Bridging #
Within this section we will:
- Examine the fundamentals of “bridging”, laying out more clearly what this function is within our network.
- Become familiar with Mikrotik RouterOS management/configuration idiosyncrasies
Fundamentals #
TODO
- What is a bridge (Switch)? Why is it a special purpose computer?
- Serial Console/RS-232
- Bridging
- VLAN(s), tagging, untagging, and filtering
- Wireless Standards and planning
- Port Security
Serial Console #
The serial console is an extremely useful but archaic technology that provides out-of-band access to devices. Each of these devices (CRS312-4C+8XG-RM and CRS328-24P-4S+RM) has a “console” port that you can use to control it directly, without requiring network access. This is a useful technique if you:
- need to control the early boot of the system
- have mucked up your networking (likely mis-configuring this device) and want to fix it
You can connect the FW6D to each of these devices with a “USB Rollover FTDI Cable”, which contains an FTDI chip that converts RS-232 signals to USB. Connecting the FW6D to these console cables lets you manage the devices remotely with more confidence, since a network misconfiguration can no longer lock you out of them.
Single Line Diagram #
It’s common to communicate how devices are connected via a Single Line Diagram (SLD), also called a One Wire or One-Line Diagram.
We will wire the devices up in the following way:
graph TD
  ISP == CAT6A === router
  router[FW6D] == CAT6A === crs328[CRS328-24P-4S+RM]
  router == CONSOLE === crs328
  crs328 == CAT6A === ap[cAP XL ac]
Now let’s start using the console to configure devices:
[root@router ~]# ls /dev/ | grep ttyU
ttyUSB0
You can use screen to access each of the devices:
[root@router ~]# screen /dev/ttyUSB0 115200
Hit enter to bring up the login prompt; the default login for the Mikrotik devices is admin with no password.
To exit the screen session, type CTRL+A, K.
Wired Bridging #
We configure the switch via the console so that a mistake in the network configuration cannot cut us off from the device mid-way through.
[root@router ~]# screen /dev/ttyUSB0 115200
We first fully reset the device:
[admin@mikrotik] > /system/reset-configuration no-defaults=yes
We set the identity of the system:
[admin@mikrotik] > /system identity set name=core
We construct a bridge:
[admin@core] > /interface bridge
add admin-mac=[/interface/ethernet/get value-name=mac-address ether1] \
auto-mac=no dhcp-snooping=yes frame-types=admit-only-vlan-tagged \
igmp-snooping=yes name=BRIDGE priority=0 vlan-filtering=yes
- set the bridge MAC address from the first port on the device (ether1)
- turn off auto-mac, so the bridge MAC does not change as ports are added or removed
- turn on DHCP snooping
- turn on IGMP snooping
- set the priority of the bridge to 0, so that this bridge is uniquely identified as the “root bridge” in STP
- only allow VLAN-tagged frames on the bridge itself
- turn on vlan-filtering, which enables VLAN functionality for the bridge
We define the VLAN interfaces on the bridge:
/interface vlan
add interface=BRIDGE name=MANAGEMENT vlan-id=220
add interface=BRIDGE name=LAB vlan-id=222
add interface=BRIDGE name=HOME vlan-id=224
add interface=BRIDGE name=GUESTS vlan-id=226
add interface=BRIDGE name=THINGS vlan-id=228
We define some Interface Lists. A list gives a group of ports one name that later configuration can reference once, so the bridge port entries below need a single line per VLAN instead of one per port, and moving a port into another VLAN becomes a single list-membership change:
[admin@core] > /interface list
add name=LIST-MANAGEMENT
add name=LIST-LAB
add name=LIST-HOME
add name=LIST-GUESTS
add name=LIST-THINGS
We add interfaces to those Lists:
[admin@core] > /interface list member
add interface=ether1 list=LIST-HOME
add interface=ether2 list=LIST-HOME
add interface=ether3 list=LIST-HOME
add interface=ether4 list=LIST-HOME
add interface=ether5 list=LIST-HOME
add interface=ether6 list=LIST-HOME
add interface=ether7 list=LIST-HOME
add interface=ether8 list=LIST-HOME
add interface=ether9 list=LIST-HOME
add interface=ether10 list=LIST-HOME
add interface=ether11 list=LIST-HOME
add interface=ether12 list=LIST-HOME
add interface=ether13 list=LIST-HOME
add interface=ether14 list=LIST-HOME
add interface=ether15 list=LIST-HOME
add interface=ether16 list=LIST-HOME
