Private VLAN Trunk Promiscuous Ports

Do any Mikrotik or other similarly-priced switches support trunking PVLAN promiscuous ports? The Ubiquiti Edgeswitch series does not, which severely limits the usefulness of private vlans (each requires a dedicated promiscuous link to the router).

I’ve seen it in some Cisco switches, but I would like to avoid Cisco.

Or maybe there’s a way to tap into the layer 3 functionality of the switch? I don’t want the switch routing between the pvlans though as that traffic should be filtered.


Just in case it’s not clear, I am not asking whether a switch supports pvlans. Yes, Ubiquiti and other switches support pvlans, but they need a dedicated physical port for each promiscuous port.

Netgear, TP-Link or Huawei have products of decent price.

1 Like

@ndesign.ie Do you know which Netgear line specifically?

Per Wikipedia, Mikrotik switches do support it: Private VLAN - Wikipedia

Also, and I hate to be the stackoverflow guy here, but why are you using private VLANs? As a network engineer, I’ve always been hard pressed to find a good reason to use them.

2 Likes

Most recently, I was looking at it to segregate iscsi traffic so a bunch of hosts could see the NAS and get a dhcp reservation from the router but not see each other, or at least be isolated in communities (hypervisors). It seemed preferable to having a ton of vlan interfaces on the NAS and router for each host/community

Also, how else do you create guest networks?

I see that Mikrotik supports PVLANs but I don’t see anything about trunking. I think that’s my fault though, I wasn’t explicit enough. Generally, pvlans can be trunked, but the promiscuous ports have to be dedicated physical ports.

I want to be able to tag an interface with multiple promiscuous pvlans (along with other normal vlans) to eliminate the need to have several router ports plugged into the aggregation switch.

You can see this illustrated in the GUI: only one promiscuous assignment is permitted on an interface.

I want to do both of these things (above) on the same interface that’s connected to a router which is configured with vlans 100 and 200.
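As an added illustration (not code from the thread or from any vendor's switch), here is a small Python model of the PVLAN forwarding rules being discussed: isolated and community host ports that can only reach promiscuous ports, plus one tagged promiscuous trunk that carries two primary VLANs at once, which is the missing feature the post describes. The point to watch is the egress tag: on the promiscuous trunk every secondary VLAN is rewritten to its primary VLAN ID, so the router side needs only ordinary VLAN sub-interfaces for 100 and 200 and no per-secondary physical port. Port names, VLAN IDs and the `PvlanSwitch` class are assumptions made for the example; ordinary non-PVLAN trunk VLANs and 802.1Q framing are left out.

```python
from dataclasses import dataclass
from enum import Enum, auto


class PortKind(Enum):
    ISOLATED = auto()       # host port in an isolated secondary VLAN
    COMMUNITY = auto()      # host port in a community secondary VLAN
    PROMISCUOUS = auto()    # untagged promiscuous access port for one primary VLAN
    PROMISC_TRUNK = auto()  # tagged port that is promiscuous for several primaries


@dataclass(frozen=True)
class Secondary:
    vid: int
    primary: int
    isolated: bool  # True = isolated secondary, False = community secondary


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortKind
    vid: int = 0                        # secondary VID (host port) or primary VID (promiscuous access)
    primaries: frozenset = frozenset()  # primaries carried by a PROMISC_TRUNK


class PvlanSwitch:
    """Forwarding-decision model only; no MAC learning or flooding is simulated."""

    def __init__(self):
        self.secondaries = {}
        self.ports = {}

    def add_secondary(self, vid, primary, isolated):
        self.secondaries[vid] = Secondary(vid, primary, isolated)

    def add_port(self, port):
        self.ports[port.name] = port

    def primaries_of(self, port):
        """Primary VLAN(s) a port is a member of."""
        if port.kind in (PortKind.ISOLATED, PortKind.COMMUNITY):
            return {self.secondaries[port.vid].primary}
        if port.kind is PortKind.PROMISCUOUS:
            return {port.vid}
        return set(port.primaries)

    def classify_ingress(self, port_name, tag=None):
        """Map an incoming frame to (primary, secondary); None means dropped.
        Host and promiscuous access ports take untagged frames; the trunk only
        accepts frames tagged with one of the primaries it carries."""
        p = self.ports[port_name]
        if p.kind in (PortKind.ISOLATED, PortKind.COMMUNITY):
            s = self.secondaries[p.vid]
            return (s.primary, s.vid)
        if p.kind is PortKind.PROMISCUOUS:
            return (p.vid, None)  # promiscuous side: no secondary restriction
        if tag in p.primaries:
            return (tag, None)
        return None

    def forward(self, src_name, dst_name, tag=None):
        """Return (allowed, egress_tag) for a frame from src to dst.
        egress_tag is None for untagged egress."""
        src, dst = self.ports[src_name], self.ports[dst_name]
        cls = self.classify_ingress(src_name, tag)
        if src_name == dst_name or cls is None:
            return (False, None)
        primary, secondary = cls
        if primary not in self.primaries_of(dst):
            return (False, None)  # never across primary VLANs
        dst_promisc = dst.kind in (PortKind.PROMISCUOUS, PortKind.PROMISC_TRUNK)
        if secondary is not None and not dst_promisc:
            # host to host is allowed only inside the same community secondary
            if self.secondaries[secondary].isolated or dst.vid != secondary:
                return (False, None)
        # The promiscuous trunk rewrites every secondary to its primary tag, so
        # the router sees plain VLANs 100/200 and needs no per-secondary port.
        egress_tag = primary if dst.kind is PortKind.PROMISC_TRUNK else None
        return (True, egress_tag)


def build_example():
    """Assumed topology: workstations isolated in 101, hypervisors in community 102,
    NAS on a promiscuous access port in 100, cameras isolated in 201 under 200,
    and one tagged uplink to the router that is promiscuous for both 100 and 200."""
    sw = PvlanSwitch()
    sw.add_secondary(101, primary=100, isolated=True)
    sw.add_secondary(102, primary=100, isolated=False)
    sw.add_secondary(201, primary=200, isolated=True)
    for name, kind, vid in [("ws1", PortKind.ISOLATED, 101), ("ws2", PortKind.ISOLATED, 101),
                            ("hv1", PortKind.COMMUNITY, 102), ("hv2", PortKind.COMMUNITY, 102),
                            ("cam1", PortKind.ISOLATED, 201), ("nas", PortKind.PROMISCUOUS, 100)]:
        sw.add_port(Port(name, kind, vid))
    sw.add_port(Port("uplink", PortKind.PROMISC_TRUNK, primaries=frozenset({100, 200})))
    return sw


if __name__ == "__main__":
    sw = build_example()
    for src, dst, tag in [("ws1", "ws2", None), ("ws1", "nas", None), ("ws1", "uplink", None),
                          ("hv1", "hv2", None), ("cam1", "uplink", None), ("uplink", "ws1", 100)]:
        print(f"{src:>6} -> {dst:<6} tag={tag}: {sw.forward(src, dst, tag)}")
```

Run as a script it prints the decisions for the assumed topology; the two lines that matter for the thread are `ws1 -> uplink` and `cam1 -> uplink`, which egress on the same physical port tagged 100 and 200 respectively. On Linux the isolated/promiscuous half of this is available per bridge port with `bridge link set dev <port> isolated on` (isolated ports reach only non-isolated ports), which is a cheap way to get the same effect for a single primary VLAN.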

Depends on what you have. I normally just create a VLAN (which an SSID dumps its traffic on to) and then terminate the VLAN on a firewall. That isolates them well enough for me. If you don’t have a firewall you can use ACLs on a router. Usually good enough as well. If you have just a router and a dedicated internet line just for guests, you can VRF off the subinterface so it’s not even in the same routing table as the rest of your network. That’s the most ideal; then there is no need to do ACLs since they’re not even on your production/default routing table.

As for this, I don’t know Mikrotik very well. There’s a possibility that you may have to end up going with a more fully-featured enterprise switch, like a Cisco or Juniper, etc.

1 Like
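As an added example of the "terminate the guest VLAN on a firewall" approach described above (not a configuration from the thread or from any of the vendors mentioned), here is an nftables ruleset for a Linux box acting as the gateway. Interface names `vlan200` (the guest VLAN sub-interface) and `wan0`, and the use of the RFC 1918 ranges as "internal", are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Assumed: vlan200 is the guest VLAN sub-interface on the firewall, wan0 the internet uplink.
define guest   = "vlan200"
define wan     = "wan0"
define rfc1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet guest_fw {
    chain input {
        type filter hook input priority 0; policy accept;
        # Guests may talk to the firewall itself only for DHCP and DNS
        iifname $guest ct state established,related accept
        iifname $guest udp dport { 53, 67 } accept
        iifname $guest tcp dport 53 accept
        iifname $guest drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname $guest ct state established,related accept
        # No path from guests into any internal range, including guest-to-guest via the gateway
        iifname $guest ip daddr $rfc1918 drop
        iifname $guest oifname $wan accept
        iifname $guest drop
        # Internal hosts cannot initiate towards guests either; replies pass via conntrack
        oifname $guest ct state established,related accept
        oifname $guest drop
    }
}
```

Load it with `nft -f <file>`. The VRF variant of the same idea on Linux is `ip link add vrf-guest type vrf table 100` followed by `ip link set vlan200 master vrf-guest`, after which the guest sub-interface has its own routing table and the forward rules above become a belt-and-braces measure. One caveat that ties back to the original question: this only filters traffic that reaches the gateway. Two guests on the same VLAN still see each other at layer 2 through the switch or access point, so host-to-host isolation inside the VLAN needs a PVLAN, port isolation or client isolation on the AP, not a firewall rule.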

I agree with xradeon, you’ll need enterprise hardware for this.
Why not split the network out, have each client on their own IP range, on separate VLANs. I use VLANs on the same Netgear switch to isolate networks at home, I don’t trust cheap cctv poe cameras.

For Netgear PVLAN : https://kb.netgear.com/21945/How-do-I-create-a-private-VLAN-group-using-the-web-interface-on-my-managed-switch

1 Like

I have all the layer3/4/5 filtering I need on the gateway, but there are instances where I want to isolate or otherwise control layer 2 traffic. On most subnets, there are a few performance or latency-sensitive services that need to be accessed directly on layer 2 (all file sharing be it smb, iscsi, nfs etc). For everything else, it should go through the firewall including all host-to-host traffic. There’s no reason for person A to directly connect to person B’s workstation, even if they’re in the same department sitting right next to each other. Same with servers, although in that case, each server should have its own firewall configured properly, so less of an issue there.

Regarding ACLs, I think the switch has some ACL functionality, so I’ll look into that.

Yeah, idk what the actual spec is for pvlans, but I think there may only be proprietary solutions for what I want to do. Have you used Juniper? How is it compared to Cisco?

Unless I’m misunderstanding, this would involve creating a vlan, /29ish subnet, dhcp server configuration and NAS virtual interface for every client device.

Oh, I see where you’re coming from now. That’s a pretty good use case for pvlans actually. I personally wouldn’t do it, but only because I’d use SGT instead, which can accomplish the same thing without needing pvlans (however it requires a Cisco environment and ISE plus expensive licenses and whatnot).

I’ve only tried Juniper once when we demoed them out at my old job. It’s a good switch, CLI is way different, but it’s better. I love the commit model instead of live after typing that Cisco does. They’re better on licensing, but it’s still going to be very expensive compared to Mikrotik and Ubiquiti.

1 Like

The more I think about it, I want it on almost every subnet. OOBM should never talk to each other. IP cameras shouldn’t talk to each other. Any IOT or network-connected peripheral shouldn’t communicate with anything without going through a firewall. So many successful breaches have relied on lateral hops…

I’m pretty sure the ubiquiti edge switches do support private vlans, it has to be done through the legacy web interface or the cli.

There are only a few references to it and no great guide that I’ve found though.

They do. This post describes what I want to do that the Ubiquiti switches cannot do:
