I'm having some troubles understanding how port isolation and vlans work...
I have used VLANs before on HP switches but I'm having some troubles in new CRS serie.
What I want to achieve is 2 VLANs, isolated from each other, so they have go through main cpu and apply firewall rules, have separate DHCP servers on each VLAN and use one port for connecting to WAN(PPPoE).
So, how I've done it:
- set ether1 port as master
- set ether2-22 as slave
- set ether24 as master-port=none
- set dhcp-client on ether24 to get WAN IP
- created 2 vlans under interfaces->VLAN (VLAN10 and VLAN20) and attached those two VLANs to ether1
/interface vlan add interface=ether1 l2mtu=1584 name=vlan10-zaposleni vlan-id=10 add interface=ether1 l2mtu=1584 name=vlan20-bralci vlan-id=20- added addresses, dhcp server... to vlans
- under Switch->VLAN->VLAN I created 2 VLANs and added ports(8 ports to each vlan)
/interface ethernet switch vlan add ports=\ ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,switch1-cpu \ vlan-id=20 add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,switch1-cpu \ vlan-id=10- Under Switch->VLAN Tagging I added switch-cpu to vlan 10 and 20
/interface ethernet switch egress-vlan-tag add tagged-ports=switch1-cpu vlan-id=20 add tagged-ports=switch1-cpu vlan-id=10- In VLAN translattion I created two entries containing ports in each vlan
/interface ethernet switch ingress-vlan-translation add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=20 \ ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 \ sa-learning=yes service-vlan-format=untagged-or-tagged add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=10 \ ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 sa-learning=\ yes service-vlan-format=untagged-or-tagged- under Switch->Port I set isolation-leakage-profile-override=2 for ports 1-8 and isolation-leakage-profile-override=3 for ports 9-16
/interface ethernet switch port set 0 isolation-leakage-profile-override=2 set 1 isolation-leakage-profile-override=2 . .- under Switch->Port isolation I created 2 entries and added each port group to it's own entry
/interface ethernet switch port-isolation add port-profile=2 ports=ether1,ether2,ether4,ether5,ether6,ether7,ether8 type=dst add port-profile=3 ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 type=dstSo according to my settings I should achieve the following:
- clients can communicate inside VLAN
- they can't reach clients in other VLANs and can't reach DHCP server, since there is no uplink (all ports should be isolated)
But it doesn't seems that this works. I can reach clients in other vlans and almost (all) clients get IP from DHCP. Why?
As far as uplink goes, what do I specify as a uplink in port-isolation page? Switch1-cpu?
Do I have to set isolation-leakage-profile-override=0 to switch1-cpu?
I currently don't have that set and everything seems to work anyway. Why? There isn't suppose to be any uplink...
Also, there is still a dynamic port-isolation entry containing all ports. Why is that? Shouldn't ports be removed from here and moved to "overwritten" profiles
2 D ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14, ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,switch1-cpu type=dst forwarding-type=bridged,routed traffic-type=unicast,multicast,broadcast registration-status=known,unknown protocol-type=arp,nd,dhcpv4,dhcpv6,ripv1 port-profile=29Thanks, MAtej