Port isolation on CRS + limiting outbound

Hi guys,

I’ve just deployed a CRS125 to a new rack and ran into some issues. Being used to stock switches and doing network-engineering stuff only occasionally, it took me quite some time to get things settled :smiley:

I’ve got the following setup

/interface> ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME                 MTU  MAC-ADDRESS  ARP      MASTER-PORT          SWITCH
 0 R  ether01-WAN          1500 4C:5E:XX     enabled  none                 switch1
 1 RS ether02-srv          1500 4C:5E:XX     enabled  ether01-WAN          switch1
 2  S ether03-srv          1500 4C:5E:XX     enabled  ether01-WAN          switch1
 3 RS ether04-srv          1500 4C:5E:XX     enabled  ether01-WAN          switch1
...
10  S ether11-srv          1500 4C:5E:XX     enabled  ether01-WAN          switch1
11 R  ether12-priv-master  1500 4C:5E:XX     enabled  none                 switch1
12  S ether13-priv         1500 4C:5E:XX     enabled  ether12-priv-master  switch1
...

ether1 is the DC uplink.
Ports 2-11 (NET) get public addresses from the range 78.xx.yy.zz/27.
Ports 12-24 (LAN) have the private range 10.10.0.1/24, with PPP (OpenVPN) for remote access.

I want to do the following:
a) Is there a way to simply limit internet access to specific ports on the private network (LAN ports 12-24) without a VLAN configuration (not required here)? At the moment the ports can reach the net via 10.10.0.1. The point is that at least one port needs internet access (NAS) for software updates and warning mails, while I don’t want the rest to reach the net.

b) I’d like to enable port isolation on ports 2-11 (NET) so that the hosts there can only reach the gateway. I assume that port isolation will require a VLAN config then. What is the simplest way to set this up for the few hosts on that segment?

I already answered in the other topic you created for the same issue.

Please do not create multiple topics for the same thing.

I’m sorry, but the other topic you’re referring to was about a strange reading I noticed in WebFig.

I don’t think that “do everything with VLANs” answers questions a) and b) in this topic.

a) With firewall filter rules or…
b) Port isolation, see the wiki
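As an added example (not posted by anyone in this thread, and not MikroTik's own documentation), here is what the two pointers above look like as a RouterOS v6 configuration for the master-port layout shown in the `ethernet print` output. Assumptions: the NAS has the address 10.10.0.10, ether01-WAN carries the default route and an existing masquerade rule, and the `port-isolation` syntax is the one described in the CRS1xx/2xx "Port isolation" wiki section; check the parameter names against your RouterOS version before pasting.

```routeros
# Added example, not the original poster's configuration.
# Interface names are taken from the thread; 10.10.0.10 (NAS) is an assumed address.

# (a) Only listed LAN hosts may reach the internet.
# Keeping the allowed hosts in an address list makes adding a second one a one-liner.
/ip firewall address-list
add list=lan-internet-allowed address=10.10.0.10 comment="NAS (assumed address)"

/ip firewall filter
# Return traffic for already accepted connections (also from the WAN side back in).
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"
# Allowed LAN hosts get only what the NAS actually needs: updates and alert mail.
add chain=forward in-interface=ether12-priv-master out-interface=ether01-WAN \
    src-address-list=lan-internet-allowed protocol=tcp dst-port=80,443,25,465,587 \
    action=accept comment="NAS: http/https updates, smtp alerts"
add chain=forward in-interface=ether12-priv-master out-interface=ether01-WAN \
    src-address-list=lan-internet-allowed protocol=udp dst-port=53,123 \
    action=accept comment="NAS: dns, ntp"
# Everything else from the LAN towards the uplink is dropped; logged while testing.
add chain=forward in-interface=ether12-priv-master out-interface=ether01-WAN \
    action=drop log=yes log-prefix="lan-no-internet" comment="drop remaining LAN -> WAN"

# (b) Port isolation on the public segment: each server port may only forward to
# ether01-WAN, so hosts on ports 2-11 cannot talk to each other at layer 2 but still
# reach the gateway behind the uplink. No VLANs needed.
# ASSUMPTION: syntax as in the CRS "Port isolation" wiki section; verify for your version.
/interface ethernet switch port-isolation
add port=ether02-srv forwarding-override=ether01-WAN
add port=ether03-srv forwarding-override=ether01-WAN
add port=ether04-srv forwarding-override=ether01-WAN
add port=ether05-srv forwarding-override=ether01-WAN
add port=ether06-srv forwarding-override=ether01-WAN
add port=ether07-srv forwarding-override=ether01-WAN
add port=ether08-srv forwarding-override=ether01-WAN
add port=ether09-srv forwarding-override=ether01-WAN
add port=ether10-srv forwarding-override=ether01-WAN
add port=ether11-srv forwarding-override=ether01-WAN
```

Two things to check afterwards. The `add` commands append to the end of the forward chain, so if an earlier rule already accepts everything, move the new ones above it (`/ip firewall filter move` or `place-before=`) and confirm with `/ip firewall filter print stats` that the drop counter rises when a non-listed LAN host tries to go out. For (b), if the CRS itself is the gateway for the public /27 rather than a router on the uplink, the hosts also need to reach the switch CPU, so the CPU port (`switch1-cpu` on the CRS) would have to be added to each `forwarding-override` list as well; that detail is an assumption to verify against the wiki.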