Wired Intelligent Edge

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Hello,

I think the only option on this platform is portfilter. Please have a look at Chapter 11 Port Filtering, page 150

https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/fundamentals_4100i-6000-6100.pdf

------------------------------
Emil Gogushev
------------------------------

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Hi Emil,

Thank you for the suggestion.
But do you think the "portfilter" can achieve the same goal of "port isolation", to isolated each ports in CX 6000 series to "see" each other except for the uplink port?


------------------------------
David Soleiman
------------------------------

Original Message:
Sent: Jan 07, 2022 03:18 AM
From: Emil Gogushev
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hello,

I think the only option on this platform is portfilter. Please have a look at Chapter 11 Port Filtering, page 150

https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/fundamentals_4100i-6000-6100.pdf

------------------------------
Emil Gogushev

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Hello David, 

It is a some kind of a different approach but I think you can achieve the same thing. The configuration logic is different and I think also a bit more complicated.
You need to go to every single port that should be isolated and manually add a portfilter. The portfilter specifies to which ports a frame entering at the isolated port cannot be forwarded.
So this means you need to have a portfilter with different port IDs for every port and you cannot apply the same config to all the ports with a single command. 

Here is how you block access from port 1/1/1 to all ports from 1/1/2 to 1/1/24. Ports above 1/1/24 which can be for example uplinks, like 1/1/25, 1/1/26 etc are not in this list and traffic will be forwarded out of this ports.

switch(config)# interface 1/1/1
switch(config-if)# portfilter 1/1/2-1/1/24

For port 1/1/2 you need to adapt the portfilter list.

switch(config)# interface 1/1/2
switch(config-if)# portfilter 1/1/1,1/1/3-1/1/24

For port 1/1/3 it should look like this .

switch(config)# interface 1/1/3
switch(config-if)# portfilter 1/1/1-1/1/2,1/1/4-1/1/24

For port 1/1/4 etc

switch(config)# interface 1/1/4
switch(config-if)# portfilter 1/1/1-1/1/3,1/1/5-1/1/24

Another difference is that this applies at the port level and to all VLANs. It cannot be configured per VLAN.
SO this is how it should work for my understanding but I didn't have to chance to test this yet.

Usually you should use Private VLAN for such type of intra VLAN micro isolation in CX but PVLAN is not supported by Aruba 6000.



------------------------------
Emil Gogushev
------------------------------

Original Message:
Sent: Jan 07, 2022 06:27 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi Emil,

Thank you for the suggestion.
But do you think the "portfilter" can achieve the same goal of "port isolation", to isolated each ports in CX 6000 series to "see" each other except for the uplink port?


------------------------------
David Soleiman

Original Message:
Sent: Jan 07, 2022 03:18 AM
From: Emil Gogushev
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hello,

I think the only option on this platform is portfilter. Please have a look at Chapter 11 Port Filtering, page 150

https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/fundamentals_4100i-6000-6100.pdf

------------------------------
Emil Gogushev

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Hi Emil,

Thank you for the example.
I will ask my partner to try it.

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Original Message:
Sent: Jan 07, 2022 07:37 AM
From: Emil Gogushev
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hello David, 

It is a some kind of a different approach but I think you can achieve the same thing. The configuration logic is different and I think also a bit more complicated.
You need to go to every single port that should be isolated and manually add a portfilter. The portfilter specifies to which ports a frame entering at the isolated port cannot be forwarded.
So this means you need to have a portfilter with different port IDs for every port and you cannot apply the same config to all the ports with a single command. 

Here is how you block access from port 1/1/1 to all ports from 1/1/2 to 1/1/24. Ports above 1/1/24 which can be for example uplinks, like 1/1/25, 1/1/26 etc are not in this list and traffic will be forwarded out of this ports.

switch(config)# interface 1/1/1
switch(config-if)# portfilter 1/1/2-1/1/24

For port 1/1/2 you need to adapt the portfilter list.

switch(config)# interface 1/1/2
switch(config-if)# portfilter 1/1/1,1/1/3-1/1/24

For port 1/1/3 it should look like this .

switch(config)# interface 1/1/3
switch(config-if)# portfilter 1/1/1-1/1/2,1/1/4-1/1/24

For port 1/1/4 etc

switch(config)# interface 1/1/4
switch(config-if)# portfilter 1/1/1-1/1/3,1/1/5-1/1/24

Another difference is that this applies at the port level and to all VLANs. It cannot be configured per VLAN.
SO this is how it should work for my understanding but I didn't have to chance to test this yet.

