Port Isolation

Hello,

I have a building with 5 switches (non-Cisco) connected to a MikroTik router. Every port on these switches belongs to an apartment, and I use the MikroTik router to offer them internet access.
From time to time, some users started to offer DHCP services on the network, creating problems for me: clients get different IPs by DHCP.

I read in some similar posts that I should use port isolation if the switch provides it, but unfortunately I couldn't find this feature; they have only classic VLANs.
As I'm new to the VLAN area, I started to dig and I found 2 features that a Cisco switch can provide: DHCP snooping and port isolation. So I'm into changing my old switches with Cisco ones.
Can someone with experience in this field tell me which solution will be more efficient, or maybe if there is an alternative (and elegant) way to isolate clients using classic VLANs?

Thank you for your answers and please excuse my poor English.

You don’t even have to bother with VLANs, man.

Let’s say your modem is connected on port 1, and your PPPoE is configured on it.

To separate everyone, just bridge the ports you want.

Let’s say ports 2 and 3 need to be “together”: just bridge them in a bridge called bridge-lan1.

For ports 4 and 5, bridge-lan2.

And that’s it.

Don’t forget to masquerade your PPPoE and it’s done: the two bridges will be separated, no DHCP problems, and they will have internet :slight_smile:

Port isolation is probably the more elegant way: it avoids VLANs and offloads the isolation to the access switches, but you must swap 5 switches!!

If you can switch off that network for some hours, I’d try to:

  • put customers onto separate switch VLANs (different access port >> different VLAN)
  • make the switch-to-router uplinks trunks (all tagged VLAN traffic goes to the router)
  • on the MikroTik router, create the corresponding VLANs on the incoming uplink ports
  • put all VLANs created on the MikroTik into a new bridge interface, setting the same horizon (http://wiki.mikrotik.com/wiki/Manual:MPLSVPLS#Split_horizon_bridging)
  • from the MikroTik router’s point of view, the bridge interface is now the new “inside isolated LAN” interface on which to put DHCP and to refer to in firewall rules (masquerading included)

It can become hard to maintain this setup if you often have to edit it :open_mouth:
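
The router side of the VLAN and split-horizon steps listed in the post above, as a RouterOS sketch; this is an added example, not part of the original thread. The interface names (ether1 as WAN, ether2 as the trunk uplink from one switch), the VLAN IDs 101-103, the name bridge-isolated and the 192.168.88.0/24 addressing are all assumptions chosen for illustration.

```routeros
# Assumed layout (not from the thread): ether1 = WAN, ether2 = trunk uplink
# from one access switch, where each apartment port is an untagged member
# of its own VLAN (101, 102, 103, ...).

# One VLAN interface per apartment on the uplink.
/interface vlan
add name=vlan101 interface=ether2 vlan-id=101
add name=vlan102 interface=ether2 vlan-id=102
add name=vlan103 interface=ether2 vlan-id=103

# One bridge that collects every apartment VLAN.
/interface bridge
add name=bridge-isolated

# Same horizon value on every port: the bridge does not forward frames
# between ports that share a horizon, so a DHCP offer from one apartment
# never reaches another apartment. Traffic to and from the router itself
# is unaffected.
/interface bridge port
add bridge=bridge-isolated interface=vlan101 horizon=1
add bridge=bridge-isolated interface=vlan102 horizon=1
add bridge=bridge-isolated interface=vlan103 horizon=1

# The bridge is the single inside interface: gateway address and the only
# legitimate DHCP server live here.
/ip address
add address=192.168.88.1/24 interface=bridge-isolated
/ip pool
add name=pool-tenants ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add name=dhcp-tenants interface=bridge-isolated address-pool=pool-tenants disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1

# Masquerade tenant traffic leaving through the WAN interface.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

Each additional uplink or apartment needs its own `/interface vlan` entry and a matching bridge port with the same `horizon` value; a port added without it can exchange frames with every other apartment.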