arturportella
newbie
Topic Author
Posts: 46
Joined: Wed Oct 30, 2013 3:16 pm

CRS125-24G-1S - HOW TO VLAN BYPASS WITH PORT ISOLATION?

Wed Dec 09, 2015 9:22 pm

Hello guys! :D

I have created rules to isolate ports on the CRS in the following scenario:

FROM 1 to 8 -> UPLINK PORTS
FROM 9 TO 24 + SFP -> ISOLATED PORTS (they can see uplink ports but no traffic between them)

Well, my doubt is about port-to-port VLAN bypass. I have a group of isolated ports, so how can I allow (with those isolated ports), for example, VLAN ID 3500 to pass from eth10 to eth14 without being blocked by the port isolation rules?

The isolation was made by adding ethernet from 1 to 8 on isolation profile override 0 (promiscuous), and ethernet from 9 to 24 in isolation profile 1.

I want those ports (10 -> 14) to still isolate untagged traffic and allow VLAN 3500 to pass normally between them. Is this possible? Is there any way to do this?

Regards!

Artur Portella.

PS: Sorry for my bad grammar. (Brazil)
 
arturportella

Re: CRS125-24G-1S - HOW TO VLAN BYPASS WITH PORT ISOLATION?

Thu Dec 10, 2015 1:35 pm

Let me add some details, or just simplify my question :P

I want every interface from ether1 to ether8 to be uplink ports (they can see every interface of the switch), and from ether9 to ether24 + sfp1 to be isolated between them. But, what if I want to get untagged traffic accessing uplink ports and allow for example "VLAN10" to be an exception in this isolated port group? To be more specific, how can I do, for example, a VLAN with id 10 to go from "ether10" to "ether11" in the following scenario?

Here we go (my actual configuration):

/interface ethernet
set [ find default-name=ether1 ] comment=RESERVE master-port=ether2
set [ find default-name=ether2 ] comment="MANAGEMENT"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether12 ] master-port=ether2
set [ find default-name=ether13 ] master-port=ether2
set [ find default-name=ether14 ] master-port=ether2
set [ find default-name=ether15 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
set [ find default-name=ether17 ] master-port=ether2
set [ find default-name=ether18 ] master-port=ether2
set [ find default-name=ether19 ] master-port=ether2
set [ find default-name=ether20 ] master-port=ether2
set [ find default-name=ether21 ] master-port=ether2
set [ find default-name=ether22 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2
set [ find default-name=ether24 ] master-port=ether2
set [ find default-name=sfp1 ] master-port=ether2 disabled=yes

/interface ethernet switch port-isolation
add port-profile=1 ports=ether4,ether3,ether5,ether6,ether7,ether8,ether2 type=dst

/interface ethernet switch port
set 0 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 1 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 2 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 3 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 4 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 5 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 6 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 7 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=0
set 8 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 9 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 10 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 11 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 12 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 13 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 14 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 15 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 16 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 17 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 18 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 19 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 20 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 21 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 22 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 23 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1
set 24 dscp-based-qos-dscp-to-dscp-mapping=no isolation-leakage-profile-override=1

Any help would be very appreciated! (My head is about to roll :( )

Regards,

Artur Portella
 
arturportella

Re: CRS125-24G-1S - HOW TO VLAN BYPASS WITH PORT ISOLATION?

Fri Dec 11, 2015 2:16 pm

I guess that with a diagram the problem will be easier to solve:
DOUBT.png
In this scenario, I have 1 to 8 acting as promiscuous isolated ports in port profile 0 as uplink ports, and from 9 to 24 + sfp as isolated ports in port profile 1. But what if I want to create a rule to bypass only VLAN 10 from port 9 to 10 and keep all other traffic isolated? That's my huge problem :?

Regards,

Artur Portella