
How to do Port Isolation in Aruba CX 6000 switch?

  • 1.  How to do Port Isolation in Aruba CX 6000 switch?

    Posted 11 days ago
    Hi All,

    My customer needs to know how to enable "port isolation" on the Aruba CX 6000 switch.
    They are a service provider providing internet connections in a high-rise residential building. Each room will be provided with one Ethernet port connected to CX 6000 switches on every floor. Each user using an Ethernet port must not be able to see other users on different Ethernet ports. They can only see the uplink.
    I believe in the Aruba OS switch series we can use "isolation-list", but how do we do this on a CX switch?

    Best Regards,
    David

    ------------------------------
    David Soleiman
    ------------------------------


  • 2.  RE: How to do Port Isolation in Aruba CX 6000 switch?

    Posted 10 days ago
    Hello,

    I think the only option on this platform is portfilter. Please have a look at Chapter 11 Port Filtering, page 150

    https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/fundamentals_4100i-6000-6100.pdf

    ------------------------------
    Emil Gogushev
    ------------------------------



  • 3.  RE: How to do Port Isolation in Aruba CX 6000 switch?

    Posted 10 days ago
    Hi Emil,

    Thank you for the suggestion.
    But do you think "portfilter" can achieve the same goal as "port isolation", i.e. isolate each port on the CX 6000 series so that the ports cannot "see" each other, except for the uplink port?


    ------------------------------
    David Soleiman
    ------------------------------



  • 4.  RE: How to do Port Isolation in Aruba CX 6000 switch?

    Posted 10 days ago
    Hello David, 

    It is a somewhat different approach, but I think you can achieve the same thing. The configuration logic is different and, I think, also a bit more complicated.
    You need to go to every single port that should be isolated and manually add a portfilter. The portfilter specifies to which ports a frame entering at the isolated port cannot be forwarded.
    So this means you need to have a portfilter with different port IDs for every port and you cannot apply the same config to all the ports with a single command. 

    Here is how you block access from port 1/1/1 to all ports from 1/1/2 to 1/1/24. Ports above 1/1/24, which can be, for example, uplinks like 1/1/25, 1/1/26, etc., are not in this list, and traffic will be forwarded out of these ports.

    switch(config)# interface 1/1/1
    switch(config-if)# portfilter 1/1/2-1/1/24

    For port 1/1/2 you need to adapt the portfilter list.

    switch(config)# interface 1/1/2
    switch(config-if)# portfilter 1/1/1,1/1/3-1/1/24

    For port 1/1/3 it should look like this.

    switch(config)# interface 1/1/3
    switch(config-if)# portfilter 1/1/1-1/1/2,1/1/4-1/1/24

    For port 1/1/4, etc.

    switch(config)# interface 1/1/4
    switch(config-if)# portfilter 1/1/1-1/1/3,1/1/5-1/1/24

    Another difference is that this applies at the port level and to all VLANs. It cannot be configured per VLAN.
    So this is how it should work, to my understanding, but I didn't have the chance to test this yet.

    Usually you should use Private VLAN for this type of intra-VLAN micro-isolation in CX, but PVLAN is not supported by the Aruba 6000.



    ------------------------------
    Emil Gogushev
    ------------------------------
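
Because the portfilter list in the post above is different for every interface, it is easier to generate than to type. The Python below is an added example, not part of the original thread and not Aruba tooling; it assumes every port is on member/slot 1/1, access ports 1-24 and uplinks 25-26, and emits only the `interface` and `portfilter` syntax quoted in the post, after checking that the plan isolates every access pair and leaves the uplinks unfiltered.

```python
# Added example: generates the per-port portfilter lines described in the post.
# Assumptions: every port is on member/slot 1/1; access ports are 1-24.
PREFIX = "1/1/"


def collapse(ports):
    """Collapse port numbers into the 'a-b,c' range syntax shown in the post."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1][1] = p          # extend the current run
        else:
            ranges.append([p, p])      # start a new run
    return ",".join(
        f"{PREFIX}{a}" if a == b else f"{PREFIX}{a}-{PREFIX}{b}" for a, b in ranges
    )


def build_filters(access_ports):
    """Map each access port to the set of access ports it must not reach."""
    access = set(access_ports)
    return {p: access - {p} for p in access}


def render(filters):
    """Return the CLI lines to paste in configuration mode, port by port."""
    lines = []
    for port in sorted(filters):
        if filters[port]:              # a lone access port needs no filter
            lines += [f"interface {PREFIX}{port}",
                      f"portfilter {collapse(filters[port])}"]
    return lines


def verify(filters, uplinks):
    """True if each access port blocks all other access ports and no uplink."""
    access, up = set(filters), set(uplinks)
    return all(blocked == access - {src} and not (blocked & up)
               for src, blocked in filters.items())


if __name__ == "__main__":
    filters = build_filters(range(1, 25))
    if not verify(filters, uplinks=[25, 26]):
        raise SystemExit("filter plan would leave a gap or block an uplink")
    print("\n".join(render(filters)))
```

Since the filter applies at the port level across all VLANs, as the post notes, rerun the generator whenever a port changes role between access and uplink.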



  • 5.  RE: How to do Port Isolation in Aruba CX 6000 switch?

    Posted 7 days ago
    Hi Emil,

    Thank you for the example.
    I will ask my partner to try it.

    Best Regards,
    David

    ------------------------------
    David Soleiman
    ------------------------------



  • 6.  RE: How to do Port Isolation in Aruba CX 6000 switch?

    Posted 10 days ago
    This port isolation behavior sounds like Private VLAN behavior to me.

    This functionality was being introduced into AOS-CX with 10.08, although some platforms were not receiving the feature until 10.09.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: How to do Port Isolation in Aruba CX 6000 switch?

    Posted 9 days ago
    Hi.

    If you know a command in ArubaOS-Switching (AOS-S), you can find the CLI equivalent for ArubaOS-CX in this guide:
    https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c04793912

    ------------------------------
    Tom Roholm
    ------------------------------