EdgeRouter - InterVLAN Walkthrough with ERLite-3 using Sample Enterprise Topology


In this article, readers will learn how to configure the EdgeRouter to route packets between Virtual LANs (VLANs). In the networking world, this is commonly referred to as "Router-on-a-Stick" configuration, where one Ethernet port carries multiple VLANs.

InterVLAN-routing requires a layer-3 device capable of routing packets, usually a router (like EdgeRouter) or a multi-layer switch (like EdgeSwitch). Per IEEE 802.1Q, layer-2 frame headers are tagged with VLAN information so that VLAN-aware devices (e.g., switches, access points) can forward the packet (frame) accordingly.

Before deploying VLANs in your network, commit the following ideas to memory:

  1. Although VLANs are typically paired with a unique subnet (layer-3 IP), VLANs are inherently a layer-2 concept, since VLAN information is contained in the header of frames (the PDU that encapsulates the IP packet).
  2. Inter-VLAN routing requires a router (or routing on a multi-layer switch). Google "Router-on-a-Stick" to learn more.
  3. Access ports connect to hosts (which are themselves unaware of VLAN tagging). The VLAN tag is always stripped as the frame passes from the switch to the host.
  4. Trunk ports receive and carry traffic between multiple VLANs, like when two switches are connected (or a switch and an access point). The VLAN configuration on both sides of the trunk should be identical in such cases.

Topology


The following topology is an example of a network with several different VLANs:

  1. Management (VLAN1-default, untagged, black)
  2. Video (VLAN2, tagged, red)
  3. VoIP (VLAN3, tagged, yellow)
  4. Corporate (VLAN4, tagged, green)
  5. Guest (VLAN5, tagged, blue)

Device Information (Addresses, SSIDs, Description)

Router 1 (r1, ERLite-3)

  • eth0: 192.168.1.1
  • eth0.2: 192.168.2.1
  • eth0.3: 192.168.3.1
  • eth0.4: 192.168.4.1
  • eth0.5: 192.168.5.1

Switch 1 (sw1, ES-24-500W)

  • 192.168.1.2

Switch 2 (sw2, ES-48-750W)

  • 192.168.1.3

Access Point 1 (ap1, UAP-PRO)

  • 192.168.1.4
  • WLAN-Corporate (VLAN4)
  • WLAN-Guest (VLAN5)

Note: Trunks carry VLANs 1-5 from r1 to sw1 to sw2, and VLANs 1, 4, & 5 to ap1. ap1 receives management traffic on VLAN1 while broadcasting WLANs associated with VLAN4 and VLAN5. 

Admin Computer (MBA 13")

  • 192.168.1.10

Note: We assume that this computer is responsible for centrally managing all equipment (e.g., controllers) while also configuring equipment per this walkthrough, and running ping tests for connectivity.

Camera 1 (UVC-Dome)

  • 192.168.2.23

Camera 2 (UVC)

  • 192.168.2.24

IP Phone (UVP)

  • 192.168.3.33

Wi-Fi Client 1 (iPhone)

  • 192.168.4.11

Wi-Fi Client 2 (iPod)

  • 192.168.5.11

Note: It is recommended that you configure the equipment from the topology in the following order:

  1. EdgeSwitch (but only Static IPs, Device Name and PoE Configuration to power devices)
  2. Cameras, Phones, etc. (but only with Static IPs & Gateway for testing)
  3. EdgeRouter (e.g., DHCP servers, virtual interfaces to allow inter-VLAN routing for testing)
  4. UniFi AP (e.g., Static IP for AP and VLAN tags to match created WLANs)
  5. EdgeSwitch (VLANs, see next section)

EdgeRouter Configuration


Configure via CLI

The following CLI commands can be issued assuming you are configuring a default ERLite-3 (eth0 already addressed as 192.168.1.1/24) to work in the above topology. Only the four "set interfaces ethernet eth0 vif ..." lines relate to Virtual Interfaces (VIFs); the rest of the sample also configures the ERLite-3 as a DHCP server for clients on VLAN4 and VLAN5 (wireless clients), as a DNS forwarder on every VLAN, and as the NAT gateway to the WAN. There is no firewall configured!

Note: Routes to connected networks are added automatically as soon as an address is assigned to a router interface (physical, virtual, etc.). Ethernet interface eth1 is the outside WAN interface; it has a public IP of 192.0.199.254 and a Gateway of Last Resort of 192.0.199.253.

configure
set interfaces ethernet eth0 vif 2 address 192.168.2.1/24
set interfaces ethernet eth0 vif 3 address 192.168.3.1/24
set interfaces ethernet eth0 vif 4 address 192.168.4.1/24
set interfaces ethernet eth0 vif 5 address 192.168.5.1/24
set interfaces ethernet eth1 address 192.0.199.254/30
set service dhcp-server shared-network-name vlan4 description "vlan4-dhcp-pool"
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 default-router 192.168.4.1
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 start 192.168.4.11
set service dhcp-server shared-network-name vlan4 subnet 192.168.4.0/24 end 192.168.4.254
set service dhcp-server shared-network-name vlan5 description "vlan5-dhcp-pool"
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 default-router 192.168.5.1
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 start 192.168.5.11
set service dhcp-server shared-network-name vlan5 subnet 192.168.5.0/24 end 192.168.5.254
set service dns forwarding listen-on eth0
set service dns forwarding listen-on eth0.2
set service dns forwarding listen-on eth0.3
set service dns forwarding listen-on eth0.4
set service dns forwarding listen-on eth0.5
set service nat rule 5010 description "masquerade from all LANs to eth1 WAN"
set service nat rule 5010 source address 192.168.0.0/16
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth1
set service nat rule 5010 protocol all
set service nat rule 5010 log disable
set system name-server 8.8.8.8
set system gateway-address 192.0.199.253
commit
save
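As the note above says, this configuration has no firewall, so once the VIFs exist every VLAN can reach every other VLAN through r1, including the management, camera and phone subnets from the Guest WLAN. The following added example (not part of the original article; the ruleset names GUEST_IN and GUEST_LOCAL are my own choice) restricts the Guest VLAN on eth0.5 so that guest clients can reach only the WAN plus the router's own DHCP and DNS services, which the sample above already provides on that VIF. The same pattern can be applied to eth0.4 if corporate Wi-Fi should not see the cameras or phones.

```edgeos
configure
set firewall name GUEST_IN description "Guest VLAN5 traffic routed to other networks"
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 description "allow replies belonging to existing sessions"
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 description "drop and log guest traffic to every private LAN"
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination address 192.168.0.0/16
set firewall name GUEST_IN rule 20 log enable
set firewall name GUEST_LOCAL description "Guest VLAN5 traffic addressed to r1 itself"
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 description "allow replies belonging to existing sessions"
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 description "DHCP requests to the vlan5 pool"
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 30 description "DNS queries to the forwarder listening on eth0.5"
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 protocol tcp_udp
set firewall name GUEST_LOCAL rule 30 destination port 53
set interfaces ethernet eth0 vif 5 firewall in name GUEST_IN
set interfaces ethernet eth0 vif 5 firewall local name GUEST_LOCAL
commit
save
```

After the commit, "show firewall name GUEST_IN statistics" shows per-rule counters: a ping from Wi-Fi Client 2 (192.168.5.11) to Camera 1 (192.168.2.23) should now fail and increment rule 20, while a ping from the same client to 8.8.8.8 still succeeds through the NAT rule.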

EdgeSwitch & UniFi Integration


To see how the EdgeSwitch is configured, visit this KB article.

To see how the UniFi is configured, visit this KB article.
