thx for any help!thx for answer!Hi
I would think that this will depend on the setting:
are the networks / devices in these networks isolated or to they share same spaces
port isolation might provide more guarantees from security point of view
vlan are more flexible
kind of port isolation dictates complexity of configuration: on router is simpler while on switch, requires more configuration
In general I would go for vlans, since you have the hardware for it (CSS3xx) and is more flexible.
Note that the 4011 doesn't doe vlan filtering in hardware.
yes, but I would like to use mikrotik switches, but thxThere are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN
I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.
IMHO MikroTik switches are toys... but of course they are cheap.yes, but I would like to use mikrotik switches, but thx
yes, but I cannot use very expensive solution (cisco etc)IMHO MikroTik switches are toys... but of course they are cheap.yes, but I would like to use mikrotik switches, but thx
I'm not sure what is possible with bridge filters, bridge horizon value etc in those switches without killing the performance.
You could investigate that.
If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.what do you mean by "Note that the 4011 doesn't doe vlan filtering in hardware."? It could make this any trouble? Or it's just for info?
so it means network will run slower? or should I just use different HW instead of RB4011iGS+RM?If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.what do you mean by "Note that the 4011 doesn't doe vlan filtering in hardware."? It could make this any trouble? Or it's just for info?
but I think I need to do it, dont I? Because as I wrote, I need to create separate VLANs on each port of switch (or port isolate)Yes it will be slower, if enabled.
But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem
but if network will be slower just a little bit, this shouldnt be a problem ..ok, at least I can do it with such a HW, dont know how yet, but hope I will figure it outYes there really is a difference between MikroTik and Cisco switches, however when you look e.g. at that Private VLAN wiki page you can see that there are others inbetween the two.
And as I wrote, you can look at bridge filtering and at bridge (port) horizon in RouterOS.
But I do not know if using those features in the CRS326 will make it use the CPU instead of the switch hardware.
Actually, RouterOS supports private VLANs via port isolation: https://help.mikrotik.com/docs/display/ ... tisolationThere are standard solutions for this in switches.
E.g. enterprise switches offer this: https://en.wikipedia.org/wiki/Private_VLAN
I don't think MikroTik provides this feature (and many others that you would want to have in a hostile network, like DHCP snooping, ARP spoofing protection, etc)
but as I never use MikroTik switches I am not really well informed about those details, maybe tricks exist to implement it.
