iowh3r
just joined
Topic Author
Posts: 6
Joined: Fri Jan 31, 2020 11:26 am

CSS326 Port/VLAN Isolation breaks VLANs completely

Fri Jan 21, 2022 10:21 pm

Hi,
hope all is great.
Recently I bought a CSS326-24G-2S+RM, upgraded to SwOS 2.13.
There is a strange behavior when I want to configure VLANs. If I change Port Isolation on any port, even the ones without VLANs, or change the members of VLANs (again, the ports shouldn't have VLAN), VLANs don't work at all! It seems the only possible way to use VLANs is not to set any limitations!
Is there something wrong with CSS326/SwOS 2.13, or is there a config somewhere that needs to be changed?

Thank you,
Regards.
 
k6ccc
Forum Veteran
Posts: 919
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: CSS326 Port/VLAN Isolation breaks VLANs completely

Sat Jan 22, 2022 1:44 am

If you are using VLANs, you likely have little need for the port isolation feature. I have two CSS326 switches running SwOS 2.13 that are mostly VLANs and pretty sure I have enabled some port isolation for a test I was doing a while back. I can do a test on it this evening - don't want to do something that might break the switch when I am 26 miles away!
What exactly breaks (so I know what to test)?
RB4011iGS+, RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
 
iowh3r
just joined
Topic Author
Posts: 6
Joined: Fri Jan 31, 2020 11:26 am

Re: CSS326 Port/VLAN Isolation breaks VLANs completely

Sat Jan 22, 2022 12:18 pm

> If you are using VLANs, you likely have little need for the port isolation feature.

Yeah, I agree that it is not necessarily needed, but it would be like an extra pseudo-security to isolate ports and members of VLANs; it gives you more control over the network.

> What exactly breaks (so I know what to test)?

In my use case I'm using something like this:
Port 1 -> Just for managing the switch, and this port is isolated from all other ports.
Port 2 -> Trunk port with 2 VLANs (100 & 200) both VLANs have DHCP servers.
Port 3 -> Untagged with Default VLAN 100, connected to a computer for using VLAN100 Network.
Port 4 -> Untagged with Default VLAN 200, connected to NVR for using VLAN200 Network.

Isolations:
Port 1 -> Fully isolated
Port 2 -> Access to Port 3 & Port 4
Port 3 -> Access to Port 2
Port 4 -> Access to Port 2

VLAN Members:
VLAN 100 -> Port2 & Port3
VLAN 200 -> Port2 & Port4

As I said before, when there is no port isolation and all ports can access all VLANs, it works perfectly (DHCP works and I can ping devices), but with limitations it breaks and VLANs don't work at all (DHCP doesn't work, and even with a static IP I can't ping devices).

Thank you in advance.
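
Added example, not part of any post in this thread and not SwOS code: a Python check that combines the port isolation table and the VLAN membership table from the layout described above and flags port pairs that a VLAN needs but isolation blocks. The forwarding model (a frame passes only when both tables permit it) and all function names are assumptions.

```python
# Assumed model, not SwOS internals: a frame entering port `src` in VLAN `vid`
# may leave port `dst` only if the isolation table allows src -> dst AND
# both ports are members of that VLAN.

def effective_paths(isolation, vlan_members):
    """Return {vid: set of (src, dst)} pairs that pass both filters."""
    paths = {}
    for vid, members in vlan_members.items():
        paths[vid] = {
            (src, dst)
            for src in members
            for dst in members
            if src != dst and dst in isolation.get(src, set())
        }
    return paths


def blocked_pairs(isolation, vlan_members):
    """List (vid, src, dst) where a VLAN expects a path but isolation forbids it."""
    problems = []
    for vid, members in sorted(vlan_members.items()):
        for src in sorted(members):
            for dst in sorted(members):
                if src != dst and dst not in isolation.get(src, set()):
                    problems.append((vid, src, dst))
    return problems


# Layout taken from the post above: port -> ports it may forward to.
ISOLATION = {1: set(), 2: {3, 4}, 3: {2}, 4: {2}}
VLAN_MEMBERS = {100: {2, 3}, 200: {2, 4}}

# Constructed variant: the return direction from port 3 to the trunk is missing,
# so replies (for example DHCP requests from the PC) would never reach port 2.
ONE_WAY = {1: set(), 2: {3, 4}, 3: set(), 4: {2}}

if __name__ == "__main__":
    print("posted layout, blocked:", blocked_pairs(ISOLATION, VLAN_MEMBERS))
    print("one-way variant, blocked:", blocked_pairs(ONE_WAY, VLAN_MEMBERS))
    print("effective paths:", effective_paths(ISOLATION, VLAN_MEMBERS))
```

An empty result for the posted layout means the two tables agree with each other under this model; it says nothing about how the switch firmware applies them.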
