PORT isolation stopped work - Omada SW controller

Tuesday
Model: TL-SG3428X-M2  
Hardware Version: V1
Firmware Version: 1.20.6

Hi,

 

First I tried the port isolation feature and it worked.

After that, I tried to set up some VLANs on the network with the Omada software controller.

VLANs worked, but I decided to return to a configuration without VLANs and use PORT ISOLATION, so I switched to the default port configuration (LAN1).

After removing all my "custom" VLAN settings, PORT ISOLATION does not work. So a port with isolation turned on can see other isolated ports.

What did I set wrong when removing all custom VLANs? Where is the problem?

 

 

 

First, this is about the Omada controller for Windows, not the switch. So sorry for this.

So, for all ports the port profile is set to LAN1 (the default profile, not editable), which has VLAN 1 assigned by default.

1. Set Port Isolation on two ports on 2 switch devices.

2. Connect 2 PCs to these ports.

3. Normally these 2 PCs can't ping or RDP to each other. But I CAN.

I sent some pictures of my config:

LAN port config default preset

 

 

 

#1
Re:PORT isolation stopped work - Omada SW controller
Tuesday

  @LAMAGuru 

 

Port isolation does not work between switches. It will only work on devices connected to the same switch.

 

 

#2
Re:PORT isolation stopped work - Omada SW controller
Tuesday - last edited Tuesday

  @LAMAGuru 

 

Try googling this string, I'm not allowed to post URLs on the forum; it's possible you can follow this recipe to get it to work.

Google 17699729143453-Understanding-Port-Isolation

 

 

 

 

 

#3
Re:PORT isolation stopped work - Omada SW controller
Tuesday - last edited Tuesday

  @MR.S 

Thx for your time.

Hm, but how to set up the "proper configuration, traffic isolation can be maintained across a chain of switches"? My goal is to isolate some group of PCs and not others. So isolated PCs can access only the unisolated group of PCs but can't access any PCs in isolation.

I tried VLANs (20), but when I use tagged traffic between switches and untagged ports I lost network speed 10 times over.... So I decided to use port isolation, but I didn't know that this works only on a per-switch basis.

Also, I have only one subnet on the network and a 3rd party router (FGT).

#4
Re:PORT isolation stopped work - Omada SW controller
Tuesday - last edited Tuesday

  @LAMAGuru 

I don't know how, I only have isolated ports on the same switch so I googled a bit when I saw your problem. You can try configuring it as described in the example I sent you to see if it will work. It should be easy to test.

 

Try and isolate the link port on switch A.

 

 

#5
Re:PORT isolation stopped work - Omada SW controller
Tuesday

  @LAMAGuru 

 

I did a test here. It didn't work. When you isolate the link port, you also block other isolated ports so the communication stops at the link port. No, I don't know. Initially, only ports on the same switch are isolated.

 

 

#6
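To illustrate what posts #1 and #5 describe (isolation is enforced per switch, and flagging the link port cuts the isolated hosts off from everything beyond it), here is a small added Python model of isolated-port forwarding across a two-switch chain. It is not code from the thread or from Omada; the topology, host names and port numbers are constructed sample data, and the forwarding rule assumed is "two isolated ports on the same switch never exchange frames".

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    hosts: dict = field(default_factory=dict)   # host -> port it is plugged into
    isolated: set = field(default_factory=set)  # ports with "Port Isolation" enabled
    links: dict = field(default_factory=dict)   # uplink port -> (peer switch, peer port)

def local_allowed(sw, in_port, out_port):
    """One switch's rule: two isolated ports on the same switch never exchange frames."""
    return not (in_port in sw.isolated and out_port in sw.isolated)

def can_reach(fabric, src, dst):
    """Follow a frame from host src to host dst across the chain of switches."""
    start = next(s for s in fabric.values() if src in s.hosts)
    return _walk(fabric, start, start.hosts[src], dst, {start.name})

def _walk(fabric, sw, in_port, dst, seen):
    if dst in sw.hosts:
        return local_allowed(sw, in_port, sw.hosts[dst])
    for uplink, (peer, peer_port) in sw.links.items():
        # The frame only leaves via an uplink that the ingress port may reach.
        if peer in seen or not local_allowed(sw, in_port, uplink):
            continue
        seen.add(peer)
        # On the peer it arrives on the link port; no "isolated" state travels with it.
        if _walk(fabric, fabric[peer], peer_port, dst, seen):
            return True
    return False

def build_fabric(isolate_uplink_on_sw1=False):
    """Constructed two-switch topology mirroring the thread's test (sample data)."""
    sw1 = Switch("sw1", hosts={"PC1": 5, "PC3": 6, "SHARED": 7}, isolated={5, 6},
                 links={25: ("sw2", 25)})
    sw2 = Switch("sw2", hosts={"PC2": 5, "NAS": 7}, isolated={5},
                 links={25: ("sw1", 25)})
    if isolate_uplink_on_sw1:
        sw1.isolated.add(25)  # MR.S's experiment: flag the link port too
    return {"sw1": sw1, "sw2": sw2}

if __name__ == "__main__":
    f = build_fabric()
    print("PC1 -> PC3, same switch, both isolated:", can_reach(f, "PC1", "PC3"))         # False
    print("PC1 -> PC2, different switches, both isolated:", can_reach(f, "PC1", "PC2"))  # True
    f2 = build_fabric(isolate_uplink_on_sw1=True)
    print("PC1 -> PC2 with sw1 link port isolated:", can_reach(f2, "PC1", "PC2"))        # False
    print("PC1 -> NAS with sw1 link port isolated:", can_reach(f2, "PC1", "NAS"))        # False
    print("SHARED -> PC2 with sw1 link port isolated:", can_reach(f2, "SHARED", "PC2"))  # True
```

The last three results are MR.S's finding: once the link port is isolated, the isolated PCs lose the NAS and everything else behind the uplink, while non-isolated hosts still pass.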
Re:PORT isolation stopped work - Omada SW controller
Wednesday - last edited Wednesday

@MR.S OK, thx for your time.

I can't do what was sent later with uplink port isolation, because I use all SFP+ ports on all switches for file servers and other shared workstations. So if I isolate the whole switch I can't access these shared stations and servers from other clients on the network.

So the only solution is to use VLANs. But, as I wrote, when I set up segmentation of my network into twenty VLANs, my real network throughput dropped.

My questions are:

1. Is a network transmission drop normal for too many VLANs (tagged uplink ports, untagged ports)?

2. If yes, is the solution to use one or two VLANs, not 10 or 20?

3. What happens if I put all the stations that I need to isolate into one VLAN and then set up port isolation on these stations? Is it still active only on the switch and not on other switches?

 

 

#7
Re:PORT isolation stopped work - Omada SW controller
Yesterday - last edited Yesterday

  @LAMAGuru 

 

Port isolation won't necessarily stop devices on the same LAN communicating; it might be getting hairpinned by the router. You need to remember port isolation is there to prevent a port directly communicating with another isolated port. ANYTHING that traverses the gateway, or a switch SVI acting as a gateway, or any other device or IP on any non-isolated port will pass through. Any device (like a client PC) that is on a LAN and tries to reach an IP on the same LAN will ARP. That ARP reaches the switch, and because the target device is on an isolated port, it won't get a response. Then, because of the null response, the client device will instead just send the request to the gateway, which will route it back to the switch, to the target device. Hence, port isolation won't block LAN<>LAN in most cases.

Port isolation is really intended for other things, like multiple uplinks to a device with the same MAC but different interfaces, to prevent direct port-to-port loops forming (e.g., DSL modems in GRE mode serving multiple public IPs).

VLANs are definitely the way to go to segment stuff, then using switch ACLs to prohibit communication between things.

You should not see any noticeable performance drop with a sane number of VLANs (like, less than a thousand), but what might happen is you start throttling or saturating individual switch links; LAG or SFP+ between switches will help with this.

On particularly busy or saturated inter-switch links, especially if you only have a single 1 Gbit link, enabling flow control on both sides of it may help, a bit.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x1, ES205G x2, EAP650 x6 Remotes: ER605 v2 x3, SG2008P x2, EAP650 x2 VPN Server: ER7206 v2 Controller: OC300
#8
Re:PORT isolation stopped work - Omada SW controller
19 hours ago - last edited 18 hours ago

  @GRL 

 

Today I tested 10 VLANs.

1. Created 10 VLANs and 10 port configurations, but I use only 3 for testing: one is vlanPC, another vlanNAS and vlanUPLINK.

2. Created a port configuration for the UPLINK switch port (vlanUPLINK), where all VLANs are tagged and the default VLAN is LAN1 (with the network IP subnet), also as untagged.

3. Created a port configuration for the NAS port (vlanNAS), where all VLANs are untagged; the default VLAN is vlanNAS.

4. Created a port configuration for the PC port (vlanPC), which has these VLANs: vlanNAS and vlanPC as untagged; the default VLAN is vlanPC.

5. NAS is on switch1 and has the port config for all VLANs.

6. PC1 is on switch1.

7. PC2 is on switch2.

All can ping each other.

Next, speed test (real copying of a 4GB file):

1. between PC1 and NAS - 140MBps (not Mbps)

2. between PC2 and NAS - 20MBps (not Mbps)

So next step, delete all VLANs and set the default port configuration.

Next, speed test (real copying of a 4GB file):

1. between PC1 and NAS - 248MBps (not Mbps)

2. between PC2 and NAS - 240MBps (not Mbps)

On the switches I use 10Gbps SFP+ optics for uplinks, and the switches have 24x 2.5Gbps ETH ports; the NAS also has SFP+ 2x10Gbps LACP; the PCs have Intel 226 2.5Gbps and Realtek 2.5Gbps...

So, I use only 3 devices on the network, and if I turn VLANs on on the uplink between switches, and VLANs on the port to the NAS, this kills network speed between switches and also kills speed on the same switch between ports.

What did I do wrong? Are TP-Link Omada switches useless for VLANs?

 

M.

 

#9
Re:PORT isolation stopped work - Omada SW controller
18 hours ago - last edited 18 hours ago

  @LAMAGuru 

 

Although it is possible, you should not have multiple untagged VLANs on a port; anything that isn't "native" should be tagged.

In Omada, all VLANs can communicate with each other by default; you need ACL rules to prevent communication between them as needed.

I suspect that having multiple untagged VLANs on the NAS and PC ports is causing your performance issues, since there is no real way for the switch or gateway to know what untagged traffic coming into that port is for what VLAN. Sure, you have set a "native", but this still isn't ideal. You don't need to set the PC or NAS to have all VLANs going to their ports; they are quite able to communicate between VLANs directly through the switch or router, you don't need to pipe every VLAN you want them to access to them.

TP-Link switches handle VLANs absolutely fine; the issue here is you don't really understand how to implement what you want to do properly.

There are multiple guides here, on YouTube, all over the place on how to structure VLANs, tagging and untagging, how to properly set trunking. I suggest you do some reading!

#10
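As an added example (not code from the thread or from Omada), the 802.1Q port model below replays the port configurations of post #8 and the point made in post #9: an untagged frame is only ever classified into the port's native/default VLAN, so a port with several untagged VLANs sends requests in one VLAN and gets replies in another, while the one-native-VLAN layout hands inter-VLAN traffic to the router. The VLAN IDs 1, 20 and 30 and the port dictionaries are constructed assumptions.

```python
VLAN_LAN1, VLAN_PC, VLAN_NAS = 1, 20, 30   # constructed VLAN IDs

def classify_ingress(port, vlan_tag):
    """VLAN a received frame is placed in, or None if the port drops it."""
    if vlan_tag is None:
        return port["pvid"]   # untagged frame -> native/default VLAN, nothing else
    # a tagged frame is accepted only where that VLAN is a tagged member
    return vlan_tag if port["members"].get(vlan_tag) == "tagged" else None

def egress(port, vlan):
    """'tagged' or 'untagged' on the way out, None if the port is not a member."""
    return port["members"].get(vlan)

def deliver(in_port, out_port, vlan_tag):
    """One hop through a switch: how (or whether) the frame leaves out_port."""
    vlan = classify_ingress(in_port, vlan_tag)
    return None if vlan is None else egress(out_port, vlan)

def round_trip(pc_port, nas_port):
    """Untagged request PC->NAS and untagged reply NAS->PC on one switch.
    Returns (request VLAN, reply VLAN) if both legs are switched at layer 2,
    None if a leg would need a router to cross VLANs."""
    req_vlan = classify_ingress(pc_port, None)
    if egress(nas_port, req_vlan) is None:
        return None
    rep_vlan = classify_ingress(nas_port, None)
    if egress(pc_port, rep_vlan) is None:
        return None
    return (req_vlan, rep_vlan)

# Port profiles as post #8 describes them (constructed sample configuration).
UPLINK  = {"pvid": VLAN_LAN1, "members": {VLAN_LAN1: "untagged",
                                          VLAN_PC: "tagged", VLAN_NAS: "tagged"}}
NAS_BAD = {"pvid": VLAN_NAS, "members": {VLAN_LAN1: "untagged",
                                         VLAN_PC: "untagged", VLAN_NAS: "untagged"}}
PC_BAD  = {"pvid": VLAN_PC,  "members": {VLAN_PC: "untagged", VLAN_NAS: "untagged"}}
# The shape post #9 recommends: one untagged (native) VLAN per access port.
NAS_OK  = {"pvid": VLAN_NAS, "members": {VLAN_NAS: "untagged"}}
PC_OK   = {"pvid": VLAN_PC,  "members": {VLAN_PC: "untagged"}}

if __name__ == "__main__":
    print("PC -> uplink:", deliver(PC_BAD, UPLINK, None))      # tagged (carried as VLAN 20)
    print("multi-untagged:", round_trip(PC_BAD, NAS_BAD))     # (20, 30): asymmetric VLANs
    print("one native each:", round_trip(PC_OK, NAS_OK))      # None: needs the router
```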
Re:PORT isolation stopped work - Omada SW controller
18 hours ago - last edited 16 hours ago

  @GRL 

 

I used the how-to from TP-Link (Google), I have the same setup: How to configure 802.1Q VLAN on Omada Switches when used with a third-party router

If you can, send me some how-to on how to properly set up VLANs in the Omada controller (L2 type VLANs) with a 3rd party gateway.

Or I can post screenshots from my setup, so you can correct my mistakes....

edit:

My first steps, before port isolation and VLANs, were switch ACLs. I wanted to set groups of IP-port per server/NAS and set up PC access. But there is a problem on the config page, where in a Group I can't set more than 8/16 rows per IP/subnet/ports. So next I wanted to use MAC ACLs, but I use LACP on the NAS/servers, so that is a problem for me to set up.

The Omada controller allows ONLY:

1. IP-port group - 8 subnets and 8 port groups

2. IP group - 16 IP/subnet

3. also missing IP ranges, only subnets

Why? Why not 255 rows? Or 64 rows?

For me, that is too few for configuring ports for a server/NAS where there are for example 20 port groups (like Kodak, Esko products).

Also, if I have more than 8 servers in the same port group, I must separate them into more IP-port groups.

Also switch ACLs are by default permit all and can't be set to default deny all, so I must add an extra rule at the end of each group of rules.

So I decided to use port isolation, but for my setup it is not a solution (more switches with SFP+ NAS/servers). Next, L2 VLANs, where I used the TP-Link manual for creating them. VLANs work, but network speed is a big problem with this setup on the controller.

I want to thank you again for your time and help.

So if you have a working guide on how to properly set up VLANs and trunk ports with ACLs, without a big performance drop, I would be happy to study it.

For now, I will set up ACLs based on MAC addresses with DENY rules.

EDIT2:

MAC group - only 8 rows of groups...WHY?

 
