DanielJB
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

CRS3xx VLAN port isolation switch rule

Wed Nov 17, 2021 4:57 pm

Did anyone achieve hardware per-VLAN port isolation on a CRS 3xx?

For example, to isolate unicast and broadcast layer 2 traffic on VLAN 10 among the RJ45 ethernet (access) ports, while allowing it to reach the SFP/QSFP (trunk) ports, we'd use something like:
/interface ethernet switch rule add switch=switch1 vlan-id=10 ports=ether1,..,ether24 new-dst-ports=""
Anyone?
 
DanielJB
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon May 27, 2013 3:05 pm

Re: CRS3xx VLAN port isolation switch rule  [SOLVED]

Sat Nov 20, 2021 1:08 pm

The solution was retrospectively obvious: override the destination port to the trunk port(s):
/interface ethernet switch rule add switch=switch1 vlan-id=10 ports=ether1,..,ether48 new-dst-ports="sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4"
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS3xx VLAN port isolation switch rule

Sat Nov 20, 2021 2:06 pm

If the new-dst-ports parameter is left empty, then you drop the packets matching the rule.

What I don't understand is this: VLANs are used to isolate Layer 2 broadcast domains, so your VLAN10 is isolated from the rest of the Layer 2 networks configured on your switch (other VLANs). So unless you need to isolate certain ports of VLAN10 from some other ports of VLAN10 again, I don't really understand what you achieved with that rule...
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: CRS3xx VLAN port isolation switch rule

Mon Nov 22, 2021 1:38 am

This is commonly called private VLAN by other vendors. It's pretty nice if you have a bunch of untrusted devices like IoT sensors and you don't want them having access to anything except the router. This seems to be supported natively with "interface ethernet switch port-isolation" rather than custom rules.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS3xx VLAN port isolation switch rule

Mon Nov 22, 2021 2:58 pm

Sure, forwarding-override could be a solution too...
It is called Private VLAN by MikroTik too...
https://wiki.mikrotik.com/wiki/Manual:S ... _isolation
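The two approaches discussed in this thread (the switch rule with new-dst-ports from the accepted answer, and the port-isolation / forwarding-override alternative from the later replies) side by side, as an added example that is not part of the original posts. It assumes a CRS3xx whose switch chip is named switch1, a bridge named bridge1, ether1-ether4 as untagged VLAN 10 access ports and sfp-sfpplus1/sfp-sfpplus2 as tagged trunks towards the router; all of those names and the port layout are constructed for the example.

```routeros
# Added example (not from the thread): VLAN 10 access ports that may only talk
# to the trunk ports, never to each other. Names below are assumptions.

# 1. Bridge with VLAN filtering. This alone keeps VLAN 10 apart from other
#    VLANs; it does NOT stop ether1-ether4 from reaching each other.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether1 pvid=10
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10
/interface bridge port add bridge=bridge1 interface=ether4 pvid=10
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus2
/interface bridge vlan add bridge=bridge1 vlan-ids=10 \
    untagged=ether1,ether2,ether3,ether4 \
    tagged=sfp-sfpplus1,sfp-sfpplus2
# Enable filtering only after the VLAN table is complete, so no port is
# left outside its VLAN while the table is being built.
/interface bridge set bridge1 vlan-filtering=yes

# 2a. Approach from the accepted answer: a switch ACL rule. It matches only
#     frames that INGRESS on the access ports with VLAN 10 and overrides their
#     destination set to the trunks. Access->access forwarding is therefore
#     dropped; trunk->access is unaffected because trunk ingress never
#     matches the rule.
/interface ethernet switch rule add switch=switch1 \
    ports=ether1,ether2,ether3,ether4 vlan-id=10 \
    new-dst-ports=sfp-sfpplus1,sfp-sfpplus2

# 2b. Alternative from the later replies: port isolation. This is per PORT,
#     not per VLAN: anything entering ether1 may only leave via the listed
#     ports, whatever VLAN it carries. Use 2a OR 2b, not both.
/interface ethernet switch port-isolation set ether1 forwarding-override=sfp-sfpplus1,sfp-sfpplus2
/interface ethernet switch port-isolation set ether2 forwarding-override=sfp-sfpplus1,sfp-sfpplus2
/interface ethernet switch port-isolation set ether3 forwarding-override=sfp-sfpplus1,sfp-sfpplus2
/interface ethernet switch port-isolation set ether4 forwarding-override=sfp-sfpplus1,sfp-sfpplus2
```

To confirm the isolation actually holds in hardware, plug two hosts into ether1 and ether2 and check that they can reach the gateway behind the trunk but not each other, and that ARP from one does not show up on the other; `/interface bridge host print where vid=10` shows which MACs the switch has learned on which port. The practical difference between the two variants is scope: the switch rule (2a) isolates one VLAN and leaves any other VLAN on the same ports untouched, while forwarding-override (2b) isolates the whole port, which is the simpler choice for ports that only ever carry untrusted devices such as the IoT sensors mentioned above.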
