MikroTik

Posted: **Tue Aug 13, 2019 9:15 am**

Hello guys,
I need to create network with MIKROTIK RB4011iGS+RM and few Mikrotik CSS326-24G-2S+RM. But I need to separate each LAN connections from each other and I am wondering if better solution would be creating as many VLAN as many active connections or just simply port isolating, what would mikrotik experts reccommend?

thx for any help!

Posted: **Tue Aug 13, 2019 10:08 am**

Hi

I would think that this will depend on the setting:
are the networks / devices in these networks isolated or to they share same spaces
port isolation might provide more guarantees from security point of view
vlan are more flexible
kind of port isolation dictates complexity of configuration: on router is simpler while on switch, requires more configuration

In general I would go for vlans, since you have the hardware for it (CSS3xx) and is more flexible.

Note that the 4011 doesn't doe vlan filtering in hardware.

Posted: **Tue Aug 13, 2019 11:39 am**

There are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN

I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.

Posted: **Tue Aug 13, 2019 12:07 pm**

Hi

I would think that this will depend on the setting:
are the networks / devices in these networks isolated or to they share same spaces
port isolation might provide more guarantees from security point of view
vlan are more flexible
kind of port isolation dictates complexity of configuration: on router is simpler while on switch, requires more configuration

In general I would go for vlans, since you have the hardware for it (CSS3xx) and is more flexible.

Note that the 4011 doesn't doe vlan filtering in hardware.

thx for answer!
devices are on separate floors if you think this and each ethernet socket has it's own room
I've tried to configure port isolation only on router yet, how big difference is to do it on switches?! I dont have it yet ..
what do you mean by "Note that the 4011 doesn't doe vlan filtering in hardware."? It could make this any trouble? Or it's just for info?

Posted: **Tue Aug 13, 2019 12:07 pm**

There are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN

I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.

yes, but I would like to use mikrotik switches, but thx

Posted: **Tue Aug 13, 2019 12:46 pm**

yes, but I would like to use mikrotik switches, but thx

IMHO MikroTik switches are toys... but of course they are cheap.
I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.

Posted: **Tue Aug 13, 2019 1:02 pm**

yes, but I would like to use mikrotik switches, but thx
IMHO MikroTik switches are toys... but of course they are cheap.
I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.

yes, but I cannot use very expensive solution (cisco etc)

Posted: **Tue Aug 13, 2019 3:59 pm**

what do you mean by "Note that the 4011 doesn't doe vlan filtering in hardware."? It could make this any trouble? Or it's just for info?

If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.

Posted: **Tue Aug 13, 2019 4:08 pm**

what do you mean by "Note that the 4011 doesn't doe vlan filtering in hardware."? It could make this any trouble? Or it's just for info?
If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.

so it means network will run slower? or should I just use different HW instead of RB4011iGS+RM?

Posted: **Tue Aug 13, 2019 4:44 pm**

Yes it will be slower, if enabled.

But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem

Posted: **Tue Aug 13, 2019 5:16 pm**

Yes it will be slower, if enabled.

But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem

but I think I need to do it, dont I? Because as I wrote, I need to create separate VLANs on each port of switch (or port isolate)

or maybe I dont understand what you wrote at all

but if network will be slower just a little bit, this shouldnt be a problem ..

Posted: **Tue Aug 13, 2019 7:12 pm**

Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others inbetween the two.

And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.

Posted: **Tue Aug 13, 2019 8:23 pm**

Yes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others inbetween the two.

And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.

ok, at least I can do it with such a HW, dont know how yet, but hope I will figure it out

maybe little bit slower than Cisco, but that's price for lower costs

Posted: **Sun May 30, 2021 6:31 pm**

There are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN

I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.

Actually, RouterOS supports private VLANs via port isolation: https://help.mikrotik.com/docs/display/ ... tisolation

It also supports DHCP-snooping: https://help.mikrotik.com/docs/display/ROS/Bridge

Posted: **Mon May 31, 2021 10:29 am**

Yes, it appears that things have changed after I originally wrote that.
However, always be aware that some features on RouterOS are done in software and can only be enabled when the entire switch is done in software (bridge).
I.e. once you enable them, all traffic passes through the CPU. That depends on the type of router or switch you use it on.

Posted: **Thu Aug 05, 2021 8:58 am**

It's written here https://wiki.mikrotik.com/wiki/Manual:L ... figuration that port isolation couldn't be done on other hardware than CRS1xx/CRS2xx series devices.
First topic: "Bridges on a single switch chip"

Posted: **Thu Aug 05, 2021 6:59 pm**

Pardon me as i am new to Mikrotik and this forum.
I have a css326-24G-25-RM Cloud Smart Switch.
What I am attempting to accomplish is simply Divide or segregate the Switch in two different networks. when i setup VLAN lets say 1 and VLAN 2 Vlan 2 will take down network 1 down.
i have tried force vlan id, i tried different vlan modes, i have tagged and untagged. i guess as a newbie i just do not understand the process.
if anyone can help it would be greatly appreciated.

Posted: **Thu Aug 05, 2021 7:46 pm**

One thing: don't use VLAN ID 1 unless you know all the pitfalls waiting for you (and you don't seem to know them).

Posted: **Thu Aug 05, 2021 8:11 pm**

thanks for the replay mkx. True i know nothing about this particular product or it's pitfalls.
i will move off vlan1

MikroTik

VLAN or port isolation?

VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?

Re: VLAN or port isolation?