미크로틱 라우터와 스위치를 활용한 VLAN구성.., 제대로 됐는지 확인 부탁드려도 될까요?


아래에도 VLAN 구성관련 문의를 드렸었는데요,

박건님께서 상세한 가이드를 해주셔서 이해에 많은 도움이 되었습니다. 다시한번 감사의 말씀을 드립니다.


이전 문의와 이어진 내용입니다만,

다음 그림과 같이 포트단위 VLAN을 구성하려고 합니다.

건물과 기능이 분산되어 있는 환경에서, VLAN을 구성하여 기능별 동일네트웍으로 이용하려는 목적입니다.


미크로틱 매뉴얼, 2CPU 사이트자료, 유튜브자료 그리고 가이드해주신 내용을 바탕으로 라우터와 스위치의 Configuration을 짜보았습니다.

빠진 부분은 없는지, 수정할 부분은 없는지 봐주시면 감사하겠습니다.


<라우터 CCR1009 Configuration>

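# MikroTik CCR1009 router: one VLAN-aware bridge (bridge-VLAN) carrying
# VLAN 10/20 (user) and VLAN 99 (management), plus a plain bridge
# (bridge-common) for ether6/ether7. ether1 is the WAN uplink (DHCP client).
# The only change from the posted export is the forward rule's
# src-address-list (UserNetwork -> Shindoch-VLAN), as agreed in the thread;
# continuation lines are joined and review notes are added as comments.
/interface bridge
add name="bridge-common"
# vlan-filtering=yes makes the /interface bridge vlan table below authoritative.
add name=bridge-VLAN vlan-filtering=yes
#
/interface vlan
# Layer-3 interfaces for each VLAN hang off the bridge itself; bridge-VLAN is
# therefore listed as a tagged member of every VLAN further down.
add interface=bridge-VLAN name="VLAN-10" vlan-id=10
add interface=bridge-VLAN name="VLAN-20" vlan-id=20
add interface=bridge-VLAN name="VLAN-99" vlan-id=99
#
/interface wireless security-profiles
# Default export line; presumably inert here, no wireless interface is configured.
set [ find default=yes ] supplicant-identity=MikroTik
#
/ip pool
add name=dhcp_pool0 ranges=192.168.110.2-192.168.110.254
add name=dhcp_pool1 ranges=192.168.120.2-192.168.120.254
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.254
#
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="VLAN-10" name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface="VLAN-20" name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="bridge-common" name=dhcp3
#
/interface bridge port
# Trunk ports (no pvid given, so the default pvid=1 applies).
# NOTE(review): untagged frames arriving on a trunk are assigned to VLAN 1,
# which nothing here intends to carry. Consider
# frame-types=admit-only-vlan-tagged ingress-filtering=yes on the four trunk
# ports so a downstream device cannot inject untagged traffic.
add bridge=bridge-VLAN interface=sfp-sfpplus1
add bridge=bridge-VLAN interface=combo1
add bridge=bridge-VLAN interface=ether2
add bridge=bridge-VLAN interface=ether3
# Access ports for VLAN 10.
add bridge=bridge-VLAN interface=ether4 pvid=10
add bridge=bridge-VLAN interface=ether5 pvid=10
# Plain (non-VLAN) LAN ports.
add bridge="bridge-common" interface=ether6
add bridge="bridge-common" interface=ether7
#
/interface bridge vlan
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,bridge-VLAN untagged=ether4,ether5 vlan-ids=10
# NOTE(review): ether4/ether5 are also tagged members of VLAN 20 and 99, so a
# host on those access ports can join the management VLAN at layer 2 simply
# by tagging its own frames, bypassing the forward-chain block below. If they
# are meant to be pure VLAN 10 access ports (as on the CRS326 switches), drop
# ether4,ether5 from the two tagged lists that follow.
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,ether4,ether5,bridge-VLAN vlan-ids=20
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,ether4,ether5,bridge-VLAN vlan-ids=99
#
/ip address
add address=192.168.110.1/24 interface="VLAN-10" network=192.168.110.0
add address=192.168.120.1/24 interface="VLAN-20" network=192.168.120.0
# Management network; the two CRS326 switches sit at .2 and .3.
add address=192.168.199.1/24 interface="VLAN-99" network=192.168.199.0
add address=192.168.100.1/24 interface="bridge-common" network=192.168.100.0
#
/ip dhcp-client
# WAN uplink.
add disabled=no interface=ether1
#
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
# NOTE(review): no dns-server is handed out for the VLAN 10/20 networks,
# unlike 192.168.100.0/24 above; confirm clients there obtain DNS somehow.
add address=192.168.110.0/24 gateway=192.168.110.1
add address=192.168.120.0/24 gateway=192.168.120.1
#
/ip firewall address-list
# User networks that must not reach the management VLAN.
# NOTE(review): 192.168.100.0/24 (bridge-common, ether6/ether7) is not
# listed, so hosts there are NOT blocked from 192.168.199.0/24 by the
# forward rule below; add it here if those are user devices too.
add address=192.168.110.0/24 list=Shindoch-VLAN
add address=192.168.120.0/24 list=Shindoch-VLAN
#
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid packet" connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
# NOTE(review): this accepts Winbox (tcp/8291) on the WAN from ANY source.
# Prefer reaching Winbox over the management VLAN only; if remote access is
# really needed, restrict it with src-address-list= to known addresses.
# Because this accept comes first in the input chain, a later
# "drop chain=input" rule does not close it.
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
# Fixed: the export referenced src-address-list=UserNetwork, a list that is
# never defined, so this rule matched nothing. It now uses Shindoch-VLAN.
# The forward chain has no final drop, so routing between VLAN 10, VLAN 20
# and bridge-common is otherwise unrestricted.
add action=drop chain=forward comment="Block User Traffic to Management Vlan" dst-address=192.168.199.0/24 src-address-list=Shindoch-VLAN
#
/ip firewall nat
# NOTE(review): no out-interface is given, so inter-VLAN traffic is
# masqueraded too and the NAS sees the router's address instead of the
# client's; out-interface=ether1 limits NAT to the WAN (check first whether
# hairpin access to the NAS via the public address relies on this).
add action=masquerade chain=srcnat
# NOTE(review): dst-address=190.10.0.2 is presumably the WAN address; since
# ether1 is a DHCP client this rule silently stops matching if that address
# changes. The forwarded connection is then evaluated in the forward chain,
# not in input.
add action=dst-nat chain=dstnat comment="Link to Media Server (NAS)" dst-address=190.10.0.2 dst-port=80 protocol=tcp to-addresses=192.168.110.200 to-ports=3927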


<스위치 CRS-326-1 Configuration>

# CRS326 switch #1: one VLAN-aware bridge. ether2-16 are VLAN 10 access ports,
# ether17-24 are VLAN 20 access ports, ether1/sfp-sfpplus1/sfp-sfpplus2 are
# trunks. The switch is managed only via VLAN 99 (192.168.199.2).
/interface bridge

# Staging variant kept commented out: enabling vlan-filtering before the VLAN
# table and management interface below exist can cut off access to a switch
# that is reachable only through VLAN 99 - presumably why it is here.
#add name=bridge-CRS326-1 vlan-filtering=no

add name=bridge-CRS326-1 vlan-filtering=yes

#

/interface vlan

# Management interface on the bridge itself (bridge is tagged in VLAN 99 below).
add interface=bridge-CRS326-1 name="VLAN-99" vlan-id=99

#

/interface bridge port

# VLAN 10 access ports.
add bridge=bridge-CRS326-1 interface=ether2 pvid=10

add bridge=bridge-CRS326-1 interface=ether3 pvid=10

add bridge=bridge-CRS326-1 interface=ether4 pvid=10

add bridge=bridge-CRS326-1 interface=ether5 pvid=10

add bridge=bridge-CRS326-1 interface=ether6 pvid=10

add bridge=bridge-CRS326-1 interface=ether7 pvid=10

add bridge=bridge-CRS326-1 interface=ether8 pvid=10

add bridge=bridge-CRS326-1 interface=ether9 pvid=10

add bridge=bridge-CRS326-1 interface=ether10 pvid=10

add bridge=bridge-CRS326-1 interface=ether11 pvid=10

add bridge=bridge-CRS326-1 interface=ether12 pvid=10

add bridge=bridge-CRS326-1 interface=ether13 pvid=10

add bridge=bridge-CRS326-1 interface=ether14 pvid=10

add bridge=bridge-CRS326-1 interface=ether15 pvid=10

add bridge=bridge-CRS326-1 interface=ether16 pvid=10

# VLAN 20 access ports.
add bridge=bridge-CRS326-1 interface=ether17 pvid=20

add bridge=bridge-CRS326-1 interface=ether18 pvid=20

add bridge=bridge-CRS326-1 interface=ether19 pvid=20

add bridge=bridge-CRS326-1 interface=ether20 pvid=20

add bridge=bridge-CRS326-1 interface=ether21 pvid=20

add bridge=bridge-CRS326-1 interface=ether22 pvid=20

add bridge=bridge-CRS326-1 interface=ether23 pvid=20

add bridge=bridge-CRS326-1 interface=ether24 pvid=20

# Trunk ports (default pvid=1, nothing here carries VLAN 1).
# NOTE(review): consider frame-types=admit-only-vlan-tagged
# ingress-filtering=yes on these three ports so untagged frames from a
# downstream device are not silently placed in VLAN 1.
add bridge=bridge-CRS326-1 interface=ether1

add bridge=bridge-CRS326-1 interface=sfp-sfpplus1

add bridge=bridge-CRS326-1 interface=sfp-sfpplus2

#

/interface bridge vlan

# Access ports are untagged members of their own VLAN only - unlike the
# router's ether4/ether5, they are not tagged in VLAN 20/99, which is the
# safer layout.
add bridge=bridge-CRS326-1 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=10

add bridge=bridge-CRS326-1 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=20

# The bridge (CPU) is a member of VLAN 99 only, so the switch is not
# addressable from VLAN 10/20 at layer 2.
add bridge=bridge-CRS326-1 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2,bridge-CRS326-1 vlan-ids=99

#

/ip address

# Management address; the router is .1, switch #2 is .3.
add address=192.168.199.2/24 interface="VLAN-99" network=192.168.199.0

#

/ip route

# Default route via the router's VLAN 99 address.
# NOTE(review): no /ip service or input-filter restrictions appear in this
# export; management services are reachable from anything that can route to
# 192.168.199.2 - verify the router's forward rules cover that.
add distance=1 gateway=192.168.199.1


<스위치 CRS-326-2 Configuration>

# CRS326 switch #2: same layout as switch #1, except ether1 is a VLAN 10
# access port here and only the two SFP+ ports are trunks. Managed only via
# VLAN 99 (192.168.199.3).
/interface bridge

add name=bridge-CRS326-2 vlan-filtering=yes

#

/interface vlan

# Management interface on the bridge itself (bridge is tagged in VLAN 99 below).
add interface=bridge-CRS326-2 name="VLAN-99" vlan-id=99

#

/interface bridge port

# VLAN 10 access ports (ether1-16).
add bridge=bridge-CRS326-2 interface=ether1 pvid=10

add bridge=bridge-CRS326-2 interface=ether2 pvid=10

add bridge=bridge-CRS326-2 interface=ether3 pvid=10

add bridge=bridge-CRS326-2 interface=ether4 pvid=10

add bridge=bridge-CRS326-2 interface=ether5 pvid=10

add bridge=bridge-CRS326-2 interface=ether6 pvid=10

add bridge=bridge-CRS326-2 interface=ether7 pvid=10

add bridge=bridge-CRS326-2 interface=ether8 pvid=10

add bridge=bridge-CRS326-2 interface=ether9 pvid=10

add bridge=bridge-CRS326-2 interface=ether10 pvid=10

add bridge=bridge-CRS326-2 interface=ether11 pvid=10

add bridge=bridge-CRS326-2 interface=ether12 pvid=10

add bridge=bridge-CRS326-2 interface=ether13 pvid=10

add bridge=bridge-CRS326-2 interface=ether14 pvid=10

add bridge=bridge-CRS326-2 interface=ether15 pvid=10

add bridge=bridge-CRS326-2 interface=ether16 pvid=10

# VLAN 20 access ports (ether17-24).
add bridge=bridge-CRS326-2 interface=ether17 pvid=20

add bridge=bridge-CRS326-2 interface=ether18 pvid=20

add bridge=bridge-CRS326-2 interface=ether19 pvid=20

add bridge=bridge-CRS326-2 interface=ether20 pvid=20

add bridge=bridge-CRS326-2 interface=ether21 pvid=20

add bridge=bridge-CRS326-2 interface=ether22 pvid=20

add bridge=bridge-CRS326-2 interface=ether23 pvid=20

add bridge=bridge-CRS326-2 interface=ether24 pvid=20

# Trunk ports (default pvid=1).
# NOTE(review): as on switch #1, frame-types=admit-only-vlan-tagged
# ingress-filtering=yes on the trunks keeps untagged frames out of VLAN 1.
add bridge=bridge-CRS326-2 interface=sfp-sfpplus1

add bridge=bridge-CRS326-2 interface=sfp-sfpplus2

#

/interface bridge vlan

# Access ports are untagged in their own VLAN only; trunks carry all three.
add bridge=bridge-CRS326-2 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=10

add bridge=bridge-CRS326-2 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=20

# The bridge (CPU) is a member of VLAN 99 only.
add bridge=bridge-CRS326-2 tagged=sfp-sfpplus1,sfp-sfpplus2,bridge-CRS326-2 vlan-ids=99

#

/ip address

# Management address; the router is .1, switch #1 is .2.
add address=192.168.199.3/24 interface="VLAN-99" network=192.168.199.0

#

/ip route

# Default route via the router's VLAN 99 address.
add distance=1 gateway=192.168.199.1

박건 2022-07
와... 고생좀 하셨겠습니다.
한가지, 라우터에서 src-address-list=UserNetwork 부분이 지정이 안되어 있네요. Shindoch-VLAN으로 수정하시면 되겠습니다.
그리고, 포트포워딩 사용시, 방화벽 input체인에서 해당포트를 열어줘야 합니다.
     
떠블류 2022-07
조언 주신대로 다음과 같이 수정했습니다.
# Corrected forward rule: src-address-list now names the list that actually
# exists (Shindoch-VLAN). That list holds 192.168.110.0/24 and
# 192.168.120.0/24 only, so hosts on bridge-common (192.168.100.0/24) are
# still not blocked from the management network by this rule.
add action=drop chain=forward comment="Block User Traffic to Management Vlan" dst-address=192.168.199.0/24 src-address-list=Shindoch-VLAN

추가로 Firewall을 보강하기 위해서
"Building Your First Firewall" 문서 (https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall)를 참고하여, 다음과 같이 Firewall 항목을 추가하려고 합니다. 괜찮겠는지요?

# Protect the router itself (input chain). Rules are evaluated top-down, so
# order matters. The router export earlier in the thread already contains an
# "allow Winbox in-interface=ether1" accept that comes BEFORE these rules and
# is therefore not closed by the final drop below.
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
# Every LAN range (see allowed_to_router below) reaches every router service.
# NOTE(review): a tighter policy admits only 192.168.199.0/24 here and opens
# just the ports the user networks actually need (e.g. DNS, if the router
# serves it).
add action=accept chain=input src-address-list=allowed_to_router
# ICMP from anywhere, WAN included (echo/traceroute reachability).
add action=accept chain=input protocol=icmp
# Default deny for everything else addressed to the router.
# NOTE(review): verify DHCP leases and DNS still work on the live device
# after applying this.
add action=drop chain=input
/ip firewall address-list
# The list is referenced above before it is created; RouterOS accepts that
# (the rule simply matches nothing until entries exist).
add address=192.168.100.2-192.168.100.254 list=allowed_to_router
add address=192.168.110.2-192.168.110.254 list=allowed_to_router
add address=192.168.120.2-192.168.120.254 list=allowed_to_router
add address=192.168.199.2-192.168.199.254 list=allowed_to_router
#
# Protect LAN devices (forward chain), following MikroTik's
# "Building Your First Firewall" document linked above.
/ip firewall address-list
# Non-routable / reserved ranges that should never appear as a source
# address on the WAN side.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
#
/ip firewall filter
# FastTrack: once a connection is established its packets bypass the rest of
# the forward chain, so this must stay first and any per-packet rule below
# only sees the first packets of each connection.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
# NOTE(review): log=yes on the three drop rules in this chain writes a log
# line per dropped packet from the Internet and can flood the log; consider
# turning it off once the rules are verified.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# New connections may enter from ether1 only if a dst-nat rule (e.g. the
# NAS forward) translated them; everything else from the WAN is dropped.
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# NOTE(review): ether1 is a DHCP client; if the upstream hands it a private
# or CGNAT (100.64.0.0/10) address, dst-nat'ed traffic arriving from that
# upstream network is dropped here - check what address ether1 receives.
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
#
# In the "icmp" chain, allow only the ICMP types that are needed:
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
# Everything not matched above is dropped; this applies to forwarded ICMP
# only (the jump is from the forward chain).
add action=drop chain=icmp comment="deny all other types"
          
박건 2022-07
아래 내용까지 추가해주면 더 좋습니다. blacklist라는 이름의 address-list가 계속 업데이트될겁니다.
목록 업데이트만 하지, 실제로 필터링하는 부분이 없기에, filter에서 blacklist 목록에 대하여 추가해주면 됩니다.
http://www.2cpu.co.kr/network/2761
               
떠블류 2022-07
조언 주신대로 알려주신 링크의 내용까지 추가하였습니다.
- http://www.2cpu.co.kr/network/2761

이렇게 하면, 어느 정도 방화벽 안심은 되는거겠죠^^

거듭 감사드립니다.

