I've configured one Extreme Networks X440-48t switch stack as a router connecting to switches at different buildings over metro Ethernet circuits.
Each building switch can see the routing switch on a /30, like so:
Routing switch stack (X440-48t)        Building switches (X440-8p)
VLAN 311:     192.168.252.1/30   ->    192.168.252.2
VLAN 512:     192.168.252.5/30   ->    192.168.252.6
VLAN 242:     192.168.252.9/30   ->    192.168.252.10
Default VLAN: 192.168.2.236/24
(diagram labels: Core switching stack, Internal Core Router)
I want IP traffic coming from the 192.168.2.0 network to have access to all VLANs with those /30 addresses, but I do not want each of the switches to be able to communicate with each other.
192.168.252.2/30 should not be able to communicate with 192.168.252.6/30 or 192.168.252.10/30.
What would be the most efficient and manageable way to achieve this goal using EXOS ACLs, while also planning for the fact that there could be endless VLAN interfaces configured this way in the future?
Thanks in advance for any assistance.
I am assuming you want the switches with the /30 to send route updates, correct?
The ACLs in the 440 work from top to bottom, so you would need to permit the traffic between the /30s first, then deny source 192.168.252.0/24 destined to 192.168.252.0/24. You will need another ACL to deny ICMP for those subnets as well.
After the deny, any other traffic should flow as normal.
Does that make sense? Do you need the actual layout of the ACL, or did you get that from the Concepts Guide?
If I am misunderstanding, please let me know.
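As an added example (not part of the reply above, and not taken from Extreme's documentation), this is what that top-to-bottom ordering looks like as an EXOS policy file, written against the three /30s from the original question. The policy name `site_isolation`, the VLAN names `v311`, `v512` and `v242`, the entry names and the `/usr/local/cfg` path are assumptions; the entry syntax is standard EXOS policy-file syntax and should still be validated with `check policy` before it is attached to anything.

```text
# /usr/local/cfg/site_isolation.pol   (assumed file name; create it with "edit policy site_isolation")
# Entries are evaluated top to bottom; the first matching entry wins.

# 1. Permit each remote switch to reach its own /30 gateway address on the routing switch.
#    These per-site entries are the only part of the policy that grows with a new location.
entry site311_to_gw {
    if match all {
        source-address 192.168.252.2/32;
        destination-address 192.168.252.1/32;
    } then {
        permit;
    }
}
entry site512_to_gw {
    if match all {
        source-address 192.168.252.6/32;
        destination-address 192.168.252.5/32;
    } then {
        permit;
    }
}
entry site242_to_gw {
    if match all {
        source-address 192.168.252.10/32;
        destination-address 192.168.252.9/32;
    } then {
        permit;
    }
}

# 2. Deny anything else that is both sourced in and destined to 192.168.252.0/24,
#    i.e. one remote /30 reaching another remote /30 or another site's gateway address.
#    This single entry already covers every future /30 carved out of 192.168.252.0/24.
entry deny_site_to_site {
    if match all {
        source-address 192.168.252.0/24;
        destination-address 192.168.252.0/24;
    } then {
        deny;
    }
}

# 3. Everything else (replies toward 192.168.2.0/24 and beyond) flows normally.
entry permit_rest {
    if match all {
    } then {
        permit;
    }
}

# Validate, then attach on ingress of each /30 VLAN on the routing switch:
#   check policy site_isolation
#   configure access-list site_isolation vlan v311 ingress
#   configure access-list site_isolation vlan v512 ingress
#   configure access-list site_isolation vlan v242 ingress
# After editing the file for a new site, re-read it with:
#   refresh policy site_isolation
```

The point of ordering it this way is that the deny on the whole /24 never has to change; a new location costs one `*_to_gw` permit entry plus one `configure access-list ... vlan <name> ingress` attachment. If, as the reply says, ICMP needs its own deny on this platform, add an entry with `protocol icmp` and the same source/destination addresses as `deny_site_to_site`, placed above `permit_rest`.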
A rudimentary illustration:
independent Summit 24-port aggregator
24p port 1 -> /30 -> 8p, location 1
24p port 2 -> /30 -> 8p, location 2
24p port 3 -> /30 -> 8p, location 3
As you can see, I want traffic going into the 24-port to have access to the 24-port and all of the 8-port switches at the different locations, with the 24-port acting as the default GW for the 8s.
What I don't want is for the 8-ports to be able to get to each other through the 24.
The 24 is acting as a forwarding gateway.
I'm just looking for the easiest way to do this as a policy, because I don't want to update the ACL every time we add a new location.
Is this possible?
If so, could you point me in the right direction and maybe throw an example in?
I'm not announcing routes in this scenario.
I was thinking the solution to this would be as simple as configuring the ports on the 24p switch connecting to every 8p switch as isolation ports.
Following is an explanation of this feature:
The Port Isolation feature blocks accidental and intentional inter-communication between different customers residing on different physical ports. This feature provides a much simpler blocking mechanism without the use of ACL hardware. The fundamental requirements are as follows:
Blocking rules: All traffic types received on an isolation port are blocked from being forwarded through other 'isolation' ports.
All traffic types received on an isolation port can be forwarded to any other port.
All traffic types received on non-isolation ports are permitted to be forwarded to isolation ports.
There is no access-list hardware use. The blocking mechanism is a set of one or two table memories. These resources are not shared with other features, nor do they have any scaling limits that can be reached by configuring this feature. Port isolation can be configured in conjunction with other features, including VPLS, IDM, and XNV. However, you cannot configure a mirror-to port to be an isolated port.
configure port <port number> isolation on
Let me know your thoughts.
If the ports of the 24p connecting to the 8p will have only the /30 VLAN, this should meet your requirement.
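To make the suggestion concrete, here is an added example of the routing-switch side of that design (my own example, not configuration posted in this thread or taken from Extreme's documentation). It follows the rudimentary illustration above: one /30 VLAN per site on its own port, a trunk uplink toward the core, isolation only on the site-facing ports. The VLAN names `v311`, `v512` and `v242`, the site ports 1-3 and the uplink port 12 are assumptions; the addresses are the ones from the original question. The VLANs are routed on this switch, since the isolating switch has to be the one doing the IP forwarding.

```text
# One /30 VLAN per remote site, each on its own site-facing port (tagged or untagged; the
# thread's testing found it does not matter for isolation).
create vlan v311
configure vlan v311 tag 311
configure vlan v311 add ports 1 tagged
configure vlan v311 ipaddress 192.168.252.1/30
enable ipforwarding vlan v311

create vlan v512
configure vlan v512 tag 512
configure vlan v512 add ports 2 tagged
configure vlan v512 ipaddress 192.168.252.5/30
enable ipforwarding vlan v512

create vlan v242
configure vlan v242 tag 242
configure vlan v242 add ports 3 tagged
configure vlan v242 ipaddress 192.168.252.9/30
enable ipforwarding vlan v242

# Default VLAN toward the core / colo on the trunk uplink.
configure vlan Default add ports 12 untagged
configure vlan Default ipaddress 192.168.2.236/24
enable ipforwarding vlan Default

# Isolate only the site-facing ports. Port 12 is deliberately left non-isolated: an isolated
# port may forward to any non-isolated port and vice versa, so every site still reaches the
# core and the gateway, while site-to-site forwarding through this switch is blocked.
configure ports 1-3 isolation on

# Adding a fourth site later means one more VLAN on one more port plus one more isolation
# command; nothing already configured has to be touched (tag 777 and port 4 are hypothetical):
# create vlan v777
# configure vlan v777 tag 777
# configure vlan v777 add ports 4 tagged
# configure vlan v777 ipaddress 192.168.252.13/30
# enable ipforwarding vlan v777
# configure ports 4 isolation on

# Confirm the result with "show configuration" (the isolation lines appear there) and
# "show fdb", then test reachability from one remote switch toward another and toward its gateway.
```

The check worth doing before enabling isolation is that the uplink port (12 here) carries nothing that should be isolated from the sites, because leaving it non-isolated is what keeps the gateway and core reachable; isolating it as well would cut the sites off from the core entirely, which matches what the thread starter saw when forwarding between the two ports stopped.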
Based off of the description in the docs, only *isolated* ports should not be able to forward to each other. Port 12 is not isolated; it is the trunk uplink back to the colo.
Port 11 has 3 tagged VLANs, none untagged, and port 12 has 1 untagged VLAN and 3 tagged VLANs.
When I enabled port isolation, packet forwarding stopped between 11 & 12.
Am I missing a step in the configuration?
How about between ports 1 to 11, are they working as expected?
It would be good to explain the exact traffic that you tested between ports 11 and 12. In which VLAN did the traffic flow?
Does the show fdb output display the source and destination MAC addresses?
Please share these outputs as well:
1. show port 11-12 information detail
2. show fdb port 11-12
I will also test this in parallel and let you know.
I tested multiple scenarios with port isolation.
It really does not matter if the port is tagged or untagged. If I make the ports of the core switches connecting to the access switches isolated ports, the access switches do not communicate with each other, but they are able to reach the gateway.
In your network too, it would be ideal to only configure port isolation on the 24p switch, which will do the ipforwarding. Hope this helps!
Please share more details about the issue that you are facing, as requested above.
The 24t needs its firmware updated, so I'll have to schedule an outage.
The switch that I ran the initial test on does not have ipforwarding enabled, and that could explain why it didn't work.
I'll update the firmware this week and confirm.