Dande
just joined
Topic Author
Posts: 5
Joined: Sun Jan 22, 2023 1:34 pm
Location: Germany

"Allow from Ports" and "Allow from VLAN"

Thu Feb 02, 2023 8:37 pm

Hi,
I hope somebody can quickly answer my question, as I don't want to risk locking myself out of the switch at the moment and I could not find the answer in the documentation or the forum. If I am using "Allow from Ports" to restrict the access to certain ports and "Allow from VLAN" at the same time, is this an OR combination or an AND one?
Example to make my question clear:
  1. Set "Allow from Ports" to only ports 1, 2, 3 and 4 and "Allow from VLAN" to 127
  2. Is management access granted from port 5 with VLAN ID 127?
  3. Is management access granted from port 1 with VLAN ID 10?
  4. Only from ports 1,2,3 or 4 with VLAN ID 127?
Thanks a lot in advance
Daniel
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: "Allow from Ports" and "Allow from VLAN"  [SOLVED]

Fri Feb 03, 2023 12:52 am

It's an AND. So your option 4 is the correct answer. Also note that if you have VLAN selected, it must be tagged traffic entering the switch - it can't be untagged traffic that is set to become tagged in the switch. I know that because I got caught with that one recently. Fortunately I had a trunk port allowed that had the required VLAN (actually the normal way to manage that switch).
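
An added example, not part of the thread: a small Python model of the rule described in the reply above, for checking a planned setting against your management paths before applying it. The function names and sample frames are constructed for illustration, and treating an unset VLAN as "no VLAN check" is an assumption; the code models the behaviour as described and does not query the switch.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def ingress_vlan(frame: bytes):
    """Return the 802.1Q VLAN ID carried by the frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def mgmt_allowed(port, frame, allow_ports, allow_vlan=None):
    """Model of the AND rule: the port must be listed AND, if a VLAN is set,
    the frame must already carry that tag when it enters the switch."""
    if port not in allow_ports:
        return False
    if allow_vlan is None:  # assumption: no VLAN configured means no VLAN check
        return True
    return ingress_vlan(frame) == allow_vlan

def build_frame(vlan=None):
    """Constructed sample frame: zeroed MACs, optional 802.1Q tag, IPv4 EtherType."""
    header = bytes(12)
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", 0x0800) + bytes(46)

def check_plan(paths, allow_ports, allow_vlan):
    """Return {path name: still reachable?} for each (port, frame) path."""
    return {name: mgmt_allowed(port, frame, allow_ports, allow_vlan)
            for name, (port, frame) in paths.items()}

# Constructed paths matching the question: ports 1-4 allowed, VLAN 127 required.
PATHS = {
    "port 5, tagged 127": (5, build_frame(127)),
    "port 1, tagged 10": (1, build_frame(10)),
    "port 1, tagged 127": (1, build_frame(127)),
    "port 1, untagged": (1, build_frame()),
}

if __name__ == "__main__":
    for name, ok in check_plan(PATHS, {1, 2, 3, 4}, 127).items():
        print(f"{name:20} -> {'allowed' if ok else 'blocked'}")
```

If no path in your plan comes out as allowed, the setting would lock you out under this model.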
 
Dande
just joined
Topic Author
Posts: 5
Joined: Sun Jan 22, 2023 1:34 pm
Location: Germany

Re: "Allow from Ports" and "Allow from VLAN"

Fri Feb 03, 2023 7:31 am

Thanks a lot. I feared it would be an AND. Now I need to figure out how to realize my emergency management access through the last Ethernet port. Most probably by using an old Netgear switch to get the VLAN ID on the packets.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: "Allow from Ports" and "Allow from VLAN"

Fri Feb 03, 2023 7:37 am

Don't require the VLAN. Set the IP so that the only place that IP is found is on the trunk (or the emergency management port). ACL might also be able to limit access for you (never played with it).
 
lawe
just joined
Posts: 18
Joined: Fri Jun 04, 2021 12:06 am

Re: "Allow from Ports" and "Allow from VLAN"

Sun Feb 05, 2023 11:23 pm

Also keep in mind that if you have assigned a VLAN to the "Allow from VLAN" setting and you want the switch to obtain an IP from some DHCP server, that server needs to be in the same VLAN.
