Port Isolation

adairw
Associate
Posts: 465
Joined: Wed Nov 05, 2014 11:47 pm
Location: Amarillo, TX
Has thanked: 98 times
Been thanked: 132 times

Port Isolation

Thu Nov 06, 2014 11:00 pm

Hello,
I've been told twice that the WS supports some form of port isolation. It clearly does not, at least from what I can tell.

Let's say, for example, I have port 1 connected to my router, running both tagged and untagged VLANs.

Let's say I have three APs connected to ports 2, 3 & 4 on the WS, trunked back to my router, using VLANs 9, 8 & 7 (every AP in its own network). Fine.

Now let's say I have VLANs my customer traffic rides in. The CPE is immaterial, just assume it's tagging a VLAN up to the AP to get its public IP. (see attached image)

The problem I have is the three customer VLANs are now in what is basically a four port switch between ports 1-4. So IF a customer on port 4 had their CPE in bridge mode and plugged in to their router's LAN port, a customer on port 2 requesting DHCP might get an address from the customer on port 4.
I want to be able to tell the tagged VLANs on ports 2, 3 & 4 they can only talk to port 1 and not to each other.
I do this now using split horizon bridging on MikroTik and it works awesome.

All this said.... I'm getting to be less worried about this feature since all new customer CPEs go into router mode instead of bridge mode. Additionally, with this setup at least it would be isolated to the one tower/switch because my VPLS tunnels from the tower router to the core will still have SPB running. But I think for WISP this would be an awesome feature and will prove to be very useful. I'm not sure it's going to be easy to add and keep the "simple" theme or not though. I'd be happy if I could enable it from the CLI even.

Thanks for taking the time to read this lengthy post. I'm very hopeful and excited about these switches.
Attachment: WS VLAN Config.PNG
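
The failure described in the post above, and the isolation rule it asks for, as an added Python model (not part of the original post and not a description of Netonix firmware). The customer VLAN ID 100 and the `Port`/`Switch` names are assumptions made for the example; ports and AP VLANs 9, 8 and 7 follow the post.

```python
"""Toy model of one switch's flooding decision, with and without isolated ports."""
from dataclasses import dataclass


@dataclass
class Port:
    number: int
    vlans: frozenset          # VLAN IDs carried on this port
    isolated: bool = False    # isolated ports only exchange frames with non-isolated ports


class Switch:
    def __init__(self, ports):
        self.ports = {p.number: p for p in ports}

    def flood(self, ingress, vlan):
        """Ports a broadcast frame entering `ingress` on `vlan` is sent out of."""
        src = self.ports[ingress]
        if vlan not in src.vlans:
            return []  # ingress filtering: VLAN is not carried on this port
        out = []
        for p in self.ports.values():
            if p.number == ingress or vlan not in p.vlans:
                continue
            if src.isolated and p.isolated:
                continue  # isolated-to-isolated forwarding is blocked
            out.append(p.number)
        return sorted(out)

    def dhcp_responders(self, client_port, vlan, servers):
        """Server ports that hear the DISCOVER and whose OFFER can reach the client."""
        heard = set(self.flood(client_port, vlan))
        return sorted(s for s in servers
                      if s in heard and client_port in self.flood(s, vlan))


CUSTOMER_VLAN = 100  # constructed value; the post does not give the customer VLAN ID
SERVERS = [1, 4]     # 1 = DHCP behind the router, 4 = bridged CPE on a customer router's LAN port


def build(isolate):
    return Switch([
        Port(1, frozenset({7, 8, 9, CUSTOMER_VLAN})),              # uplink to the router
        Port(2, frozenset({9, CUSTOMER_VLAN}), isolated=isolate),  # AP ports
        Port(3, frozenset({8, CUSTOMER_VLAN}), isolated=isolate),
        Port(4, frozenset({7, CUSTOMER_VLAN}), isolated=isolate),
    ])


def compare():
    """DHCP servers a client on port 2 can get an address from, per isolation setting."""
    return {flag: build(flag).dhcp_responders(2, CUSTOMER_VLAN, SERVERS)
            for flag in (False, True)}
```

With isolation off, the client on port 2 can be answered from port 4 as well as port 1; with ports 2-4 isolated, only the uplink can answer, while traffic from port 1 still reaches every AP port.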

sirhc
Employee
Posts: 7415
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Port Isolation

Thu Nov 06, 2014 11:23 pm

Port isolation is called 802.1QinQ or PVLAN, which our switch core does support, but we have not yet implemented it into the firmware, but it is planned to be at some point. mhoppes just asked about this earlier today on the forums.

Currently we support 802.1Q known as VLAN, pretty much the exact same VLAN ability as the Ubiquiti ToughSwitch.

Currently, if you have a port set as U or un-tag, we do not accept, or filter out, ingress tagged packets, and it strips the VLAN tag on packets as they egress that port.

We wanted to get the switch out there and most WISPs do not use PVLANs or 802.1QinQ, plus we want to come up with a simple interface for PVLANs as most switch UIs are complex in this area.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

adairw

Re: Port Isolation

Fri Nov 07, 2014 7:51 am

I don't think Q in Q and PVLAN/Port isolation are the same thing. However, I'm glad to hear that the switch may support it in the future.
Just so there is no confusion, here is what I am talking about. http://en.wikipedia.org/wiki/Private_VLAN
Here is how TP-Link does it. http://www.tp-link.us/article/?faqid=525
It was the only quick example I could find with someone doing it from a web interface.
If I had this feature, I would literally buy 10 WS switches right now. :)

Thanks Chris, yer doing all the good. Just trying to get ideas out there.

mike99
Associate
Posts: 837
Joined: Tue Nov 25, 2014 10:53 am
Location: Quebec, Canada
Has thanked: 95 times
Been thanked: 245 times

Re: Port Isolation

Wed Jan 07, 2015 12:02 pm

I would also like to see this feature on Netonix.
In combination with client isolation on the AP, it would make it impossible to sniff other members of the same VLAN with antenna in bridge mode, so no need for PPPoE. For neighbors that want to communicate together, you put in ARP proxy and Layer 3+ is still working. That would be a nice option for those who don't want to add the PPPoE overhead to their network.

lligetfa
Associate
Posts: 1191
Joined: Sun Aug 03, 2014 12:12 pm
Location: Fort Frances Ont. Canada
Has thanked: 307 times
Been thanked: 381 times

Re: Port Isolation

Wed Jan 07, 2015 12:18 pm

sirhc wrote: Currently we support 802.1Q known as VLAN, pretty much the exact same VLAN ability as the Ubiquiti ToughSwitch.

At this point, the TS may no longer be the yardstick for comparison since the ES is maturing. I read that Ubiquiti has this feature now called Protected Ports.

sirhc

Re: Port Isolation

Wed Jan 07, 2015 2:05 pm

QinQ will eventually be done but is not on the "immediate" road map.
We will soon be putting in what Ubiquiti "improperly" calls a "Trunk Port" so that the VLAN ability of the WISP Switch is in line with the ToughSwitch ability, but in reality the best way to describe what they call a "Trunk" port is "Allow all VLANs".

Yes, the WISP Switch is essentially capable of every feature the Edge Switch does EXCEPT Static Routes, but I did not feel that was needed for WISPs, so I did not get a switch core chip that did that but rather spent the money in different areas like current sensors and higher operating temperature components.

We do NOT intend to implement all these features as it makes for a Switch UI that drives like a Mack Truck, in my opinion. We will slowly add more features that our Forum members request, so long as they are not a feature that 1 in 100 people will use, so that we can keep the UI simple.

We do plan to do a Layer 4 Switch capable of OSPF, BGP, and other high level routing protocols, but with an interface designed for the WISP industry only, not every IT profession, so the UI is kept simple. That way there would be no need for a router at every tower, but that is the future, so let's talk about the present and near future.

There is a thread called "Firmware Road Map" which is the feature sets we are currently working towards.

adairw

Re: Port Isolation

Fri Jan 09, 2015 3:05 am

Let's be clear. QinQ is not protected ports, if that's what you're referring to.
I really want to see true protected ports or port isolation/VLAN isolation. :)

TheHox
Experienced Member
 
Posts: 107
Joined: Sat Sep 13, 2014 10:59 am
Location: WI
Has thanked: 11 times
Been thanked: 18 times

Re: Port Isolation

Tue Jan 13, 2015 12:54 am

I as well would be excited to see Private VLANs/port isolation as well.

sirhc

Re: Port Isolation

Tue Jan 13, 2015 1:52 am

ctak99 wrote: I as well would be excited to see Private VLANs/port isolation as well.


In the works

anvilcom
Member
 
Posts: 22
Joined: Wed May 13, 2015 5:28 pm
Location: Texas
Has thanked: 0 time
Been thanked: 2 times

Re: Port Isolation

Tue Jul 11, 2017 11:25 am

Using a WS-8-150-DC with FW 1.4.8rc7. On the Ports tab, there is a column near the end of the row labeled "Iso". When the mouse is floated over the column heading, a popup appears with "Enable Port Isolation".

Does this checkbox enable real port isolation, or is it not implemented yet? Can you explain the current behavior of this feature?
