daneco
just joined
Topic Author
Posts: 6
Joined: Wed Sep 09, 2015 2:10 am

Node within VLAN isolation when RB260GSP units are "nested".

Mon Feb 27, 2017 7:03 pm

Hello All,

Just a quick question to ask if someone knows how I ought to go about configuring the RB260GSP units for VLAN-node isolation when nested (i.e. a switch downstream of a switch)? Previously I had been using port isolation, which worked very well, though I neglected to think of a scenario where traffic can flow through the uplink/(downlink) direction and then pass over into adjacent ports of the downstream switch. I will try to illustrate this scenario below:

For example, in my present configuration, I make use of two VLANs on the network - call these 50 for the Management Network and 60 for the Customer Access Network. Typically, a switch in our environment might be configured like so:

Port 1: Local customer access for customer at host site (packets tagged for VLAN 60).
Port 2: Uplink microwave bridge to tower (no VLAN tagging changes).
Port 3: Microwave access point for customers at this host location (no VLAN tagging changes).
Port 4: Secondary access point (as above).
Port 5: Local management access for radios, the switch or the direct connection of a managed UPS (packets tagged for VLAN 50).

Customer radios connected to the access points on Port 3 or 4 tag all their traffic with VLAN 60 at the CPE, and clients are isolated at the Access Point as well as at the switch with port isolation. In the case of local customer access (Port 1), traffic is tagged VLAN 60 by the switch and, again, isolated using port isolation at the switch. In theory, all customer traffic can only flow in the direction of the Uplink (Port 2); however, where a switch is nested (i.e. beneath another switch via Port 3, for example), devices within the same VLAN begin to see each other and the port isolation technique breaks down (I do hope this makes sense)!

In essence, what I would like to achieve is the following: All nodes within VLAN 60 (Customer Access Network) cannot see one another and can only reach the core MikroTik router for the purposes of PPPoE login. All nodes within VLAN 50 (Management Network) can communicate freely with one another. In this arrangement, customers cannot communicate with each other across the network - they can only pass PPPoE traffic to the core router and, once authenticated, browse normally within the PPPoE tunnel. Management traffic can pass freely in any direction for the purposes of convenient network administration.

Here are some screenshots of my present arrangement (attached):
- Forwarding.png
- VLAN.png
- VLANs.png

I presume a more complex configuration is required, addressing VLANs specifically rather than physical ports? Thank you in advance for any help and advice you can offer. Configuration examples would be greatly appreciated.

Best regards,

Paul.
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Node within VLAN isolation when RB260GSP units are "nested".

Sat Mar 04, 2017 7:20 am

ACL might be able to do what you want. I have done some interesting things with ACL.
Completely untested (attached): acl_example.png

If you've never worked with ACL, the light grey part is the match condition and the medium grey part is the action (the row that begins with "Redirect To").
- First entry says: "If ingress is port 1, tag or no tag, force egress to port 2 and set VLAN ID to 60."
- Second entry says: "If ingress is port 3 or 4, tagged 60, force egress to port 2 tagged 60."

Set VLAN ID may not be required in the second entry as the tag already exists.
This way only specific traffic is isolated and VLAN 50 is free.
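To make the two ACL entries described above concrete, here is a small added model of first-match ACL evaluation (example code written for this thread, not MikroTik's SwOS implementation). It assumes a simplified rule shape: a set of ingress ports, an optional VLAN ID match (None meaning "tagged or untagged, any VLAN"), a forced egress port and an optional "set VLAN ID" action. It evaluates the two rules from the post against a handful of constructed frames and shows that customer traffic on ports 1, 3 and 4 is always pushed to the uplink (port 2) in VLAN 60, while VLAN 50 frames match nothing and are left to normal forwarding, so management stays free.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed model of a frame as the switch ACL sees it.
@dataclass(frozen=True)
class Frame:
    ingress: int            # physical port the frame arrived on
    vlan: Optional[int]     # 802.1Q VID, or None when untagged

# Hypothetical rule shape: "light grey" match part and "medium grey" action part.
@dataclass
class AclRule:
    ingress_ports: Set[int]
    match_vlan: Optional[int] = None   # None = "tag or no tag" (match any)
    redirect_to: Optional[int] = None  # forced egress port
    set_vlan: Optional[int] = None     # VLAN ID to stamp on egress

    def matches(self, frame: Frame) -> bool:
        if frame.ingress not in self.ingress_ports:
            return False
        # A VLAN match only applies to tagged frames carrying that VID.
        return self.match_vlan is None or frame.vlan == self.match_vlan

# The two entries from the post, in table order (first match wins).
RULES = [
    AclRule(ingress_ports={1}, match_vlan=None, redirect_to=2, set_vlan=60),
    AclRule(ingress_ports={3, 4}, match_vlan=60, redirect_to=2, set_vlan=60),
]

def apply_acl(frame: Frame, rules=RULES) -> Tuple[Optional[int], Optional[int]]:
    """Return (forced_egress, vlan). forced_egress is None when no rule
    matched, meaning the switch falls back to normal MAC-learned forwarding."""
    for rule in rules:
        if rule.matches(frame):
            vlan = rule.set_vlan if rule.set_vlan is not None else frame.vlan
            return rule.redirect_to, vlan
    return None, frame.vlan

def isolated_to_uplink(frame: Frame, uplink: int = 2) -> bool:
    """True when the ACL guarantees this frame can only leave via the uplink,
    i.e. it can never reach a customer on an adjacent port of this switch."""
    egress, _ = apply_acl(frame)
    return egress == uplink

if __name__ == "__main__":
    # Constructed sample frames: local customer, two AP customers, management.
    samples = [
        Frame(ingress=1, vlan=None),   # untagged local customer on port 1
        Frame(ingress=3, vlan=60),     # CPE-tagged customer behind AP on port 3
        Frame(ingress=4, vlan=60),     # CPE-tagged customer behind AP on port 4
        Frame(ingress=3, vlan=50),     # radio management traffic on port 3
        Frame(ingress=5, vlan=50),     # local management port
    ]
    for f in samples:
        egress, vlan = apply_acl(f)
        where = f"forced to port {egress}" if egress else "normal forwarding"
        print(f"ingress {f.ingress} vlan {f.vlan!s:>4} -> {where}, vlan {vlan}")
```

The point of the model is the second rule: a VLAN 60 frame arriving on port 3 whose destination MAC has been learned on port 4 would, under plain port isolation, depend on the forwarding matrix being right on every nested switch; with the ACL it is unconditionally redirected to the uplink, so the check only has to be correct once per switch. Anything in VLAN 50 falls through both rules and keeps ordinary forwarding.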
 
daneco
just joined
Topic Author
Posts: 6
Joined: Wed Sep 09, 2015 2:10 am

Re: Node within VLAN isolation when RB260GSP units are "nested".

Mon Mar 06, 2017 8:33 pm

Thank you very much for your reply!

I presume I would then leave all of the settings as I presently have them, with the exception of reverting the 'Forwarding' tab back to factory defaults?

I will give this a whirl soon.

Best regards,

Paul.
