Vlan setup for a multi tenant office

vbhoj74

Technical User
Apr 18, 2010
4
IN
Please excuse me if I'm in the wrong section, this is my 1st post. :)

Okay, I'm trying to configure an Extreme 450e and a couple of X150s for a multi tenant office which houses 5 separate companies. I've created vlan10 to vlan15 for these 5 offices, which should be isolated, i.e. no inter-vlan communication.
I've another vlan100 which has common shared equipment like printers which needs to be shared on all other vlans.

If I enable inter vlan routing by issuing "enable ipf" or selectively "enable ipf vlan10", "enable ipf vlan11".. etc, this enables inter vlan routing between my supposed to be isolated companies. What needs to be done so that all my vlans can see only vlan100 & their own vlan traffic and nothing else?

thanks.
 
vbhoj74,

What you are trying to accomplish is tricky, but possible using the model switches you have.

There are two ways you could do this.

Method 1: You could just leave IP Forwarding enabled and use Dynamic Access Control Lists to prevent vlan10 and vlan15 from reaching one another.

Method 2: (This is software version dependent - you'll need to have at least 12.2 on all the switches to do this) You can use Private VLANS. You'll want to download ExtremeXOS Software Guide version 12.2 here:
The Private VLAN feature is available on the following platforms:
Summit X150, X250e, X350, X450a, X450e, and X650 series switches
BlackDiamond 8800 a-series, c-series, and e-series modules
BlackDiamond 10808 Series
BlackDiamond 12800 Series

It's a little tricky when you trunk out between switches. Basically, for vlan10 and vlan15 you'll create them as Non-isolated subscriber VLANs. This means that hosts on VLAN10 can speak with hosts on VLAN10. Hosts on VLAN15 can speak with hosts on VLAN15, but hosts on VLAN10 CANNOT speak with hosts on VLAN15. However, both VLAN10 and VLAN15 will be able to communicate with vlan100, which is known as the "Network VLAN".

Here is basically how it works. Ports in non-isolated subscriber VLANs cannot communicate with ports in other non-isolated subscriber VLANs. However, ports within each non-isolated subscriber VLAN can communicate with one another. Lastly, all non-isolated VLANs can communicate with the Network VLAN. THIS IS EXACTLY WHAT YOU ARE LOOKING TO ACHIEVE IN YOUR CONFIGURATION. EXACTLY! But you need the appropriate version of software to do it. I think they introduced it beginning in ExtremeXOS 12.2.

There are examples on page 434 of the concepts guide listed for download above.

This should get you started.

Warm Regards,
ExtremeTek

Evil will always triumph, because good is dumb.
 
Thanks for the reply.

I've 12.3 running on all my switches and I've given a look at PVlans, but I did not give it a try because I was not sure of a few things:

1) I also had to set up Extreme wireless controllers and APs with the same network which should authenticate users and assign them their proper vlans from the built in radius server. I was not sure if the Wm3400 could talk to pvlans on the switch.

2) as per the documentation the network vlan was basically a method to trunk between switches and to host public routers available to all. I wanted to host the printers in another vlan, maybe another network vlan, but I was not sure if I could have multiple network vlans.

Lastly, since I had already configured the switches using normal vlans, changing the same to pvlan concept seemed a big task, the number of actual vlans in the production environment is around 35. So I'm presently getting my hands dirty with pol files to achieve this.
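
An added example, not part of the thread and not the posters' configuration: a Python sketch of the ACL approach (Method 1, and the pol files mentioned in the last post) that builds per-tenant ingress rules, renders them as policy entries, and audits every tenant pair for leaks before anything is loaded on a switch. The subnets, the three-tenant subset and the entry names are assumptions, since the thread gives only VLAN names.

```python
import ipaddress

# Constructed addressing plan (assumption): the thread names VLANs, not subnets.
TENANTS = {
    "vlan10": "10.0.10.0/24",
    "vlan11": "10.0.11.0/24",
    "vlan12": "10.0.12.0/24",
}
SHARED = "10.0.100.0/24"  # vlan100, the shared printers

def build_rules(vlan):
    """Ordered ingress rules for one tenant VLAN as (name, dst_cidr, action)."""
    rules = [("allow_shared", SHARED, "permit"),
             ("allow_own", TENANTS[vlan], "permit")]
    for other, cidr in TENANTS.items():
        if other != vlan:
            rules.append((f"deny_{other}", cidr, "deny"))
    return rules

def render_pol(vlan):
    """Render the rules as policy-file entries, one per rule, in order."""
    return "\n".join(
        f"entry {name} {{\n    if {{\n        destination-address {cidr};\n"
        f"    }} then {{\n        {action};\n    }}\n}}"
        for name, cidr, action in build_rules(vlan))

def decide(vlan, dst_ip):
    """First-match evaluation; None means no entry matched (not modelled)."""
    ip = ipaddress.ip_address(dst_ip)
    for _name, cidr, action in build_rules(vlan):
        if ip in ipaddress.ip_network(cidr):
            return action
    return None

def audit():
    """Return (vlan, dst_host, got) for every flow the rules get wrong."""
    bad = []
    for vlan in TENANTS:
        for name, cidr in {**TENANTS, "vlan100": SHARED}.items():
            host = str(next(ipaddress.ip_network(cidr).hosts()))
            want = "permit" if name in (vlan, "vlan100") else "deny"
            got = decide(vlan, host)
            if got != want:
                bad.append((vlan, host, got))
    return bad

if __name__ == "__main__":
    print(render_pol("vlan10"))
    print("violations:", audit())
```

Each rendered block is meant for a per-VLAN `.pol` file bound with `configure access-list <policy> vlan <vlan> ingress`. With around 35 VLANs, as in the last post, the audit matters more than the rendering, because one missing deny entry silently reopens a tenant pair.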
 