Vlan Isolation

  • Question
  • Updated 2 years ago
  • Answered
Hello Community,

I'm wondering if it's possible to do something like "port isolation" for a VLAN.

I want one particular VLAN not to communicate with another port that has the same VLAN tagged. Is that possible?

Julian Eble


Posted 2 years ago


BigRic

Have you looked at the option of using a private vlan?  Not sure of other design goals, but that might provide what you're looking for.

Julian Eble

Does private VLAN work well with VPLS?
The packet incoming from one port should go through the VPLS but not to some ports.

Henrique, Employee

Hi Julian, please take a look at the article below regarding Private Vlan:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-private-vlan

Drew C., Community Manager


Julian Eble

Hello Drew,
The problem with port isolation is that I'm going to block every single VLAN.
I just want one VLAN not to communicate from one port to another.

Eric Burke

Julian, can you provide a bit more detail on the design goals.  Your initial comment states that you want a particular vlan to NOT communicate with a port that is a tagged member of that VLAN.  What are you trying to accomplish overall?  The description is a bit confusing.  Thanks!

Julian Eble

Sorry Eric, let me try to be more clear.

For example, VLAN 100 is tagged on ports 20-30 and also on the uplink, port 48.
The packets are coming from ports 20-30 and they will have to communicate with a BRAS server, and the only path to the BRAS server is port 48.

The packets coming from the particular port 20 with VLAN 100 do not have to talk to ports 21-30, just to 48.
But other VLANs will.

Nick Yakimenko

Read again about port isolation -- I believe that is what you need.

Julian Eble

Nick,

Port isolation will block all VLANs, I don't want that...
Just one VLAN should be blocked.

Nick Yakimenko

You have more than one VLAN between the BRAS and customers on ports 20-30?

Julian Eble

Yes, there are 9 more VLANs that need to communicate between them.

Eric Burke

I would agree with Nick that port isolation sounds like the right solution. Port 48 would live in the primary VLAN and all other ports would have access to it, but not to each other. You would have to move your other ports to isolated VLANs, but they would all have access to the promiscuous port in the primary VLAN.
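
The distinction this thread turns on (port isolation applies to every VLAN on a port, while private-VLAN-style isolation can be limited to VLAN 100), as an added example that is not part of the original posts: a simplified Python model of flooding on one switch. Ports 20-30, uplink 48 and VLAN 100 come from the thread; VLAN 200 is a constructed stand-in for the other VLANs, and collapsing the primary/isolated VLAN pair into one flagged VLAN ID is an assumption of the model.

```python
# Added illustration: simplified model of how one switch floods a frame.
# Ports 20-30, uplink 48 and VLAN 100 come from the thread; VLAN 200 is a
# constructed stand-in for the other VLANs carried on the same ports.

UPLINK = 48
ACCESS_PORTS = frozenset(range(20, 31))
MEMBERS = {
    100: ACCESS_PORTS | {UPLINK},
    200: ACCESS_PORTS | {UPLINK},
}


def egress_ports(ingress, vlan, isolated_ports=frozenset(), isolated_vlans=frozenset()):
    """Return the ports a flooded frame (broadcast, unknown unicast) leaves on."""
    members = MEMBERS.get(vlan, frozenset())
    if ingress not in members:
        return set()  # ingress port is not a member of the VLAN: dropped
    out = set(members) - {ingress}
    # Port isolation is a per-port property: an isolated port never forwards
    # to another isolated port, whatever VLAN the frame is in.
    if ingress in isolated_ports:
        out -= set(isolated_ports)
    # Private-VLAN-style isolation is a per-VLAN property: subscriber ports
    # reach only the promiscuous uplink; the uplink still reaches everyone.
    # Assumption: the primary/isolated VLAN pair is collapsed into one VLAN ID.
    if vlan in isolated_vlans and ingress != UPLINK:
        out &= {UPLINK}
    return out


def compare(ingress=20):
    """Reachability from one access port under the two approaches."""
    return {
        "port isolation": {
            v: sorted(egress_ports(ingress, v, isolated_ports=ACCESS_PORTS))
            for v in MEMBERS
        },
        "isolate VLAN 100 only": {
            v: sorted(egress_ports(ingress, v, isolated_vlans={100}))
            for v in MEMBERS
        },
    }


if __name__ == "__main__":
    for policy, result in compare().items():
        print(policy, result)
```
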