Skip to content
MikroTik RouterOS Docs

Switch Port Isolation

Switch Port Isolation

Section titled “Switch Port Isolation”

TL;DR (Quick Start)

Section titled “TL;DR (Quick Start)”
TL;DR (Quick Start) diagram

Isolate client ports (ether1-3) so they can only communicate with the uplink (sfp1), not each other:

# Create bridge with all ports
/interface bridge add name=bridge1
/interface bridge port
add interface=ether1 bridge=bridge1
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
add interface=sfp1 bridge=bridge1


# Configure port isolation to uplink only
/interface ethernet switch port-isolation
set ether1 forwarding-override=sfp1
set ether2 forwarding-override=sfp1
set ether3 forwarding-override=sfp1

Verify with:

/interface ethernet switch port-isolation print

Switch port isolation only works between ports on the same switch chip. Use bridge horizon for ports across different chips or for dynamic interfaces (PPP, VPLS).

Overview

Section titled “Overview”

What this does: Prevents direct Layer 2 communication between specific switch ports while allowing traffic to designated uplink ports. This creates Private VLAN (PVLAN)-like behavior where isolated hosts can reach the router/gateway but not each other.

Two methods available:

FeatureSwitch Port IsolationBridge Horizon
Menu path/interface ethernet switch port-isolation/interface bridge port
PerformanceWire-speed (hardware)CPU-dependent (software)
Hardware offloadYesNo (disables HW offload)
Works withSame switch chip portsAny bridge ports
Dynamic portsNoYes (with limitations)

When to use Switch Port Isolation:

  • Server isolation (PVLAN) where performance matters
  • Hotel/apartment/co-location networks
  • Guest WiFi isolation with hardware offload
  • Any scenario requiring wire-speed isolation on same switch chip

When to use Bridge Horizon:

  • PPPoE client isolation (dynamic interfaces)
  • Ports on different switch chips
  • Mixed interface types (wireless, tunnels, VLANs)
  • When flexibility matters more than performance

Prerequisites

Section titled “Prerequisites”
  • RouterOS 6.43 or later for switch port isolation
  • Ports must be on the same switch chip for hardware isolation
  • Bridge must exist with ports added
  • Understanding of your device’s switch chip layout (check /interface ethernet switch print)

Configuration Steps

Section titled “Configuration Steps”

Method 1: Switch Port Isolation (Hardware)

Section titled “Method 1: Switch Port Isolation (Hardware)”

Step 1: Create Bridge with Ports

Section titled “Step 1: Create Bridge with Ports”
/interface bridge add name=bridge1
/interface bridge port
add interface=ether1 bridge=bridge1
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
add interface=sfp1 bridge=bridge1

Step 2: Configure Port Isolation

Section titled “Step 2: Configure Port Isolation”

Set forwarding-override on each isolated port to specify which port(s) it can communicate with:

/interface ethernet switch port-isolation
set ether1 forwarding-override=sfp1
set ether2 forwarding-override=sfp1
set ether3 forwarding-override=sfp1

Result: ether1, ether2, and ether3 can only send traffic to sfp1 (uplink). They cannot communicate directly with each other.

Step 3: Verify Configuration

Section titled “Step 3: Verify Configuration”
/interface ethernet switch port-isolation print

Expected output:

 # NAME   FORWARDING-OVERRIDE
 0 ether1 sfp1
 1 ether2 sfp1
 2 ether3 sfp1
 3 sfp1

Note: sfp1 has no forwarding-override set, so it can send to all ports (acts as uplink).

Method 2: Bridge Horizon (Software)

Section titled “Method 2: Bridge Horizon (Software)”

Step 1: Create Bridge with Ports

Section titled “Step 1: Create Bridge with Ports”
/interface bridge add name=bridge1
/interface bridge port
add interface=ether1 bridge=bridge1
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1

Step 2: Set Horizon on Client Ports

Section titled “Step 2: Set Horizon on Client Ports”

Ports with the same horizon value cannot communicate with each other:

/interface bridge port
set [find interface=ether1] horizon=1
set [find interface=ether2] horizon=1
set [find interface=ether3] horizon=1

Result: All ports in horizon=1 are isolated from each other. They can only reach the bridge IP (router) or ports with different/no horizon.

Step 3: Verify Configuration

Section titled “Step 3: Verify Configuration”
/interface bridge port print

Expected output:

Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
 #    INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  HORIZON
 0    ether1     bridge1  no   1     0x80      10         1
 1    ether2     bridge1  no   1     0x80      10         1
 2    ether3     bridge1  no   1     0x80      10         1

Note: The “H” flag is missing because horizon disables hardware offloading.

Common Scenarios

Section titled “Common Scenarios”
Section titled “Scenario 1: Multiple Uplinks”

Allow isolated ports to reach multiple uplink ports:

/interface ethernet switch port-isolation
set ether1 forwarding-override=sfp1,sfp2
set ether2 forwarding-override=sfp1,sfp2

Scenario 2: Isolated Groups

Section titled “Scenario 2: Isolated Groups”
Scenario 2: Isolated Groups diagram

Create two groups that can communicate within their group but not across groups:

# Group 1: ether1, ether2, ether3 can talk to each other and uplink
/interface ethernet switch port-isolation
set ether1 forwarding-override=ether2,ether3,sfp1
set ether2 forwarding-override=ether1,ether3,sfp1
set ether3 forwarding-override=ether1,ether2,sfp1


# Group 2: ether4, ether5 isolated from Group 1
set ether4 forwarding-override=ether5,sfp1
set ether5 forwarding-override=ether4,sfp1

Scenario 3: PPPoE Client Isolation (Bridge Horizon)

Section titled “Scenario 3: PPPoE Client Isolation (Bridge Horizon)”

Isolate PPPoE clients so they cannot communicate directly:

# Set same horizon on all client-facing ports
/interface bridge port
set [find interface=ether1] horizon=1
set [find interface=ether2] horizon=1
set [find interface=ether3] horizon=1

Clients can only reach the router (PPPoE server), not each other.

