Port isolation is a process in which you isolate a port (or group of ports) from another port (or group of ports). This means that the end device which is connected to one port will not be able to communicate with the end device connected to the other port.
Port Isolation is mostly used when you have a company having only 1 MikroTik CRS3xx switch. So instead of going through VLAN to segment the Layer2 network, you can use port isolation which is much easier to be configured and works perfectly.
On MikroTik CRS3xx, port isolation is available on the switch chip since RouterOS v6.43, which means it is hardware-offloaded and it doesn’t go to the CPU.
There are 2 different scenarios where you can use port isolation which is:
- Isolated Switch Groups
- Private VLAN
Both have the same idea as explained. But let’s start with the Isolated Switch Groups and do a LAB for it.
As you can see, I am grouping ports on the switch where it is possible for the devices to communicate with each other, but they cannot communicate with the other group.
Bear in mind that STP (when used) is not aware of the underlying port isolation configuration, therefore there are no separate spanning trees for each isolated network instead there is a single one for all isolated networks. This can cause some unwanted behavior (e.g. devices on isolated ports might select a root bridge from a different isolated network). That’s why I highly recommend using port isolation in case of only 1 Switch scenario and not more.
Another important notion is to remember to have HW-offload enabled on the ports that you want to use in the port isolation because if HW-offload is disabled then port isolation will not work and the RouterOS will not notify you about this.
Let’s move to the LAB now.
As you can see, the plan is to isolate 2 ports from each side, so Ether15 and Ether16 can communicate to each other but not to Ether17 and Ether18. Same will be done on the other side.
Let’s see how this can be applied.
1st we need to add all those ports to a bridge, and we should be sure that the HW-offload is enabled. I am sure by now you know how to add the ports to the bridge, so I will not show it again but here is the end result:
After having all the ports in a bridge and enabling the hardware-offload, we need to go to the Switch tab on Winbox and we have say that Ether15 speaks only to Ether16, and Ether17 speaks only to Ether18.
Let me show you how to do this:
Same process will be done between Ether17 and Ether18.
Very good, so the end result that we have is the following:
Now I will put 2 end devices one connected to Ether15 and another one connected to Ether16 with IPs from the same range and I will ping from one to another. Based on what we have configured, the ping should work. Let’s try.
As you can see, the ping is working. I will move the cable of my PC to Ether17 while keeping the other device plugged on Ether15 and will re-do the ping. Do you think it will work too? Let’s try:
As you can see, it is not working. So, the port isolation is perfectly working without any issue.