In this article, readers will learn how to configure the EdgeRouter to route packets between Virtual LANs (VLANs). In the networking world, this is commonly referred to as "Router-on-a-Stick" configuration, where one Ethernet port carries multiple VLANs.
Inter-VLAN routing requires a layer-3 device capable of routing packets, usually a router (like EdgeRouter) or a multi-layer switch (like EdgeSwitch). Per IEEE 802.1Q, a 4-byte tag carrying the 12-bit VLAN ID is inserted into the layer-2 frame header so that VLAN-aware devices (e.g., switches, access points) can forward the frame within the correct VLAN.
Before deploying VLANs in your network, commit the following ideas to memory:
- Although VLANs are typically paired with a unique subnet (layer-3 IP), VLANs are inherently a layer-2 concept, since VLAN information is contained in the header of frames (the PDU that encapsulates the IP packet).
- Inter-VLAN routing requires a router (or routing on a multi-layer switch). Google "Router-on-a-Stick" to learn more.
- Access ports connect to hosts, which are themselves unaware of VLAN tagging. The switch strips the VLAN tag from every frame it sends to the host and assigns the port's configured VLAN to the untagged frames it receives from the host.
- Trunk ports carry traffic for multiple VLANs over a single link, for example between two switches, or between a switch and an access point (or router). The VLAN configuration on both ends of a trunk must match: the same tagged VLANs allowed, and the same VLAN carried untagged (native).
The following topology is an example of a network with several different VLANs:
- Management (VLAN1-default, untagged, black)
- Video (VLAN2, tagged, red)
- VoIP (VLAN3, tagged, yellow)
- Corporate (VLAN4, tagged, green)
- Guest (VLAN5, tagged, blue)
Device Information (Addresses, SSIDs, Description)
Router 1 (r1, ERLite-3)
- eth0: 192.168.1.1
- eth0.2: 192.168.2.1
- eth0.3: 192.168.3.1
- eth0.4: 192.168.4.1
- eth0.5: 192.168.5.1
Switch 1 (sw1, ES-24-500W)
Switch 2 (sw2, ES-48-750W)
Access Point 1 (ap1, UAP-PRO)
- WLAN-Corporate (VLAN4)
- WLAN-Guest (VLAN5)
Note: Trunks carry VLANs 1-5 from r1 to sw1 to sw2, and VLANs 1, 4, & 5 to ap1. ap1 receives management traffic on VLAN1 while broadcasting WLANs associated with VLAN4 and VLAN5.
Admin Computer (MBA 13")
Note: We assume that this computer is responsible for centrally managing all equipment (e.g., controllers) while also configuring equipment per this walkthrough, and running ping tests for connectivity.
Camera 1 (UVC-Dome)
Camera 2 (UVC)
IP Phone (UVP)
Wi-Fi Client 1 (iPhone)
Wi-Fi Client 2 (iPod)
Note: It is recommended that you configure the equipment from the topology in the following order:
- EdgeSwitch (but only Static IPs, Device Name and PoE Configuration to power devices)
- Cameras, Phones, etc. (but only with Static IPs & Gateway for testing)
- EdgeRouter (e.g., DHCP servers, virtual interfaces to allow inter-VLAN routing for testing)
- UniFi AP (e.g., Static IP for AP and VLAN tags to match created WLANs)
- EdgeSwitch (VLANs, see next section)
Configure via CLI
The following CLI commands can be issued assuming you are configuring a default ERLite-3 to work in the above topology. Only the "set interfaces ethernet eth0 vif ..." lines relate to Virtual Interfaces (VIFs); the rest of the sample configures the ERLite-3 as a DHCP server for clients on VLAN4 and VLAN5 (wireless clients), enables the DNS forwarder on every VLAN, and masquerades LAN traffic out eth1. There is no firewall configured! As written, every VLAN can reach every other VLAN (guests included), and the router's own services (SSH, web UI) answer on every interface, including the WAN interface eth1, so add firewall rulesets before putting this into production.
Note: A connected route is added automatically as soon as an address is assigned to a router interface (physical or virtual), so no static routes are needed for the VLAN subnets. eth0 keeps the ERLite-3 factory-default address 192.168.1.1/24 (the untagged management VLAN), which is why no address is set on it below. Ethernet interface eth1 is the outside WAN interface, with a public IP of 18.104.22.168 and a Gateway of Last Resort of 22.214.171.124.
set interfaces ethernet eth0 vif 2 address 192.168.2.1/24
set interfaces ethernet eth0 vif 3 address 192.168.3.1/24
set interfaces ethernet eth0 vif 4 address 192.168.4.1/24
set interfaces ethernet eth0 vif 5 address 192.168.5.1/24
set interfaces ethernet eth1 address 126.96.36.199/30
set service dhcp-server shared-network-name vlan4 description "vlan4-dhcp-pool"
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 default-router 192.168.4.1
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 dns-server 192.168.4.1
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 start 192.168.4.11
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 end 192.168.4.254
set service dhcp-server shared-network-name vlan5 description "vlan5-dhcp-pool"
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 default-router 192.168.5.1
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 dns-server 192.168.5.1
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 start 192.168.5.11
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 end 192.168.5.254
set service dns forwarding listen-on eth0
set service dns forwarding listen-on eth0.2
set service dns forwarding listen-on eth0.3
set service dns forwarding listen-on eth0.4
set service dns forwarding listen-on eth0.5
set service nat rule 5010 description "masquerade from all LANs to eth1 WAN"
set service nat rule 5010 source address 192.168.0.0/16
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
set system name-server 188.8.131.52
set system gateway-address 184.108.40.206
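The configuration above deliberately has no firewall, so every VLAN can reach every other VLAN and the router's SSH and web UI answer on every interface, including the public eth1. The following is an added example, not part of the original article, showing one way to add a minimal EdgeOS ruleset on top of it: guests on VLAN5 get Internet access plus DHCP, DNS and ping from the router but cannot start sessions to any other VLAN or to the router's management services, and eth1 admits only replies to sessions started from inside. The group and ruleset names (LAN_NETS, GUEST_IN, GUEST_LOCAL, WAN_IN, WAN_LOCAL), the rule numbers, and the choice of which services guests may reach are assumptions; the subnets are the ones used in the topology above.

```vyatta
configure

# Added example (not from the original article); group name LAN_NETS is an assumption.
# One group holding every local VLAN subnet keeps the guest rule short.
set firewall group network-group LAN_NETS description "All local VLAN subnets"
set firewall group network-group LAN_NETS network 192.168.1.0/24
set firewall group network-group LAN_NETS network 192.168.2.0/24
set firewall group network-group LAN_NETS network 192.168.3.0/24
set firewall group network-group LAN_NETS network 192.168.4.0/24
set firewall group network-group LAN_NETS network 192.168.5.0/24

# GUEST_IN: guest traffic forwarded THROUGH the router (to other VLANs or the Internet).
# Rule 10 must come before rule 30, otherwise a guest could not even answer a ping
# or a session that an admin on VLAN1 started toward a guest device.
set firewall name GUEST_IN description "VLAN5 guest forwarded traffic"
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 description "Replies to sessions started from other VLANs"
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 description "Drop invalid"
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 state invalid enable
set firewall name GUEST_IN rule 30 description "Guests may not start sessions to any local VLAN"
set firewall name GUEST_IN rule 30 action drop
set firewall name GUEST_IN rule 30 destination group network-group LAN_NETS
# Anything else (Internet via the eth1 masquerade rule) is accepted by the default action.

# GUEST_LOCAL: guest traffic addressed TO the router itself: only DHCP, DNS and ping.
# SSH (22) and the web UI (443) on 192.168.5.1 become unreachable from guests.
set firewall name GUEST_LOCAL description "VLAN5 guest -> router services"
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 description "DHCP"
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 30 description "DNS forwarder"
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 protocol tcp_udp
set firewall name GUEST_LOCAL rule 30 destination port 53
set firewall name GUEST_LOCAL rule 40 description "Ping the gateway for testing"
set firewall name GUEST_LOCAL rule 40 action accept
set firewall name GUEST_LOCAL rule 40 protocol icmp

# WAN: admit only replies; nothing on the Internet may reach the router or the VLANs.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# Attach the rulesets: "in" filters forwarded traffic, "local" filters traffic to the router.
set interfaces ethernet eth0 vif 5 firewall in name GUEST_IN
set interfaces ethernet eth0 vif 5 firewall local name GUEST_LOCAL
set interfaces ethernet eth1 firewall in name WAN_IN
set interfaces ethernet eth1 firewall local name WAN_LOCAL

commit
save
exit
```

To verify from a client on WLAN-Guest: ping 192.168.5.1 should succeed, ping 192.168.1.1 (router management) and any host on 192.168.4.0/24 should fail, and Internet access should still work; "show firewall name GUEST_IN statistics" in operational mode shows rule 30 counting the dropped attempts. The same in/local pattern applied to eth0.2 through eth0.4 is how you would keep cameras and phones off the management VLAN; VLAN1 on eth0 is left unfiltered here so the admin computer retains full access. To see the 802.1Q tags themselves on the trunk, "sudo tcpdump -ni eth0 -e vlan 5" from the router's operational mode prints each guest frame with its VLAN ID before the router strips it.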
EdgeSwitch & UniFi Integration
To see how the EdgeSwitch is configured, visit this KB article.
To see how the UniFi is configured, visit this KB article.