Enterprise Lockdown

Occasional Contributor II
Posts: 100
Registered: 11-07-2008

private vlans

Has anyone used private vlans to isolate users on layer 2? I just was curious if there were any problems with vlan switching from the Arubas to the core switches.
MVP
Posts: 498
Registered: 04-03-2007

Re: private vlans

Not exactly sure what you mean. If you're saying having dedicated vlans for wireless, then yes, that is supported and works just fine. If you're saying to have users' vlans change on Aruba (e.g., users come into the controller on vlan A and get "retagged" (maybe via a user-role) to vlan B), we had run into problems doing this.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor II
Posts: 100
Registered: 11-07-2008

Re: private vlans

Well we do have dedicated vlans for wireless but these are not private vlans, meaning you have a primary vlan and a secondary vlan within the primary for isolation. We have 16 vlans and they work fine with switching, but they are not private at the moment. There is only the primary vlan.
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Switching Vlans

Somebody got VLAN switching to work by making the DHCP server lease on the initial VLAN (CP vlan) down to like 10 seconds... That way the user will re-DHCP every 10 seconds and will get his new address and a proper lease when he gets switched to his target VLAN. MS Windows DHCP server does not support leases in seconds, but ISC does...

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 100
Registered: 11-07-2008

Re: private vlans

This is actually a vlan inside a vlan. It is used primarily to segment your network even further than just 1 vlan. There are 3 types of private vlans: community, isolated, and promiscuous. We are looking at isolated private vlans since they stop all clients from communicating at the L2 level.

I guess I'll just try it and see what happens!
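For readers who have not configured the switch side of this, here is an added example (not from this thread or from Aruba) of the isolated private VLAN the poster describes, in Cisco IOS syntax. VLAN numbers and interface names are constructed for illustration: VLAN 100 is the primary, VLAN 101 is the isolated secondary, client-facing ports are "host" ports that can only talk to the promiscuous uplink, and the uplink toward the router or wireless controller is the promiscuous port.

```text
! Added example, not from the thread. Private VLANs require the
! switch to be in VTP transparent mode (or VTP v3) on most IOS versions.
vtp mode transparent
!
! Primary VLAN 100 carries the subnet; isolated VLAN 101 is the
! secondary that blocks host-to-host traffic at layer 2.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Client-facing port: hosts here can reach only promiscuous ports,
! never each other, even though they share the same IP subnet.
interface GigabitEthernet1/0/1
 description wired client (constructed example)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Uplink to the default gateway / wireless controller: promiscuous
! ports see both the primary and the mapped secondary VLAN.
interface GigabitEthernet1/0/24
 description uplink to core / Aruba controller (constructed example)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

Two checks worth making after applying this: `show vlan private-vlan` should list 101 as isolated and associated with 100, and a ping between two hosts on host ports in VLAN 101 should fail while both still reach the gateway. Note that the isolation is only as strong as the promiscuous device: a router with proxy ARP enabled on the primary VLAN's SVI will happily forward host-to-host traffic at layer 3, so disable proxy ARP (`no ip proxy-arp`) or add an ACL there if that is not wanted.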
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Private VLAN

Gwilliams, if you just want to keep clients from contacting each other, the firewall option "deny inter user bridging" Configuration > Advanced Services> Stateful Firewall> Deny Inter user Bridging has that functionality. Is that what you had in mind?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 100
Registered: 11-07-2008

Re: private vlans

Yes, but it doesn't work across controllers. Only the controller you are on.
Guru Elite
Posts: 20,773
Registered: 03-29-2007

Across Controllers

You are right, it doesn't work across controllers. You can put a firewall rule in the user role saying that users cannot send any traffic destined for any user subnets. The most efficient way is to create a rule pointed to an alias denying traffic destined to that alias, and just adding/removing subnets from that alias for maintenance.

Would that work?


Colin Joseph
Aruba Customer Engineering

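As an added illustration of the alias-based rule suggested above (this is not Colin's configuration and not taken from the thread; the ArubaOS syntax is written from memory and should be checked against your controller's CLI reference), the example below defines a `netdestination` alias holding every wireless user subnet, a session ACL that drops user traffic to that alias, and a user role that applies it ahead of the usual permit-all ACL. The subnets, alias name, ACL name and role name are constructed placeholders.

```text
! Added example, not from the thread. All names and subnets are constructed.
!
! One alias for every user subnet across all controllers; maintenance
! is just adding or removing "network" lines here.
netdestination wireless-user-subnets
  network 10.20.0.0 255.255.0.0
  network 10.30.0.0 255.255.0.0
!
! Session ACL: allow the infrastructure services a client needs even
! when the DHCP relay or DNS resolver lives inside a user subnet, then
! deny anything else destined to another user, then let the rest through
! via the role's next ACL. Rules are matched top-down.
ip access-list session deny-client-to-client
  user any svc-dhcp permit
  user any svc-dns permit
  user alias wireless-user-subnets any deny log
!
! Apply it to the role before allowall so the deny is hit first.
user-role employee
  session-acl deny-client-to-client
  session-acl allowall
```

Because the rule is enforced per user role on each controller, it holds when the two clients are on different controllers, which is the case the per-controller "deny inter user bridging" setting cannot cover. The `log` keyword on the deny line is optional but gives you a record of client-to-client attempts in the controller's firewall log, which is useful both for tuning the alias and for spotting a host that is scanning its neighbours. After applying it, verify with `show rights employee` that the ACL order is as intended and with a test client that it can still obtain a lease and resolve names.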