미크로틱 라우터와 스위치를 활용한 VLAN구성.., 제대로 됐는지 확인 부탁드려도 될까요?
아래에도 VLAN 구성관련 문의를 드렸었는데요,
박건님께서 상세한 가이드를 해주셔서 이해에 많은 도움이 되었습니다. 다시한번 감사의 말씀을 드립니다.
이전 문의와 이어진 내용입니다만,
다음 그림과 같이 포트단위 VLAN을 구성하려고 합니다.
건물과 기능이 분산되어 있는 환경에서, VLAN을 구성하여 기능별 동일네트웍으로 이용하려는 목적입니다.
미크로틱 매뉴얼, 2CPU 사이트자료, 유튜브자료 그리고 가이드해주신 내용을 바탕으로 라우터와 스위치의 Configuration을 짜보았습니다
빠진부분은 없는지?, 수정할 부분은 없는지 봐주시면 감사하겠습니다.
<라우터 CCR1009 Configuration>
/interface bridge
# Plain (non-VLAN-aware) bridge for the ether6/ether7 ports; 192.168.100.0/24 lives here.
add name="bridge-common"
# VLAN-aware bridge: with vlan-filtering=yes only VLANs present in /interface bridge vlan are forwarded.
add vlan-filtering=yes name="bridge-VLAN"
#
/interface vlan
# Layer-3 VLAN interfaces on the router's VLAN-aware bridge; each gets a gateway address in /ip address.
# VLAN 10 and 20 are the user networks, VLAN 99 is the management VLAN (192.168.199.0/24).
add name="VLAN-10" vlan-id=10 interface=bridge-VLAN
add name="VLAN-20" vlan-id=20 interface=bridge-VLAN
add name="VLAN-99" vlan-id=99 interface=bridge-VLAN
#
/interface wireless security-profiles
# Leftover from a default export: the CCR1009 has no wireless interface, so this profile is unused.
set [ find default=yes ] supplicant-identity=MikroTik
#
/ip pool
# DHCP lease ranges; pool0 -> VLAN-10, pool1 -> VLAN-20, pool2 -> bridge-common (see /ip dhcp-server).
# .1 of each /24 is kept out of the pool because it is the router's own address (see /ip address).
add ranges=192.168.110.2-192.168.110.254 name=dhcp_pool0
add ranges=192.168.120.2-192.168.120.254 name=dhcp_pool1
add ranges=192.168.100.2-192.168.100.254 name=dhcp_pool2
#
/ip dhcp-server
# One DHCP server per L3 interface. There is intentionally none on VLAN-99: the management
# hosts (the two switches at .2 and .3) carry static addresses.
add name=dhcp1 interface="VLAN-10" address-pool=dhcp_pool0 disabled=no
add name=dhcp2 interface="VLAN-20" address-pool=dhcp_pool1 disabled=no
add name=dhcp3 interface="bridge-common" address-pool=dhcp_pool2 disabled=no
#
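/interface bridge port
# Trunk ports towards the switches: accept 802.1Q-tagged frames only, so untagged traffic cannot
# land in the default pvid (1), and discard tags for VLANs the port is not a member of.
add bridge=bridge-VLAN interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-VLAN interface=combo1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-VLAN interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-VLAN interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# VLAN 10 access ports: untagged ingress is classified into pvid=10; tagged frames from the
# attached device are discarded, so it cannot place traffic into VLAN 20 or the management VLAN 99.
add bridge=bridge-VLAN interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-VLAN interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Flat ports on the non-VLAN bridge (192.168.100.0/24).
add bridge="bridge-common" interface=ether6
add bridge="bridge-common" interface=ether7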
#
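/interface bridge vlan
# VLAN membership table for bridge-VLAN. The trunks (sfp-sfpplus1, combo1, ether2, ether3) carry
# all three VLANs tagged; bridge-VLAN itself is a tagged member so the router's own
# VLAN-10/20/99 interfaces receive traffic.
# ether4/ether5 are VLAN 10 access ports (pvid=10) and must be untagged members of VLAN 10
# only. The original table also listed them as tagged members of 20 and 99, which would let a
# device on an access port inject tagged traffic into VLAN 20 and the management VLAN.
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,bridge-VLAN untagged=ether4,ether5 vlan-ids=10
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,bridge-VLAN vlan-ids=20
add bridge=bridge-VLAN tagged=sfp-sfpplus1,combo1,ether2,ether3,bridge-VLAN vlan-ids=99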
#
/ip address
# Router-side gateway addresses, one per L3 interface; these are the gateways handed out by DHCP.
add interface="VLAN-10" address=192.168.110.1/24 network=192.168.110.0
add interface="VLAN-20" address=192.168.120.1/24 network=192.168.120.0
# Management VLAN: the switches sit at .2 and .3 and point their default route here.
add interface="VLAN-99" address=192.168.199.1/24 network=192.168.199.0
add interface="bridge-common" address=192.168.100.1/24 network=192.168.100.0
#
/ip dhcp-client
# ether1 is the WAN uplink and takes its address from the upstream network via DHCP; it is not a
# bridge member, and the firewall identifies WAN traffic by in-interface=ether1.
add interface=ether1 disabled=no
#
/ip dhcp-server network
# Options handed to DHCP clients, per subnet.
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
# NOTE(review): unlike 192.168.100.0/24 above, no dns-server is set for the two VLAN subnets;
# clients there only get a resolver if the router supplies one by default — confirm on a client.
add address=192.168.110.0/24 gateway=192.168.110.1
add address=192.168.120.0/24 gateway=192.168.120.1
#
/ip firewall address-list
# The two user-VLAN subnets; meant as the source match for the forward-chain rule that blocks
# user traffic to the management VLAN (that rule must reference exactly this list name).
add list=Shindoch-VLAN address=192.168.110.0/24
add list=Shindoch-VLAN address=192.168.120.0/24
#
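/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid packet" connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
# NOTE(review): this exposes Winbox (TCP 8291) to the whole Internet on the WAN port. Restrict it
# with src-address-list=<trusted admin addresses> or manage the router over a VPN instead.
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
# Only WAN-sourced input is dropped here; input from every LAN/VLAN (user VLANs 10/20 included)
# still reaches all router services, e.g. the router's own 192.168.199.1 — that is input, not
# forward, so the rule below does not cover it.
add action=drop chain=input comment="block everything else" in-interface=ether1
# --- forward chain: traffic routed between interfaces ---
# Fix: the list is named Shindoch-VLAN (see /ip firewall address-list). The original referenced
# a non-existent list "UserNetwork", so the rule matched nothing and user-VLAN access to the
# management network 192.168.199.0/24 was never blocked.
add action=drop chain=forward comment="Block User Traffic to Management Vlan" dst-address=192.168.199.0/24 src-address-list=Shindoch-VLAN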
#
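/ip firewall nat
# Fix: masquerade only what leaves through the WAN uplink. Without out-interface the rule also
# rewrites the source of routed inter-VLAN traffic (VLAN-10 <-> VLAN-20, users -> NAS), hiding
# the real client address from destination hosts and from their logs.
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): ether1 is addressed by DHCP (/ip dhcp-client), so a hard-coded public dst-address
# stops matching if the lease changes; matching on in-interface=ether1 plus dst-port is the usual
# alternative. The forwarded (dst-nat'ted) connection is then filtered in chain=forward, not input.
add action=dst-nat chain=dstnat comment="Link to Media Server (NAS)" dst-address=190.10.0.2 dst-port=80 protocol=tcp to-addresses=192.168.110.200 to-ports=3927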
<스위치 CRS-326-1 Configuration>
/interface bridge
# The commented line is the safe first step: build the port/VLAN table with vlan-filtering=no,
# verify tagging end to end, then switch filtering on. Enabling it with a wrong table can cut
# off management access, since the switch is only reachable through VLAN 99.
#add name=bridge-CRS326-1 vlan-filtering=no
add name=bridge-CRS326-1 vlan-filtering=yes
#
/interface vlan
# Switch management interface: the switch holds an IP on VLAN 99 only (see /ip address) and has
# no L3 presence in the user VLANs 10/20.
add name="VLAN-99" vlan-id=99 interface=bridge-CRS326-1
#
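/interface bridge port
# Access ports: untagged ingress is classified into the port's pvid; tagged frames from the
# attached device are discarded, so it cannot reach another VLAN by tagging its own frames.
# NOTE(review): CRS3xx offloads VLAN filtering to the switch chip — confirm the ports still show
# the hardware-offload flag after import on the installed RouterOS version.
# VLAN 10 access ports (ether2-ether16).
add bridge=bridge-CRS326-1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether9 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether11 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether12 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether13 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether14 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether15 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether16 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# VLAN 20 access ports (ether17-ether24).
add bridge=bridge-CRS326-1 interface=ether17 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether18 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether19 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether20 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether21 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether22 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether23 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=ether24 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk ports carrying VLAN 10/20/99 tagged (see /interface bridge vlan): tagged frames only.
add bridge=bridge-CRS326-1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-CRS326-1 interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged ingress-filtering=yes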
#
/interface bridge vlan
# VLAN table for CRS326-1. The three trunks carry every VLAN tagged; access ports are untagged
# members of their own VLAN only. The bridge itself is a member of VLAN 99 alone, so the switch
# CPU sees management traffic but nothing from the user VLANs.
add bridge=bridge-CRS326-1 vlan-ids=10 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
add bridge=bridge-CRS326-1 vlan-ids=20 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
add bridge=bridge-CRS326-1 vlan-ids=99 tagged=ether1,sfp-sfpplus1,sfp-sfpplus2,bridge-CRS326-1
#
/ip address
# Static management address on VLAN 99; .1 is the router.
add interface="VLAN-99" network=192.168.199.0 address=192.168.199.2/24
#
/ip route
# Default route (dst-address 0.0.0.0/0 is the default) via the router's VLAN-99 address, so the
# switch's own management traffic leaves through the router.
add dst-address=0.0.0.0/0 gateway=192.168.199.1 distance=1
<스위치 CRS-326-2 Configuration>
/interface bridge
# VLAN-aware bridge for CRS326-2; with filtering on, only VLANs in /interface bridge vlan pass.
add vlan-filtering=yes name=bridge-CRS326-2
#
/interface vlan
# Switch management interface on VLAN 99 (address in /ip address); no L3 presence in VLAN 10/20.
add name="VLAN-99" vlan-id=99 interface=bridge-CRS326-2
#
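/interface bridge port
# Access ports: untagged ingress is classified into the port's pvid; tagged frames from the
# attached device are discarded, so it cannot reach another VLAN by tagging its own frames.
# NOTE(review): CRS3xx offloads VLAN filtering to the switch chip — confirm the ports still show
# the hardware-offload flag after import on the installed RouterOS version.
# VLAN 10 access ports (ether1-ether16).
add bridge=bridge-CRS326-2 interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether5 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether9 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether11 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether12 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether13 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether14 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether15 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether16 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# VLAN 20 access ports (ether17-ether24).
add bridge=bridge-CRS326-2 interface=ether17 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether18 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether19 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether20 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether21 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether22 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether23 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=ether24 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk ports carrying VLAN 10/20/99 tagged (see /interface bridge vlan): tagged frames only.
add bridge=bridge-CRS326-2 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-CRS326-2 interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged ingress-filtering=yes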
#
/interface bridge vlan
# VLAN table for CRS326-2. Both SFP+ trunks carry every VLAN tagged; access ports are untagged
# members of their own VLAN only. The bridge itself is a member of VLAN 99 alone, so the switch
# CPU sees management traffic but nothing from the user VLANs.
add bridge=bridge-CRS326-2 vlan-ids=10 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
add bridge=bridge-CRS326-2 vlan-ids=20 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
add bridge=bridge-CRS326-2 vlan-ids=99 tagged=sfp-sfpplus1,sfp-sfpplus2,bridge-CRS326-2
#
/ip address
# Static management address on VLAN 99; .1 is the router, .2 is CRS326-1.
add interface="VLAN-99" network=192.168.199.0 address=192.168.199.3/24
#
/ip route
# Default route (dst-address 0.0.0.0/0 is the default) via the router's VLAN-99 address.
add dst-address=0.0.0.0/0 gateway=192.168.199.1 distance=1
한가지, 라우터에서 src-address-list=UserNetwork 부분이 지정이 안되어 있네요. Shindoch-VLAN로 수정하시면 되겠습니다.
그리고, 포트포워딩 사용시, 방화벽 input체인에서 해당포트를 열어줘야 합니다.
# Forward-chain rule with the source list corrected to Shindoch-VLAN, the list actually defined in the router config.
add action=drop chain=forward comment="Block User Traffic to Management Vlan" dst-address=192.168.199.0/24 src-address-list=Shindoch-VLAN
추가로 Firewall을 보강하기 위해서
"Building Your First Firewall" 문서 (https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall) 를 참고하여, 다음과 같이 Firewall항목을 추가하려고 합니다. 괜찮겠는지요?
#라우터 자체 보호
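/ip firewall filter
# Router-protection (input chain) rules adapted from "Building Your First Firewall".
# Order matters: RouterOS appends each `add` to the end of the chain, so these only take effect
# if the earlier input rules (notably "allow Winbox" on ether1) are removed first; otherwise
# those accept rules still match before this final drop is reached.
add action=accept chain=input comment="default configuration" connection-state=established,related
# Added for consistency with the existing ruleset and the MikroTik template: discard packets
# that belong to no tracked connection before the allow rules are evaluated.
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Only hosts in allowed_to_router may open new connections to router services.
add action=accept chain=input src-address-list=allowed_to_router
# ICMP is accepted from anywhere, WAN included, so ping and path-MTU discovery keep working.
add action=accept chain=input protocol=icmp
# Everything else addressed to the router itself is dropped (Winbox/SSH/DNS from the Internet included).
add action=drop chain=input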
/ip firewall address-list
# Sources allowed to open new connections to the router itself (used by the input chain above).
# NOTE(review): including 192.168.110.x and 192.168.120.x grants every user-VLAN host access to
# all router services (Winbox, SSH, API, ...), which works against the "Block User Traffic to
# Management Vlan" intent — that forward rule does not cover the router's own addresses.
# Consider listing only the management VLAN plus specific admin hosts.
add address=192.168.100.2-192.168.100.254 list=allowed_to_router
add address=192.168.110.2-192.168.110.254 list=allowed_to_router
add address=192.168.120.2-192.168.120.254 list=allowed_to_router
add address=192.168.199.2-192.168.199.254 list=allowed_to_router
#
#LAN 장치 보호
/ip firewall address-list
# Reserved / private / test ranges that must never appear as a source address on the WAN.
# Consumed by the "!public" forward rule below to drop spoofed traffic arriving on ether1.
# If ether1 itself sits behind another private LAN (e.g. an upstream box doing NAT), hosts on
# that LAN will be dropped by that rule — by design.
add list=not_in_internet comment=RFC6890 address=0.0.0.0/8
add list=not_in_internet comment=RFC6890 address=172.16.0.0/12
add list=not_in_internet comment=RFC6890 address=192.168.0.0/16
add list=not_in_internet comment=RFC6890 address=10.0.0.0/8
add list=not_in_internet comment=RFC6890 address=169.254.0.0/16
add list=not_in_internet comment=RFC6890 address=127.0.0.0/8
add list=not_in_internet comment=Multicast address=224.0.0.0/4
add list=not_in_internet comment=RFC6890 address=198.18.0.0/15
add list=not_in_internet comment=RFC6890 address=192.0.0.0/24
add list=not_in_internet comment=RFC6890 address=192.0.2.0/24
add list=not_in_internet comment=RFC6890 address=198.51.100.0/24
add list=not_in_internet comment=RFC6890 address=203.0.113.0/24
add list=not_in_internet comment=RFC6890 address=100.64.0.0/10
add list=not_in_internet comment=RFC6890 address=240.0.0.0/4
add list=not_in_internet comment="6to4 relay Anycast [RFC 3068]" address=192.88.99.0/24
#
/ip firewall filter
# Forward-chain rules (LAN <-> WAN and inter-VLAN traffic), from "Building Your First Firewall".
# These are appended after the existing "Block User Traffic to Management Vlan" rule.
# FastTrack must stay first: established/related packets it marks bypass the rest of the
# firewall, so later rules effectively only see new connections.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
# log=yes on the drop rules is handy while testing but can flood the log on a WAN-facing router;
# consider removing it once the ruleset is verified.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# New connections from the WAN are allowed only when a dst-nat rule (the NAS forward) matched them.
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# ICMP is evaluated in the dedicated "icmp" chain defined further down.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# Anti-spoofing: WAN-sourced traffic from reserved/private ranges (list not_in_internet) is dropped.
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
# NOTE(review): nothing here separates VLAN 10 from VLAN 20. If the two functions are meant to be
# isolated, add explicit forward drops between 192.168.110.0/24 and 192.168.120.0/24.
#
#"icmp" 체인에서 필요한 icmp 코드만 허용:
# Dedicated "icmp" chain, entered only via the jump in chain=forward above; it allows the ICMP
# types needed for reachability and path-MTU discovery and drops everything else.
# (ICMP to the router itself is handled in the input chain and is not filtered this finely.)
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
# Catch-all: any type not accepted above (e.g. redirects, timestamp requests) is dropped.
add chain=icmp action=drop comment="deny all other types"
목록 업데이트만 하지, 실제로 필터링하는 부분이 없기에, filter에서 blacklist 목록에 대하여 추가해주면 됩니다.
http://www.2cpu.co.kr/network/2761
- http://www.2cpu.co.kr/network/2761
이렇게 하면, 어느 정도 방화벽 안심은 되는거겠죠^^
거듭 감사드립니다.