Brief problem description:
I need to prevent devices from the ISP network from communicating with devices from the local network.
ISP support warned me that they were able to see 7 MAC addresses belonging to devices on my network. While in a normal situation they should only see the ether1 MAC address. All these devices are connected to either switch1 or switch2 of rb1100ahx4:
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether3 bridge1 yes 1 0x80 10 10 none
1 ether4 bridge1 yes 1 0x80 10 10 none
2 I ether5 bridge1 yes 1 0x80 10 10 none
3 ether6 bridge1 yes 1 0x80 10 10 none
4 ether7 bridge1 yes 1 0x80 10 10 none
5 I ether8 bridge1 yes 1 0x80 10 10 none
6 I ether9 bridge1 yes 1 0x80 10 10 none
7 ether10 bridge1 yes 1 0x80 10 10 none
switch:
/interface ethernet switch port print
Flags: I - invalid
# NAME SWITCH
0 ether1 switch1
1 ether2 switch1
2 ether3 switch1
3 ether4 switch1
4 ether5 switch1
5 ether6 switch2
6 ether7 switch2
7 ether8 switch2
8 ether9 switch2
9 ether10 switch2
ether1 and ether2 are reserved for ISPs 1 and 2.
Question:
- Do I understand correctly that the reason is that the ISP is connected to interface ether1 that belongs to the hardware switch 1?
- So I can solve this problem if I take the steps described in “Isolated switch groups” section here?
I.e. I should do this for switch 1:
/interface ethernet switch port-isolation
set ether3 forwarding-override=ether4,ether5
set ether4 forwarding-override=ether3,ether5
set ether5 forwarding-override=ether3,ether4
Thanks!