Company network VLANs are no longer an advanced option; they are the baseline of any professional network in 2026. This hands-on guide shows how to configure VLANs for a company on MikroTik, from planning the scheme to troubleshooting in production.
What a VLAN is and why you need one
A VLAN (Virtual LAN) is a separate logical broadcast domain inside the same physical infrastructure. Two hosts in different VLANs cannot see each other directly, even when they are connected to the same switch. Communication between VLANs goes through the router (Layer 3), where you can apply firewall rules.
VLAN benefits for a company: security segmentation (a compromised IoT camera does not get access to the file server), broadcast containment (a VLAN with 200 devices means 200 broadcasts/s on the switch instead of thousands), simpler management (DHCP/firewall policies per VLAN), QoS per VLAN (Voice prioritized over Workstations).
Planning the VLAN scheme
The standard scheme we apply in SMB offices:
- VLAN 10 - Management (SSH/HTTPS access to network equipment) - 10.0.10.0/24
- VLAN 20 - Servers (Active Directory, file server, ERP) - 10.0.20.0/24
- VLAN 30 - Workstations (user PCs) - 10.0.30.0/24
- VLAN 40 - Voice (VoIP phones) - 10.0.40.0/24
- VLAN 50 - Printers (network printers) - 10.0.50.0/24
- VLAN 60 - Security (CCTV cameras, NVR) - 10.0.60.0/24
- VLAN 70 - IoT (HVAC, alarms, lighting) - 10.0.70.0/24
- VLAN 80 - Guests (visitor Wi-Fi, internet only) - 10.0.80.0/24
The scheme scales to 255 VLANs before renumbering becomes necessary.
802.1Q tagging - how it works
The 802.1Q tag adds 4 bytes to the Ethernet header: 2 bytes of TPID (0x8100) and 2 bytes of TCI, which carries the priority (3 bits, PCP/CoS), DEI (1 bit) and the VLAN ID (12 bits, usable values 1-4094). Tagged frames have a maximum length of 1522 bytes (1500 + 18 + 4).
Ports are configured as:
- Access - untagged, in a single VLAN, typically towards hosts
- Trunk - tagged, multiple VLANs, between switches and towards the router
- Hybrid - a mix of tagged and untagged
The native VLAN on a trunk is the untagged VLAN. Best practice: make the native VLAN an unused VLAN (for example 999) to prevent VLAN hopping attacks.
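To make the tag layout and the native-VLAN behaviour concrete, here is an added Python example (not code from the article): it builds test frames, decodes the TPID, PCP, DEI and VID fields of the TCI, places untagged frames (and priority-tagged frames with VID 0) into the port's PVID exactly as a switch port places them into its native VLAN, and enforces the 1518/1522-byte wire limits. The MAC addresses and payloads are constructed test data, and the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier of a customer VLAN tag
ETH_HDR_LEN = 14             # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4             # TPID (2) + TCI (2)
FCS_LEN = 4
MAX_UNTAGGED_FRAME = 1500 + ETH_HDR_LEN + FCS_LEN          # 1518
MAX_TAGGED_FRAME = MAX_UNTAGGED_FRAME + VLAN_TAG_LEN       # 1522


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Assemble a test frame without FCS; vlan_id=None produces an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (dei << 12) | (vlan_id & 0x0FFF)   # PCP | DEI | VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame, pvid):
    """Decode the Ethernet header plus an optional 802.1Q tag.

    Untagged frames, and priority-tagged frames carrying VID 0, are placed in
    `pvid`, which is what a switch port does with its native VLAN.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "vlan_id": pvid, "pcp": 0, "dei": 0}
    payload_off = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        # After the TPID come the 16-bit TCI and then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[ETH_HDR_LEN:ETH_HDR_LEN + VLAN_TAG_LEN])
        vid = tci & 0x0FFF
        if vid == 0x0FFF:
            raise ValueError("VID 4095 is reserved")
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vlan_id=vid if vid else pvid)
        payload_off += VLAN_TAG_LEN
    limit = MAX_TAGGED_FRAME if info["tagged"] else MAX_UNTAGGED_FRAME
    if len(frame) + FCS_LEN > limit:          # our test frames omit the FCS
        raise ValueError(f"frame would exceed {limit} bytes on the wire")
    info["ethertype"] = ethertype
    info["payload_len"] = len(frame) - payload_off
    return info


def is_valid_frame(frame, pvid):
    """True when the frame parses and respects the size limits."""
    try:
        parse_frame(frame, pvid)
        return True
    except ValueError:
        return False


# Constructed sample frames (not captures): an IPv4 frame from a VoIP phone
# tagged VLAN 40 with PCP 5, and an untagged ARP frame on an access port.
VOICE_FRAME = build_frame("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", 0x0800,
                          b"\x45" + b"\x00" * 39, vlan_id=40, pcp=5)
ACCESS_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:03", 0x0806,
                           b"\x00" * 28)

if __name__ == "__main__":
    print(parse_frame(VOICE_FRAME, pvid=999))   # trunk port, native VLAN 999
    print(parse_frame(ACCESS_FRAME, pvid=30))   # access port in VLAN 30
```

Running it shows why the unused native VLAN matters: on the trunk with pvid 999, only the tagged voice frame lands in VLAN 40, while anything untagged goes to 999, a VLAN with no members and no IP interface.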
Configuring bridge VLAN filtering on MikroTik
On RouterOS 7 we use a bridge with vlan-filtering=yes:
/interface bridge add name=br1 vlan-filtering=no
# access ports: pvid is the VLAN that receives the port's untagged frames
/interface bridge port add bridge=br1 interface=ether2 pvid=30
/interface bridge port add bridge=br1 interface=ether3 pvid=30
/interface bridge port add bridge=br1 interface=ether4 pvid=40
# trunk port: carries every VLAN tagged
/interface bridge port add bridge=br1 interface=ether10
# br1 itself must be a tagged member of every VLAN that gets an IP interface below
/interface bridge vlan add bridge=br1 vlan-ids=10 tagged=br1,ether10
/interface bridge vlan add bridge=br1 vlan-ids=20 tagged=br1,ether10
/interface bridge vlan add bridge=br1 vlan-ids=30 tagged=br1,ether10 untagged=ether2,ether3
/interface bridge vlan add bridge=br1 vlan-ids=40 tagged=br1,ether10 untagged=ether4
/interface bridge set br1 vlan-filtering=yes
Important: enable vlan-filtering=yes LAST, after all entries have been added, so you do not lock yourself out by accident.
VLAN interfaces and IP addresses
/interface vlan add interface=br1 name=vlan10-mgmt vlan-id=10
/interface vlan add interface=br1 name=vlan20-servers vlan-id=20
/interface vlan add interface=br1 name=vlan30-ws vlan-id=30
/ip address add address=10.0.10.1/24 interface=vlan10-mgmt
/ip address add address=10.0.20.1/24 interface=vlan20-servers
/ip address add address=10.0.30.1/24 interface=vlan30-ws
DHCP per VLAN
/ip pool add name=pool-ws ranges=10.0.30.100-10.0.30.200
/ip dhcp-server add name=dhcp-ws interface=vlan30-ws address-pool=pool-ws lease-time=8h
/ip dhcp-server network add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.20.10
Repeat for each VLAN where you want DHCP. For the Servers VLAN (static addressing) do not enable DHCP.
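The three steps above (bridge ports and VLAN table, VLAN interfaces with addresses, DHCP per VLAN) follow a fixed pattern, so they can be generated from the plan instead of typed by hand. The Python script below is an added example, not MikroTik code and not part of the article; it renders the RouterOS commands for the article's VLANs 10-40 in a lock-out-safe order and first checks for the mistakes that otherwise surface later as "the client gets no IP": duplicate VLAN IDs, a port given two PVIDs, DHCP on a VLAN without a router interface, and a VLAN with an IP interface that the bridge itself is not a tagged member of. The .1 gateway, the .100-.200 pool, the 8h lease and 10.0.20.10 as DNS follow the listings above; the Vlan class and helper names are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

BRIDGE = "br1"
TRUNK_PORTS = ["ether10"]
DNS_SERVER = "10.0.20.10"


@dataclass
class Vlan:
    vid: int
    name: str
    subnet: str                       # the gateway is always the first host (.1)
    access_ports: list = field(default_factory=list)
    dhcp: bool = False                # DHCP pool covers hosts .100-.200
    routed: bool = True               # create an L3 interface on the bridge


# The article's scheme, limited to the VLANs the listings above configure
PLAN = [
    Vlan(10, "mgmt", "10.0.10.0/24"),
    Vlan(20, "servers", "10.0.20.0/24"),                      # static addressing, no DHCP
    Vlan(30, "ws", "10.0.30.0/24", ["ether2", "ether3"], dhcp=True),
    Vlan(40, "voice", "10.0.40.0/24", ["ether4"], dhcp=True),
]


def plan_errors(plan, trunks=TRUNK_PORTS):
    """Return the planning mistakes that would only show up on the client later."""
    errors, seen_vids, seen_ports = [], set(), set()
    for v in plan:
        if not 1 <= v.vid <= 4094:
            errors.append(f"VLAN {v.vid}: id outside 1-4094")
        if v.vid in seen_vids:
            errors.append(f"VLAN {v.vid}: duplicate id")
        seen_vids.add(v.vid)
        for p in v.access_ports:
            if p in seen_ports or p in trunks:
                errors.append(f"VLAN {v.vid}: port {p} already used (pvid conflict)")
            seen_ports.add(p)
        if v.dhcp and not v.routed:
            errors.append(f"VLAN {v.vid}: DHCP needs a router interface on the bridge")
        if v.dhcp and ipaddress.ip_network(v.subnet).num_addresses < 256:
            errors.append(f"VLAN {v.vid}: subnet too small for the .100-.200 pool")
    return errors


def render(plan, bridge=BRIDGE, trunks=TRUNK_PORTS, dns=DNS_SERVER):
    """Emit the RouterOS commands; vlan-filtering is switched on as the last step."""
    problems = plan_errors(plan, trunks)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"/interface bridge add name={bridge} vlan-filtering=no"]
    for v in plan:
        for p in v.access_ports:
            cmds.append(f"/interface bridge port add bridge={bridge} interface={p} pvid={v.vid}")
    for t in trunks:
        cmds.append(f"/interface bridge port add bridge={bridge} interface={t}")
    for v in plan:
        # the bridge itself must be a tagged member of every VLAN it routes
        tagged = ([bridge] if v.routed else []) + list(trunks)
        line = f"/interface bridge vlan add bridge={bridge} vlan-ids={v.vid} tagged={','.join(tagged)}"
        if v.access_ports:
            line += f" untagged={','.join(v.access_ports)}"
        cmds.append(line)
    for v in plan:
        if not v.routed:
            continue
        net = ipaddress.ip_network(v.subnet)
        iface = f"vlan{v.vid}-{v.name}"
        cmds.append(f"/interface vlan add interface={bridge} name={iface} vlan-id={v.vid}")
        cmds.append(f"/ip address add address={net[1]}/{net.prefixlen} interface={iface}")
        if v.dhcp:
            cmds.append(f"/ip pool add name=pool-{v.name} ranges={net[100]}-{net[200]}")
            cmds.append(f"/ip dhcp-server add name=dhcp-{v.name} interface={iface} "
                        f"address-pool=pool-{v.name} lease-time=8h")
            cmds.append(f"/ip dhcp-server network add address={net} gateway={net[1]} dns-server={dns}")
    # enabling filtering last means every table entry exists before it takes effect
    cmds.append(f"/interface bridge set {bridge} vlan-filtering=yes")
    return cmds


if __name__ == "__main__":
    print("\n".join(render(PLAN)))
```

Paste the output into the terminal or keep it as a script; because the checks run before anything is rendered, a plan with a port in two VLANs or a DHCP server on a VLAN the router has no interface on never reaches the device.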
Switch chip vs CPU
MikroTik CRS units have a dedicated switch chip that processes VLAN tagging at wire speed (tens of Gbps), independently of the CPU. To use the switch chip, configure VLANs through /interface ethernet switch (RouterOS 6) or through hardware-accelerated bridge VLAN filtering (RouterOS 7 on compatible models - CRS3xx, CRS5xx).
Checking hardware offload:
/interface bridge port print where hw=yes
If hw=no, traffic goes through the CPU, which is unacceptable for networks with heavy traffic.
Firewall between VLANs
VLANs without a firewall mean every VLAN can reach every other VLAN, so the segmentation was for nothing. Apply filter rules on the forward chain:
/ip firewall filter add chain=forward in-interface=vlan80-guests out-interface=!ether1 action=drop comment="Guests can only access internet"
/ip firewall filter add chain=forward in-interface=vlan70-iot out-interface=vlan20-servers action=drop comment="IoT can not reach servers"
/ip firewall filter add chain=forward in-interface=vlan60-security out-interface=!vlan20-servers action=drop comment="Cameras only to NVR"
Troubleshooting VLANs
Common problems:
1. Host gets no IP - check that a DHCP server is active on that VLAN and that the access port has the correct pvid.
2. Hosts in different VLANs cannot see each other - normal if the firewall blocks forward between VLANs. Check with /ip firewall filter print where chain=forward.
3. Trunk does not carry VLANs - check the tagged list:
/interface bridge vlan print
/interface bridge port-vlan-table print
4. Hardware offload lost after an update - after any change to VLAN filtering, check:
/interface bridge port print where hw=no
If entries show up, restart the bridge.
5. STP loops after adding a new VLAN - make sure STP/RSTP is active on the bridge and check the priority to control root election.
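The forward-chain rules in the firewall section are a blacklist (anything not explicitly dropped is accepted), and troubleshooting item 2 comes down to reading the rule list to see which rule blocks a flow. The Python example below is added here and is not the article's code: it parses rules written in the RouterOS syntax used above into a small model, evaluates a source/destination interface pair with first-match semantics (unmatched packets are accepted, as in RouterOS), and also generates the default-deny variant (accept return traffic, the explicitly allowed VLAN pairs and internet access; drop everything else), which goes beyond the page's three rules. The interface names follow the article's scheme; the allowed pairs and the helper names are this example's own assumptions.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    in_iface: str          # interface name, "!name" for negation, "*" for any
    out_iface: str
    conn_state: frozenset  # empty = match any connection state
    action: str
    comment: str


def parse_rule(cmd):
    """Parse a RouterOS '/ip firewall filter add chain=forward ...' line."""
    kv = dict(tok.split("=", 1) for tok in shlex.split(cmd) if "=" in tok)
    if kv.get("chain") != "forward":
        raise ValueError("only the forward chain is modelled here")
    states = frozenset(kv["connection-state"].split(",")) if "connection-state" in kv else frozenset()
    return Rule(kv.get("in-interface", "*"), kv.get("out-interface", "*"),
                states, kv["action"], kv.get("comment", ""))


def iface_matches(pattern, iface):
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return iface == pattern


def evaluate(rules, in_iface, out_iface, state="new"):
    """First matching rule wins; a packet no rule matches is accepted (RouterOS default)."""
    for r in rules:
        if (iface_matches(r.in_iface, in_iface) and iface_matches(r.out_iface, out_iface)
                and (not r.conn_state or state in r.conn_state)):
            return r.action, r.comment
    return "accept", "no rule matched (chain default)"


# The three rules from the firewall section, exactly as written there
PAGE_RULE_CMDS = [
    '/ip firewall filter add chain=forward in-interface=vlan80-guests out-interface=!ether1 action=drop comment="Guests can only access internet"',
    '/ip firewall filter add chain=forward in-interface=vlan70-iot out-interface=vlan20-servers action=drop comment="IoT can not reach servers"',
    '/ip firewall filter add chain=forward in-interface=vlan60-security out-interface=!vlan20-servers action=drop comment="Cameras only to NVR"',
]


def default_deny_rules(vlan_ifaces, wan_iface, allowed_pairs):
    """Whitelist policy: return traffic, the listed VLAN pairs and internet access
    are accepted; every other forward between interfaces is dropped."""
    cmds = ['/ip firewall filter add chain=forward connection-state=established,related '
            'action=accept comment="Return traffic"']
    for src, dst in allowed_pairs:
        cmds.append(f'/ip firewall filter add chain=forward in-interface={src} '
                    f'out-interface={dst} action=accept comment="Allow {src} to {dst}"')
    for v in vlan_ifaces:
        cmds.append(f'/ip firewall filter add chain=forward in-interface={v} '
                    f'out-interface={wan_iface} action=accept comment="Internet for {v}"')
    cmds.append('/ip firewall filter add chain=forward action=drop comment="Default deny"')
    return cmds


# Assumed interface names (the article's scheme) and an assumed allow list
VLAN_IFACES = ["vlan20-servers", "vlan30-ws", "vlan50-printers", "vlan60-security",
               "vlan70-iot", "vlan80-guests"]
ALLOWED = [("vlan30-ws", "vlan20-servers"), ("vlan30-ws", "vlan50-printers"),
           ("vlan60-security", "vlan20-servers")]

if __name__ == "__main__":
    page = [parse_rule(c) for c in PAGE_RULE_CMDS]
    deny = [parse_rule(c) for c in default_deny_rules(VLAN_IFACES, "ether1", ALLOWED)]
    for src, dst in [("vlan80-guests", "ether1"), ("vlan70-iot", "vlan30-ws")]:
        print(src, "->", dst, "| page rules:", evaluate(page, src, dst)[0],
              "| default deny:", evaluate(deny, src, dst)[0])
```

The comparison is the point: under the three page rules an IoT device reaching a workstation is accepted because no rule mentions that pair, while the default-deny list drops it and still lets the workstation-to-server session's replies back through via the established,related rule placed first.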
Wi-Fi integration (CAPsMAN)
For multi-SSID wireless with one VLAN per SSID on MikroTik:
/caps-man datapath add name=dp-corp bridge=br1 vlan-id=30 vlan-mode=use-tag
/caps-man datapath add name=dp-guests bridge=br1 vlan-id=80 vlan-mode=use-tag
/caps-man configuration add name=corp-cfg datapath=dp-corp ssid=Corp security=...
/caps-man configuration add name=guests-cfg datapath=dp-guests ssid=Guest-WiFi security=...
This way the "Corp" SSID places users in VLAN 30 and the "Guest-WiFi" SSID places them in VLAN 80, with no extra configuration on the AP.
For the full range of services see the MikroTik RouterOS page and the Enterprise Networking hub, which covers every aspect of networking.
Conclusion
VLANs for a company on MikroTik are mature, performant and simple to operate once configured correctly. The initial investment of 2-3 days for planning and implementation saves dozens of incidents per year and radically simplifies network security. For company networks with more than 25 users, VLANs are mandatory, not optional.