Scenario 4: Partial Isolation with Bridge Horizon

Section titled “Scenario 4: Partial Isolation with Bridge Horizon”
Scenario 4: Partial Isolation with Bridge Horizon diagram

Create multiple isolation groups where each group can communicate internally:

# Group A: ether1-2 can talk to each other
/interface bridge port
set [find interface=ether1] horizon=1
set [find interface=ether2] horizon=1


# Group B: ether3-4 can talk to each other
set [find interface=ether3] horizon=2
set [find interface=ether4] horizon=2


# ether5 has no horizon (default), can communicate with all

Scenario 5: Remove Port Isolation

Section titled “Scenario 5: Remove Port Isolation”

Switch port isolation:

/interface ethernet switch port-isolation
set ether1 forwarding-override=""

Bridge horizon:

/interface bridge port
set [find interface=ether1] horizon=none

Verification

Section titled “Verification”

Check 1: View Switch Port Isolation Settings

Section titled “Check 1: View Switch Port Isolation Settings”
/interface ethernet switch port-isolation print

Expected: forwarding-override set on isolated ports, empty on uplink ports.

Check 2: View Bridge Port Horizons

Section titled “Check 2: View Bridge Port Horizons”
/interface bridge port print

Expected: HORIZON column shows configured values.

Check 3: Verify Hardware Offloading Status

Section titled “Check 3: Verify Hardware Offloading Status”
/interface bridge port print detail

Expected: hw=yes if offloading active; hw=no if horizon set.

Check 4: Test Isolation (from isolated device)

Section titled “Check 4: Test Isolation (from isolated device)”

From a device connected to an isolated port, ping another isolated device:

/ping <other-isolated-device-ip>

Expected: Timeout (isolated) - packets should not reach the destination.

Section titled “Check 5: Test Uplink Connectivity”

From a device connected to an isolated port, ping the router:

/ping <router-ip>

Expected: Successful replies (uplink should work).

Troubleshooting

Section titled “Troubleshooting”
SymptomCauseSolution
Ports not isolatedPorts on different switch chipsUse bridge horizon instead
Performance dropped after enabling horizonHorizon disables HW offloadUse switch port isolation if HW offload needed
”Cannot change dynamic port” errorDynamic bridge ports are read-onlyUse firewall rules or accept limitation
Port isolation not working with VLANsVLAN lookup takes precedenceUse switch rules with new-dst-ports for VLAN+isolation
STP not detecting loopsBPDUs can’t traverse isolated groupsEnsure uplink ports relay BPDUs; or disable STP on isolated ports
Devices can ping router but not each otherHorizon accidentally set, or expected behaviorCheck horizon values; this is normal for isolated ports

Problem: Switch Port Isolation Only Works on Same Chip

Section titled “Problem: Switch Port Isolation Only Works on Same Chip”

Cause: Switch port isolation is a per-switch-chip feature. Ports on different switch chips cannot be isolated using this method.

Solution:

# Check which ports are on which switch chip
/interface ethernet switch port print


# Use bridge horizon for cross-chip isolation
/interface bridge port set [find interface=ether1] horizon=1

Problem: VLAN Mode Overrides Port Isolation

Section titled “Problem: VLAN Mode Overrides Port Isolation”

Cause: When using VLAN-aware switching, VLAN lookup (vlan-mode=check or vlan-mode=secure) takes precedence over port isolation.

Solution: Use switch rules with new-dst-ports to achieve combined VLAN and isolation behavior:

/interface ethernet switch rule
add ports=ether1 new-dst-ports=sfp1 switch=switch1

Problem: STP Issues with Isolated Groups

Section titled “Problem: STP Issues with Isolated Groups”

Cause: BPDU frames cannot traverse between isolated groups, preventing proper loop detection.

Solution:

  • Ensure uplink ports are not isolated and can relay BPDUs
  • Or disable STP on isolated edge ports if no loops are possible:
/interface bridge port set [find interface=ether1] edge=yes
Section titled “Related Topics”

Switch & bridge

Section titled “Switch & bridge”

Wireless

Section titled “Wireless”

Security

Section titled “Security”

Reference

Section titled “Reference”

Key Properties Reference

Section titled “Key Properties Reference”

Switch Port Isolation Properties (/interface ethernet switch port-isolation)

Section titled “Switch Port Isolation Properties (/interface ethernet switch port-isolation)”
PropertyTypeDefaultDescription
forwarding-overrideinterface(s)emptyForce ingress traffic to specified interface(s) only

Bridge Port Properties (/interface bridge port)

Section titled “Bridge Port Properties (/interface bridge port)”
PropertyTypeDefaultDescription
horizoninteger (0-255)noneSplit-horizon group; ports with same value cannot communicate

How It Works

Section titled “How It Works”

Switch Port Isolation (forwarding-override):

  • Ingress-only: Only affects incoming traffic on the port
  • Override behavior: Traffic is forced to specified port(s) only, ignoring normal forwarding
  • Unset ports: Can send to all ports (acts as uplink)
  • Hardware level: Processed in switch chip at wire-speed

Bridge Horizon (Split-Horizon):

  • Group-based: Ports with same horizon value cannot communicate
  • Different horizons: Can communicate freely (horizon=1 ↔ horizon=2 is allowed)
  • None value: Can communicate with all ports regardless of their horizon
  • Software level: Processed by CPU, disables hardware offloading on affected ports