Isolating clients in the same VLAN/service from each other (FabricEngine/NAC)

jeronimo
Contributor III

How would you go about this when using ExtremeControl?
What kind of policies would you be pushing?
I'm currently not sure whether L2 or L3 would be appropriate.
Something generic would be great, so you don't need to specify different policies with different IP subnets for each service.

Maybe some generic L2 rule would be possible but I couldn't come up with one yet. Like only allowing access to the MAC address of the def GW, but it's more complicated than that (broadcasts, multicasts, etc.)

I know there is the possibility of private VLANs, but that has always seemed very complex to me.

Or is there some setting that I can just click enabled that I have missed?

Of course in any case exceptions need to be possible like excluding some TCP/UDP ports from the ban.

Thanks for any feedback.

1 REPLY

Roger_Lapuh
Extreme Employee

You can create PVLANs with ETREEs on VOSS through a Radius VSA response. This is very straightforward and can be done while a device is logging in. For isolated ports make sure you do this on auto-sense ports or configure isolated ports through other means.

Radius VSA: 

create=vlan¦pvlan, pv=Primary VLANID, sv=[secondary VLANID], vni=[ISID], ev= [EGRESS-VLAN-tag], vn=[vlan-name], vnin=[isid-name] 
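Added example, not from the reply above or from Extreme: a small validator for the dynamic-config VSA string format quoted in the reply, of the kind a NAC admin might run over policy strings before pushing them. It assumes that `create` takes either `vlan` or `pvlan`, that a `pvlan` request needs both `pv` and `sv`, that VLAN IDs are 1-4094 and that `vni` is a 24-bit I-SID; all of those are assumptions for this example, not documented behaviour.

```python
# Validate "create=vlan|pvlan, pv=..., sv=..., vni=..." VSA strings before they
# are handed to RADIUS. Limits and required keys are assumptions (see lead-in).
VLAN_MIN, VLAN_MAX = 1, 4094            # 802.1Q VLAN ID range
ISID_MIN, ISID_MAX = 1, 16777215        # 24-bit I-SID range (assumed)

# Assumption: "vlan" needs a primary VLAN; "pvlan" needs primary and secondary.
REQUIRED = {"vlan": ("pv",), "pvlan": ("pv", "sv")}
KNOWN_KEYS = {"create", "pv", "sv", "vni", "ev", "vn", "vnin"}

# Constructed sample string for demonstration, not a real deployment value.
SAMPLE = "create=pvlan, pv=100, sv=101, vni=1000100, vn=guest-pvlan"


def parse_vsa(text):
    """Split 'k=v, k=v' into a dict; reject malformed, unknown or duplicate keys."""
    attrs = {}
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed token: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        if key not in KNOWN_KEYS:
            raise ValueError(f"unknown key: {key!r}")
        if key in attrs:
            raise ValueError(f"duplicate key: {key!r}")
        attrs[key] = value
    return attrs


def _in_range(value, lo, hi):
    return value.isdigit() and lo <= int(value) <= hi


def validate_vsa(text):
    """Return parsed attributes if the string is a sane vlan/pvlan request."""
    attrs = parse_vsa(text)
    mode = attrs.get("create")
    if mode not in REQUIRED:
        raise ValueError(f"create must be vlan or pvlan, got {mode!r}")
    for key in REQUIRED[mode]:
        if key not in attrs:
            raise ValueError(f"{mode} request is missing {key}")
    for key in ("pv", "sv"):
        if key in attrs and not _in_range(attrs[key], VLAN_MIN, VLAN_MAX):
            raise ValueError(f"{key} must be a VLAN ID 1-4094, got {attrs[key]!r}")
    if "vni" in attrs and not _in_range(attrs["vni"], ISID_MIN, ISID_MAX):
        raise ValueError(f"vni must be an I-SID 1-16777215, got {attrs['vni']!r}")
    if mode == "pvlan" and attrs["pv"] == attrs["sv"]:
        raise ValueError("primary and secondary VLAN IDs must differ")
    return attrs


def is_valid(text):
    """Boolean wrapper for use in scripts that only need pass/fail."""
    try:
        validate_vsa(text)
        return True
    except ValueError:
        return False
```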
