Understand and configure Bridge Horizon on the MikroTik switch for port isolation

Another method of using port isolation is Bridge Horizon.

If you are using a MikroTik switch that doesn’t support HW-offload, you can still do port isolation but using the Bridge Horizon.

The bridge horizon option can be found on the ports inside a bridge as follows:

The idea is as follows: if you have the same bridge horizon on 2 or more ports, then they are not able to communicate with each other. In another word, traffic will not flow out of a port with a horizon value the same as it came in. Again remember, the ports in the bridge should have HW-offload disabled.

Let’s do a LAB to see if this is going to work or not.

LAB: Bridge Horizon

Let’s put Ether15, Ether17 and Ether18 in a bridge port and be sure that we have hardware offload disable. I will show you how to do that on Ether15 only and you can do the same for Ether17 and Ether18.

[mepr-show rules=”319″ unauth=”message”]

As you can see, Hardware offload is not checked. Now all ports have been added to the bridge and we have the following result:

Let’s assume that I want to enable Ether15 to communicate with Ether17 but not to Ether18. Remember, if you want to put the Bridge Horizon on the ports in the same way, then they won’t be able to speak to each other.

For this, I will put the following bridge horizon values on the interfaces:

  • Ether15 = 2
  • Ether17 = 3
  • Ether18 = 2

Doing so, Ether15 and Ether18 will not be able to communicate with each other, but Ether 15 and Ether17 will communicate.

Let’s do the change on Ether15:

I will change the Bridge Horizon on Ether17 to 3 as following:

And finally, will make the Bridge Horizon on Ether18 as 2:

Here is the end result:

I will connect 2 end devices: one from Ether15 and another one from Ether17. They both have IPs from the same range. Then I will ping from one to another. Based on the learned theory, they should be able to reach each other because the bridge horizons on Ether15 and Ether17 aren’t the same. Let’s try:

Here you go. You see the ping is working. Now I will move the device from Ether17 to Ether18 while keeping the 1st one on Ether15. That means we have one side on Ether15 and another side on Ether18. Both interfaces have the same Bridge Horizon which is 2, so they should not be able to reach each other. Let’s try:

Indeed, the 2 end devices aren’t able to reach each other. That’s what I was expecting.

So, this is all about Bridge Horizon and port isolation.

[/mepr-show]

Course Content

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.

About