Isolating clients in the same VLAN/service from each other (FabricEngine/NAC)

jeronimo — Thu, 19 Jan 2023 23:29:40 GMT

How would you go about this when using Extremecontrol?
What kind of policies would you be pushing?
I'm currently not sure whether L2 or L3 would be appropriate.
Something generic would be great, so you don't need to specify different policies with different IP subnets for each service.

Maybe some generic L2 rule would be possible but I couldn't come up with one yet. Like only allowing access to the MAC address of the def GW, but it's more complicated than that (broadcasts, multicasts, etc.)

I know there is the possibility of private VLANs, but that has always seemed very complex to me.

Or is there some setting that I can just click enabled that I have missed?

Of course in any case exceptions need to be possible like excluding some TCP/UDP ports from the ban.

Thanks for any feedback.

Re: Isolating clients in the same VLAN/service from each other (FabricEngine/NAC)

Roger_Lapuh — Mon, 23 Jan 2023 16:52:07 GMT

You can create PVLANs with ETREEs on VOSS through a Radius VSA response. This is very straight forward and can be done while a device is logging in. For isolated ports make sure you do this on auto-sense ports or configure isolated ports through other means.

Radius VSA:

create=vlan¦pvlan, pv=Primary VLANID, sv=[secondary VLANID], vni=[ISID], ev= [EGRESS-VLAN-tag], vn=[vlan-name], vnin=[isid-name]

topic Re: Isolating clients in the same VLAN/service from each other (FabricEngine/NAC) in ExtremeSwitching (VSP/Fabric Engine)

Isolating clients in the same VLAN/service from each other (FabricEngine/NAC)

Re: Isolating clients in the same VLAN/service from each other (FabricEngine/NAC)