VLAN MikroTik vs managed switches

Hi guys,
We're going to provide cable internet to certain condominiums, and
I want to use a 24- or 48-port managed LAN switch for this purpose.

However, I was wondering: if I get a managed switch, will I be able
to do this task, let's say:

  • Port 1 > Mikrotik Server

  • Port 2 to 24 > customers

  • 23 VLANs per switch, each VLAN containing a pair of
    Port 1 and the customer's port, for example:

VLAN 1 : Port 1 / Port 2
VLAN 2 : Port 1 / Port 3
VLAN 3 : Port 1 / Port 4
VLAN 4 : Port 1 / Port 5
VLAN 5 : Port 1 / Port 6
VLAN 6 : Port 1 / Port 7


So by this we want to isolate all users in the network so they won't
have physical network access to other customers and will only be able
to pass through our gateway's firewall.

Plus, we want to bind the customer's MAC address to his own port so
he won't be able to do MAC cloning.

And how can I do this MAC binding with these features:

  • every time there is a new device with a new MAC address,
    it will be added to the list and associated with the port

  • each MAC address in the list can only connect through
    the port it was connected to the first time.

  • each user can have web interface access to flush his MAC
    address list in case he wants to connect at his friend's house
    with the same laptop using the LAN port.

However, I would like to add the last part, the web interface.
At this moment I have absolutely no idea how to accomplish
this task. Which switch do you recommend, and what can RouterOS
do in each task to facilitate the switch? Or should I use a backup
Linux box with Perl scripts to monitor each link?

Any idea on this is highly appreciated.

Thanks.
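The policy asked for above (one VLAN per customer port that contains only that port and the uplink on port 1, plus "sticky" MAC learning with a per-port flush) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not code from the original post and not MikroTik or switch-vendor code. Real switches implement port isolation and port security in hardware, so this only shows the decision logic a managed switch or a monitoring box would apply. Port numbers, VLAN ids and MAC addresses are constructed sample values.

```python
"""Model of per-customer port-based VLANs plus sticky-MAC port security.

Added example for the forum question above; not from the thread and not
MikroTik/switch-vendor code. All port numbers, VLAN ids and MAC addresses
are constructed sample values.
"""

UPLINK_PORT = 1  # the MikroTik gateway hangs off port 1, as in the post


class PortVlanSwitch:
    """A switch where each customer port shares one VLAN with the uplink only."""

    def __init__(self, num_ports: int, uplink: int = UPLINK_PORT):
        self.uplink = uplink
        # VLAN id -> member ports. VLAN 1 = {1, 2}, VLAN 2 = {1, 3}, ...
        self.vlans: dict[int, set[int]] = {}
        vid = 1
        for port in range(1, num_ports + 1):
            if port == uplink:
                continue
            self.vlans[vid] = {uplink, port}
            vid += 1
        # Sticky-MAC table: port -> MACs first seen on that port.
        self.sticky: dict[int, set[str]] = {p: set() for p in range(1, num_ports + 1)}
        # Reverse lookup: MAC -> the port it was first learned on.
        self.learned_port: dict[str, int] = {}

    def can_forward(self, src_port: int, dst_port: int) -> bool:
        """True only if some VLAN contains both ports.

        With the pairing above a customer port can reach the uplink and
        nothing else, so two customers never see each other's frames.
        """
        pair = {src_port, dst_port}
        return any(pair <= members for members in self.vlans.values())

    def ingress(self, port: int, src_mac: str) -> bool:
        """Decide whether a frame with src_mac arriving on port is accepted.

        The first sighting of a MAC binds it to that port. The same MAC
        arriving on any other port is dropped, which covers both a cloned
        MAC on a neighbour's port and a laptop moved to a friend's port.
        """
        if port == self.uplink:
            return True  # uplink is the operator's gateway; no sticky learning
        bound = self.learned_port.get(src_mac)
        if bound is None:
            self.learned_port[src_mac] = port
            self.sticky[port].add(src_mac)
            return True
        return bound == port

    def flush_port(self, port: int) -> None:
        """The customer self-service 'flush': forget every MAC bound to this port."""
        for mac in self.sticky[port]:
            self.learned_port.pop(mac, None)
        self.sticky[port].clear()


def demo() -> dict[str, bool]:
    """Walk through the scenarios from the question and return the verdicts."""
    sw = PortVlanSwitch(num_ports=24)
    laptop = "02:00:00:00:00:aa"  # constructed sample MAC of customer on port 2
    results = {
        "customer2_to_gateway": sw.can_forward(2, 1),
        "customer2_to_customer3": sw.can_forward(2, 3),
        "first_seen_on_port2": sw.ingress(2, laptop),
        "clone_on_port3": sw.ingress(3, laptop),      # neighbour cloned the MAC
        "moved_to_friend_port5": sw.ingress(5, laptop),
    }
    sw.flush_port(2)  # customer flushes his list via the (hypothetical) web UI
    results["after_flush_on_port5"] = sw.ingress(5, laptop)
    results["back_on_port2_after_rebind"] = sw.ingress(2, laptop)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'accept' if ok else 'drop'}")
```

Note how the two mechanisms answer different questions: the VLAN pairing decides which ports can exchange frames at all, while the sticky-MAC table only decides whether a given source address is accepted on a given port. Neither authenticates the customer; that is why the replies below point at the hotspot or PPPoE for the actual access decision.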

Why are you scared the customer will clone MACs?

It seems a little redundant. If a customer is on the port then they should be allowed access. By doing port-based VLAN, spoofing a MAC will not let one user see another's traffic. If they did not pay the bill, turn off the port.

If you are still worried, use PPPoE.

If you are still worried, get a layer 3 switch and route every port. You can get a Cabletron/Riverstone routeswitch on eBay for about the same as an MT box.

Just set each port to its own VLAN and then configure port 1 as a trunk port.

As for automatically binding MAC addresses to the port - you're looking at implementing something like 802.1X. Which means installing some sort of supplicant on the customer's equipment or updating the RADIUS somehow. If you can do this then you're not far from having a GVRP-style dynamic VLAN arrangement, in which case users can shift from port to port and it will automatically assign their VLAN. Now I'm just speculating though.

Hi all,

I simply use a managed switch with a VLAN port-based policy and MT with a hotspot. We bind IP-MAC addresses and then fix the users' pairs of usernames/passwords into the hotspot.
You can read the documentation - there it is possible to bind several MACs to an IP and so on. Just use MT ROS.
It's a good working configuration; it has worked 2 years without any problems there, and we have 6 hotspot MT devices like that.
We use managed switches because they are cost effective, not because of the management. You can build a VLAN scheme with the firewall rules of MT.

regards,
C. G.