
Port Isolation

Posted: Thu Nov 06, 2014 11:00 pm
by adairw
Hello,
I've been told twice that the WS supports some form of port isolation. It clearly does not, at least from what I can tell.

Let's say, for example, I have port 1 connected to my router, running both tagged and untagged VLANs.

Let's say I have three APs connected to ports 2, 3 & 4 on the WS, trunked back to my router, using VLANs 9, 8 & 7. (Every AP in its own network.) Fine.

Now let's say I have VLANs my customer traffic rides in. The CPE is immaterial, just assume it's tagging a VLAN up to the AP to get its public IP. (see attached image)

The problem I have is the three customer VLANs are now in what is basically a four port switch between port 1-4. So IF a customer on port 4 had their CPE in bridge mode and plugged in to their router's LAN port, a customer on port 2 requesting DHCP might get an address from the customer on port 4.
I want to be able to tell the tagged VLANs on ports 2, 3 & 4 they can only talk to port 1 and not to each other.
I do this now using split horizon bridging on MikroTik and it works awesome.

All this said.... I'm getting to be less worried about this feature since all new customer CPEs go into router mode instead of bridge mode. Additionally, with this setup at least it would be isolated to the one tower/switch because my VPLS tunnels from the tower router to the core will still have SPB running. But I think for WISP this would be an awesome feature and will prove to be very useful. I'm not sure it's going to be easy to add and keep "simple" theme or not though. I'd be happy if I could enable it from the CLI even.

Thanks for taking the time to read this lengthy post. I'm very hopeful and excited about these switches.
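
Added example, not part of the original post: a small Python model of the flooding decision described above, comparing a plain 802.1Q VLAN on ports 1-4 with the same VLAN when ports 2-4 are marked isolated (split-horizon style). The port roles come from the post; the VLAN id 100 and all function names are constructed for illustration and are not Netonix or MikroTik behaviour.

```python
from dataclasses import dataclass, field

UPLINK = 1               # port 1 goes to the router (from the post)
AP_PORTS = {2, 3, 4}     # ports 2-4 feed the APs (from the post)
CUSTOMER_VLAN = 100      # constructed VLAN id, not from the post


@dataclass
class Switch:
    vlan_members: dict                       # VLAN id -> set of member ports
    isolated: set = field(default_factory=set)

    def egress_ports(self, ingress, vlan):
        """Ports a broadcast (e.g. DHCP DISCOVER) entering `ingress` is flooded to."""
        members = self.vlan_members.get(vlan, set())
        if ingress not in members:
            return set()                     # ingress filtering: not a member, drop
        out = members - {ingress}            # never send back out the ingress port
        if ingress in self.isolated:
            out -= self.isolated             # isolated ports cannot reach each other
        return out


def build(isolate):
    """Customer VLAN tagged on ports 1-4; optionally isolate the AP-facing ports."""
    members = {CUSTOMER_VLAN: {UPLINK} | AP_PORTS}
    return Switch(members, set(AP_PORTS) if isolate else set())


def dhcp_exposure(sw, client_port, vlan):
    """AP-facing ports that see a client's DHCP broadcast, i.e. the places
    where another customer's misplugged router LAN port could answer it."""
    return sw.egress_ports(client_port, vlan) & AP_PORTS


if __name__ == "__main__":
    for label, sw in (("plain VLAN", build(False)), ("isolated", build(True))):
        print(label,
              "| flood from port 2:", sorted(sw.egress_ports(2, CUSTOMER_VLAN)),
              "| exposed AP ports:", sorted(dhcp_exposure(sw, 2, CUSTOMER_VLAN)))
```

With isolation on, traffic from the uplink still reaches every AP port, so the router's own DHCP service keeps working while customer-to-customer flooding stops.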

Re: Port Isolation

Posted: Thu Nov 06, 2014 11:23 pm
by sirhc
Port isolation is called 802.11QinQ or PVLAN, which our switch core does support, but we have not yet implemented it into the firmware. It is planned to be at some point. mhoppes just asked about this earlier today on the forums.

Currently we support 802.1Q known as VLAN, pretty much the exact same VLAN ability as the Ubiquiti ToughSwitch.

Currently, if you have a port set as U or un-tag, we are not accepting or are filtering out ingress tagged packets, and it strips the VLAN tag on packets as they egress that port.

We wanted to get the switch out there and most WISPs do not use PVLANs or 802.1QinQ, plus we want to come up with a simple interface for PVLANs as most switch UIs are complex in this area.

Re: Port Isolation

Posted: Fri Nov 07, 2014 7:51 am
by adairw
I don't think Q in Q and PVLAN/Port isolation are the same thing. However, I'm glad to hear that the switch may support it in the future.
Just so there is no confusion, here is what I am talking about. http://en.wikipedia.org/wiki/Private_VLAN
Here is how TP-Link does it. http://www.tp-link.us/article/?faqid=525
It was the only quick example I could find with someone doing it from a web interface.
If I had this feature, I would literally buy 10 WS switches right now. :)

Thanks Chris, yer doing all the good. Just trying to get ideas out there.

Re: Port Isolation

Posted: Wed Jan 07, 2015 12:02 pm
by mike99
I would also like to see this feature on Netonix.
In combination with client isolation on the AP, it would make it impossible to sniff other members of the same VLAN with antenna in bridge mode, so no need for PPPoE. For neighbors that want to communicate together, you put ARP proxy and Layer3+ are still working. That would be a nice option for those who don't want to add the PPPoE overhead to their network.

Re: Port Isolation

Posted: Wed Jan 07, 2015 12:18 pm
by lligetfa
sirhc wrote: Currently we support 802.1Q known as VLAN, pretty much the exact same VLAN ability as the Ubiquiti ToughSwitch.

At this point, the TS may no longer be the yardstick for comparison since the ES is maturing. I read that Ubiquiti has this feature now called Protected Ports.

Re: Port Isolation

Posted: Wed Jan 07, 2015 2:05 pm
by sirhc
QnQ will eventually be done but is not on the "immediate" road map.
We will soon be putting what Ubiquiti "improperly" calls a "Trunk Port" so that the VLAN ability of the WISP Switch is in line with the ToughSwitch ability, but in reality the best way to describe what they call "Trunk" port is "Allow all VLANs".

Yes the WISP Switch is essentially capable of every feature the Edge Switch does EXCEPT Static Routes but I did not feel that was needed for WISPs so I did not get a switch core chip that did that but rather spent the money in different areas like current sensors and higher operating temperature components.

We do NOT intend to implement all these features as it makes for a Switch UI that drives like a Mack Truck in my opinion. We will slowly add more features that our Forum members request so long as they are not a feature that 1 in 100 people will use so that we can keep the UI simple.

We do plan to do a Layer 4 Switch capable of OSPF, BGP, and other high level routing protocols, but with an interface designed for the WISP industry only, not every IT profession, so the UI is kept simple. That way there would be no need for a router at every tower, but that is the future, so let's talk about the present and near future.

There is a thread called "Firmware Road Map" which is the feature sets we are currently working towards.

Re: Port Isolation

Posted: Fri Jan 09, 2015 3:05 am
by adairw
Let's be clear. QinQ is not protected ports, if that's what you're referring to.
I really want to see true protected ports or port isolation/vlan isolation. :)

Re: Port Isolation

Posted: Tue Jan 13, 2015 12:54 am
by TheHox
I as well would be excited to see Private VLANs/port isolation as well.

Re: Port Isolation

Posted: Tue Jan 13, 2015 1:52 am
by sirhc
ctak99 wrote: I as well would be excited to see Private VLANs/port isolation as well.


In the works

Re: Port Isolation

Posted: Tue Jul 11, 2017 11:25 am
by anvilcom
Using a WS-8-150-DC with FW 1.4.8rc7. On the Ports tab, there is a column near the end of the row labeled "Iso". When the mouse is floated over the column heading, a popup appears with "Enable Port Isolation".

Does this checkbox enable real port isolation, or is it not implemented yet? Can you explain the current behavior of this feature?