Channel: MikroTik

Beginner Basics • Re: Private VLAN on a RB4011

There is considerable confusion as to what is meant by ‘private VLAN’, so let me clarify.

Private VLANs are defined in RFC 5517 and are implemented on many brands of switches, most notably Cisco, so they are not unusual.

It is possible to implement a private VLAN on MikroTik routers, but there’s a catch. The following example shows how.

Let ether2 be a promiscuous port, ether6 an isolated host port, and ether7 and ether8 community host ports. VLAN 100 is the primary VLAN, VLAN 200 is an isolated secondary VLAN, and VLAN 300 is a community secondary VLAN.

The following commands implement the private VLAN.
Code:
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6 pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether8 pvid=300 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 untagged=ether6,ether7,ether8 vlan-ids=100
add bridge=bridge1 untagged=ether2 vlan-ids=200
add bridge=bridge1 untagged=ether2 vlan-ids=300
/interface bridge set bridge1 vlan-filtering=yes

So, what’s the catch? Because the last command activates independent VLAN learning (IVL), the MAC addresses of the hosts connected to ether6, ether7, and ether8 don’t appear in the MAC forwarding table for VLAN 100. Consequently, the promiscuous port broadcasts to all three host ports. This consumes bandwidth and reduces security.

Implementing shared VLAN learning (SVL) would fix the problem, but MikroTik seems to be dumbing down its switches by eliminating many of the commands under /interface ethernet switch. (Compare the CRS3xx/5xx series switches with the CRS1xx/2xx series switches, which appear to be being phased out.) Consequently, this catch is unlikely to go away.

Statistics: Posted by ath — Fri Jan 26, 2024 4:56 am
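
The catch described in the post, as an added example that is not part of the original post and is not RouterOS code: a small Python model of the bridge's MAC forwarding table, comparing independent (IVL) and shared (SVL) VLAN learning. The MAC addresses are constructed, and the per-VLAN egress sets assume each port is also a member of its own PVID VLAN.

```python
# Constructed model of the bridge in the post (not RouterOS code).
PVID = {"ether2": 100, "ether6": 200, "ether7": 300, "ether8": 300}
# Egress ports per VLAN; assumes each port is also a member of its PVID VLAN.
EGRESS = {
    100: {"ether2", "ether6", "ether7", "ether8"},
    200: {"ether2", "ether6"},
    300: {"ether2", "ether7", "ether8"},
}
ROUTER, H6 = "02:00:00:00:00:02", "02:00:00:00:00:06"  # constructed MACs


class Bridge:
    def __init__(self, shared_learning):
        self.shared = shared_learning
        self.fdb = {}  # (filtering id, MAC) -> port the MAC was learned on

    def _fid(self, vlan):
        # IVL: one filtering database per VLAN. SVL: one shared by all three.
        return 0 if self.shared else vlan

    def forward(self, in_port, src, dst):
        """Learn src, then return the set of ports the frame leaves on."""
        vlan = PVID[in_port]  # untagged ingress is classified by PVID
        self.fdb[(self._fid(vlan), src)] = in_port
        members = EGRESS[vlan] - {in_port}
        out = self.fdb.get((self._fid(vlan), dst))
        if out is None:
            return members  # unknown unicast: flood within the VLAN
        return {out} & members  # known: egress filtering still applies


def reply_ports(shared_learning):
    """Ports that see the router's unicast reply to the isolated host."""
    bridge = Bridge(shared_learning)
    bridge.forward("ether6", H6, ROUTER)  # host speaks first, in VLAN 200
    return bridge.forward("ether2", ROUTER, H6)  # reply travels in VLAN 100


if __name__ == "__main__":
    print("IVL:", sorted(reply_ports(False)))
    print("SVL:", sorted(reply_ports(True)))
```

With IVL the host's address is learned only in VLAN 200, so the lookup in VLAN 100 misses and the reply is flooded to every host port; with SVL the same lookup hits and the reply leaves on ether6 alone.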


