Community discussions

 
lz1dsb
Member Candidate
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Traffic isolation with VLANs

Thu Mar 20, 2014 12:22 pm

I've got the following setup:
A MikroTik router, connected to other two switches on ports ether4 and ether5.

1. I would like to configure Vlans so both ports ether4 and ether5 has carry traffic for all the different vlans in the LAN segment.
2. The Vlan configuration will overlap on both ports, i.e. I'll would like to associate the same vlans on both ether4 and ether5

I realized that I cannot associate a VLAN interface to more than one physical interface. So in order to achieve 2. I'll have to configure bridge interface for each vlan and than associate both ports (ether4 and ether5) for all bridge interfaces associated with any vlan.
This is how I should be able to use a VLAN tag on both interfaces, thorough its respective bridge. But than... what about the isolation? If I have multiple bridges associated with ports ether4 and ether5, will I have an isolation between the VLANs?
Or to put it differently, when I have a bridge interface associated with a VLAN, when the traffic is moved from one physical interface to another, does the Ethernet frame keep its tag?
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Traffic isolation with VLANs

Thu Mar 20, 2014 1:54 pm

Which RouterBoard is this on? If there is a switch chip you may have other options.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
lz1dsb
Member Candidate
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Traffic isolation with VLANs

Thu Mar 20, 2014 2:12 pm

It is on CCR-1036...
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Traffic isolation with VLANs

Thu Mar 20, 2014 2:34 pm

If you want exactly the same VLANs on each of the two ether ports then you can:

Create a bridge
Add both ether ports as ports on the bridge
Create your VLAN sub interfaces on the bridge

You will then have the same VLANs on both ports and the router can access the VLANs via the VLAN sub interfaces.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
lz1dsb
Member Candidate
Member Candidate
Topic Author
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Traffic isolation with VLANs

Thu Mar 20, 2014 3:08 pm

But than... If I need more Vlans over both ports? Because they're supposed to be trunk ports.
So if I put them in a bridge with a vlan, can I also put them on another bridge with another vlan etc. And will this isolate the traffic between the vlans?
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: Traffic isolation with VLANs

Thu Mar 20, 2014 3:18 pm

You can add as many VLANs as you like to the bridge and they will appear on both ports. You can add other ether ports to the bridge and they will become trunk ports with the same VLANs. If you want the VLANs isolated at layer 3 you need to use forwarding filters in IP Firewall.

If you have a particular requirement in mind describe that in more detail.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
m3a2r1
just joined
Posts: 19
Joined: Sat Mar 29, 2014 12:11 pm

Re: Traffic isolation with VLANs

Thu Apr 03, 2014 5:08 pm

If you want the VLANs isolated at layer 3 you need to use forwarding filters in IP Firewall.
So that means that VLANs are not isolated and are visible to each other with default configuration?

Who is online

Users browsing this forum: MSN [Bot] and 102 guests