I have a CRS125-24G-S1
The configuration that I’m trying to achieve is:
port 1 trunk port to upstream Mikrotik.
ports 2-18 access ports for different vlans
ports 19-24 private lan with no routes out that only talks with itself.
The reason for this is some of my servers have public traffic on eth0’s and private traffic on eth1’s. I wan’t my servers eth0’s to have internet access and all the eth1’s to just be able to talk with other servers eth1’s(no communication to other ports on switch and no routes out).
My initial config works just fine…
ports 2-18 with master port 1, port based vlan config on 1-24.
ports 20-24 with master port 19 and no vlan conf for ports 19-24
Question #1) If I keep the above setup for the most part, what should I do to make sure traffic on ports 19-24 can only communication with ports 19-24? does having them all on a separated master port do this? or will they just follow the default route out?
…
I saw the following quote at http://forum.mikrotik.com/t/crs125-vlans-and-dhcp-not-working/79924/1 stating that Multiple master-port configurations are not the best way to go because they “limits part of VLAN functionality supported by CRS switch-chip”.
The wiki http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port-level_Isolation shows how to create port group community’s but those communities have a route out.(via “Uplink ports – Port-level isolation profile 0”)
Question #2) Is there any way to set up the isolated communities to not have routes out?
I would like to keep the config on the switch chip and not use firewall rules to do any of this.
Thanks for you help!
-Pete