mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

VLAN or port isolation?

Tue Aug 13, 2019 9:15 am

Hello guys,
I need to create a network with a MikroTik RB4011iGS+RM and a few MikroTik CSS326-24G-2S+RM. But I need to separate the LAN connections from each other, and I am wondering whether the better solution would be creating as many VLANs as there are active connections or just simply port isolation. What would MikroTik experts recommend? :) thx for any help!
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN or port isolation?

Tue Aug 13, 2019 10:08 am

Hi

I would think that this will depend on the setting:
- are the networks / devices in these networks isolated, or do they share the same spaces
- port isolation might provide more guarantees from a security point of view
- VLANs are more flexible
- the kind of port isolation dictates the complexity of configuration: on the router it is simpler, while on the switch it requires more configuration

In general I would go for VLANs, since you have the hardware for it (CSS3xx) and it is more flexible.

Note that the 4011 doesn't do VLAN filtering in hardware.
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 11:39 am

There are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN

I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.
 
mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 12:07 pm

> Hi
>
> I would think that this will depend on the setting:
> - are the networks / devices in these networks isolated, or do they share the same spaces
> - port isolation might provide more guarantees from a security point of view
> - VLANs are more flexible
> - the kind of port isolation dictates the complexity of configuration: on the router it is simpler, while on the switch it requires more configuration
>
> In general I would go for VLANs, since you have the hardware for it (CSS3xx) and it is more flexible.
>
> Note that the 4011 doesn't do VLAN filtering in hardware.

thx for the answer!
the devices are on separate floors, if that is what you mean, and each ethernet socket has its own room
I've only tried to configure port isolation on the router so far; how big a difference is it to do it on switches?! I don't have it yet ..
what do you mean by "Note that the 4011 doesn't do VLAN filtering in hardware."? Could this cause any trouble? Or is it just for info?
 
mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 12:07 pm

> There are standard solutions for this in switches.
> E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN
>
> I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
> but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.

yes, but I would like to use mikrotik switches, but thx :)
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 12:46 pm

> yes, but I would like to use mikrotik switches, but thx :)

IMHO MikroTik switches are toys... but of course they are cheap.
I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.
 
mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 1:02 pm

>> yes, but I would like to use mikrotik switches, but thx :)
>
> IMHO MikroTik switches are toys... but of course they are cheap.
> I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
> You could investigate that.

yes, but I cannot use a very expensive solution (Cisco etc)
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN or port isolation?

Tue Aug 13, 2019 3:59 pm

> what do you mean by "Note that the 4011 doesn't do VLAN filtering in hardware."? Could this cause any trouble? Or is it just for info?

If you enable "vlan-filtering=yes" on the 4011, all VLANs will need to pass over the CPU. On CSS3xx it's in hardware.
 
mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 4:08 pm

>> what do you mean by "Note that the 4011 doesn't do VLAN filtering in hardware."? Could this cause any trouble? Or is it just for info?
>
> If you enable "vlan-filtering=yes" on the 4011, all VLANs will need to pass over the CPU. On CSS3xx it's in hardware.

so it means the network will run slower? or should I just use different HW instead of the RB4011iGS+RM?
 
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN or port isolation?

Tue Aug 13, 2019 4:44 pm

Yes, it will be slower, if enabled.

But if you don't do VLAN filtering on the 4011 (= selective VLAN bridging), that won't be a problem.
 
mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 5:16 pm

> Yes, it will be slower, if enabled.
>
> But if you don't do VLAN filtering on the 4011 (= selective VLAN bridging), that won't be a problem.

but I think I need to do it, don't I? Because as I wrote, I need to create separate VLANs on each port of the switch (or port isolate)

or maybe I don't understand what you wrote at all :) but if the network will be slower just a little bit, this shouldn't be a problem ..
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 7:12 pm

Yes, there really is a difference between MikroTik and Cisco switches; however, when you look e.g. at that Private VLAN wiki page you can see that there are others in between the two.

And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.
 
mailalert
just joined
Topic Author
Posts: 12
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 8:23 pm

> Yes, there really is a difference between MikroTik and Cisco switches; however, when you look e.g. at that Private VLAN wiki page you can see that there are others in between the two.
>
> And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
> But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.

ok, at least I can do it with such HW, I don't know how yet, but I hope I will figure it out :)
maybe a little bit slower than Cisco, but that's the price for lower costs
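
The two options weighed in this thread (bridge port horizon and one VLAN per port), sketched as RouterOS configuration. This is an added example, not posted by any participant; it assumes a RouterOS device such as the RB4011, and all interface names, bridge names, VLAN IDs and addresses are assumptions. The CSS326 runs SwOS and is configured through its web interface instead.

```routeros
# Added example; interface/bridge names, VLAN IDs and addresses are assumptions.
# Options A and B are alternatives for different ports, not steps of one setup.

# Option A: port isolation with bridge horizon (one subnet for all rooms).
# A frame is never forwarded out of a port that has the same horizon value as
# the port it arrived on. The bridge interface itself has no horizon, so every
# room still reaches the router, but rooms cannot reach each other at layer 2.
/interface bridge
add name=br-rooms
/interface bridge port
add bridge=br-rooms interface=ether2 horizon=1
add bridge=br-rooms interface=ether3 horizon=1
add bridge=br-rooms interface=ether4 horizon=1
/ip address
add address=192.168.88.1/24 interface=br-rooms

# Option B: one VLAN per room, carried tagged to the switch on ether5.
/interface bridge
add name=br-trunk vlan-filtering=no
/interface bridge port
add bridge=br-trunk interface=ether5
/interface bridge vlan
add bridge=br-trunk vlan-ids=102 tagged=br-trunk,ether5
add bridge=br-trunk vlan-ids=103 tagged=br-trunk,ether5
/interface vlan
add name=vlan102 interface=br-trunk vlan-id=102
add name=vlan103 interface=br-trunk vlan-id=103
/ip address
add address=10.0.102.1/24 interface=vlan102
add address=10.0.103.1/24 interface=vlan103
# VLANs separate layer 2 only: the router still routes between them unless
# the firewall drops that traffic.
/ip firewall filter
add chain=forward in-interface=vlan102 out-interface=vlan103 action=drop
add chain=forward in-interface=vlan103 out-interface=vlan102 action=drop
# Enable filtering last so a mistake above does not cut off management access.
# As noted in the thread, on the 4011 this makes VLAN traffic pass over the CPU.
/interface bridge
set br-trunk vlan-filtering=yes

# Check: a port listed with the H flag is still hardware-offloaded; a port
# without it is being bridged by the CPU.
/interface bridge port print
```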
