CRS125 acting like hub with VLANs: port isolation defaults?

Posted: Mon May 19, 2014 9:29 pm
by ddt
Using VLANs in 6.11, I noticed that data seemed to be being forwarded out all ports instead of just the VLAN port it was bound for, much like a hub instead of a switch.

Example:
ether1 = Trunk - VLAN1
ether2 = Downstream network - VLAN5
ether24 = Canary Device - VLAN1

With the above, I would notice that ether2 and ether24 get the same Tx bandwidth, as if they were being mirrored. And when I would packet sniff on ether24, I'd see data bound for ether2. I figured this was a leaking/isolation issue, as something on ether24 shouldn't see anything bound for ether2, due to the different VLANs. I read somewhere on here that someone found a fix for this (/interface ethernet switch port set [find] learn-restricted-unknown-sa=yes) in 6.11, but it is not working in 6.13?

I saw that 6.12 overhauled a lot of the CRS VLAN code, but due to the reboot crashing ("Starting services") error with 6.12 I waited until 6.13 to work on this. In looking at the new VLAN code, namely the "Port-level Isolation" section of the newly updated CRS VLAN examples wiki page, I noticed that there are now options for said port-level isolation, like this:
/interface ethernet switch port
set ether2 isolation-leakage-profile-override=0

/interface ethernet switch port
set ether5 isolation-leakage-profile-override=1
set ether6 isolation-leakage-profile-override=1

/interface ethernet switch port-isolation
add port-profile=1 ports=ether2 type=dst

I am curious in noticing the above command "Leakage-profile-override" if anyone knows what the defaults for these port isolations are? I would think every port assigned to a VLAN would only talk to the trunk by default (profile 1 in the above), but I am guessing maybe there are no defaults, and they have to be manually set? Would that be the fix for these seemingly leaky VLANs?

Re: CRS125 acting like hub with VLANs: port isolation defaul

Posted: Tue May 20, 2014 9:06 am
by becs
By default, override of isolation or leakage is disabled (!isolation-leakage-profile-override) and ports can communicate with each other within the switched port group. The port isolation from that example has to be configured manually, and it could help limit traffic, but it may not fix the real cause of the hub behaviour, because generally it is related to MAC learning.
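
A simplified model of the point made in the reply above, added here as an illustration and not part of any post in this thread: a toy learning switch in Python (not RouterOS or CRS code) showing that without source-address learning every unicast frame is flooded, and that an isolation rule narrows where the flood goes without removing it. The port names come from the thread; the MAC addresses, `ToySwitch` and `run` are constructed for the example, and all three ports are assumed to sit in one switched port group.

```python
"""Toy learning switch: constructed model, not RouterOS/CRS behaviour."""

PORTS = ("ether1", "ether2", "ether24")   # port names taken from the thread
HOST_UP = "aa:aa:aa:00:00:01"    # constructed MAC behind ether1 (trunk)
HOST_DOWN = "bb:bb:bb:00:00:02"  # constructed MAC behind ether2


class ToySwitch:
    def __init__(self, ports, learning=True, isolation=None):
        self.ports = set(ports)
        self.learning = learning
        # isolation: ingress port -> set of egress ports it may reach
        self.isolation = isolation or {}
        self.fdb = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return (egress_ports, flooded) for one unicast frame."""
        if self.learning:
            self.fdb[src] = in_port          # source-address learning
        flooded = dst not in self.fdb        # unknown destination -> flood
        out = set(self.ports) if flooded else {self.fdb[dst]}
        out.discard(in_port)                 # never send back out the ingress port
        if in_port in self.isolation:
            out &= self.isolation[in_port]   # isolation filters egress only
        return out, flooded


def run(learning, isolation=None):
    """Downstream host talks first, then the trunk side answers it."""
    sw = ToySwitch(PORTS, learning, isolation)
    sw.forward("ether2", HOST_DOWN, HOST_UP)
    return sw.forward("ether1", HOST_UP, HOST_DOWN)


if __name__ == "__main__":
    print("learning on :", run(True))
    print("learning off:", run(False))
    print("off+isolated:", run(False, {"ether1": {"ether2"}}))
```

In the third case the canary port no longer receives the frame, but the switch still reports it as flooded, so the forwarding table is still empty and the underlying learning problem remains.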

Re: CRS125 acting like hub with VLANs: port isolation defaul

Posted: Tue May 20, 2014 8:31 pm
by ddt
Would that be in regards to the "sa-learning=yes" in the below VLAN code:
/interface ethernet switch ingress-vlan-translation
add port=ether2 customer-vid=0 new-customer-vid=801 sa-learning=yes

Re: CRS125 acting like hub with VLANs: port isolation defaul

Posted: Thu Jun 12, 2014 1:02 pm
by leonset
Hi!

Did you get this issue solved? I'm trying to address it, but I've had no luck yet...

Thanks!

Re: CRS125 acting like hub with VLANs: port isolation defaul

Posted: Fri Jun 13, 2014 3:26 am
by ddt
> Hi!
>
> Did you get this issue solved? I'm trying to address it, but I've had no luck yet...
>
> Thanks!

This was resolved in 6.12 (6.13 really, since 6.12 crashes on startup with some specific VLAN code). See my thread in Beginner Basics about trunk to trunk VLAN configuration to see MikroTik support's official response with the updated VLAN code that they added in 6.12.

I hope this helps!

Re: CRS125 acting like hub with VLANs: port isolation defaul

Posted: Fri Jun 13, 2014 12:01 pm
by leonset
Following your post there I just found yet another bug, settings in:

drop-if-no-vlan-assignment-on-ports
drop-if-invalid-or-src-port-not-member-of-vlan-on-ports

made from command line do not show in Winbox. Also, if you change those settings in Winbox they overwrite the ones set from the command line... I have already sent an email to support.

Thanks