Usually you should use Private VLAN for such type of intra VLAN micro isolation in CX but PVLAN is not supported by Aruba 6000.



------------------------------
Emil Gogushev

Original Message:
Sent: Jan 07, 2022 06:27 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi Emil,

Thank you for the suggestion.
But do you think the "portfilter" can achieve the same goal of "port isolation", to isolated each ports in CX 6000 series to "see" each other except for the uplink port?


------------------------------
David Soleiman

Original Message:
Sent: Jan 07, 2022 03:18 AM
From: Emil Gogushev
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hello,

I think the only option on this platform is portfilter. Please have a look at Chapter 11 Port Filtering, page 150

https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/fundamentals_4100i-6000-6100.pdf

------------------------------
Emil Gogushev

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

This port isolation behavior sounds like Private VLAN behavior to me.

This functionality was being introduced into AOS-CX with 10.08, although some platforms were not receiving the feature until 10.09.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Hi.

If you know a command in ArubaOS-Switching (AOS-S) and you find the CLI equal for ArubaOS-CX in this Guide
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c04793912

------------------------------
Tom Roholm
------------------------------

Original Message:
Sent: Jan 07, 2022 11:58 AM
From: Charlie Clemmer
Subject: How to do Port Isolation in Aruba CX 6000 switch?

This port isolation behavior sounds like Private VLAN behavior to me.

This functionality was being introduced into AOS-CX with 10.08, although some platforms were not receiving the feature until 10.09.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------

Sadly that list is not very complete at all and does not cover the ArubaOS commands.  One I use is
vlan vid isolate-list port-list

Which is nice and works on a vlan AND port basis as well as switch downlinks.  So you can just have your vlan isolation/guest/whatnot and include every port except the uplink.  Works if vlan is assigned untagged or tagged to a switch or changes dynamically.  Works with 8021.x anything.  Very simple and easy to implement (compared to the nightmare of a port-filter example above).
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8164_mrg/content/ch02s03.html

Problem I have is we have a very large arubaOS estate with aruba-CX core/dist.  So at the moment one area using that network can talk to another area on that same vlan.  So I want same thing for the core to stop this.  I have a number of vlans but no where near the same as number of ports being fed from the 8400X

The vlans are routed by a firewall so aruba-cx is only dealing at layer2 and only links with tagged vlans. 
So any solution needs to be vlan based not just port based.  

If anyone has a good way to achieve the isolate-list behaviour with Aruba-CX please let us know!

------------------------------
Chris Phillips
------------------------------

Original Message:
Sent: Jan 08, 2022 09:31 AM
From: Tom Roholm
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi.

If you know a command in ArubaOS-Switching (AOS-S) and you find the CLI equal for ArubaOS-CX in this Guide
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c04793912

------------------------------
Tom Roholm

Original Message:
Sent: Jan 07, 2022 11:58 AM
From: Charlie Clemmer
Subject: How to do Port Isolation in Aruba CX 6000 switch?

This port isolation behavior sounds like Private VLAN behavior to me.

This functionality was being introduced into AOS-CX with 10.08, although some platforms were not receiving the feature until 10.09.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 06, 2022 12:47 AM
From: David Soleiman
Subject: How to do Port Isolation in Aruba CX 6000 switch?

Hi All,

My customer need to know how to enable "port isolation" in Aruba CX 6000 switch.
They are a service provider that providing internet connection in a highrise residential. Each room will be provided one ethernet port connected to CX 6000 switches in every floor. Each user that using the ethernet port must not be able to see other user in different ethernet port. They can only see the uplink.
I believe in Aruba OS switch series we can use "isolation-list", but how to do this in CX switch?

Best Regards,
David

------------------------------
David Soleiman
------------------------------