 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

VLAN or port isolation?

Tue Aug 13, 2019 9:15 am

Hello guys,
I need to create a network with a MikroTik RB4011iGS+RM and a few MikroTik CSS326-24G-2S+RM. But I need to separate each LAN connection from the others, and I am wondering whether the better solution would be creating as many VLANs as there are active connections or just simply port isolation. What would MikroTik experts recommend? :) Thx for any help!
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN or port isolation?

Tue Aug 13, 2019 10:08 am

Hi

I would think that this will depend on the setting:
are the networks / devices in these networks isolated or do they share the same spaces
port isolation might provide more guarantees from a security point of view
VLANs are more flexible
the kind of port isolation dictates the complexity of configuration: on a router it is simpler, while on a switch it requires more configuration

In general I would go for VLANs, since you have the hardware for it (CSS3xx) and it is more flexible.

Note that the 4011 doesn't do VLAN filtering in hardware.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 11:39 am

There are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN

I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.
 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 12:07 pm

> Hi
>
> I would think that this will depend on the setting:
> are the networks / devices in these networks isolated or do they share the same spaces
> port isolation might provide more guarantees from a security point of view
> VLANs are more flexible
> the kind of port isolation dictates the complexity of configuration: on a router it is simpler, while on a switch it requires more configuration
>
> In general I would go for VLANs, since you have the hardware for it (CSS3xx) and it is more flexible.
>
> Note that the 4011 doesn't do VLAN filtering in hardware.

thx for answer!
devices are on separate floors, if that is what you mean, and each ethernet socket has its own room
I've only tried to configure port isolation on the router so far; how big a difference is it to do it on switches?! I don't have them yet ..
what do you mean by "Note that the 4011 doesn't do VLAN filtering in hardware."? Could it cause any trouble? Or is it just for info?
 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 12:07 pm

> There are standard solutions for this in switches.
> E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN
>
> I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
> but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.

yes, but I would like to use mikrotik switches, but thx :)
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 12:46 pm

> yes, but I would like to use mikrotik switches, but thx :)

IMHO MikroTik switches are toys... but of course they are cheap.
I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.
 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 1:02 pm

> > yes, but I would like to use mikrotik switches, but thx :)
>
> IMHO MikroTik switches are toys... but of course they are cheap.
> I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
> You could investigate that.

yes, but I cannot use very expensive solution (cisco etc)
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN or port isolation?

Tue Aug 13, 2019 3:59 pm

> what do you mean by "Note that the 4011 doesn't do VLAN filtering in hardware."? Could it cause any trouble? Or is it just for info?

If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.
 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 4:08 pm

> > what do you mean by "Note that the 4011 doesn't do VLAN filtering in hardware."? Could it cause any trouble? Or is it just for info?
>
> If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.

so it means network will run slower? or should I just use different HW instead of RB4011iGS+RM?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN or port isolation?

Tue Aug 13, 2019 4:44 pm

Yes it will be slower, if enabled.

But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem
 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 5:16 pm

> Yes it will be slower, if enabled.
>
> But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem

but I think I need to do it, don't I? Because as I wrote, I need to create separate VLANs on each port of switch (or port isolate)

or maybe I don't understand what you wrote at all :) but if network will be slower just a little bit, this shouldn't be a problem ..
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 7:12 pm

Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others in between the two.

And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.
 
mailalert
just joined
Topic Author
Posts: 21
Joined: Thu Aug 08, 2019 5:33 pm

Re: VLAN or port isolation?

Tue Aug 13, 2019 8:23 pm

> Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others in between the two.
>
> And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
> But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.

ok, at least I can do it with such a HW, don't know how yet, but hope I will figure it out :)
maybe little bit slower than Cisco, but that's price for lower costs
 
gsauthof
just joined
Posts: 9
Joined: Fri May 28, 2021 8:00 pm

Re: VLAN or port isolation?

Sun May 30, 2021 6:31 pm

> There are standard solutions for this in switches.
> E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN
>
> I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
> but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.

Actually, RouterOS supports private VLANs via port isolation: https://help.mikrotik.com/docs/display/ ... tisolation

It also supports DHCP-snooping: https://help.mikrotik.com/docs/display/ROS/Bridge
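
The private-VLAN style port isolation and DHCP snooping mentioned in the post above, sketched as a RouterOS configuration (an added example, not part of the original post and not MikroTik's own configuration). It assumes a RouterOS device whose switch chip supports port isolation; the bridge name, the interface names and the choice of ether1 as the uplink are assumptions.

```routeros
# Assumed layout (not from the thread):
#   ether1         = uplink towards the router
#   ether2..ether4 = one wall socket / room each, must not reach each other

# One bridge with all ports as members, hardware offload requested
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes

# Private-VLAN behaviour: each room port may forward to the uplink only.
# Isolation applies only between ports that sit on the same switch chip.
/interface ethernet switch port-isolation
set ether2 forwarding-override=ether1
set ether3 forwarding-override=ether1
set ether4 forwarding-override=ether1

# DHCP snooping: only the uplink is trusted to carry DHCP server replies,
# so a rogue DHCP server plugged into a room port is ignored.
/interface bridge
set bridge1 dhcp-snooping=yes
/interface bridge port
set [find where interface=ether1] trusted=yes

# Checks: the isolation table, and the "H" flag on bridge ports, which shows
# whether traffic is still switched in hardware after these changes.
/interface ethernet switch port-isolation print
/interface bridge port print
```

If the "H" flag disappears from the bridge ports after enabling a feature, that feature is being handled by the CPU on that model and throughput should be re-tested.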
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: VLAN or port isolation?

Mon May 31, 2021 10:29 am

Yes, it appears that things have changed after I originally wrote that.
However, always be aware that some features on RouterOS are done in software and can only be enabled when the entire switch is done in software (bridge).
I.e. once you enable them, all traffic passes through the CPU. That depends on the type of router or switch you use it on.
 
GreenFirefly
just joined
Posts: 19
Joined: Tue Dec 11, 2018 12:55 pm

Re: VLAN or port isolation?

Thu Aug 05, 2021 8:58 am

It's written here https://wiki.mikrotik.com/wiki/Manual:L ... figuration that port isolation couldn't be done on other hardware than CRS1xx/CRS2xx series devices.
First topic: "Bridges on a single switch chip"
 
Tiger45
just joined
Posts: 2
Joined: Thu Aug 05, 2021 6:37 pm

Re: VLAN or port isolation?

Thu Aug 05, 2021 6:59 pm

Pardon me as I am new to MikroTik and this forum.
I have a css326-24G-25-RM Cloud Smart Switch.
What I am attempting to accomplish is simply to divide or segregate the switch into two different networks. When I set up VLANs, let's say VLAN 1 and VLAN 2, VLAN 2 will take network 1 down.
I have tried force VLAN ID, I tried different VLAN modes, I have tagged and untagged. I guess as a newbie I just do not understand the process.
If anyone can help it would be greatly appreciated.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN or port isolation?

Thu Aug 05, 2021 7:46 pm

One thing: don't use VLAN ID 1 unless you know all the pitfalls waiting for you (and you don't seem to know them).
 
Tiger45
just joined
Posts: 2
Joined: Thu Aug 05, 2021 6:37 pm

Re: VLAN or port isolation?

Thu Aug 05, 2021 8:11 pm

Thanks for the reply mkx. True, I know nothing about this particular product or its pitfalls.
I will move off vlan1
