Hi,
I am using software-based VLANs for a management network and to separate departments. This part works fine; however, the issue I am having is that certain broadcasts and multicasts seem to be escaping the VLANs and appearing on the untagged network.
Here is a simple config from an RB750GL running ROS 6.39.2:
/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=192.168.100.1/24 interface=vlan10 network=192.168.100.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
In this config, I can have everything unplugged except for my computer. Then I open WinBox and within 15 seconds I will see an entry for 192.168.100.1 on the Neighbors tab of WinBox. However, I can’t access it by IP but MAC telnet works fine. Also, when I run Wireshark on my network I see a lot of entries for CDP packets from other devices on VLANs I shouldn’t be seeing.
This isn’t an issue when I assign the VLAN to a specific Ethernet port and I have another MikroTik plugged into that port that also has the same VLAN assigned to that port. The problem is that I cannot do this on a large scale since my network is spread between buildings. Everything is on the same physical network and separated by VLANs.
A couple of questions:
- Is this normal behavior, if not, can it be fixed by a bridge or firewall filter or some other setting?
- Besides filling my Neighbors tab on WinBox with entries that I shouldn’t be able to see and I can’t log into, can this network traffic affect my main network in any way?
- Is there a better method I should be using that will meet my requirements?
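The following is an added illustration, not code from the original post or from MikroTik. It is a small Python model of what a Layer 2 bridge does with an 802.1Q-tagged broadcast (for example a discovery packet like the CDP frames mentioned above) depending on whether the bridge is VLAN-aware. A plain bridge treats the tag as opaque payload and floods the frame out every other port, which is why a VLAN interface sitting on top of bridge1 leaks its broadcasts onto all five Ethernet ports; a bridge with VLAN filtering only forwards a VID to ports that are members of it. Port names, the member VID sets and the sample frame are constructed for the example; MAC learning and egress untagging are deliberately left out.

```python
"""Toy model of 802.1Q broadcast flooding on a bridge with and without VLAN filtering.

Constructed example: the frame contents, port names and VID memberships are
made up for illustration and do not come from any real capture or device.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
NATIVE_VID = 1  # untagged frames are treated as members of this VID


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, 12-bit VID
    return (dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def frame_vid(frame: bytes) -> int:
    """Return the VID carried by a frame; untagged frames map to NATIVE_VID."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF
    return NATIVE_VID


@dataclass
class Bridge:
    """Ports plus, when vlan_filtering is on, the set of VIDs each port may carry."""
    ports: List[str]
    vlan_filtering: bool = False
    allowed: Dict[str, Set[int]] = field(default_factory=dict)

    def flood(self, ingress: str, frame: bytes) -> List[str]:
        """Return the ports a broadcast arriving on `ingress` is forwarded to."""
        vid = frame_vid(frame)
        if self.vlan_filtering and vid not in self.allowed.get(ingress, set()):
            return []  # ingress filtering: the arriving port is not a member of this VID
        egress = []
        for port in self.ports:
            if port == ingress:
                continue
            # A plain bridge never looks at the tag, so every other port gets the frame.
            if not self.vlan_filtering or vid in self.allowed.get(port, set()):
                egress.append(port)
        return egress


def compare() -> dict:
    """Flood one VLAN 10 discovery broadcast through both bridge models."""
    ports = ["ether1", "ether2", "ether3", "ether4", "ether5"]
    # Constructed sample: a broadcast on VLAN 10 from a made-up source MAC.
    discovery = build_frame(BROADCAST, b"\x02\x00\x00\x00\x00\x01",
                            b"discovery", vlan_id=10)
    plain = Bridge(ports)  # like bridge1 in the post: no VLAN awareness at all
    filtered = Bridge(ports, vlan_filtering=True, allowed={
        "ether1": {1, 10}, "ether2": {1}, "ether3": {1},
        "ether4": {1}, "ether5": {1, 10},
    })
    return {
        "vid": frame_vid(discovery),
        "plain_bridge": plain.flood("ether1", discovery),
        "vlan_filtering": filtered.flood("ether1", discovery),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

In the plain model the VLAN 10 frame reaches ether2 through ether5, matching what Wireshark shows on the untagged segment; with filtering enabled it only reaches ether5, the one other port that is a member of VID 10. On RouterOS, bridge VLAN filtering on the bridge itself arrived in 6.41, so a 6.39.2 bridge behaves like the plain model here.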