Hello guys,
I need to create network with MIKROTIK RB4011iGS+RM and few Mikrotik CSS326-24G-2S+RM. But I need to separate each LAN connections from each other and I am wondering if better solution would be creating as many VLAN as many active connections or just simply port isolating, what would mikrotik experts reccommend? 
thx for any help!
Hi
I would think that this will depend on the setting:
are the networks / devices in these networks isolated or to they share same spaces
port isolation might provide more guarantees from security point of view
vlan are more flexible
kind of port isolation dictates complexity of configuration: on router is simpler while on switch, requires more configuration
In general I would go for vlans, since you have the hardware for it (CSS3xx) and is more flexible.
Note that the 4011 doesn’t doe vlan filtering in hardware.
There are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN
I don’t think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.
thx for answer!
devices are on separate floors if you think this and each ethernet socket has it’s own room
I’ve tried to configure port isolation only on router yet, how big difference is to do it on switches?! I dont have it yet ..
what do you mean by “Note that the 4011 doesn’t doe vlan filtering in hardware.”? It could make this any trouble? Or it’s just for info?
yes, but I would like to use mikrotik switches, but thx 
IMHO MikroTik switches are toys… but of course they are cheap.
I’m not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.
yes, but I cannot use very expensive solution (cisco etc)
If you enable “vlan-filtering=yes” on 4011, all vlans will need to pass over cpu. On CSS3xx it’s in hardware.
so it means network will run slower? or should I just use different HW instead of RB4011iGS+RM?
Yes it will be slower, if enabled.
But if you won’t do vlan filtering on 4011 (= selective vlan bridging) that won’t be a problem
but I think I need to do it, dont I? Because as I wrote, I need to create separate VLANs on each port of switch (or port isolate)
or maybe I dont understand what you wrote at all but if network will be slower just a little bit, this shouldnt be a problem ..
Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others inbetween the two.
And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.
ok, at least I can do it with such a HW, dont know how yet, but hope I will figure it out
maybe little bit slower than Cisco, but that’s price for lower costs
Actually, RouterOS supports private VLANs via port isolation: Switch Chip Features - RouterOS - MikroTik Documentation
It also supports DHCP-snooping: https://help.mikrotik.com/docs/display/ROS/Bridge
Yes, it appears that things have changed after I originally wrote that.
However, always be aware that some features on RouterOS are done in software and can only be enabled when the entire switch is done in software (bridge).
I.e. once you enable them, all traffic passes through the CPU. That depends on the type of router or switch you use it on.
It’s written here https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration that port isolation couldn’t be done on other hardware than CRS1xx/CRS2xx series devices.
First topic: “Bridges on a single switch chip”
Pardon me as i am new to Mikrotik and this forum.
I have a css326-24G-25-RM Cloud Smart Switch.
What I am attempting to accomplish is simply Divide or segregate the Switch in two different networks. when i setup VLAN lets say 1 and VLAN 2 Vlan 2 will take down network 1 down.
i have tried force vlan id, i tried different vlan modes, i have tagged and untagged. i guess as a newbie i just do not understand the process.
if anyone can help it would be greatly appreciated.
One thing: don’t use VLAN ID 1 unless you know all the pitfalls waiting for you (and you don’t seem to know them).
thanks for the replay mkx. True i know nothing about this particular product or it’s pitfalls.
i will move off vlan1