40+ VLANs for user isolation ?

jpoldoian
Level 1

I need to construct a wired network that achieves only two purposes: a) allows 40+ users to access the Internet only; b) establishes user isolation, preventing any user from viewing the files of other users. There is no LAN-to-LAN communication. My initial thought is to use VLANs or ACLs for user isolation. But which 24-port switches and router will support this many VLANs/ACLs? I need to avoid Enterprise products to minimize cost. The network does not have a server, and computer MAC addresses frequently change. I already have SLM224G smart switches, if they can be used.


6 Replies

David Carr
Level 6

Unfortunately, there is no small business router that supports 40 VLANs. Most of our devices will support up to 4 VLANs, and the SA500 series routers will support up to 16 VLANs. It seems you will need an enterprise solution for the VLANs you're wanting to utilize. If you created everyone on a flat network and created ACLs you might accomplish this; however, it will cause a lot of overhead per packet checking against ACLs. The best and easiest way to set this up would be to get a layer 3 switch and create a static route to an enterprise router with routes back to the switch for each network. And in the router make sure inter-VLAN routing is disabled; that way each VLAN/network will be separated by the switch and allowed through the router without being checked by 100 ACLs. Hope this helps you out.

Thanks for the response. I'm very disappointed to hear Cisco SB products can't handle my problem. Netgear informed me that all of their smart switches will solve the problem because they handle 255 VLANs on a 24-port switch. ACLs, while available, are not needed. Their FS726T smart switch was recommended as it is priced under $200. Gee, why would I want to spend thousands of $ on an enterprise solution when $200 solves it? I'm perplexed why Cisco SB is not competitive in this market. Due to today's security concerns, user isolation is a very common networking problem. As a systems integrator, we have over 25 similar applications.

Hi

You are dead right, but we have a simpler way of achieving what you want, without configuring 48 VLANs but still leaving all the end users within the same VLAN for easy administration.

The new SF/SG 300 series can quickly do what you want. The old term for it was Private VLAN Edge (PVE); the new term, on this range of low cost products, is Protected Port. I have copied a link to the product comparison page below so you can see the extensive range of products that we offer that can perform that task. But every managed Small Business switch has that functionality.

http://www.cisco.com/en/US/products/ps10898/prod_models_comparison.html

Here's how protected ports or PVE work on this switch family (taken from the Admin guide):

  • Protected Port: A protected port is also referred to as a Private VLAN Edge (PVE). The characteristics of a protected port are as follows:
  • Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same broadcast domain (VLAN).
  • Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
  • Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
  • Both ports and LAGs can be defined as protected or unprotected.

So where can protected ports or PVE be used? As an example:

  1. students in a dorm, or
  2. Multiple Dwelling Units (MDU)
  3. to reduce broadcast storm damage by limiting the broadcast storm traffic to a single switch port and uplink. Makes diagnosis pretty easy.

Here's a screen capture below, taken from SKU ordering p/n SRW248G4P-K9-NA.

Note also that I am managing this device via IPv6.

Cool stuff.  It took me longer to write this post than configure the settings.

regards Dave

Mr. Horstein, you are a hero

Our company's market is MDU applications, so PVE sounds perfect! So if I buy/configure 3 SF300 switches using PVE and connect each uplink port to a different VLAN port on a Cisco RV082 router, will we have total isolation? Or will inter-LAN communication occur at the router since there's only one DHCP server providing a single subnet? Is anything special needed at the router level?

Hi

No, nothing to be done at the RV082 level. It's sorta like having layer 2 filtering rules built in for each switch port.

So, even at the routing level at layer 3, the packets might hit the ingress port of the switch from the router; the switch says "Oh oh, you want to go from switch port 1's host MAC address to switch port 2's host MAC address? That's a no-no."

A PVE setup is like having 48 separate Layer 2 untagged VLANs terminating at the untagged uplink port.

So OK, it won't take long to test. Hang in there, and I'll test the functionality.

OK here we go.

I am using a UC520 Integrated Services Router as my layer 3 WAN router. My WAN router's ethernet expansion port is connected to switch port G4 of the SRW248G4P-K9-NA. As you can see from a screen capture below, this is a PoE switch; you probably don't need the PoE version.

I plugged two IP hosts into the switch:

Host PC 1 = 192.168.10.61  in switch port e31

Host PC 2 = 192.168.10.14  in switch port e37

I had a third host plugged into the ISR router switch port, so this Host is on the router and not the switch.

Host PC 3 = 192.168.10.13  on switch port 0/1/0 of UC520

Host 3, which is outside the switch, could always ping Host 1 and Host 2.

Host 1 could ping Host 2 and 3 before I enabled protection on switch ports 1 to 48.

I left the four uplink ports unprotected.

After I protected switch ports 1-48, as you would expect:

Host 1 could NOT ping Host 2

Host 2 could NOT ping Host 1

Host 1 and Host 2 could ping Host 3. What follows is the splash screen on my switch so you can see the active ports.

My system was quickly configured via the GUI, but I copied the relevant section off the running config and have pasted it below:

interface range ethernet e(1-48)
 switchport protected-port
exit
interface vlan 1
 ipv6 enable no-autoconfig
 ipv6 address 2001:1:1:1::224/64
exit
interface vlan 1
 ip address 192.168.10.223 255.255.255.0
exit
ip default-gateway 192.168.10.1

It stops dead the protected ports from communicating with other protected ports in both a Layer 2 and a Layer 3 environment.

It's Saturday here in Raleigh NC, I gotta get out and pretend to do some gardening.

regards Dave
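As an added illustration (not part of the thread, and not Cisco's code), here is a small Python model of the admin-guide rule quoted above ("packets received from protected ports can be forwarded only to unprotected egress ports"), replayed against the test topology Dave described: e1-e48 protected, the four uplinks left unprotected, Host 1 on e31, Host 2 on e37, and Host 3 reached through uplink G4. The MAC labels ("host1", "router") and the single VLAN 1 are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Toy L2 switch: one forwarding table plus the protected-port filter."""
    vlan_of: dict          # port -> VLAN id
    protected: set         # ports configured with "switchport protected-port"
    mac_table: dict = field(default_factory=dict)  # learned MAC -> port

    def learn(self, mac, port):
        self.mac_table[mac] = port

    def egress_ports(self, ingress, dst_mac):
        """Ports a frame entering on `ingress` for `dst_mac` may leave on."""
        vlan = self.vlan_of[ingress]
        known = self.mac_table.get(dst_mac)
        if known is not None:
            # known unicast: forward only if the learned port shares the VLAN
            candidates = {known} if self.vlan_of[known] == vlan else set()
        else:
            # unknown unicast / broadcast: flood within the VLAN
            candidates = {p for p, v in self.vlan_of.items()
                          if v == vlan and p != ingress}
        if ingress in self.protected:
            # the PVE rule: a protected ingress may reach unprotected egress only
            candidates = {p for p in candidates if p not in self.protected}
        return candidates


def build_test_switch(protect_access_ports=True):
    """Constructed replica of the 48-port test: all ports in VLAN 1."""
    ports = {f"e{i}": 1 for i in range(1, 49)}
    ports.update({f"g{i}": 1 for i in range(1, 5)})   # uplinks, never protected
    prot = {f"e{i}" for i in range(1, 49)} if protect_access_ports else set()
    sw = Switch(vlan_of=ports, protected=prot)
    sw.learn("host1", "e31")      # Host PC 1
    sw.learn("host2", "e37")      # Host PC 2
    sw.learn("host3", "g4")       # Host PC 3 sits behind the router on G4
    sw.learn("router", "g4")
    return sw


def can_reach(sw, src_port, dst_mac):
    """True if at least one egress port survives the filter."""
    return bool(sw.egress_ports(src_port, dst_mac))
```

The model also shows why the uplink must stay unprotected: a frame arriving from the router on G4 is still delivered to a protected host, and an unknown-destination flood from a protected port leaks only to the uplinks, never to the other access ports.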

This solution exceeds my expectations. I will cancel the order for 3 Netgear boxes and place an order for 3 FS300-24s.

While thrilled to receive a positive answer, it's very disappointing that the 6 engineers contacted at SB support didn't know about the Private VLAN Edge or Protected Port capability of the SF300 series products. Each time they were pressed for an answer, the recommendation was to buy an Enterprise product for $$$$. More training is obviously needed.