Well, then it looks like all you need is to find a place in the Cisco config where these two VLANs are configured differently.

I had imagined it.
The problem is that the other VLAN works without problems.
Should it depend on a configuration on the interface of the Cisco switch then?
Many thanks
Disabled ARP on the switch could be the answer.

Only difference:
vlan 10 ARP: enabled
vlan 20 ARP: reply on.
Well, there must be something in the Cisco switch that is configured differently for these two VLANs, which makes the switch send frames in vlan20 to the MikroTik instead of sending them directly to the recipient.

Hello.
ARP is configured on the MikroTik interface.
The Cisco switch is used only at L2 (tagged port) using a trunk port.

Anyway, the answer has to be in the Cisco config.

Simplistically I mentioned only 2 VLANs.
Actually there are 8 VLANs in the network and they all work like vlan20.
Thanks
Any PVLANs, or protected/isolated ports configured on the switch?

I checked everything on the Cisco configuration. Everything seems to be the same.
Do you have any suggestions?

I'm still talking about the Cisco switch.

No, I didn't set any port to protected.
I remind you that normally, in order for 2 hosts not to communicate, I have to set a "drop" in the IP Firewall Filter.

Could it possibly be that this was done for all VLANs except vlan10?

I cleared the ARP cache on vlan10 on the Cisco switch.
Also, I disabled ip arp-proxy, with no success.
It only works like this because you're using a CCR, which doesn't have a switch chip, and all traffic between two ether ports has to pass the internal bridge. If you were using some other RB router which has a switch chip with hardware offload enabled, it wouldn't work, as the RB's CPU would not see those packets.

Access points via bridges always enter the MikroTik "forward chain" and can safely manage traffic through the integrated firewall.
Good to know that I am the problem ;-)

@cdiedrich you've figured out you're that problem!

ACLs (in the Cisco switch) are probably a good solution, but I would prefer to centralize the firewall rules within the MikroTik to avoid duplicating the rules or having strange behaviors.

We suggested you two solutions: either filter on the switch or make the switch redirect traffic to the MikroTik and filter there.

@xvo Sorry, your solution seems too complex and not easy to manage. At the moment all works correctly.
If you have any doubts about the configuration, ask as well.
I got it: it's a "don't make it worse" thing.

Thanks xvo.
("All works correctly") I mean that I do not want to change the whole configuration of the network because everything currently works correctly. I also set several firewall rules (via MikroTik).
I only have the problem that the devices connected to the Cisco switch do not pass through the MikroTik firewall inside the same subnet.
I would also like to add that a port on the Cisco switch is connected to a vSphere ESXi host, so isolating the ports on the switch does not solve the problem.
Actually the problem started because I wanted to isolate a VMware host from the rest of the VLAN for security reasons, through the MikroTik firewall.
Regards

This is actually against the idea of an L2 network with switching, where hosts are supposed to communicate directly. Surely there are ways around it, but then any active L2 equipment (switch, hub, bridge, ...) has to implement it.

OK.
However, there is still the problem of being able to filter hosts in the same subnet through the Cisco switch.
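As an added example (not from the thread or any of its participants), this is the switch-side filtering the replies point to: a Cisco Catalyst VLAN access map that drops traffic between one VMware host and the rest of VLAN 20 inside the switch, where the MikroTik never sees it, while still letting that host reach its gateway on the MikroTik. It assumes a Catalyst IOS image that supports VACLs; the host, gateway and subnet addresses are placeholders.

```ios
! Constructed example, not the thread's configuration.
! Placeholders: 192.0.2.50 = VMware host to isolate, 192.0.2.1 = MikroTik
! gateway in VLAN 20, 192.0.2.0/24 = the VLAN 20 subnet.
!
! Traffic the isolated host still needs: both directions to its gateway.
ip access-list extended VM-TO-GATEWAY
 permit ip host 192.0.2.50 host 192.0.2.1
 permit ip host 192.0.2.1 host 192.0.2.50
!
! Traffic to drop: the host talking to anything else in its own subnet,
! in both directions (VACLs are stateless, so each direction is listed).
ip access-list extended VM-ISOLATION
 permit ip host 192.0.2.50 192.0.2.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.50
!
! Entries are evaluated in sequence order; the first match wins, and a
! packet matching no entry is dropped, so entry 30 forwards everything else.
vlan access-map VLAN20-FILTER 10
 match ip address VM-TO-GATEWAY
 action forward
vlan access-map VLAN20-FILTER 20
 match ip address VM-ISOLATION
 action drop
vlan access-map VLAN20-FILTER 30
 action forward
!
! Apply the map to VLAN 20 only; other VLANs are untouched.
vlan filter VLAN20-FILTER vlan-list 20
```

Check the result with `show vlan access-map` and `show vlan filter`; because the map applies to every port in the VLAN, including the trunk toward the MikroTik, the gateway exception in entry 10 is what keeps the host routable. IP access lists do not match ARP, so the isolated host can still resolve neighbours' MAC addresses; only IP traffic between them is dropped.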