CRS3xx VLAN port isolation switch rule

Did anyone achieve hardware per-VLAN port isolation on a CRS 3xx?

For example, to isolate unicast and broadcast layer 2 traffic on VLAN 10 among the RJ45 ethernet (access) ports, thereby allowing it to the SFP/QSFP (trunk) ports, we’d use something like:

/interface ethernet switch rule add switch=switch1 vlan-id=10 ports=ether1,..,ether24 new-dst-ports=""

Anyone?

The solution was retrospectively obvious; override the destination port to the trunk port(s):

/interface ethernet switch rule add switch=switch1 vlan-id=10 ports=ether1,..,ether48 new-dst-ports="sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4"

If the new-dst-ports parameter is left empty, then you drop the packets matching the rule.

What I don’t understand is, VLANs are used to isolate Layer 2 Broadcast Domains, so your VLAN10 is isolated from the rest of the Layer 2 Networks configured on your Switch (other VLANs), so unless you need to isolate certain ports of VLAN10 from some other ports of VLAN10 again, then I don’t really understand what you achieved with that rule…

This is commonly called private VLAN by other vendors. It’s pretty nice if you have a bunch of untrusted devices like IoT sensors and you don’t want them having access to anything except the router. This seems to be supported natively with “interface ethernet switch port-isolation” rather than custom rules.

Sure, forwarding-override could be a solution too…
It is called Private VLAN by MikroTik too…
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_isolation
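Putting the two approaches from this thread side by side as an added example (not from any poster; the bridge name, the ether1/ether2 access ports and sfp-sfpplus1 trunk are assumed, and the port-isolation syntax follows the manual linked above):

```routeros
# Assumed layout: ether1/ether2 are untrusted access ports in VLAN 10,
# sfp-sfpplus1 is the tagged trunk that carries VLAN 10 to the router.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=sfp-sfpplus1 untagged=ether1,ether2
/interface bridge
set bridge1 vlan-filtering=yes

# Approach 1 (this thread's switch rule): frames that enter an access
# port with VLAN 10 may only egress the trunk, so two hosts on ether1
# and ether2 cannot reach each other at Layer 2. Leaving new-dst-ports
# empty would drop the matching frames instead of redirecting them.
/interface ethernet switch rule
add switch=switch1 ports=ether1,ether2 vlan-id=10 \
    new-dst-ports=sfp-sfpplus1

# Approach 2 (port isolation / forwarding-override, the native feature):
# each access port is only allowed to forward towards the trunk.
/interface ethernet switch port-isolation
set ether1 forwarding-override=sfp-sfpplus1
set ether2 forwarding-override=sfp-sfpplus1

# Verification: with either approach in place, a host on ether1 should
# fail to ping a host on ether2 but still reach the router via the trunk.
/interface ethernet switch rule print
/interface ethernet switch port-isolation print
```

Use one approach or the other, not both; neither restricts traffic arriving from the trunk towards the access ports, which is what lets the router still reach every isolated host.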