topic RE: Isolate hosts in the same vlan in ExtremeSwitching (EXOS/Switch Engine)

Isolate hosts in the same vlan

Localhost — Tue, 27 Oct 2015 09:54:00 GMT

Hi

this is the scenario:

- one single vlan
- I need hosts that access this vlan to be able only to reach the gateway. Communication between hosts in the same vlan should be blocked. Is it possible in Xos?

thanks

RE: Isolate hosts in the same vlan

Jeremy_Gibbs — Tue, 27 Oct 2015 10:13:00 GMT

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2077275

RE: Isolate hosts in the same vlan

Baskar — Tue, 27 Oct 2015 10:14:00 GMT

Hi,

Private VLAN, helps to achieve this scenario (port isolation), is a technique where a VLAN contains switch ports that are restricted such that they can only communicate with a given "uplink"

thanks

RE: Isolate hosts in the same vlan

Localhost — Tue, 27 Oct 2015 10:17:00 GMT

thanks !

RE: Isolate hosts in the same vlan

Alexandr_P — Tue, 27 Oct 2015 12:50:00 GMT

Hi!

Also (as workaround) you can try ACL (but this have to be tested).
For example:
ports 1,2,3 - hosts.
#edit pol XXX
entry permit_def_gate {
if {
destination-address 172.16.0.1/24; #default gateway
} then {
permit;
} }
entry deny_inter-hosts {
if {
destination-address 172.16.0.0/24; #other hosts
} then {
deny;
} }

#conf access-list XXX ports 1-3 ingress

RE: Isolate hosts in the same vlan

BrandonC — Tue, 27 Oct 2015 12:50:00 GMT

One quick tweak to the ACL:

entry permit_def_gate {
if {
destination-address 172.16.0.1/32; #default gateway
} then {
permit;
} }
entry deny_inter-hosts {
if {
destination-address 172.16.0.0/24; #other hosts
} then {
deny;
} }If this line had a /24 mask, it would match on all hosts in the subnet, rather than just the gateway.

RE: Isolate hosts in the same vlan

Stephane_Grosj1 — Tue, 27 Oct 2015 13:23:00 GMT

To summarize a bit:

- if this requirement is local to a single switch (stack), then Port Isolation is certainly the best way to go.
- if the VLAN spans multiple switches, the usual Private VLAN is the way to go.
- ACL can be a workaround, especially if you want some lattitude in your initial requirement

RE: Isolate hosts in the same vlan

Paul_Russo — Tue, 27 Oct 2015 22:13:00 GMT

Hello there is another potential but it depends on your network and what features you actually need. There is a feature called Upstream Forwarding or Upstream Forwarding Only (UFO) that allows ports to be on the same VLAN but their traffic can only go up the uplink port. We disable flooding to the other ports so that a user on one port can't see traffic from another user on another port. This features is used mainly in MAN networks or Fiber to the Home designs where SPs want to restrict user traffic.

It is in the user guide search for upstream forwarding here's s snippet

"Figure 87: Upstream Forwarding or Disabling Egress Flooding Example"
"In this example, the three ports are in an ISP-access VLAN. Ports 1 and 2 are connected to clients 1 and"
"2, respectively, and port 3 is an uplink to the ISP network. Because clients 1 and 2 are in the same VLAN, client 1 could possibly learn about the other client’s traffic by sniffing client 2’s broadcast traffic; client 1 could then possibly launch an attack on client 2."
"However, when you disable all egress flooding on ports 1 and 2, this sort of attack is impossible, for the"
"following reasons:"
"• Broadcast and multicast traffic from the clients is forwarded only to the uplink port."
"• Any packet with unlearned destination MAC addresses is forwarded only to the uplink port."
"• One client cannot learn any information from the other client. Because egress flooding is disabled on the access ports, the only packets forwarded to each access port are those packets that are specifically targeted for one of the ports. There is no traffic leakage."
"In this way, the communication between client 1 and client 2 is controlled. If client 1 needs to"
"communicate with client 2 and has that IP address, client 1 sends out an ARP request to resolve the IP"
"address for client 2."

There are pros and cons with using this over private VLAN and really comes down with what you need to do but it is an option

Thanks
P

RE: Isolate hosts in the same vlan

Localhost — Wed, 28 Oct 2015 02:52:00 GMT

very valuable information. I will keep this thread in mind even for the future.

thanks everybody!

RE: Isolate hosts in the same vlan

MartinS1 — Tue, 05 Jul 2016 16:42:00 GMT

Hi guys,

is there a way to realise this on EOS (S-Series) Switches as well?

Thanks in advance,
Martin

RE: Isolate hosts in the same vlan

Erik_Auerswald — Tue, 05 Jul 2016 19:16:00 GMT

Hello Martin,

you can use policies on the S-Series, the same idea as the ACL solution for EXOS above.

Br,
Erik

Re: RE: Isolate hosts in the same vlan

jeronimo — Thu, 19 Jan 2023 23:25:04 GMT

I'm a little late to the show but anyway.

Why do you need to specify the default gateway? Traffic exiting the VLAN uses the def GW's MAC address but not its IP address.

You can just deny dst 172.16.0.0/24 and for the rest permit all IPv4