Vori
just joined
Topic Author
Posts: 4
Joined: Sat May 30, 2020 2:30 am

Private VLAN

Fri Jun 12, 2020 6:19 pm

Hi! First post on these forums :)

It is my understanding that a PVLAN is a good option to achieve better security through isolation, but it seems I need some help with setting it up on my new RB4011 :)

I have a TP Link T2600G that I already set up with a primary VLAN (ID and PVID 111) and a secondary community VLAN (ID and PVID 3540).
Primary VLAN is on trunk port 1/0/24 and connected to port ether5 on a RB4011.

DHCP servers are set up on the RB4011 - as soon as I switch from VLAN to Private VLAN the hosts connected to the switch can't get an IP.

The info in the manual (https://help.mikrotik.com/docs/display/ ... VLAN+Table) is not really helpful as the PVLAN is set up on the switch without any mention of the router set up.
I tried following the info on VLAN tunnelling and Tag stacking but I didn't get results.

What I'm trying to achieve is
- a promiscuous port on ether5 and 1/0/24
- DHCP server only on the RB4011


Any help or pointer or tuts on a similar setup are most appreciated :)
 
gazingbazooka
Frequent Visitor
Posts: 93
Joined: Mon Feb 10, 2020 7:10 pm
Location: Toronto, Canada

Re: Private VLAN

Fri Jun 12, 2020 8:07 pm

Have you checked the gold standard: viewtopic.php?t=143620
 
Vori
just joined
Topic Author
Posts: 4
Joined: Sat May 30, 2020 2:30 am

Re: Private VLAN

Sat Jun 13, 2020 12:10 am

> Have you checked the gold standard: viewtopic.php?t=143620
Hi, yes, I did check that series of posts but haven't found any reference to Private VLANs, tunnelling, tag stacking, etc.

I was able to set up a RoaS, and checking what pcunite wrote I have almost exactly the same setup for that but PVLAN takes it a step further nesting multiple secondary VLANs into a single primary VLAN.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Private VLAN

Sat Jun 13, 2020 12:24 am

I had to Google "Private VLAN" to see what you were talking about - never heard that term before.

The thread on VLAN setup likely does not mention "Private VLAN" because PVLAN really has nothing to do with VLANs. A so called PVLAN is using switch port isolation in order to sort of give VLAN isolation when you can't do real VLANs. If you have real VLAN capability, use it.

After thinking about it for a while, I did do that once while testing something, but had not heard of the PVLAN term.
 
Vori
just joined
Topic Author
Posts: 4
Joined: Sat May 30, 2020 2:30 am

Re: Private VLAN

Sat Jun 13, 2020 1:10 am

> I had to Google "Private VLAN" to see what you were talking about - never heard that term before.
>
> The thread on VLAN setup likely does not mention "Private VLAN" because PVLAN really has nothing to do with VLANs. A so called PVLAN is using switch port isolation in order to sort of give VLAN isolation when you can't do real VLANs. If you have real VLAN capability, use it.
>
> After thinking about it for a while, I did do that once while testing something, but had not heard of the PVLAN term.
Am I mistaken in assuming PVLAN is some sort of tag stacking?
I assumed 2 different sets of tags would be added, 0x8100 and 0x88a8 if I'm not mistaken.

I keep finding topologies as below in both Cisco and TP-Link materials:
Image

Also, PVLANs are referenced in MikroTik manual (but still only as the switch config):
https://wiki.mikrotik.com/wiki/Manual:S ... ivate_VLAN

If it helps this is an older Cisco document that goes a bit more in depth:
https://www.cisco.com/c/en/us/support/d ... 01-90.html

If a PVLAN is a sort of port isolation on my TP-Link switch, and considering both the VLAN and PVID of primary and secondary VLANs are assigned to specific ports, how do I make the RB4011 understand it?
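
Added example, not part of the original post or of any MikroTik or TP-Link documentation: a simplified Python model of the private-VLAN port roles described in RFC 5517, using VLAN IDs 111 and 3540 and port 1/0/24 from the post. The host port names and the isolated VLAN 3541 are constructed; the model shows which ports may exchange frames and that a PVLAN frame on an 802.1Q trunk carries a single tag (primary or secondary ID) rather than a 0x8100/0x88a8 stack.

```python
from dataclasses import dataclass

PRIMARY = 111            # primary VLAN ID from the post
TPID_8021Q = 0x8100      # single C-tag; 0x88a8 would be an 802.1ad S-tag

@dataclass(frozen=True)
class Port:
    name: str
    role: str            # "promiscuous", "community" or "isolated"
    secondary: int = 0   # secondary VLAN ID; unused on promiscuous ports

def ingress_vlan(port: Port) -> int:
    """VLAN that carries a frame received on `port` inside the PVLAN domain."""
    return PRIMARY if port.role == "promiscuous" else port.secondary

def may_forward(src: Port, dst: Port) -> bool:
    """Forwarding decision between two ports of the same private VLAN."""
    if src == dst:
        return False
    if "promiscuous" in (src.role, dst.role):
        return True
    if src.role == dst.role == "community":
        return src.secondary == dst.secondary
    return False         # isolated ports only reach promiscuous ports

def trunk_tags(src: Port) -> list:
    """Tags on an inter-switch 802.1Q trunk: one tag, never a stacked pair."""
    return [(TPID_8021Q, ingress_vlan(src))]

# Constructed sample ports; only 1/0/24 and VLANs 111/3540 come from the post.
UPLINK = Port("1/0/24", "promiscuous")
HOST_A = Port("1/0/1", "community", 3540)
HOST_B = Port("1/0/2", "community", 3540)
HOST_C = Port("1/0/3", "isolated", 3541)
PORTS = [UPLINK, HOST_A, HOST_B, HOST_C]

def reachable_from(src: Port) -> list:
    """Names of the ports a frame entering on `src` may be forwarded to."""
    return [p.name for p in PORTS if may_forward(src, p)]

if __name__ == "__main__":
    for p in PORTS:
        print(p.name, p.role, "->", reachable_from(p), trunk_tags(p))
```

In this model, upstream frames from community hosts are carried in VLAN 3540 and downstream frames from the promiscuous port in VLAN 111, so a device beyond a plain trunk has to handle both IDs unless the switch remaps them on a promiscuous port.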
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Private VLAN

Sat Jun 13, 2020 1:24 am

 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Private VLAN  [SOLVED]

Thu Jun 18, 2020 1:45 am

IIRC, only the CRS3xx switches support private vlan config.

The RB4011 switch chip is very limited
 
Vori
just joined
Topic Author
Posts: 4
Joined: Sat May 30, 2020 2:30 am

Re: Private VLAN

Mon Jul 20, 2020 7:22 pm

Thanks everyone for the help!

RB4011 can't PVLAN so I stuck with a few VLANs, switch port isolation, and router firewall rules, good enough for this setup :)
 
LatinSuD
Member Candidate
Posts: 181
Joined: Wed Jun 29, 2005 1:05 pm
Location: Spain

Re: Private VLAN

Thu May 04, 2023 12:51 pm

I think you could emulate the functionality using bridging on top of VLAN, and a lot of bridge filter rules.
