Port Isolation
Posted: Wed Feb 21, 2018 5:14 pm
by LRL
Quick question on the intended functionality of port isolation. We presently have several customers who will install a CPE router with OSPF enabled and then install multiple CPEs and connect them to multiple towers to provide redundancy and failover using OSPF. As we begin to implement larger layer 2 bridges at our towers, we've been making use of port isolation more and more. We put all APs at a specific tower on the same VLAN and then just isolate the ports between the APs so that the APs and their customers can't talk to one another.
The problem that we're running into is that because port isolation is checked for the ports to the APs and not to the router, it's still blocking the broadcast OSPF updates from the router. As a result, we end up with CPE routers with adjacencies formed but no updates to the routing tables. The short question is: should port isolation block broadcast traffic between isolated ports and non-isolated ports, such as in this case?
Re: Port Isolation
Posted: Wed Feb 21, 2018 5:24 pm
by sirhc
Not sure that feature allows granularity; remember, we simply turn features on and off from the core. If it does allow granularity, then we would need to allow configuration, as most times people want all traffic blocked from isolated ports to protect against MC and broadcast packets, would they not?
Re: Port Isolation
Posted: Wed Feb 21, 2018 6:04 pm
by LRL
Indeed, I think you would want traffic blocked between ports that are isolated, but not between isolated ports and ports that are not isolated.
For instance, having an AP in client isolation does not prohibit OSPF from working in this fashion.
Re: Port Isolation
Posted: Wed Feb 21, 2018 6:53 pm
by sirhc
LRL wrote: Indeed, I think you would want traffic blocked between ports that are isolated, but not between isolated ports and ports that are not isolated.
For instance, having an AP in client isolation does not prohibit OSPF from working in this fashion.
I think that is how it works now?
If, say, port 2 is isolated but port 1 is not, port 1 will talk to port 2 and allow BPDU and MC packets to pass?
Either way Stephen is working on getting up to speed, hopefully in a couple months and if this can be done I would ask him to do it.
Eric is splitting his time between WS and WS2 firmware for now but will lease WS and Manager to Stephen sometime this early summer.
Re: Port Isolation
Posted: Wed Feb 21, 2018 7:14 pm
by LRL
Not presently. There appear to be some multicast/broadcast traffic issues between the two ports. I have not had time to fully investigate, but before I dive into it I wanted to make sure what the intended function was.
Re: Port Isolation
Posted: Thu Feb 22, 2018 12:45 pm
by mike99
Make sure the OSPF DR device is without isolation. If you didn't set DR priority, the DR will be the one with the highest IP address, so often a customer device.
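
The forwarding rule LRL describes, combined with mike99's DR advice, modelled as an added example that is not part of any post in this thread and is not the switch firmware's logic: a flooded frame is dropped only when both the ingress and the egress port are isolated. The port names and the placement of OSPF speakers are constructed for illustration.

```python
# Model of the intended port-isolation semantics from the thread:
# isolated <-> isolated is blocked, isolated <-> non-isolated is allowed.
# All port names below are constructed sample data.

PORTS = {"uplink", "ap1", "ap2", "ap3"}   # uplink = port to the tower router
ISOLATED = {"ap1", "ap2", "ap3"}          # AP-facing ports with isolation checked
OSPF_PORTS = ["uplink", "ap1", "ap2"]     # ports with an OSPF router behind them


def egress_ports(ingress, ports, isolated):
    """Ports a broadcast/multicast frame arriving on `ingress` is flooded to."""
    return {
        p for p in ports
        if p != ingress and not (ingress in isolated and p in isolated)
    }


def can_exchange(a, b, ports, isolated):
    """True if frames flow in both directions between ports a and b."""
    return b in egress_ports(a, ports, isolated) and a in egress_ports(b, ports, isolated)


def cut_off_from_dr(dr_port, ospf_ports, ports, isolated):
    """OSPF speakers that cannot exchange frames with the DR's port.

    Any port listed here cannot synchronise its database with the DR,
    which is the situation mike99's advice is meant to avoid.
    """
    return sorted(
        p for p in ospf_ports
        if p != dr_port and not can_exchange(dr_port, p, ports, isolated)
    )


if __name__ == "__main__":
    # Router hellos/updates from the uplink should reach every AP port.
    print("from uplink:", sorted(egress_ports("uplink", PORTS, ISOLATED)))
    # An AP port only reaches the uplink, never another AP port.
    print("from ap1:   ", sorted(egress_ports("ap1", PORTS, ISOLATED)))
    # DR on the non-isolated uplink: nobody is cut off.
    print("DR=uplink cut off:", cut_off_from_dr("uplink", OSPF_PORTS, PORTS, ISOLATED))
    # DR elected on a customer device behind an isolated port: ap2 is cut off.
    print("DR=ap1 cut off:   ", cut_off_from_dr("ap1", OSPF_PORTS, PORTS, ISOLATED))
```
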