Private VLAN ESXi (vCenter 6.7) CCR2004-1G-2XS-PCIe

Hello, I have the following configuration: an ESXi 6.7 server running vCenter 6.7, connected directly to the CCR2004-1G-2XS-PCIe router via SFP ports (trunk). Private VLAN is configured on the server (screenshots of the settings are attached), and virtual machines are added to this port group (Isolated 100, 1001). Task: block all connections between virtual machines, but allow connections to the gateway (VLAN 100 interface on the router). A Google search only offers instructions on how to configure Private VLAN on switches. Is it possible to set up such a scheme?

This is rather a question for the DSwitch … traffic within the same VLAN between those VMs will not even reach the CRS. And if it does, it won’t go back. Routing between the two VLANs is a different topic, though.

Thank you for your answer. I found this information on the VMware website: “For this reason, it is a requirement that each physical switch, where ESX with PVLANs are connected, must be PVLAN aware.” But in my case the router does not have a switch chip; is it possible to configure this?

https://kb.vmware.com/s/article/1010691

Every ROS device is capable of VLANs. Either use a bridge with vlan-filtering enabled (read this tutorial to get inspiration) or, if your CRS is a pure router, configure VLAN interfaces directly off the physical ports. Which option is the right one depends on the topology of the rest of the network.

Perhaps we misunderstand each other: I have classic VLANs configured and working, but I need to configure a Private VLAN (where one VLAN contains several others, but they are all located on the same IP network).
I found information only about switches: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Private_VLAN

Again: since all VMs are behind a single CRS port, it’s not something to be done on the CRS … it’s the ESXi DSwitch that has to perform it.
If there were multiple ESXi hosts connected to the same CRS (via multiple physical ports, members of the same bridge), then you would have to set the horizon property on the affected bridge ports to separate the different ESXi machines.
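The bridge-horizon setup the reply above describes, as an added example written for this page (not code from the thread or from MikroTik): a VLAN-filtering bridge with the same horizon value on both ESXi-facing ports, so frames from one host are never forwarded to the other while both still reach the router’s VLAN 100 gateway interface. Assumptions: RouterOS v7, a second ESXi host, CCR2004-1G-2XS-PCIe SFP28 port names sfp28-1 and sfp28-2, VLAN 100 tagged on both trunks, and the documentation address 192.0.2.1/24 for the gateway.

```routeros
# Added example (not from the thread): RouterOS v7 bridge with VLAN filtering
# and bridge-port horizon. Assumed port names: sfp28-1 / sfp28-2.

/interface bridge
add name=bridge1 vlan-filtering=no comment="enable filtering last"

# Same non-zero horizon value on both uplinks: a frame received on one of
# them is never forwarded to the other, so host-to-host traffic inside
# VLAN 100 stops at the router, while each host still reaches the router's
# own vlan100 interface (different horizon: the bridge itself has none).
/interface bridge port
add bridge=bridge1 interface=sfp28-1 horizon=1 comment="ESXi host A trunk"
add bridge=bridge1 interface=sfp28-2 horizon=1 comment="ESXi host B trunk"

# VLAN 100 tagged on both trunks and on the bridge itself, so the router's
# vlan100 interface can send and receive it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=100 tagged=bridge1,sfp28-1,sfp28-2

/interface vlan
add name=vlan100 interface=bridge1 vlan-id=100

# Gateway address the VMs are allowed to reach (assumed, documentation range).
/ip address
add address=192.0.2.1/24 interface=vlan100

# Turn filtering on only after the VLAN table is complete, so management
# access over the bridge is not cut off mid-configuration.
/interface bridge
set bridge1 vlan-filtering=yes
```

This only separates traffic that actually crosses the router between ports; VMs on the same host in the same VLAN never reach the router, so their isolation has to come from the DSwitch, as the reply says.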

I apologize for reviving an old thread, but it’s the second result when googling “mikrotik pvlan” and the latest reply is misleading.

Split horizon bridging is not the solution.

https://knowledge.broadcom.com/external/article/311718/private-vlan-pvlan-on-vnetwork-distribut.html

  • Private VLAN is an extension to the VLAN standard, already available in several (most recent) physical switches. It adds a further segmentation of the logical broadcast domain, to create Private groups.
  • Traffic between virtual machines on the same PVLAN but on different ESX hosts goes through the physical switch. Therefore, the physical switch must be PVLAN aware and configured appropriately, to allow the secondary PVLANs to reach their destination.
  • Switches discover MAC addresses per VLAN. This can be a problem for PVLANs because each virtual machine appears to the physical switch to be in more than one VLAN, or at least it appears that there is no reply to the request, because the reply travels back in a different VLAN. For this reason, it is a requirement that each physical switch, where ESX with PVLANs are connected, must be PVLAN aware.

I can’t find any evidence that MikroTik supports PVLANs. Cisco does, though.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/pvlans.pdf

You can start by reading these and then come back here if you have any further questions.

IDK about the CCR2004 card. But do you have “promiscuous mode” enabled on the ESXi adapter interface for it? Typically that’s needed.