{"id":621,"date":"2025-07-19T14:29:12","date_gmt":"2025-07-19T12:29:12","guid":{"rendered":"https:\/\/schoppe.it\/wiki\/?p=621"},"modified":"2025-07-19T14:29:12","modified_gmt":"2025-07-19T12:29:12","slug":"mikrotik-crs112-8p-4s-vlan-konfiguration-mit-hardware-offloading","status":"publish","type":"post","link":"https:\/\/schoppe.it\/wiki\/mikrotik-crs112-8p-4s-vlan-konfiguration-mit-hardware-offloading\/","title":{"rendered":"MikroTik CRS112-8P-4S \u2013 VLAN Configuration with Hardware Offloading"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Goals of the Configuration<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VLAN 5<\/strong> for the management network<\/li>\n\n\n\n<li><strong>VLAN 10<\/strong> for internal Wi-Fi devices<\/li>\n\n\n\n<li><strong>VLAN 20<\/strong> for the guest Wi-Fi<\/li>\n\n\n\n<li><strong>Separation of the VLANs<\/strong> on Layer 2<\/li>\n\n\n\n<li><strong>Automatic VLAN assignment<\/strong> for management ports (PVID \u2192 VLAN 5)<\/li>\n\n\n\n<li><strong>Out-of-band port<\/strong> (OOB) for local access without a VLAN<\/li>\n\n\n\n<li><strong>Use of the switch chip (FastPath)<\/strong> for full performance<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Hardware<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Switch:<\/strong> MikroTik CRS112-8P-4S<\/li>\n\n\n\n<li><strong>RouterOS:<\/strong> Version 7.19.3<\/li>\n\n\n\n<li><strong>Uplink port:<\/strong> <code>ether8::UPLINK<\/code><\/li>\n\n\n\n<li><strong>OOB port:<\/strong> <code>ether7::OOB<\/code> (direct, without a VLAN)<\/li>\n\n\n\n<li><strong>DHCP for management:<\/strong> via VLAN 5<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Configuration Overview<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Create the bridge<\/h3>\n\n\n\n<p>The bridge connects all ports but is <strong>not<\/strong> used for VLAN processing on Layer 3.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface bridge\nadd name=bridge\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">2. Name the ports (optional, for clarity)<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface ethernet\nset &#x5B; find default-name=ether1 ] name=ether1::PC-ADMIN\nset &#x5B; find default-name=ether2 ] name=ether2::PC\nset &#x5B; find default-name=ether3 ] name=ether3::AP\nset &#x5B; find default-name=ether7 ] name=ether7::OOB\nset &#x5B; find default-name=ether8 ] name=ether8::UPLINK\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">3. VLAN interface for management<\/h3>\n\n\n\n<p>The VLAN interface is required to obtain a DHCP lease over VLAN 5.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface vlan\nadd interface=bridge name=vlan5::MGMT vlan-id=5\n\n\/ip dhcp-client\nadd default-route-tables=main interface=vlan5::MGMT\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">4. Add the ports to the bridge<\/h3>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface bridge port\nadd bridge=bridge interface=ether1::PC-ADMIN\nadd bridge=bridge interface=ether2::PC\nadd bridge=bridge interface=ether3::AP\nadd bridge=bridge interface=ether4\nadd bridge=bridge interface=ether5\nadd bridge=bridge interface=ether6\nadd bridge=bridge interface=ether8::UPLINK\nadd bridge=bridge interface=sfp9\nadd bridge=bridge interface=sfp10\nadd bridge=bridge interface=sfp11\nadd bridge=bridge interface=sfp12\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">5. 
VLAN assignment on the switch chip<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Ingress VLAN Translation (PVID)<\/h4>\n\n\n\n<p>Here, untagged traffic on specific ports is automatically placed into management VLAN 5:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface ethernet switch ingress-vlan-translation\nadd customer-vid=0 new-customer-vid=5 ports=ether1::PC-ADMIN\n<\/pre><\/div>\n\n\n<p>\u2192 Untagged devices on the admin port are automatically assigned to VLAN 5 (management).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Egress VLAN tagging<\/h4>\n\n\n\n<p>This defines which ports get VLAN tags on egress:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface ethernet switch egress-vlan-tag\nadd tagged-ports=switch1-cpu,ether3::AP,ether8::UPLINK vlan-id=5\nadd tagged-ports=ether3::AP,ether8::UPLINK vlan-id=10\nadd tagged-ports=ether3::AP,ether8::UPLINK vlan-id=20\n<\/pre><\/div>\n\n\n<p>\u2192 These ports send tagged VLAN packets.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Define VLAN memberships<\/h4>\n\n\n\n<p>All relevant ports are assigned to their respective VLANs:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface ethernet switch vlan\nadd ports=switch1-cpu,ether1::PC-ADMIN,ether3::AP,ether8::UPLINK vlan-id=5\nadd ports=ether3::AP,ether8::UPLINK vlan-id=10\nadd ports=ether3::AP,ether8::UPLINK vlan-id=20\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\">6. 
Security: VLAN enforcement<\/h3>\n\n\n\n<p>To ensure that packets that do not belong to a permitted VLAN are not accepted:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n\/interface ethernet switch\nset drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1::PC-ADMIN,ether3::AP,ether8::UPLINK\n<\/pre><\/div>\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Full performance<\/strong> through hardware offloading<\/li>\n\n\n\n<li><strong>Clear VLAN separation<\/strong> on Layer 2<\/li>\n\n\n\n<li><strong>Automatic VLAN assignment<\/strong> for admin PCs<\/li>\n\n\n\n<li><strong>OOB port<\/strong> provides direct access without a VLAN<\/li>\n\n\n\n<li><strong>DHCP for the management network<\/strong> works reliably<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>With the right setup, even an inexpensive MikroTik switch such as the <strong>CRS112-8P-4S<\/strong> can be used professionally \u2013 without CPU overhead and with clean VLAN handling on Layer 2. Using <strong>Ingress VLAN Translation<\/strong> and <strong>switch-chip VLAN rules<\/strong> in particular keeps the configuration fast and flexible.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post I show how I implemented a high-performance VLAN configuration on my MikroTik CRS112-8P-4S. 
The goal was to cleanly separate different networks, use Layer 2 switching exclusively and relieve the CPU as much as possible \u2013 that is, to take full advantage of hardware offloading.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[222],"tags":[224,223,225],"powershell":[],"wordpress":[],"exchange":[],"linux":[],"class_list":["post-621","post","type-post","status-publish","format-standard","hentry","category-netzwerk","tag-crs112","tag-mikrotik","tag-vlan","entry"],"_links":{"self":[{"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/posts\/621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/comments?post=621"}],"version-history":[{"count":4,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/posts\/621\/revisions"}],"predecessor-version":[{"id":625,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/posts\/621\/revisions\/625"}],"wp:attachment":[{"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/media?parent=621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/categories?post=621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/tags?post=621"},{"taxonomy":"powershell","embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/powershell?post=621"},{"taxonomy":"wordpress","embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/wordpress?post=621"},{"taxonomy":"exchange","embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/exchange?po
st=621"},{"taxonomy":"linux","embeddable":true,"href":"https:\/\/schoppe.it\/wiki\/wp-json\/wp\/v2\/linux?post=621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}