on port 7 29

Untagged Ports And Port8 untagged in VLAN201 and PVID on port 8 30

Management Interface We need an IP Address on the switch so we can manage it For this example we will manage the switch from the Data VLAN (VLAN 11) 31

Management Interface Create a VLAN interface on the bridge interface 32

Management Interface Add bridge as a Tagged Port on the VLAN11 IMPORTANT Add an IP Address to the VLAN interface 33

Enable VLAN filtering Now we have finished the VLAN setup we can Enable VLAN Filtering We can also enable Ingress Filtering. This will only allow VLANs we have configured into the bridge 34

Ingress Filtering Checks Ingress Port and VLAN ID in bridge VLAN table. Specify what frames types to permit Admit all (default) Admit only untagged and priority tagged Admit only VLAN tagged 35

Layer 2 Misconfigurations 38

Layer 2 Misconfigurations Here are a few common incorrect Layer 2 configurations and then the correct way to do it. The following slides show the INCORRECT setup follow by the correct setup Do not follow the incorrect setup! 39

Scenario:- Layer 2 Misconfigurations Multiple Bridges You are using a CRS3xx series switch You need to isolate certain ports from each other. You decide to create 2 bridges. As each bridge is a separate Layer 2 domain you have isolated the ports from each other Symptoms You start to use your switch and notice that one set of ports work at wire speed and give full throughput. However the other set of ports do not. 40

What has happened? Layer 2 Misconfigurations Multiple Bridges You test further and notice that the CPU is very high when traffic flows slowly though one of the bridges. You look at your configuration See how the H flag is not set for ports in bridge1 41

Layer 2 Misconfigurations Multiple Bridges Only some devices support more than 1 hardware offloaded bridge CRS1xx\2xx series switch support up to 7 bridges using hardware offloading Consider reconfiguration of your network to use VLANs and VLAN filtering and port isolation. 42

Scenario Layer 2 Misconfigurations VLAN on slave interface You want a DHCP server to give out IP addresses only to a certain tagged port 44

Problem Layer 2 Misconfigurations VLAN on slave interface VLAN interface will never capture any traffic at all since it is immediately forwarded to the master interface before any packet processing is done. Symptoms DHCP Client / Server not working properly Device unreachable 45

Solution Layer 2 Misconfigurations VLAN on slave interface Change the VLAN to the bridge 46

Layer 2 Misconfigurations VLAN in a Bridge with Physical Interface Scenario You want to send tagged traffic out of a physical port 47

Problem Layer 2 Misconfigurations VLAN in a Bridge with Physical Interface This will work in most cases It will cause problems if also using STP/RSTP with other vendor s switches because BPDUs are tagged Not all switches can understand tagged BPDUs Symptoms Port blocking by RSTP Port flapping Network loops 48

Solution Layer 2 Misconfigurations VLAN in a Bridge with Physical Interface Use VLAN filtering as we have just looked at 49

Scenario Layer 2 Misconfigurations Bridged VLANs You are using VLANs to isolate Layer 2 domains connected to your switch You create VLAN interfaces on each physical interface 50

Scenario (cont..) Layer 2 Misconfigurations Bridged VLANs Put VLAN interface into a separate bridge for each VLAN 51

Problem Layer 2 Misconfigurations Bridged VLANs You notice parts of the network are unreachable You notice links keep flapping. This is due to sending out tagged BPDU packets Symptoms Port blocking by (R)STP Port flapping Network inaccessible 52

Layer 2 Misconfigurations VLAN in a bridge with Physical interface Solution a) Easiest solution is to disable (R)STP on the bridge Or Even still use recommend to rewrite your config and b) Use VLAN filtering as we have just looked at 53

New Features in 6.43 55

DHCP Snooping Since 6.43rc56, bridge supports DHCP Snooping DHCP Snooping is a Layer 2 Security feature This limits the ports on which DHCP Offer packets are received 56

Rogue DHCP Server Rogue DHCP Server could provide legitimate clients with bogus TCP/IP Information This could prevent them communicating on the network as their address is incorrect This could change their gateway address to a rogue gateway They could obtain rogue DNS server settings 57

DHCP Server Spoofing 192.168.0.1 DISCOVER DISCOVER DHCP Server DNS Server 192.168.0.10 1. Client sends DHCP DISCOVERY broadcast packet. Because it is a broadcast packet, switch sends it out of every switch port. 58

DHCP Server Spoofing 192.168.0.1 DISCOVER DISCOVER OFFER OFFER IP = 192.168.0.100 GW = 192.168.0.1 DNS = 192.168.0.10 DHCP Server DNS Server 192.168.0.10 1. Client sends DHCP DISCOVERY broadcast packet. Because it is a broadcast packet, switch sends it out of every switch port. 2. Server sends a DHCP Reply. 59

DHCP Server Spoofing 192.168.0.1 DISCOVER DISCOVER OFFER OFFER IP = 10.0.0.100 GW = 10.0.0.1 DNS = 10.0.0.1 OFFER DISCOVER DHCP Server DNS Server 192.168.0.10 1. Client sends DHCP DISCOVERY broadcast packet. Because it is a broadcast packet, switch sends it out of every switch port. 2. Server sends a DHCP Reply. 3. Fake DHCP server can also receive the DHCP DISCOVERY packet and send a DHCP Reply. 4. Attacker could give out incorrect IP addresses. 60

DHCP Server Spoofing 192.168.0.1 5.6.7.8 1.2.3.4 DISCOVER DISCOVER OFFER OFFER IP 192.168.0.100 GW 192.168.0.1 DNS 192.168.0.200 OFFER DISCOVER DNS Server 192.168.0.200 HSBC.COM = 5.6.7.8 DHCP Server DNS Server 192.168.0.10 HSBC.COM = 1.2.3.4 1. Client sends DHCP DISCOVERY broadcast packet. Because it is a broadcast packet, switch sends it out of every switch port. 2. Server sends a DHCP Reply. 3. Fake DHCP server can also receive the DHCP DISCOVERY packet and send a DHCP Reply. 4. Attacker could give out incorrect IP addresses. 5. Attacker could give out incorrect DNS Server. 61

DHCP Snooping HW offloading Depending on the model or the switch chip, using DHCP Snooping will disable bridge HW offloading RouterBOARD model CRS3xx series CRS1xx/CRS2xx series Switch Chip model QCA8337 AR8327 AR8227 AR8316 AR7240 RTL8367 ICPlus175D HW offloading https://wiki.mikrotik.com/wiki/manual:switch_chip_features#bridge_hardware_offloading 62

Bridge DHCP Snooping Create Trusted Port for port(s) which you want to allow DHCP ACK messages on This is normally ports with DHCP server connected and ports with other switches on. In this setup its Ether1 and Ether2 64

Once ports are configured Bridge DHCP Snooping Turn on DHCP Snooping on the bridge 65

Thank you for Listening 66

References Visio Templates Mikrotik Forum user FernandoSuperGG https://forum.mikrotik.com/viewtopic.php?f=2&t=120957 MikroTik Manual https://wiki.mikrotik.com/wiki/manual:crs_router#crs3xx_series_switches https://wiki.mikrotik.com/wiki/manual:crs3xx_series_switches https://wiki.mikrotik.com/wiki/manual:layer2_misconfiguration https://wiki.mikrotik.com/wiki/manual:interface/bridge https://wiki.mikrotik.com/wiki/manual:switch_chip_features#bridge_hardware_offloading 67

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback