Is port isolation the answer?

nelson05
Member
 
Posts: 47
Joined: Mon Nov 03, 2014 2:35 am
Location: Springville, CA
Has thanked: 11 times
Been thanked: 11 times

Is port isolation the answer?

Tue Feb 17, 2015 12:00 am

We are trying to set up a new WISP Switch and consolidate multiple switches (Tough Switches) in the process.

However, because of the way we have things set up through a Netequalizer (a bandwidth shaper that is essentially a transparent bridge with two Ethernet interfaces), we have had to use two separate switches to make everything work. The Netequalizer bridges all of the traffic from our internal network and connects it to our 'Internet' feed, managing our bandwidth in the process.

Basically we have one VLAN (1) that is untagged as well as several other tagged VLANs (100, 120, 140, 160) that flow through two separate switches. We use an EdgeRouter Pro for our Internet-facing router, which has its internal LAN interface (eth0 configured with VLAN 1 untagged; 100, 120, 140, and 160 tagged) connected to port 1 on a ToughSwitch, which has the same configuration (VLAN 1 untagged; 100, 120, 140, and 160 tagged), while port 2 has the same configuration (VLAN 1 untagged; 100, 120, 140, and 160 tagged) and is connected to the 'External' port on the Netequalizer. The 'Internal' port on the Netequalizer is connected to another ToughSwitch entirely with the same VLAN config I have referenced on every port (VLAN 1 untagged; 100, 120, 140, and 160 tagged), while port 2 on this ToughSwitch is configured identically (VLAN 1 untagged; 100, 120, 140, and 160 tagged) with an AirFiber plugged into it, which then backhauls the VLANs to another WISPSwitch on a port that has the same VLAN configuration (VLAN 1 untagged; 100, 120, 140, and 160 tagged). The WISPSwitch at the other end of the AirFiber link breaks out the VLANs and connects them to the respective Access Points so that VLAN 120 breaks out untagged on Port 5. The Netequalizer has proven to sometimes be finicky in linking up with the AirFiber and the EdgeRouter directly, which is why we have had the ToughSwitches in between.

I was thinking I could basically just set two ports in their own 'Untagged' VLAN (VLAN 500 for example) that wouldn't be shared with any other ports to eliminate the need for another switch with just two devices plugged in (the LAN port on the EdgeRouter and the 'External' port on the Netequalizer) along with the tagged VLANs, but I keep going around and around in seeing a loop being created and the WISPSwitch not knowing the direction packets should flow (through the Netequalizer).

I realize I probably could do a better job in explaining but am hoping Port Isolation would allow this to work. Am I on the right track?

sirhc
Employee
 
Posts: 7415
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Is port isolation the answer?

Tue Feb 17, 2015 12:12 am

I will have Rory work with you tomorrow on this for you.

Rory
 

Re: Is port isolation the answer?

Tue Feb 17, 2015 11:32 am

First, I would like to apologize if I am not understanding your setup 100%. It can be a little confusing to envision this type of stuff from a text description, so please bear with me if I'm off in left field somewhere.

The problem here is the VLAN tagging. If everything passing through your U U VLAN was untagged, it would work no problem. As you are passing tagged VLANs, really the only way to do this AFAIK would be to use QinQ. If we encapsulated your other VLAN traffic inside another VLAN, and that outer VLAN was different on the two sets of ports, things would flow normally. Without that you would get packets being forwarded out the port that is closest to their destination; in my opinion the largest issue would be the traffic flow bypassing your Bandwidth appliance altogether.

I'm not sure that port isolation will work in this application. Port isolation disallows communication between ports in a VLAN; I'm not sure that I can envision a setup where that would be useful in regards to your configuration. I can see how it would kinda work with traffic flowing in one direction, but it would fail in the reverse. Maybe I'm not envisioning that properly, but I'm almost 100% sure that isolation isn't the solution for this specific scenario.

If we did not have all that tagged traffic we could make this work as well. If, for the sake of argument, we could allow the traffic between the Net Equalizer and the Edge Router to be completely untagged, I could suggest a setup that would work right now (it's basically what you suggested in your initial post). If you HAVE to have your traffic tagged, the only way I can envision this working is with QinQ.

The good news is that the switch supports QinQ in a general sense. The bad news is that it is not implemented in our current firmware. I do not have a concrete time-frame on adding that feature, but I am 100% certain that it is on the horizon.
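
The forwarding behaviour discussed in the reply above, as an added example that is not part of the original thread and is not vendor code. It models which ports of a single switch share a forwarding domain under the two-port untagged VLAN proposal and under QinQ; the port names, the untagged VLAN 1 on the second pair and the outer VLAN 501 are assumptions made for illustration.

```python
# Added example: forwarding domains on ONE switch with the shaper bridged across it.
ROUTER, NEQ_EXT, NEQ_INT, AIRFIBER = "router", "neq_ext", "neq_int", "airfiber"
ALL_PORTS = {ROUTER, NEQ_EXT, NEQ_INT, AIRFIBER}
TAGGED = (100, 120, 140, 160)   # tagged VLANs named in the thread
UNTAGGED = None                 # a frame arriving without an 802.1Q tag

def untagged_pair_plus_tags(port, vlan):
    """Proposal from the first post: router-side pair untagged in VLAN 500,
    tagged VLANs still members on every port. PVID 1 on the other pair is assumed."""
    pvid = {ROUTER: 500, NEQ_EXT: 500, NEQ_INT: 1, AIRFIBER: 1}
    if vlan is UNTAGGED:
        return {p for p in ALL_PORTS if pvid[p] == pvid[port]}
    return set(ALL_PORTS) if vlan in TAGGED else set()

def qinq(port, vlan):
    """QinQ: the ingress port pushes an outer tag and the inner tag is not
    examined, so the domain depends only on the port. 500/501 are assumed."""
    outer = {ROUTER: 500, NEQ_EXT: 500, NEQ_INT: 501, AIRFIBER: 501}
    return {p for p in ALL_PORTS if outer[p] == outer[port]}

def analyse(domain_of, vlan):
    """Check the three outcomes that matter for an inline transparent bridge."""
    from_router = domain_of(ROUTER, vlan)
    return {
        # Router and backhaul share a domain: frames can skip the shaper.
        "bypasses_shaper": AIRFIBER in from_router,
        # Both shaper ports share a domain: the bridge closes a layer-2 loop.
        "bridge_loop": NEQ_INT in domain_of(NEQ_EXT, vlan),
        # A path router -> shaper -> backhaul exists at all.
        "path_via_shaper": NEQ_EXT in from_router
                           and AIRFIBER in domain_of(NEQ_INT, vlan),
    }

if __name__ == "__main__":
    configs = (("untagged pair + tags", untagged_pair_plus_tags), ("QinQ", qinq))
    for name, cfg in configs:
        for vlan in (UNTAGGED, 100):
            print(f"{name:22} vlan={vlan}: {analyse(cfg, vlan)}")
```
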

nelson05

Re: Is port isolation the answer?

Tue Feb 17, 2015 12:38 pm

Thank you for the detailed reply. The tagged VLANs were my concern as well and we actually had this setup working as described when we were not using VLANs. QinQ definitely sounds like the solution and am very glad to hear it is coming at some point. For the moment, we will continue to use two switches.

Thanks again for the help!

Rory
 

Re: Is port isolation the answer?

Tue Feb 17, 2015 3:44 pm

I'm always glad to provide any assistance I can. We will definitely be communicative about our future feature support once the timeline is more clearly defined.

Thank you for your understanding.