add interface=ether17 list=LIST-LAB
add interface=ether18 list=LIST-LAB
add interface=ether19 list=LIST-LAB
add interface=ether20 list=LIST-LAB
add interface=ether21 list=LIST-MANAGEMENT
add interface=ether22 list=LIST-MANAGEMENT
We now add interfaces to the bridge:
[admin@core] > /interface bridge port
add bridge=BRIDGE comment="LINK-ROUTER" frame-types=admit-only-vlan-tagged interface=ether23 trusted=yes
add bridge=BRIDGE comment="LINK-WIRELESS" frame-types=admit-only-vlan-tagged interface=ether24
add bridge=BRIDGE comment="LINK-SERVER" frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bpdu-guard=yes bridge=BRIDGE comment="MANAGEMENT INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-MANAGEMENT pvid=220
add bpdu-guard=yes bridge=BRIDGE comment="LAB INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-LAB pvid=222
add bpdu-guard=yes bridge=BRIDGE comment="HOME INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-HOME pvid=224
add bpdu-guard=yes bridge=BRIDGE comment="GUEST INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-GUESTS pvid=226
add bpdu-guard=yes bridge=BRIDGE comment="THINGS INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-THINGS pvid=228
Two kinds of port are created here. ether23, ether24 and sfp-sfpplus1 are trunks: they admit only VLAN-tagged frames, so an untagged device plugged into one of them is simply dropped. ether23 is the link to the router and is marked trusted=yes, which under DHCP snooping makes it the only port from which DHCP server replies are accepted; DHCP offers arriving on any other port are discarded. The remaining ports are access ports, added through their interface lists: frame-types=admit-only-untagged-and-priority-tagged accepts only untagged traffic, pvid= tags it into that list’s VLAN on ingress, and bpdu-guard=yes disables the port if a BPDU arrives on it, so a stray switch plugged into an access port cannot take part in spanning tree.
We now declare which ports carry each VLAN tagged:
[admin@core] > /interface bridge vlan
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=220
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=222
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=224
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=226
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=228
Each entry lists the ports on which that VLAN is carried tagged: the three trunks, plus BRIDGE itself so that the switch CPU, and with it the VLAN interfaces defined above, can be reached on those VLANs. The access ports do not need to be listed; RouterOS derives their untagged membership from the pvid set on the bridge port, and /interface bridge vlan print shows those entries as dynamic.
We now set the system time zone so that NTP can eventually synchronize time:
[admin@core] > /system clock set time-zone-autodetect=no time-zone-name=America/Detroit
[admin@core] > /system ntp client set enabled=yes
We now add a DHCP client on the MANAGEMENT VLAN interface, so that the switch’s management address on the bridge is obtained over VLAN 220:
[admin@core] > /ip dhcp-client add interface=MANAGEMENT disabled=no
TODO
- Check this, show diagnostic printout
We now turn off the services we don’t plan to use on the switch, “hardening” the device by reducing its attack surface, and require strong crypto for SSH:
[admin@core] > /ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh set strong-crypto=yes
We can now check for updates:
[admin@core] > /system package update check-for-updates
channel: stable
installed-version: 6.48.3
latest-version: 6.48.4
status: New version is available
Install them if they are available:
[admin@core] > /system package update install
To update to RouterOS 7 you have to set the upgrade channel:
[admin@core] > /system package update set channel=upgrade
[admin@core] > /system package update install
You now have your first fully configured network bridge running on specialized hardware and passing frames real fast!
Wireless Bridging #
Spectrum & Standards #
TODO
- 2.4
- 5
- other, like LTE, LORA
- AC/AX
Planning #
TODO
- Good initial rules
- Tools, like wifiman for walk around analysis
CAPsMAN #
TODO
- configure CAPsMAN
- “reset start” your first Audience device
- see if CAPsMAN works with force tagged frames
- show how to set specific channels for specific CAPs