08-28-2024 03:12 AM
Hello,
we want to deploy private vlans in our fabric attach infrastructure, in order to limit the traffic in the same subnet.
All the endpoints are connected to access switches (that are in SwitchEngine/EXOS), while core switches are used only as distribution layer.
For EXOS, I had this link as a reference
https://documentation.extremenetworks.com/exos_30.4/GUID-56B81F2C-8A3B-4303-A212-92322613EFAA.shtml
Where it is possible to extend the private vlans between switches. My question is, which configuration is needed on backbone switches (fabric engine), to extend the private vlans between access switches?
Solved! Go to Solution.
2 weeks ago
08-29-2024 05:42 AM
Private VLANs (PVLANs) are always defined using 2 VLAN-ids, a primary & secondary (and additional VLAN-ids if implemented with PVLAN communities which EXOS supports but VOSS does not).
If you want to extend a PVLAN between 2 switches, you always need to trunk all those VLAN-ids between the 2 switches. On VOSS the port can be configured as private-vlan isolated|promiscuous|trunk; trunk is what you need.
Now, if you have Fabric Engine/VOSS in the core/distribution but Switch Engine/EXOS as the access, you are most likely using Fabric Attach (FA) between the two. And there's the problem, FA was never designed to handle PVLANs. FA TLVs can only signal a single VLAN-id associated to an I-SID and cannot signal PVLAN vs. regular VLAN.
If you want to use PVLANs in such a setup you will need to do away with FA and manually configure your Switch Engine/EXOS, at both ends. The PVLAN will also need to be configured manually on all switches (XIQ-SE has no PVLAN support).
A better approach, if you have universal hardware, is to go completely fabric to the edge, and run Fabric Engine on you access switches as well. Now you can have the PVLAN only created on these (the creation and assignment to access ports as well as I-SID association can be fully automated via RADIUS VSA, this XIQ-SE can do) and in fabric a PVLAN with an I-SID assigned becomes an ETREE service which can be extended anywhere else in the fabric (no need to set any ports to trunk mode, no need for FA).
08-30-2024 05:31 AM
Hi Ludovico,
thanks for your answer. Very interesting. I will set up a lab and try what you said. Since the goal is to limit traffic in the same subnet, could another approach be to configure policies in XIQ-SE specifying services to allow and not and push them to EXOS switches? Are there any limitation for this feature with EXOS switches (except TCAM limitations)?