Cloud Router Switch - VLAN based isolation

I have the following scenario:

I have two uplinks (ether1 and ether2),
several customers which have the default untagged VLAN used for Internet and a tagged VLAN (4040) used for internal communication,
and other customers which have the default untagged VLAN only.
My goal is to isolate the untagged VLAN with the two uplinks,
and, simultaneously, isolate the ports with VLAN 4040 between themselves (I believe this would be a community?), without having to send this traffic to the uplinks.
The thing is that I can’t do port based isolation, because it doesn’t do VLAN discrimination. That’s why I need VLAN based isolation, but I couldn’t find any example on the net.
Thanks.

Do you mean isolating router1/2 4040 vlan legs between them?

I think you’ll have to resort to software mode and use bridges with same horizon values for that.

Exactly, to isolate the VLAN between them, i.e., the VLAN traffic flows normally on these ports (3 and 4), but keeping the default untagged VLAN isolated also, i.e., not seeing each other except the uplink.
Using bridges with horizon can be done with any device, right?
The documentation of the CRS says that it supports VLAN-level isolation; isn’t this scenario what it is meant for?
Thanks.

Not sure I’m getting what you want to achieve…

Exactly, to isolate the VLAN between them, i.e., the VLAN traffic flows normally on these ports (3 and 4), but keeping the default untagged VLAN isolated also, i.e., not seeing each other except the uplink.

Do you mean isolate untagged from the VLAN 4040 while leaving traffic between VLAN 4040 to flow between ports 3,4?

Check http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Isolation

I need the untagged traffic to flow only to the uplinks, while the VLAN traffic flows only between them like this:
.- the untagged traffic from port 5 flows only to uplinks port 1 and port 2.
.- the untagged traffic from port 3 flows only to uplinks port 1 and port 2.
.- the untagged traffic from port 4 flows only to uplinks port 1 and port 2.
But the ports 3 and 4 have also tagged VLAN so:
.- the tagged VLAN4040 traffic from port 3 flows only to port 4.
.- the tagged VLAN4040 traffic from port 4 flows only to port 3.

Then that’s what port isolation profiles / communities are for, and the same use case is explained in the Wiki article I linked to.

I looked again at http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Isolation, but couldn’t see anything about VLAN level isolation, which is only mentioned on http://wiki.mikrotik.com/wiki/Manual:CRS_features#Port_Isolation.2FLeakage.
In the examples, only port level isolation is described, which I can’t use in this scenario (I believe).
I can’t figure out how to do it, I mean, in the menu Port Isolation there is a VLAN Profile, but I don’t know what it refers to.
I was hoping you could give me a hint (a couple of lines would be great) so I can start from there.
I’m really lost right now.
Is there a case study which can be resolved by vlan level isolation so I can compare with my situation?
Thanks.

I received a response from Mikrotik support, and they said that VLAN level isolation is not fully supported on CRS switches. I’ve already achieved it with ACLs and it is wire speed also.
Thanks anyway.

Ouch sorry, I can’t see why but I implied vlan ports could be equally useable on those configs.

So there’s still a hardware accelerated way of doing it by ACLs…

Sorry again, I think it’s time to grab a CRS and spend some time labbing with it.