Every now and then I (re)decide to learn VLANs. And it always ends in frustration.

Yes, I've read and watched and listened and thought....

I'm thinking maybe I need a real world task to get the concepts and techniques to sink in to my brain.

Maybe some kind soul would help me.

Below is simplified diagram of a system.

An RB5009 connected directly to both workstations and a CSS326 switch.

On the switch are workstations.

How would I create 2 separate VLANS that accomplished the following:

1) Workstations on ports 20 and 21 can communicate only with the Internet (port 1 on the RB5009 and with workstation on port 3 of the RB5009
2) Workstation on port 3 can communicate with every other device including devices on ports 20 and 21 (and vice-versa)
3) Every other workstation can communicate with every other device (except ports 20 and 21) including the Internet

Thank you very much!

.

The first thing you should do is write clear requirements and not try to compress requirements into one line.
Secondly communicate is horrible term. In networking its better to talk about, originating traffic to.............
Replies are permitted in firewall rules, and its all about who is allowed to send/originate traffic. Communicate has different connotations one being two way traffic.

For example
1) Workstations on ports 20 and 21 can communicate only with the Internet (port 1 on the RB5009 and with workstation on port 3 of the RB5009
2) Workstation on port 3 can communicate with every other device including devices on ports 20 and 21 (and vice-versa)
3) Every other workstation can communicate with every other device (except ports 20 and 21) including the Internet\

I have no clue what you really mean in para 2 or 3.
Separate out the requirements, so there is no confusion.

Finally, dont predispose the solution, maybe it takes 5 vlans....
State the requirements, the solution will fall out gracefully.

+++++++++++++++++++++++++++++++

Overall this is a case of handling two things properly
Vlan filtering
firewall rules.
The diagram is very good and helpful
THe requirements need work.

Thank you so much for the help/education in how to ask for help -- nothing more valuable!

I understand that there are 2 main components of the solution: VLAN filters and firewall rules.

Here's my attempt to put to use your advice. I hope I've at least come somewhat close to doing it well.

My goal is to isolate the traffic going to, and coming from, the workstations on CSS ports 20 and 21 (hereinafter "WS-20/21") from all other devices on the LAN.

1) WS-20/21 should be able to originate traffic bound for the Internet

2) Incoming traffic from the Internet (forwarded packets) should be able to reach WS-20/21

3) Workstation on RB5009-port-3 should be able to originate traffic to WS-20/21

4) All other workstations (other than WS-20/21) should be able to initiate traffic to any other device (other than WS-20/21) and to the Internet

Bump

I just watched:

https://www.youtube.com/watch?v=4Z32oOPqCqc

Fantastic video.

Too bad my head overheated and melted down 1/2 way through.

viewtopic.php?t=143620

Well you have one bridge ( and no address assigned to bridge, no dhcp etc)
two vlans with interface bridge.
assign bridge ports
assign bridge vlans
assign firewall rules as required.
done.

Up to you to do the work..........

Replying for the updates.

Not responding, may be in jail

In terms of the switch, the main difference is
a. only need to create and identify the management vlan on the switch
b. only the management vlan is tagged to the bridge in /interface bridge vlans
c. only need single MGMT interface list and the only member is the management vlan (normally, unless one port is off bridge for emerg access or general config purposes )
d. use interface list in neighbours discovery, and mac-server winbox-server line.
e. make a single route out management vlan gateway
f. allow remote dns server=management vlan gateway
g. address of switch is as assigned by the main router and attached to management vlan interface.