미크로틱 라우터와 스위치를 활용한 VLAN구성.., 제대로 됐는지 확인 부탁드려도 될까요?


아래에도 VLAN 구성관련 문의를 드렸었는데요,

박건님께서 상세한 가이드를 해주셔서 이해에 많은 도움이 되었습니다. 다시한번 감사의 말씀을 드립니다.


이전 문의와 이어진 내용입니다만, 

다음과 그림과 같이 포트단위 VLAN을 구성하려고 합니다.

건물과 기능이 분산되어 있는 환경에서, VLAN을 구성하여 기능별 동일네트웍으로 이용하려는 목적입니다.


미크로틱 매뉴얼, 2CPU 사이트자료, 유튜브자료 그리고 가이드해주신 내용을 바탕으로 라우터와 스위치의 Configuration을 짜보았습니다

빠진부분은 없는지?, 수정할 부분은 없는지 봐주시면 감사하겠습니다.


<라우터 CCR1009 Configuration>

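# CCR1009 router. One VLAN-aware bridge (bridge-VLAN) carries the user VLANs
# 10/20 and the management VLAN 99; bridge-common is a separate flat LAN.
# Both bridges are created with VLAN filtering OFF and filtering is switched on
# as the very last step, once ports, the VLAN table and addresses exist, so the
# script never runs against a half-populated VLAN table (the order MikroTik
# recommends for bridge VLAN filtering).
/interface bridge
add name="bridge-common"
add name=bridge-VLAN vlan-filtering=no
#
# Router-side L3 interfaces. For these to receive traffic the bridge itself is
# listed as a tagged member of each VLAN in /interface bridge vlan below.
/interface vlan
add interface=bridge-VLAN name="VLAN-10" vlan-id=10
add interface=bridge-VLAN name="VLAN-20" vlan-id=20
add interface=bridge-VLAN name="VLAN-99" vlan-id=99
#
# Default-export artifact; the CCR1009 has no wireless interface. Harmless.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
#
/ip pool
add name=dhcp_pool0 ranges=192.168.110.2-192.168.110.254
add name=dhcp_pool1 ranges=192.168.120.2-192.168.120.254
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.254
#
# No DHCP on VLAN-99: management addresses (192.168.199.x) are static.
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="VLAN-10" name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface="VLAN-20" name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="bridge-common" name=dhcp3
#
# sfp-sfpplus1 / combo1 / ether2 / ether3: trunks (no pvid, all VLANs tagged).
# ether4 / ether5: pvid=10, so untagged frames land in VLAN 10, but VLAN 20 and
# 99 are also tagged on them below (hybrid ports). NOTE(review): confirm this is
# intended; for plain VLAN-10 access ports remove ether4,ether5 from the
# tagged= lists of VLAN 20 and 99.
/interface bridge port
add bridge=bridge-VLAN interface=sfp-sfpplus1
add bridge=bridge-VLAN interface=combo1
add bridge=bridge-VLAN interface=ether2
add bridge=bridge-VLAN interface=ether3
add bridge=bridge-VLAN interface=ether4 pvid=10
add bridge=bridge-VLAN interface=ether5 pvid=10
add bridge="bridge-common" interface=ether6
add bridge="bridge-common" interface=ether7
#
/interface bridge vlan
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,bridge-VLAN untagged=ether4,ether5 vlan-ids=10
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,ether4,ether5,bridge-VLAN vlan-ids=20
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,ether4,ether5,bridge-VLAN vlan-ids=99
#
/ip address
add address=192.168.110.1/24 interface="VLAN-10" network=192.168.110.0
add address=192.168.120.1/24 interface="VLAN-20" network=192.168.120.0
add address=192.168.199.1/24 interface="VLAN-99" network=192.168.199.0
add address=192.168.100.1/24 interface="bridge-common" network=192.168.100.0
#
# WAN uplink; ether1 is a member of neither bridge.
/ip dhcp-client
add disabled=no interface=ether1
#
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
# NOTE(review): the two VLAN networks set no dns-server, unlike the
# bridge-common network above -- confirm VLAN 10/20 clients get a resolver.
add address=192.168.110.0/24 gateway=192.168.110.1
add address=192.168.120.0/24 gateway=192.168.120.1
#
# User networks (VLAN 10 and 20) that must not reach the management VLAN.
/ip firewall address-list
add address=192.168.110.0/24 list=Shindoch-VLAN
add address=192.168.120.0/24 list=Shindoch-VLAN
#
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid packet" connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
# Winbox (tcp/8291) is reachable from the WAN side with this rule. If remote
# administration is not needed, remove it; otherwise restrict it with
# src-address or src-address-list so it is not open to the whole internet.
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
# Fixed: the rule previously used src-address-list=UserNetwork, which no
# address-list defines, so it could never match and VLAN 10/20 hosts could
# reach 192.168.199.0/24. Shindoch-VLAN is the list defined above.
# bridge-common (192.168.100.0/24) is not in that list and can still reach the
# management VLAN -- add it to the list if that network is also untrusted.
add action=drop chain=forward comment="Block User Traffic to Management Vlan" dst-address=192.168.199.0/24 src-address-list=Shindoch-VLAN
#
/ip firewall nat
# NOTE(review): masquerade with no out-interface also rewrites traffic routed
# between the VLANs. Restricting it with out-interface=ether1 is the usual
# form, unless hairpin NAT towards the NAS below relies on it -- confirm.
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="Link to Media Server (NAS)" dst-address=190.10.0.2 dst-port=80 protocol=tcp to-addresses=192.168.110.200 to-ports=3927
#
# Last step: enable VLAN filtering now that ports, VLAN table and addresses
# are all in place.
/interface bridge
set bridge-VLAN vlan-filtering=yes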


<스위치 CRS-326-1 Configuration>

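# CRS326-1: pure L2 switch. ether2-16 are access ports in VLAN 10, ether17-24
# in VLAN 20; ether1 and both SFP+ ports are trunks carrying 10/20/99 tagged.
# The switch's only IP lives on VLAN 99 (management) on top of the bridge, so
# the bridge itself is a tagged member of VLAN 99. VLAN filtering is enabled
# as the last step: if the script stops part-way, management access through
# VLAN 99 is not cut off by a bridge that is already filtering.
/interface bridge
add name=bridge-CRS326-1 vlan-filtering=no
#
/interface vlan
add interface=bridge-CRS326-1 name="VLAN-99" vlan-id=99
#
# Access ports: pvid places untagged frames from the host into its VLAN.
/interface bridge port
add bridge=bridge-CRS326-1 interface=ether2 pvid=10
add bridge=bridge-CRS326-1 interface=ether3 pvid=10
add bridge=bridge-CRS326-1 interface=ether4 pvid=10
add bridge=bridge-CRS326-1 interface=ether5 pvid=10
add bridge=bridge-CRS326-1 interface=ether6 pvid=10
add bridge=bridge-CRS326-1 interface=ether7 pvid=10
add bridge=bridge-CRS326-1 interface=ether8 pvid=10
add bridge=bridge-CRS326-1 interface=ether9 pvid=10
add bridge=bridge-CRS326-1 interface=ether10 pvid=10
add bridge=bridge-CRS326-1 interface=ether11 pvid=10
add bridge=bridge-CRS326-1 interface=ether12 pvid=10
add bridge=bridge-CRS326-1 interface=ether13 pvid=10
add bridge=bridge-CRS326-1 interface=ether14 pvid=10
add bridge=bridge-CRS326-1 interface=ether15 pvid=10
add bridge=bridge-CRS326-1 interface=ether16 pvid=10
add bridge=bridge-CRS326-1 interface=ether17 pvid=20
add bridge=bridge-CRS326-1 interface=ether18 pvid=20
add bridge=bridge-CRS326-1 interface=ether19 pvid=20
add bridge=bridge-CRS326-1 interface=ether20 pvid=20
add bridge=bridge-CRS326-1 interface=ether21 pvid=20
add bridge=bridge-CRS326-1 interface=ether22 pvid=20
add bridge=bridge-CRS326-1 interface=ether23 pvid=20
add bridge=bridge-CRS326-1 interface=ether24 pvid=20
# Trunks keep the default pvid, so any untagged frame arriving on them falls
# into VLAN 1 -- NOTE(review): confirm the peers send nothing untagged, or give
# the trunks an unused pvid.
add bridge=bridge-CRS326-1 interface=ether1
add bridge=bridge-CRS326-1 interface=sfp-sfpplus1
add bridge=bridge-CRS326-1 interface=sfp-sfpplus2
#
# VLAN table. Only VLAN 99 includes the bridge itself (CPU port), so the
# switch is not addressable from the user VLANs.
/interface bridge vlan
add bridge=bridge-CRS326-1 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=10
add bridge=bridge-CRS326-1 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=20
add bridge=bridge-CRS326-1 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2,bridge-CRS326-1 vlan-ids=99
#
# Management address on VLAN 99; the router holds 192.168.199.1.
/ip address
add address=192.168.199.2/24 interface="VLAN-99" network=192.168.199.0
#
/ip route
add distance=1 gateway=192.168.199.1
#
# Last step: turn on VLAN filtering with the full table and management
# address already in place.
/interface bridge
set bridge-CRS326-1 vlan-filtering=yes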


<스위치 CRS-326-2 Configuration>

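# CRS326-2: pure L2 switch, same layout as CRS326-1 except that ether1 is an
# access port here and only the two SFP+ ports are trunks. ether1-16 are
# access ports in VLAN 10, ether17-24 in VLAN 20. The switch's only IP lives
# on VLAN 99 (management) on top of the bridge, so the bridge itself is a
# tagged member of VLAN 99. VLAN filtering is enabled as the last step so a
# script that stops part-way cannot cut off management access.
/interface bridge
add name=bridge-CRS326-2 vlan-filtering=no
#
/interface vlan
add interface=bridge-CRS326-2 name="VLAN-99" vlan-id=99
#
# Access ports: pvid places untagged frames from the host into its VLAN.
/interface bridge port
add bridge=bridge-CRS326-2 interface=ether1 pvid=10
add bridge=bridge-CRS326-2 interface=ether2 pvid=10
add bridge=bridge-CRS326-2 interface=ether3 pvid=10
add bridge=bridge-CRS326-2 interface=ether4 pvid=10
add bridge=bridge-CRS326-2 interface=ether5 pvid=10
add bridge=bridge-CRS326-2 interface=ether6 pvid=10
add bridge=bridge-CRS326-2 interface=ether7 pvid=10
add bridge=bridge-CRS326-2 interface=ether8 pvid=10
add bridge=bridge-CRS326-2 interface=ether9 pvid=10
add bridge=bridge-CRS326-2 interface=ether10 pvid=10
add bridge=bridge-CRS326-2 interface=ether11 pvid=10
add bridge=bridge-CRS326-2 interface=ether12 pvid=10
add bridge=bridge-CRS326-2 interface=ether13 pvid=10
add bridge=bridge-CRS326-2 interface=ether14 pvid=10
add bridge=bridge-CRS326-2 interface=ether15 pvid=10
add bridge=bridge-CRS326-2 interface=ether16 pvid=10
add bridge=bridge-CRS326-2 interface=ether17 pvid=20
add bridge=bridge-CRS326-2 interface=ether18 pvid=20
add bridge=bridge-CRS326-2 interface=ether19 pvid=20
add bridge=bridge-CRS326-2 interface=ether20 pvid=20
add bridge=bridge-CRS326-2 interface=ether21 pvid=20
add bridge=bridge-CRS326-2 interface=ether22 pvid=20
add bridge=bridge-CRS326-2 interface=ether23 pvid=20
add bridge=bridge-CRS326-2 interface=ether24 pvid=20
# Trunks keep the default pvid, so any untagged frame arriving on them falls
# into VLAN 1 -- NOTE(review): confirm the peers send nothing untagged, or give
# the trunks an unused pvid.
add bridge=bridge-CRS326-2 interface=sfp-sfpplus1
add bridge=bridge-CRS326-2 interface=sfp-sfpplus2
#
# VLAN table. Only VLAN 99 includes the bridge itself (CPU port), so the
# switch is not addressable from the user VLANs.
/interface bridge vlan
add bridge=bridge-CRS326-2 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=10
add bridge=bridge-CRS326-2 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=20
add bridge=bridge-CRS326-2 tagged=sfp-sfpplus1,sfp-sfpplus2,bridge-CRS326-2 vlan-ids=99
#
# Management address on VLAN 99; the router holds 192.168.199.1.
/ip address
add address=192.168.199.3/24 interface="VLAN-99" network=192.168.199.0
#
/ip route
add distance=1 gateway=192.168.199.1
#
# Last step: turn on VLAN filtering with the full table and management
# address already in place.
/interface bridge
set bridge-CRS326-2 vlan-filtering=yes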

박건 2022-07
와... 고생좀 하셨겠습니다.
한가지, 라우터에서 src-address-list=UserNetwork 부분이 지정이 안되어 있네요. Shindoch-VLAN로 수정하시면 되겠습니다.
그리고, 포트포워딩 사용시, 방화벽 input체인에서 해당포트를 열어줘야 합니다.
     
떠블류 2022-07
조언 주신대로 다음과 같이 수정했습니다.
# Corrected forward rule: src-address-list now names the list that is actually
# defined (Shindoch-VLAN, the VLAN 10/20 user networks) instead of the
# undefined UserNetwork, so user traffic towards the management VLAN is dropped.
add action=drop chain=forward comment="Block User Traffic to Management Vlan" dst-address=192.168.199.0/24 src-address-list=Shindoch-VLAN

추가로 Firewall을 보강하기 위해서
"Building Your First Firewall" 문서 (https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall) 를 참고하여, 다음과 같이 Firewall항목을 추가하려고 합니다. 괜찮겠는지요?

# Proposed hardening, following MikroTik's "Building Your First Firewall".
# These rules are appended after the input/forward rules already on the
# router; firewall rules are evaluated top-down, so the comments below assume
# that order.
#
# Protect the router itself (input chain)
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
# Only hosts in allowed_to_router (defined right below) may open new
# connections to the router.
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
# Catch-all on every interface, not just ether1 as in the earlier rule.
# NOTE(review): the earlier "allow Winbox" rule for in-interface=ether1 still
# sits above this drop, so Winbox from the WAN stays open unless that rule is
# removed. DHCP requests (src 0.0.0.0) are not in allowed_to_router either;
# RouterOS's DHCP server is generally reported not to depend on input rules,
# but verify lease handout on VLAN 10/20 after applying.
add action=drop chain=input
/ip firewall address-list
add address=192.168.100.2-192.168.100.254 list=allowed_to_router
add address=192.168.110.2-192.168.110.254 list=allowed_to_router
add address=192.168.120.2-192.168.120.254 list=allowed_to_router
add address=192.168.199.2-192.168.199.254 list=allowed_to_router
#
# Protect LAN devices (forward chain)
# Private, reserved and documentation ranges that must never appear as a
# source address on the WAN side; used by the "!public" drop below.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
#
/ip firewall filter
# FastTrack marks established/related connections so later packets bypass the
# filter; keep it before the generic accept. The existing management-VLAN drop
# was added earlier and therefore still evaluates new connections first.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# New inbound connections from the WAN are only allowed if a dst-nat rule
# (the NAS forward) claimed them.
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
#
# "icmp" chain: allow only the ICMP types/codes that are needed, drop the rest.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
          
박건 2022-07
아래 내용까지 추가해주면 더 좋습니다. blacklist라는 이름의 address-list가 계속 업데이트될겁니다.
목록 업데이트만 하지, 실제로 필터링하는 부분이 없기에, filter에서 blacklist 목록에 대하여 추가해주면 됩니다.
http://www.2cpu.co.kr/network/2761
               
떠블류 2022-07
조언 주신대로 알려주신 링크의 내용까지 추가하였습니다.
- http://www.2cpu.co.kr/network/2761

이렇게 하면, 어느 정도 방화벽 안심은 되는거겠죠^^

거듭 감사드립니다.

