Hi,
I've had a read about port isolation and QinQ, however I can't figure out how to split the Netonix into 'multiple switches'. Here's our setup:
I think we need to be able to have multiple port groups so that the switch can be truly isolated and perform as per the diagram.
We have sector antennas on ports 1 & 2. These antennas are considered infrastructure and we have them on VLAN 10 for their management.
Clients have their own CPE radio and these are configured on VLAN 15
All traffic ends up at the Mikrotik for this particular tower where they authenticate with PPPoE traffic.
To protect from rogue users / people connecting their DHCP server to the CPE we do the following:
* Put the sector antennas into isolation mode so no 2 clients on the same sector can talk to each other
* VLAN 10 is dropped at the sector antenna so users can’t just put themselves on VLAN 10 and get access to infrastructure
* Each sector antenna has its own port on the Netonix which tags any untagged traffic. So with antenna 1, all untagged traffic gets tagged with VLAN 20, all traffic from sector 2 gets VLAN 21. The Netonix also only allows VLANs 10,15 & 20 on port 1 and VLANs 10,15,21 on port 2
* The Netonix ports 1 & 2 are also in isolation mode so any VLAN 15/21/22 traffic can’t make its way to the other sectors
The PPPoE server listens on port 1 of the Mikrotik on VLANS 20 and 21. It also passes traffic on VLAN 15 and 10 for management of kit, along with some firewall rules.
That all works OK.
The only thing that the users can do now is to put themselves on VLAN 15 and access their own CPE radio. If they want to try and break that then that’s up to them, we keep that open so we have diagnostic access if we need it from their location.
My issue now is how to stop ports 1/2/3 accessing my backhaul kit on ports 10/11/12 (or whichever). I need to split the switch into 2 so that I can then have separate isolation zones. If the sector antennas are bridged with the backhaul in any way then VLAN 15 will be allowed through and users could potentially get to VLAN 15 shared from other towers.
Is this possible and how do I achieve it?
Many thanks in advance, apologies if this is really easy and I've missed some docs.
Advanced port isolation / QinQ / Something Else
Re: Advanced port isolation / QinQ / Something Else
Maybe it's better for me to ask if there is a CLI reference for the QinQ functions or advanced port isolation ?
Thanks
Re: Advanced port isolation / QinQ / Something Else
Did you ever figure this out? I'm trying to do exactly this.
sirhc - Employee
Re: Advanced port isolation / QinQ / Something Else
This can be done in the UI.
In fact I do just this on every one of my towers and it is in the video.
I have several posts on here discussing this and I talk about it in the 1.5 hour video on YouTube, search Netonix on YouTube.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Re: Advanced port isolation / QinQ / Something Else
Hi Chris,
It's great it can be done, I can revisit the video but in general a quick WIKI on this would be easier than trawling through 1.5 hours' worth of footage. Just a simple:
1. Select port 1, put in VLAN 1000 and add Q in the GUI
2. Select port 2, repeat
3. Watch all your traffic going into port 1 come out of port 2 with all VLANs intact
4. See that none of your traffic comes out of port 3/4/5/6 etc.
Or whatever the process is. I don't need specifics, just how to do it.
Sorry if I've missed this list elsewhere, if you know it's already answered then please just show me the link.
sirhc - Employee
Re: Advanced port isolation / QinQ / Something Else
PMTech wrote: Hi Chris,
It's great it can be done, I can revisit the video but in general a quick WIKI on this would be easier than trawling through 1.5 hours' worth of footage. Just a simple:
1. Select port 1, put in VLAN 1000 and add Q in the GUI
2. Select port 2, repeat
3. Watch all your traffic going into port 1 come out of port 2 with all VLANs intact
4. See that none of your traffic comes out of port 3/4/5/6 etc.
Or whatever the process is. I don't need specifics, just how to do it.
Sorry if I've missed this list elsewhere, if you know it's already answered then please just show me the link.
So yeah, if you create a VLAN with any number (the number means nothing in this application), just pick one you are not using anywhere else on this switch or through the switch.
Then on ports 1 and 2 you put a Q, and an E on all other ports.
Then on all other VLAN definitions ports 1 and 2 have an E so those ports are excluded.
Now ports 1 and 2 are basically a little logical 2 port switch and could be used as a midspan injector.
Now any packet coming in port 1 will go out port 2 as it was sent in.
Since I have a router at every tower, all packets between towers are routed with no VLAN tags, so I simply use U instead of Q, as all packets will be untagged packets, to make my midspan injector for my backhauls. One port goes to the radio with PoE, the other to a routed port in the router.
http://community.ubnt.com/t5/Installati ... 783#M99814
Re: Advanced port isolation / QinQ / Something Else
Thanks Chris, that worked for us in the end once we understood it from your previous post.
For anyone else, if you have sector PtMP on ports 1, 2, 3 and then your Mikrotik (or whatever) on port 10 then:
Create VLAN 500 - "Q" port 1 and "T" port 10
Create VLAN 501 - "Q" port 2 and "T" port 10
Create VLAN 502 - "Q" port 3 and "T" port 10
Then on your Mikrotik create VLANs 500/501/502, all on the interface connected to the Netonix. That is now your equivalent of the Netonix not being there. Any previous VLANs remain intact inside, so if you previously had VLAN 2450 on the sector plugged into Netonix port 2 then you will still have VLAN 2450, but it will be on your VLAN 501 interface.
Hope it makes sense, it's working for us.
Thanks again
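As an added illustration (not part of this thread and not Netonix or MikroTik code), the following Python model lets you check a Q/T/U/E membership table before committing it to a switch. The role semantics are assumptions inferred from the two answers above: Q wraps everything entering a port in an outer tag and strips it on the way out, T carries the tag on the wire, U is untagged membership, E is excluded. It does not model the Netonix port isolation feature, PoE, or the router side, so the real switch still has to be verified with a tagged test frame. The three tables (the original shared VLAN 15 layout, the per-sector QinQ layout from the post above, and sirhc's two-port midspan) are constructed sample data.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# VLAN membership table: vlan_id -> {port: role letter}.
# Role letters follow the thread's GUI convention; the semantics below are assumed:
#   Q  every frame entering this port is encapsulated in this VLAN (outer tag), inner tags kept
#   T  tagged member: frames carry this VLAN id on the wire
#   U  untagged member: frames enter/leave without this VLAN's tag
#   E  excluded (also the default for any port not listed under a VLAN)
VlanTable = Dict[int, Dict[int, str]]
Tags = Tuple[int, ...]   # tag stack as seen on the wire, outermost first; () = untagged


def ingress(table: VlanTable, port: int, tags: Tags) -> Optional[Tuple[int, Tags]]:
    """Classify a frame entering `port`: (forwarding VLAN, internal tag stack) or None if dropped.

    The internal stack always starts with the forwarding VLAN so egress can pop it."""
    for vid, members in table.items():
        if members.get(port) == "Q":              # QinQ wins: wrap whatever arrived
            return vid, (vid,) + tags
    if tags:
        vid = tags[0]
        if table.get(vid, {}).get(port) == "T":   # tagged frame on a tagged member port
            return vid, tags
        return None                               # tagged frame, port is not a member
    for vid, members in table.items():            # untagged frame needs a U membership
        if members.get(port) == "U":
            return vid, (vid,)
    return None


def forward(table: VlanTable, in_port: int, tags: Tags) -> Dict[int, Tags]:
    """Return {egress port: tag stack on the wire} for one frame entering in_port."""
    classified = ingress(table, in_port, tags)
    if classified is None:
        return {}
    vid, stack = classified
    out: Dict[int, Tags] = {}
    for port, role in table[vid].items():
        if port == in_port or role == "E":
            continue
        # T members keep the forwarding tag; U and Q members pop it on the way out
        out[port] = stack if role == "T" else stack[1:]
    return out


def leaks(table: VlanTable, edge_ports: Iterable[int], uplink: int) -> List[Tuple[int, int]]:
    """(src, dst) pairs where an edge port reaches anything other than the uplink.

    Probes an untagged frame and single-tagged frames for a few customer VLAN ids
    (constructed values); a correctly split switch returns an empty list."""
    probes: Tuple[Tags, ...] = ((), (15,), (10,), (2450,))
    found = set()
    for src in edge_ports:
        for tags in probes:
            for dst in forward(table, src, tags):
                if dst != uplink:
                    found.add((src, dst))
    return sorted(found)


# Constructed table 1: the starting point described in the first post. VLAN 15 is a tagged
# member on every port, so a CPE behind port 1 that tags itself 15 reaches the other sectors.
SHARED_VLAN15: VlanTable = {
    10: {1: "T", 2: "T", 3: "T", 10: "T"},
    15: {1: "T", 2: "T", 3: "T", 10: "T"},
    20: {1: "U", 10: "T"},
    21: {2: "U", 10: "T"},
    22: {3: "U", 10: "T"},
}

# Constructed table 2: the per-sector QinQ layout from the post above. Each sector port gets
# its own outer VLAN (Q), tagged only towards the router on port 10.
QINQ_PER_SECTOR: VlanTable = {
    500: {1: "Q", 10: "T"},
    501: {2: "Q", 10: "T"},
    502: {3: "Q", 10: "T"},
}

# Constructed table 3: sirhc's two-port midspan, Q on ports 1 and 2 and E everywhere else.
MIDSPAN: VlanTable = {1000: {1: "Q", 2: "Q", 3: "E", 10: "E"}}


if __name__ == "__main__":
    for name, table in [("shared VLAN 15", SHARED_VLAN15), ("QinQ per sector", QINQ_PER_SECTOR)]:
        print(f"{name}: port 1 tagged 15 ->", forward(table, 1, (15,)))
        print(f"{name}: leaks between sector ports ->", leaks(table, [1, 2, 3], 10))
    print("midspan: port 1 tagged 15 ->", forward(MIDSPAN, 1, (15,)))
```

Running it shows the difference the thread is about: in the shared table a VLAN 15 frame from port 1 is delivered to ports 2, 3 and 10, while in the QinQ table it only leaves port 10 as 500/15, and a 501/15 frame from the router comes out of port 2 as plain VLAN 15.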