Disable InterVLAN routing
Posted: Wed Apr 29, 2015 12:50 pm
Hello.
I have a CRS125 switch. It's configured with 2 VLANs created in the switch ASIC, and a trunk port (ether1+ether2) carrying both VLANs tagged. I've also created VLAN IP interfaces on the CPU and attached them so the switch can be managed from both VLANs. Only 1 master port, no bridge.
I know that this will also enable inter-VLAN routing inside the CPU. I want to disable it, but keep the CPU VLAN interfaces. I've tried using /ip firewall, but the problem is I'm not getting any packets on the FORWARD chain at all. Even a "log everything on the FORWARD chain" rule doesn't log anything.
What am I doing wrong? I've even set ip-forward to no under /ip settings. Yet if I add routes on hosts in VLANs 91 and 92 pointing at the switch's VLAN IPs, I can still reach the other VLAN.
I have a CRS125 switch. It's configured with 2 VLANs created in the switch ASIC, and a trunk port (ether1+ether2) carrying both VLANs tagged. I've also created VLAN IP interfaces on the CPU and attached them so the switch can be managed from both VLANs. Only 1 master port, no bridge.
I know that this will also enable inter-VLAN routing inside the CPU. I want to disable it, but keep the CPU VLAN interfaces. I've tried using /ip firewall, but the problem is I'm not getting any packets on the FORWARD chain at all. Even a "log everything on the FORWARD chain" rule doesn't log anything.
# CRS125 switch-chip configuration as exported by the poster (abridged; the
# "..." line below stands for export lines the poster left out).
# Stated goal: two ASIC VLANs (91, 92), a trunk on ether1+ether2, management
# IPs on CPU-side VLAN interfaces, and no routing between the two VLANs.
/interface ethernet
# ether1 and ether2 are assigned master-port ether3; further port settings
# were elided by the poster.
set [ find default-name=ether1 ] master-port=ether3
set [ find default-name=ether2 ] master-port=ether3
...
/interface vlan
# CPU-side VLAN interfaces on the master port; they carry the management
# addresses assigned under /ip address below.
add interface=ether3 l2mtu=1584 name=vlan91 vlan-id=91
add interface=ether3 l2mtu=1584 name=vlan92 vlan-id=92
/interface ethernet switch
# On ether3-ether24, frames with an invalid VID, or arriving on a port that is
# not a member of that VID, are dropped; unknown VLANs are not forwarded.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether3,ether4,eth\
er5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,et\
her15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ethe\
r24" forward-unknown-vlan=no
/interface ethernet switch trunk
# ether1+ether2 grouped as trunk1; the VLAN tables below reference it as one port.
add member-ports=ether1,ether2 name=trunk1
/interface ethernet switch ingress-vlan-translation
# Ingress on ether9-ether16 is assigned customer VID 91, ingress on
# ether17-ether24 customer VID 92, with source-MAC learning enabled on both.
add new-customer-vid=91 ports=\
ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 \
sa-learning=yes
add new-customer-vid=92 ports=\
ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 \
sa-learning=yes
/interface ethernet switch vlan
# Membership: VID 91 = trunk1 + ether9-16 + switch1-cpu,
#             VID 92 = trunk1 + ether17-24 + switch1-cpu.
# NOTE(review): switch1-cpu is a member of BOTH VLANs, so the CPU port receives
# traffic from each; separation between 91 and 92 therefore depends on the
# CPU side (the /ip settings entry below), not on switch-chip membership alone.
# Whether anything other than the CPU still carries traffic between the two
# VLANs is not visible in this export -- verify before relying on ip-forward=no
# as the only control.
add ports="trunk1,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether\
16,switch1-cpu" vlan-id=91
add ports="trunk1,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ethe\
r24,switch1-cpu" vlan-id=92
/interface ethernet switch egress-vlan-tag
# Only trunk1 and switch1-cpu are listed as tagged egress for VIDs 91 and 92.
add tagged-ports=trunk1,switch1-cpu vlan-id=91
add tagged-ports=trunk1,switch1-cpu vlan-id=92
/ip settings
# IP forwarding is disabled and ICMP redirects are not sent; this is the
# setting the post relies on to stop routing between vlan91 and vlan92.
set ip-forward=no send-redirects=no
/ip address
# Factory default address on sfp1, left disabled.
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
interface=sfp1 network=192.168.88.0
# Management addresses, one per CPU VLAN interface.
add address=192.168.91.46/24 interface=vlan91 network=192.168.91.0
add address=192.168.92.3/24 interface=vlan92 network=192.168.92.0