PORT isolation stopped working - Omada SW controller

Hi,
First I tried the port isolation feature and it worked.
After that, I tried setting up some VLANs on the network with the Omada Software Controller.
VLANs work, but I decided to return to the configuration without VLANs and use PORT ISOLATION, so I switched to the default PORT configuration (LAN1).
After removing all my "custom" VLAN settings, PORT ISOLATION does not work. So a port with isolation turned on can see other isolated ports.
What did I set wrong when removing all custom VLANs? Where is the problem?
First, this is about the Omada controller for Windows, not the switch. So sorry for this.
So, for all ports the port profile is set to LAN1 (default profile, not editable). It has VLAN 1 assigned by default.
1. Set Port Isolation on two ports on 2 switch devices
2. Connect 2 PCs to these ports
3. Normally, these 2 PCs can't ping or RDP to each other. But I CAN.
I sent some pictures of my config:
Please list the actual IP ranges of clients and servers, otherwise nobody can assist you. And Omada is perfectly capable of managing hundreds of clients across many VLANs, as long as you are smart and working within the (admittedly not ideal) group limitations.
My networks control hundreds of clients, across 9 VLANs, 3 remote sites, and client VPNs, with very strict segmentation and ACL rules. And no, there is no performance drop with multiple VLANs.
lan subnet: 192.168.0.0/24
example:
servergroup1
server1 - 192.168.0.10
server2 - 192.168.0.20
server3 - 192.168.0.30
server4 - 192.168.0.40
servergroup2
server50 - 192.168.0.50
server60 - 192.168.0.60
server70 - 192.168.0.70
server80 - 192.168.0.80
servergroup3
server900 - 192.168.0.90
server1000 - 192.168.0.100
printer1 - 192.168.0.15
printer2 - 192.168.0.25
printer3 - 192.168.0.35
printer4 - 192.168.0.45
printer5 - 192.168.0.55
iot1 - 192.168.0.14
iot2 - 192.168.0.15
iot3 - 192.168.0.16
clients:
group1
client11 - 192.168.0.110
client12 - 192.168.0.130
client13 - 192.168.0.140
client14 - 192.168.0.53
client15 - 192.168.0.22
client16 - 192.168.0.98
client17 - 192.168.0.87
client18 - 192.168.0.56
client19 - 192.168.0.43
client20 - 192.168.0.29
....
group2
client101 - 192.168.0.48
client102 - 192.168.0.212
client103 - 192.168.0.222
client104 - 192.168.0.54
client105 - 192.168.0.41
....
group3
client1001 - 192.168.0.91
client1002 - 192.168.0.213
client1003 - 192.168.0.223
client1004 - 192.168.0.74
client1005 - 192.168.0.76
....
group1 isolate from group1
group2 isolate from group2
group2 isolate from group1
group1 isolate from servergroup2 and 3
group2 isolate from servergroup1
group3 isolate from servergroup1
group1 isolate but access to servergroup1 for SMB, servergroup3 for RDP
group2 isolate but access to servergroup2 for SMB and SQL
group3 not isolate, access to servergroup2 for SQL and servergroup3
and other combinations, for example.....
ports:
SMB: 445,139
RDP:3389
other services1: 80,443,1520, 23000-32000, 33025, 45263, 47852, 5623, 4582-4595, 1975, 56894, 10004, 5900, 44123-44223
other services2: 88,4430,15200, 2300-3200, 3325, 4523, 4782, 56230, 45820-45950, 19750, 5694, 1004, 590, 4423-4423
SQL: 1433
servergroup1 allow ports RDP, SMB
servergroup2 allow ports RDP, SQL, other services1
servergroup3 allow ports SMB, SQL, other services2
servergroup1 allow RDP for management ip (192.168.0.5)
servergroup2 allow RDP for management ip (192.168.0.5)
servergroup3 allow RDP for management ip (192.168.0.5)
I'm pretty sure I could build a rule set for all this that fits inside the number of groups that can be made; it's not particularly complicated or expansive... but... ONLY if they are separated on VLANs.
Having everything all on one VLAN forces us to make IP groups for every single little grouping of clients and servers. If you have them on router interface VLANs, we get extra room opened up by them existing as "networks" and not needing a group at all.
However, I'm not here to do your job for you, and this would take a considerable amount of time to lay down the matrix and work out the rule groups. I'm happy to assist with small tasks like the other guy who asked about ACLs yesterday, but it seems that this is your actual paid job to do, and I'm not going to sit here for 8 hours working this out for you, and then inevitably have to hold your hand through it and answer all your questions on it in the future.
There are tons of resources that can help you figure out how to properly segment this stuff. Port isolation won't get you anywhere at all, and neither will MAC isolation; you have too many cross-linked paths to do that in any sensible way.
Good luck!
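The group listing above and the reply about laying down a rule matrix describe the same design problem: a flat /24 where every client or server grouping has to become an IP group, and an ordered ACL then has to express which groups may reach which services. The following is an added example, not code from this thread or from TP-Link, that models that policy as a first-match rule list and audits group-to-group reachability so the matrix can be checked before it is typed into a controller. It assumes ordered first-match semantics and an explicit final deny (what a controller does when no rule matches must be checked separately); the addresses are a constructed subset of the poster's example, and `Rule`, `evaluate` and `audit_matrix` are names chosen here.

```python
"""Model of the thread's IP-group segmentation as a first-match ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed subset of the groups listed in the thread; the real network is larger.
GROUPS: Dict[str, Set[str]] = {
    "management":   {"192.168.0.5"},
    "servergroup1": {"192.168.0.10", "192.168.0.20", "192.168.0.30", "192.168.0.40"},
    "servergroup2": {"192.168.0.50", "192.168.0.60", "192.168.0.70", "192.168.0.80"},
    "servergroup3": {"192.168.0.90", "192.168.0.100"},
    "group1":       {"192.168.0.110", "192.168.0.130", "192.168.0.140", "192.168.0.53"},
    "group2":       {"192.168.0.48", "192.168.0.212", "192.168.0.222", "192.168.0.54"},
    "group3":       {"192.168.0.91", "192.168.0.213", "192.168.0.223", "192.168.0.74"},
}

# Service port sets as given in the thread.
SVC: Dict[str, frozenset] = {
    "SMB": frozenset({445, 139}),
    "RDP": frozenset({3389}),
    "SQL": frozenset({1433}),
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # group name or "any"
    dst: str                    # group name or "any"
    ports: Optional[frozenset]  # destination TCP ports; None = any port


# Ordered rule list: the first matching rule decides. Permits for a pair sit
# above the broader deny for that pair, and the list ends in an explicit deny
# so nothing reaches a hidden default (assumption of this model).
RULES = [
    # management host may RDP to every server group
    Rule("permit", "management", "servergroup1", SVC["RDP"]),
    Rule("permit", "management", "servergroup2", SVC["RDP"]),
    Rule("permit", "management", "servergroup3", SVC["RDP"]),
    # group1: SMB to servergroup1, RDP to servergroup3; isolated from itself and servergroup2/3
    Rule("permit", "group1", "servergroup1", SVC["SMB"]),
    Rule("permit", "group1", "servergroup3", SVC["RDP"]),
    Rule("deny",   "group1", "group1", None),
    Rule("deny",   "group1", "servergroup2", None),
    Rule("deny",   "group1", "servergroup3", None),
    # group2: SMB and SQL to servergroup2; isolated from itself, group1 and servergroup1
    Rule("permit", "group2", "servergroup2", SVC["SMB"] | SVC["SQL"]),
    Rule("deny",   "group2", "group2", None),
    Rule("deny",   "group2", "group1", None),
    Rule("deny",   "group2", "servergroup1", None),
    # group3: not isolated, except from servergroup1
    Rule("deny",   "group3", "servergroup1", None),
    Rule("permit", "group3", "any", None),
    # explicit catch-all: anything not listed is dropped
    Rule("deny",   "any", "any", None),
]


def groups_of(ip: str) -> Set[str]:
    """Every group an address belongs to (an address may appear in several lists)."""
    addr = str(ipaddress.ip_address(ip))  # rejects malformed literals
    return {name for name, members in GROUPS.items() if addr in members}


def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    src_ok = rule.src == "any" or rule.src in groups_of(src_ip)
    dst_ok = rule.dst == "any" or rule.dst in groups_of(dst_ip)
    port_ok = rule.ports is None or port in rule.ports
    return src_ok and dst_ok and port_ok


def evaluate(src_ip: str, dst_ip: str, port: int) -> Tuple[str, int]:
    """Return (action, rule index) of the first rule that matches the flow."""
    for index, rule in enumerate(RULES):
        if matches(rule, src_ip, dst_ip, port):
            return rule.action, index
    raise RuntimeError("rule list has no catch-all rule")


def reachable_services(src_group: str, dst_group: str) -> Set[str]:
    """Services a member of src_group can reach on a member of dst_group."""
    src, dst = min(GROUPS[src_group]), min(GROUPS[dst_group])
    return {name for name, ports in SVC.items()
            if all(evaluate(src, dst, p)[0] == "permit" for p in ports)}


def audit_matrix() -> Dict[Tuple[str, str], Set[str]]:
    """Group-to-group reachability table to compare against the intended policy."""
    names = [g for g in GROUPS if g != "management"]
    return {(s, d): reachable_services(s, d) for s in names for d in names}


if __name__ == "__main__":
    for (src, dst), services in sorted(audit_matrix().items()):
        print(f"{src:>13} -> {dst:<13} {sorted(services) or 'none'}")
```

Running the block prints the full matrix; any pair that shows `none` but should have access, or shows a service that should be blocked, is a rule-ordering or group-membership mistake to fix before the ACL goes live. The same table is what grows when the real network is three times as large, which is the reply's point about needing VLAN interfaces as rule endpoints instead of one IP group per cluster of hosts.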
This was an example; please multiply everything 3x for servers and 7x for clients, and other services 3x.
I can't send you my whole network :), IP addresses, MAC addresses. I wrote only an example.
1) You need VLANs; having everything on a single network is crazy, for both management and security.
2) If it truly is 3x as large, I don't think any non-enterprise SDN gear can do what you actually want this to do.
3) Why did you buy consumer / small business grade gear for a network of such magnitude?
4) It is still clear that you really don't understand what you are getting yourself into. Nor do you understand how your own design choices are going to severely limit you. Take a step back and do some actual research.