levak
Frequent Visitor
Topic Author
Posts: 72
Joined: Thu Feb 21, 2013 8:47 pm

CRS: troubles understanding port isolations and vlans

Mon Aug 18, 2014 12:32 pm

Hello!

I'm having some trouble understanding how port isolation and VLANs work...

I have used VLANs before on HP switches, but I'm having some trouble with the new CRS series.

What I want to achieve is 2 VLANs, isolated from each other, so they have to go through the main CPU and apply firewall rules, have separate DHCP servers on each VLAN and use one port for connecting to WAN (PPPoE).

So, how I've done it:
- set ether1 port as master
- set ether2-22 as slave
- set ether24 as master-port=none
- set dhcp-client on ether24 to get WAN IP
- created 2 vlans under interfaces->VLAN (VLAN10 and VLAN20) and attached those two VLANs to ether1

ros code

/interface vlan
add interface=ether1 l2mtu=1584 name=vlan10-zaposleni vlan-id=10
add interface=ether1 l2mtu=1584 name=vlan20-bralci vlan-id=20
- added addresses, dhcp server... to vlans
- under Switch->VLAN->VLAN I created 2 VLANs and added ports(8 ports to each vlan)

ros code

/interface ethernet switch vlan
add ports=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,switch1-cpu \
    vlan-id=20
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,switch1-cpu \
    vlan-id=10
- Under Switch->VLAN Tagging I added switch-cpu to vlan 10 and 20

ros code

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=switch1-cpu vlan-id=10
- In VLAN translation I created two entries containing the ports in each VLAN

ros code

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=20 \
    ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 \
    sa-learning=yes service-vlan-format=untagged-or-tagged
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=10 \
    ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 sa-learning=\
    yes service-vlan-format=untagged-or-tagged
- under Switch->Port I set isolation-leakage-profile-override=2 for ports 1-8 and isolation-leakage-profile-override=3 for ports 9-16

ros code

/interface ethernet switch port
set 0 isolation-leakage-profile-override=2
set 1 isolation-leakage-profile-override=2
.
.
- under Switch->Port isolation I created 2 entries and added each port group to its own entry

ros code

/interface ethernet switch port-isolation
add port-profile=2 ports=ether1,ether2,ether4,ether5,ether6,ether7,ether8 type=dst
add port-profile=3 ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 type=dst
So according to my settings I should achieve the following:
- clients can communicate inside VLAN
- they can't reach clients in other VLANs and can't reach DHCP server, since there is no uplink (all ports should be isolated)
But it doesn't seem that this works. I can reach clients in other VLANs and almost (all) clients get an IP from DHCP. Why?

As far as uplink goes, what do I specify as an uplink in the port-isolation page? Switch1-cpu?
Do I have to set isolation-leakage-profile-override=0 to switch1-cpu?
I currently don't have that set and everything seems to work anyway. Why? There isn't supposed to be any uplink...
Also, there is still a dynamic port-isolation entry containing all ports. Why is that? Shouldn't ports be removed from here and moved to the "overridden" profiles?

ros code

2  D ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,
      ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,switch1-cpu 
      type=dst forwarding-type=bridged,routed traffic-type=unicast,multicast,broadcast 
      registration-status=known,unknown protocol-type=arp,nd,dhcpv4,dhcpv6,ripv1 port-profile=29
Thanks, Matej
 
levak

Re: CRS: troubles understanding port isolations and vlans

Tue Aug 19, 2014 1:12 pm

Anyone?

Matej
 
becs
MikroTik Support
Posts: 481
Joined: Thu Jul 07, 2011 8:26 am

Re: CRS: troubles understanding port isolations and vlans

Wed Aug 20, 2014 10:44 am

> As far as uplink goes, what do I specify as an uplink in the port-isolation page? Switch1-cpu?

Yes

> Do I have to set isolation-leakage-profile-override=0 to switch1-cpu?

It is according to best practice and the wiki example, and would prevent other unexpected results.

> I currently don't have that set and everything seems to work anyway. Why? There isn't supposed to be any uplink...

Reboot the CRS after changing ports in isolation profiles; there seems to be a problem with saving them. After reboot everything should work as you expect. Now we are looking at how to fix it.

> Also, there is still a dynamic port-isolation entry containing all ports. Why is that? Shouldn't ports be removed from here and moved to the "overridden" profiles?

Dynamic entries are for internal switch use and all user-defined entries already override them; you should not worry about them.
 
levak

Re: CRS: troubles understanding port isolations and vlans

Wed Aug 20, 2014 12:09 pm

Thanks for your help...

Is there an easy way to check if port isolation is working?

I'm having trouble understanding what port isolation actually does or what it is useful for. Aren't ports already separated by VLANs (in my case, of course)?
I mean, ports 1-8 are vlan10 and 9-16 are vlan20. My knowledge tells me that ports are already isolated and I can't see vlan20 traffic in ports 1-8.
Can traffic flow between vlan10 and vlan20 without going to main cpu in that case?
In that case port isolation forces traffic to go through main cpu and apply firewall and such?

I do understand the use of port-isolation type isolated, where you can have a single port group (or VLAN), but all ports must communicate via the uplink (good for public access, client isolation and such).
But why would someone need community isolation, if I already separated them via vlan?

In case I don't apply port isolation and only use VLAN and assign them to certain ports, what are the downsides?
What security issues can arise from that configuration?

Matej
 
becs

Re: CRS: troubles understanding port isolations and vlans

Wed Aug 20, 2014 12:53 pm

Since you have different VLANs for each group, you have already ensured isolation and do not need isolation profiles in this case. Communication between VLAN10 and VLAN20 can occur only through the CPU and there will not be any security issues or other downsides within the switch chip. I think it answers most of your questions.

Port isolation, including community isolation configurations, can be useful if the same VLAN needs to be used in multiple port groups which have to be isolated from each other. For example, split the CRS in half and use it as two independent switches: each side could have the same VLANs, but they would be separated. For that you would need two different community profiles, because multiple master-ports do not allow such a VLAN configuration.
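As an added example (not code from this thread, from MikroTik or from RouterOS itself), here is a small Python model of the two questions above: it parses the switch VLAN, port and port-isolation sections of an export written in the form shown in the first post and reports which port pairs the switch chip alone would forward frames between, so a configuration can be checked offline before it is applied. The forwarding rule it uses is an assumption distilled from this thread, not a documented RouterOS algorithm: two ports must share a switch VLAN membership, and the source port's isolation-leakage-profile-override selects the type=dst port-isolation entries listing the ports it may reach (a port with no override falls back to the dynamic entry that lists every port). The sample export, the port names used in the `set` lines and the two port groups are constructed for the example.

```python
"""Offline model of CRS switch-chip forwarding, read from a RouterOS export.

Added example for this thread (assumed model, not MikroTik's own logic):
  * src and dst must share at least one switch VLAN membership;
  * if src has isolation-leakage-profile-override=P, dst must be listed in a
    port-isolation entry with port-profile=P and type=dst;
  * if src has no override, the dynamic default entry applies, which lists
    every port, so only VLAN membership restricts it.
"""

# Constructed sample export modelled on the thread's configuration (not a copy
# of it): VLAN 10 on ether1-8, VLAN 20 on ether9-16, switch1-cpu in both, one
# community profile per half with the CPU port as uplink.  ether3 is left out
# of profile 2's destination list on purpose, to show what the check catches.
SAMPLE_EXPORT = r"""
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,switch1-cpu \
    vlan-id=10
add ports=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,switch1-cpu \
    vlan-id=20
/interface ethernet switch port
set ether1 isolation-leakage-profile-override=2
set ether2 isolation-leakage-profile-override=2
set ether3 isolation-leakage-profile-override=2
set ether9 isolation-leakage-profile-override=3
set ether10 isolation-leakage-profile-override=3
/interface ethernet switch port-isolation
add port-profile=2 ports=ether1,ether2,ether4,switch1-cpu type=dst
add port-profile=3 ports=ether9,ether10,switch1-cpu type=dst
"""


def parse_export(text):
    """Parse export text into {section: [entry]}, where an entry is
    {"verb": "add"/"set", "positional": [...], "args": {key: value}}.
    Backslash continuations are joined before tokenising."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # the space before "\" (if any) is kept
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = {}, None
    for line in joined:
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = line.split()
        entry = {"verb": tokens[0], "positional": [], "args": {}}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry["args"][key] = value
            else:
                entry["positional"].append(tok)
        sections[current].append(entry)
    return sections


def build_model(sections):
    """Reduce the parsed sections to the three tables the forwarding rule needs."""
    vlans = {}            # port -> set of VLAN ids it is a member of
    for e in sections.get("/interface ethernet switch vlan", []):
        for port in e["args"]["ports"].split(","):
            vlans.setdefault(port, set()).add(int(e["args"]["vlan-id"]))
    overrides = {}        # port -> isolation-leakage-profile-override
    for e in sections.get("/interface ethernet switch port", []):
        prof = e["args"].get("isolation-leakage-profile-override")
        if prof is not None and e["positional"]:
            overrides[e["positional"][0]] = int(prof)
    dst_by_profile = {}   # profile -> ports a source in that profile may reach
    for e in sections.get("/interface ethernet switch port-isolation", []):
        if e["args"].get("type", "dst") != "dst":
            continue
        prof = int(e["args"]["port-profile"])
        dst_by_profile.setdefault(prof, set()).update(e["args"]["ports"].split(","))
    return vlans, overrides, dst_by_profile


def can_forward(model, src, dst):
    """True if the switch chip alone would forward a frame from src to dst."""
    vlans, overrides, dst_by_profile = model
    if src == dst or not (vlans.get(src, set()) & vlans.get(dst, set())):
        return False      # no common VLAN: only the CPU can route between them
    prof = overrides.get(src)
    if prof is None:
        return True       # dynamic default entry lists every port
    return dst in dst_by_profile.get(prof, set())


def cross_group_leaks(model, groups, uplink="switch1-cpu"):
    """Port pairs in different groups the chip would still forward between."""
    leaks = []
    for i, group_a in enumerate(groups):
        for group_b in groups[i + 1:]:
            for a in sorted(group_a):
                for b in sorted(group_b):
                    if uplink in (a, b):
                        continue      # the uplink is meant to be shared
                    if can_forward(model, a, b) or can_forward(model, b, a):
                        leaks.append((a, b))
    return leaks


if __name__ == "__main__":
    model = build_model(parse_export(SAMPLE_EXPORT))
    halves = [{"ether%d" % n for n in range(1, 9)}, {"ether%d" % n for n in range(9, 17)}]
    print("cross-group leaks:", cross_group_leaks(model, halves))
    print("ether1 -> ether3:", can_forward(model, "ether1", "ether3"))
```

Running it on the sample shows no leaks between the two halves, because no port outside switch1-cpu is a member of both VLANs, which is the point of the reply above. It also flags that ether1 cannot reach ether3 (ether3 is missing from profile 2's destination list), and if VLAN 10 is added to a port in the second half, every first-half port that has no override is reported as a leak, which is why the override and the CPU uplink have to be set on all ports of a community group.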
 
levak

Re: CRS: troubles understanding port isolations and vlans

Wed Aug 20, 2014 12:58 pm

Hey!

Thanks for clarifying things for me...

I just want to check the last part, if I understand it correctly:
I split my switch to 2 independent switches by setting first 16 ports with port-isolation 2 and second 16 ports with port-isolation 3.
Now I want to have the same VLAN on some ports in 1st "switch" and on some ports in 2nd "switch". I go to Switch->VLAN and assign VLANs to ports I want to.

In case I wouldn't have port isolation, all traffic inside VLAN would happen in switch chip.
In case I have port isolation, traffic from the same VLAN in one switch has to go through the switch CPU to reach the VLAN in the other switch. Is that correct?

Matej
 
becs

Re: CRS: troubles understanding port isolations and vlans

Wed Aug 20, 2014 1:54 pm

> In case I wouldn't have port isolation, all traffic inside VLAN would happen in switch chip.
> In case I have port isolation, traffic from the same VLAN in one switch has to go through the switch CPU to reach the VLAN in the other switch. Is that correct?

Correct. But since there is only one CPU port and in the second case traffic needs to go back and forth from it, there would be a need for Local Proxy ARP.
Currently in RouterOS it is possible with bridge NAT. Here is an example which shows how to ensure routing for the same VLAN between two isolated groups:

ros code

/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
/ip address
add address=10.0.0.1/24 interface=vlan10 network=10.0.0.0
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=vlan10
/interface bridge nat
add action=arp-reply chain=dstnat mac-protocol=arp to-arp-reply-mac-address=<bridge1-MAC>
 
levak

Re: CRS: troubles understanding port isolations and vlans

Wed Aug 20, 2014 2:02 pm

Thanks for help.

Matej
 
babbage
Trainer
Posts: 37
Joined: Mon Jul 12, 2010 5:55 pm

Re: CRS: troubles understanding port isolations and vlans

Mon Nov 17, 2014 8:17 pm

> Correct. But since there is only one CPU port and in the second case traffic needs to go back and forth from it, there would be a need for Local Proxy ARP.
> Currently in RouterOS it is possible with bridge NAT. Here is an example which shows how to ensure routing for the same VLAN between two isolated groups:
>
> ros code
>
> /interface vlan
> add interface=ether1 name=vlan10 vlan-id=10
> /ip address
> add address=10.0.0.1/24 interface=vlan10 network=10.0.0.0
> /interface bridge
> add name=bridge1
> /interface bridge port
> add bridge=bridge1 interface=vlan10
> /interface bridge nat
> add action=arp-reply chain=dstnat mac-protocol=arp to-arp-reply-mac-address=<bridge1-MAC>

This dstnat rule for local proxy ARP captures all incoming ARP message types. This code doesn't work well when a DHCP server is running on the same interface. Also, Windows machines on the LAN sometimes get a false alarm as if there is a duplicate IP.
