Vlan Isolation


Userlevel 2
Hello Community,

I'm wondering if it's possible to do something like "port isolation" for vlan.

I want that one particular vlan doesn't communicate to another port with the same vlan tagged,
is that possible?

12 replies

Userlevel 1
Have you looked at the option of using a private vlan? Not sure of other design goals, but that might provide what you're looking for.
Userlevel 2
BigRic wrote:

Have you looked at the option of using a private vlan? Not sure of other design goals, but that might provide what you're looking for.

Does private vlan work well with VPLS?
The packet incoming from one port should go through the VPLS but not to some ports.
Userlevel 6
Hi Julian, please take a look at the article below regarding Private Vlan:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-private-vlan
Userlevel 7
EXOS has port isolation: http://documentation.extremenetworks.com/exos_22.1/exos_21_1/slots_and_ports/c_port-isolation.shtml
http://documentation.extremenetworks.com/exos_commands_22.2/exos_21_1/exos_commands_all/r_configure-...
Userlevel 2
Hello Drew,
The problem of port isolation is that I'm going to block every single vlan.
I just want that one vlan doesn't communicate from one port to another.
Userlevel 4
Julian, can you provide a bit more detail on the design goals. Your initial comment states that you want a particular vlan to NOT communicate with a port that is a tagged member of that VLAN. What are you trying to accomplish overall? The description is a bit confusing. Thanks!
Userlevel 2
Sorry Eric, let me try to be more clear.

For example, the vlan 100 is tagged on ports 20-30 and also to the uplink 48.
The packets are coming from ports 20-30 and they will have to communicate to a BRAS server and the path to the BRAS server is only port 48.

The packets coming from the particular port 20 with vlan 100 do not have to talk to the ports 21-30 just to 48.
But other vlans will.
Userlevel 4
Julian Eble wrote:

Sorry Eric, let me try to be more clear.

For example, the vlan 100 is tagged on ports 20-30 and also to the uplink 48.
The packets are coming from ports 20-30 and they will have to communicate to a BRAS server and the path to the BRAS server is only port 48.

The packets coming from the particular port 20 with vlan 100 do not have to talk to the ports 21-30 just to 48.
But other vlans will.

Read again about port isolation -- I believe that is what you need.
Userlevel 2
Nick,

The port isolation will block all vlans, I don't want that...
Just one vlan should be blocked.
Userlevel 4
You have more than one vlan between BRAS and customers on ports 20-30?
Userlevel 2
Yes, there are 9 more vlans that need to communicate between them.
Userlevel 4
I would agree with Nick that port isolation sounds like the right solution. Port 48 would live in the primary VLAN and all other ports would have access to it, but not to each other. You would have to move your other ports to isolated VLANs, but they would all have access to the promiscuous port in the primary vlan.

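An added example, not part of any post in this thread: a simplified Python model of the forwarding decision under the two options discussed (per-port isolation and a private VLAN with isolated and promiscuous ports), checked against the flows Julian describes. The tag 200 for the other VLANs and the model's rules are assumptions made for illustration, not EXOS code or configuration.

```python
# Added illustration: a simplified forwarding model, not EXOS code or configuration.
ACCESS = frozenset(range(20, 31))   # customer ports 20-30, from the thread
UPLINK = 48                         # only path to the BRAS, from the thread
OTHER_VLAN = 200                    # hypothetical tag for one of the other VLANs
MEMBERS = {100: ACCESS | {UPLINK}, OTHER_VLAN: ACCESS | {UPLINK}}

# Option A: per-port isolation on every customer port.
PORT_ISOLATION = {"isolated_ports": ACCESS, "pvlan": {}}
# Option B: per-VLAN isolation; only VLAN 100 has isolated and promiscuous roles.
PRIVATE_VLAN = {"isolated_ports": frozenset(),
                "pvlan": {100: {"isolated": ACCESS, "promiscuous": {UPLINK}}}}

# Flows stated in the thread: (ingress, egress, vlan, must_forward).
REQUIRED = [
    (20, 48, 100, True),          # customer to BRAS uplink
    (48, 20, 100, True),          # return traffic from the uplink
    (20, 21, 100, False),         # no customer-to-customer traffic in VLAN 100
    (20, 21, OTHER_VLAN, True),   # the other VLANs still bridge between ports
]


def may_forward(cfg, ingress, egress, vlan):
    """Return True if the model bridges a frame from ingress to egress in vlan."""
    members = MEMBERS.get(vlan, frozenset())
    if ingress == egress or ingress not in members or egress not in members:
        return False
    # Port isolation ignores the VLAN: two isolated ports never exchange frames.
    if ingress in cfg["isolated_ports"] and egress in cfg["isolated_ports"]:
        return False
    roles = cfg["pvlan"].get(vlan)
    if roles and ingress in roles["isolated"]:
        # An isolated port may only reach promiscuous ports of that VLAN.
        return egress in roles["promiscuous"]
    return True


def unmet(cfg):
    """Return the required flows that cfg gets wrong."""
    return [flow for flow in REQUIRED if may_forward(cfg, *flow[:3]) != flow[3]]


if __name__ == "__main__":
    print("port isolation:", unmet(PORT_ISOLATION))
    print("private VLAN:  ", unmet(PRIVATE_VLAN))
```

In this model the per-port option fails only the flow between ports 20 and 21 in the other VLAN, while the per-VLAN option meets all four flows.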