
Author Topic: BayStack 5520-24T-PWR private vlan (port isolation)  (Read 3675 times)


marekm
BayStack 5520-24T-PWR private vlan (port isolation)
« on: November 20, 2014, 07:11:30 PM »
I'm looking for how to isolate a group of ports so they don't see each other, but see everything else.
It would be nice if it works with tagged VLANs as well.  Some newer switches allow setting up a matrix (with rows and columns for each port) to specify from/to which ports traffic can be forwarded, others allow specifying a list of protected ports to block traffic between them (all non-protected ports are uplink ports).

I've found the "Private VLAN Edge Technical Configuration Guide":
http://downloads.avaya.com/css/P8/documents/100123893
but it only shows how to force traffic from a group of ports to just one specific egress port.
Is there a way to block traffic only if both ingress and egress are in a group (say, ports 1-8), and allow otherwise?

BTW, does anyone know what the cost of the cheapest possible service contract is to be able to download the latest (currently v6.3.4) firmware?  My switches were purchased at an auction site from a company that recycles old hardware; they appear to work fine but came with very old 5.x firmware.
Some time ago I tried to contact an Avaya representative in my country via a web form, but got no response at all - either they don't care, or they already know I can't afford it ;-).
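The two isolation styles described in the post (a list of protected ports, where a frame is dropped only when both ingress and egress are in the group, versus a per-port forwarding matrix) can be modelled and audited in a few lines. This is an added example, not code from the post or from Avaya, and it does not reproduce any BayStack CLI; the port numbers, VLAN IDs and function names are hypothetical.

```python
"""Model of L2 port isolation: protected-port set vs. forwarding matrix.

Added illustration (not from the original post or any Avaya/BayStack firmware).
Ports 1-24 and VLAN IDs below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ingress: int
    egress: int
    vlan: Optional[int] = None  # None = untagged / native VLAN


@dataclass
class IsolationPolicy:
    # Protected-port style: drop only when BOTH ports are in the set.
    protected: FrozenSet[int] = frozenset()
    # Optional per-VLAN override for tagged traffic: VLAN id -> protected set.
    protected_per_vlan: Dict[int, FrozenSet[int]] = field(default_factory=dict)
    # Matrix style: ingress port -> set of egress ports it may forward to.
    # Ports absent from the matrix are unrestricted by it.
    matrix: Dict[int, FrozenSet[int]] = field(default_factory=dict)

    def _protected_set(self, vlan: Optional[int]) -> FrozenSet[int]:
        if vlan is not None and vlan in self.protected_per_vlan:
            return self.protected_per_vlan[vlan]
        return self.protected

    def allows(self, frame: Frame) -> bool:
        """Forwarding decision for one frame under both rule styles."""
        if frame.ingress == frame.egress:
            return False  # a switch never forwards a frame back out its ingress port
        if frame.ingress in self.matrix and frame.egress not in self.matrix[frame.ingress]:
            return False
        prot = self._protected_set(frame.vlan)
        return not (frame.ingress in prot and frame.egress in prot)


def matrix_for_protected(ports: Iterable[int], protected: FrozenSet[int]) -> Dict[int, FrozenSet[int]]:
    """Express a protected-port set as the equivalent forwarding matrix."""
    ports = list(ports)
    return {
        p: frozenset(q for q in ports if q != p and not (p in protected and q in protected))
        for p in ports
    }


def verify_isolation(policy: IsolationPolicy, protected: Iterable[int],
                     uplinks: Iterable[int], vlan: Optional[int] = None
                     ) -> List[Tuple[int, int, str]]:
    """Audit the intended property: no protected<->protected forwarding, and
    every protected port reaches every uplink in both directions.
    Returns (ingress, egress, 'leak'|'blocked') for each violation."""
    protected, uplinks = list(protected), list(uplinks)
    violations = []
    for a in protected:
        for b in protected:
            if a != b and policy.allows(Frame(a, b, vlan)):
                violations.append((a, b, "leak"))
        for u in uplinks:
            if not policy.allows(Frame(a, u, vlan)):
                violations.append((a, u, "blocked"))
            if not policy.allows(Frame(u, a, vlan)):
                violations.append((u, a, "blocked"))
    return violations


if __name__ == "__main__":
    # Hypothetical 24-port switch: ports 1-8 are customer APs, 23-24 are uplinks.
    pol = IsolationPolicy(protected=frozenset(range(1, 9)))
    print("1->2 allowed:", pol.allows(Frame(1, 2)))      # False
    print("1->24 allowed:", pol.allows(Frame(1, 24)))    # True
    print("violations:", verify_isolation(pol, range(1, 9), [23, 24]))
```

`verify_isolation` is the check to run after any change: an empty list means the group is mutually isolated yet still reaches the uplinks. The per-VLAN override shows how isolation can be scoped to a tagged VLAN when the same ports also carry a VLAN that should not be isolated.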


marekm
Re: BayStack 5520-24T-PWR private vlan (port isolation)
« Reply #1 on: November 28, 2014, 03:54:56 PM »
I'm sorry, but I don't understand these responses. What do you both mean? Could you be more specific?  Thanks.

TankII
Re: BayStack 5520-24T-PWR private vlan (port isolation)
« Reply #2 on: December 01, 2014, 05:41:01 PM »
There appear to be a bunch of jokers showing up on the board; ignore them.

On your version of code, you could build separate VLANs and assign ports to them.  Then you can create a policy that handles the traffic flow between the VLANs.
With 6.3.x code, you can create separate VRFs on the switches.
We have started testing scenarios like this, but have not gotten too far as we are finishing up the last of our analog lines in our VoIP conversion.

TankII

marekm
Re: BayStack 5520-24T-PWR private vlan (port isolation)
« Reply #3 on: December 02, 2014, 08:41:17 PM »
Thanks, running 6.3.x now so I'll look into VRF - it's new to me, does it apply to an L2 setup (I'm doing L3 with a mix of MikroTik for PPPoE and Vyatta for BGP, with OSPF between them)?  Running a small local WISP in rural area for 400+ customers, six 60deg sectors with UBNT RocketM5-Ti APs which I'd like to isolate from each other (extending their built-in L2 isolation to work between different sectors too) as all customers' traffic is PPPoE going through the server.

TankII
Re: BayStack 5520-24T-PWR private vlan (port isolation)
« Reply #4 on: December 04, 2014, 10:00:57 AM »
If you build each connection as a /30, VLAN'd through to the ports as required, you would require routing to have each customer talk with each other.  Assuming, of course, they have the appropriate router hardware on their side to accept the one IP address.
If everything is PPPoE as you state, then the client connections have to hit the PPPoE server/appliance to route to the Internet after they establish local IP addresses.  I would use 172.x.x.x IPs to prevent the non-PPPoE connections from attempting to hit the Internet, just in case they do try to punch through your PPPoE server.  Your performance bottleneck in any case would be the PPPoE device.

VRF will allow you to build a virtual router platform on the box, so you can isolate by more than just VLANs.  To get the two sides to talk to each other, you will probably need an external router/firewall connected to each VRF physically.  It's a great way to build multiple Multicast domains, but might be overkill unless you are that concerned with isolation techniques.  Most VLANning should work for your needs from what I read from your last post.  Maybe a Visio or even a scanned paper drawing would help.
TankII