Discussion:
Switch B3 - VLANs
Johannsb
2014-09-10 17:10:11 UTC
Hello guys,

I have two Enterasys switches and four computers as below:

switch 1 - Enterasys B3 with:

Computer A in port ge.1.1
Computer B in port ge.1.2

switch 2 - Enterasys B3 with:

Computer C in port ge.1.1
Computer D in port ge.1.2

The two switches are linked by port ge.1.48.

All computers are in the same network 10.0.0.X/255.255.255.0.

I need this result:

Among Computer A, B and D: communication is permitted

Between Computer A and C: communication is permitted too

But among Computer B, C and D: no communication is permitted

In other words:

If on machine A I type "ping 10.0.0.A" or "ping 10.0.0.B" or "ping 10.0.0.D" or "ping 10.0.0.C", the result must be an answer

If on machine A or B or D, I type "ping 10.0.0.C", the result must be no answer

If on machine C I type "ping 10.0.0.A", the result must be an answer

If on machine C I type "ping 10.0.0.B" or "ping 10.0.0.D", the result must be no answer

The question:

I tried to create a VLAN for machines A, B and D and another for C, but the result isn't the above.

What do I have to type on each switch to achieve the objective?

Thanks,

Rogerio

Payne, Jimmy R.
2014-09-10 17:28:48 UTC
Do you have policy manager? Since the network is in one subnet, you obviously cannot use ACLs. I suppose you could type the policy commands at the CLI (if the IP addresses are statically assigned and not subject to change) or you could use a software firewall on the machines.

Jimmy Payne
Information Systems and Technology Department
Network Manager
770-205-4558

James Andrewartha
2014-09-11 01:33:26 UTC
If it was just on one switch, you might be able to use protected ports,
however it doesn't work across multiple switches:

"Ports that are configured to be protected cannot forward traffic to
other protected ports in the same group, regardless of having the same
VLAN membership. However, protected ports can forward traffic to ports
which are unprotected (not listed in any group). Protected ports can
also forward traffic to protected ports in a different group, if they
are in the same VLAN. Unprotected ports can forward traffic to both
protected and unprotected ports. A port may belong to only one
group of protected ports.

This feature only applies to ports within a switch or a stack. It does
not apply across multiple switches in a network."

Because of this, policy is probably your best bet, however buying policy
licenses for B3s is quite hard these days.

You could maybe also experiment with having multiple untagged egress
VLANs, but that's probably not going to work without policy anyway.
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Flemmig Dennis
2014-09-11 04:43:17 UTC
Hi Rogerio,

If I understand that correctly, you want that:
- A can talk to B,C,D.
- B not to C
- C not to D
- B not to D

The Enterasys B3 unfortunately does not support private VLANs, but you can play around with the ingress and egress VLANs to create a kind of pseudo private VLAN.
Something like this may work for you:

Port of Host A :
set port vlan ge.1.1 100 mod
set vlan egress 101 ge.1.1 un
set vlan egress 102 ge.1.1 un
set vlan egress 103 ge.1.1 un

Port of Host B :
set port vlan ge.1.2 101 mod
set vlan egress 100 ge.1.2 untagged

Port of Host C :
set port vlan ge.1.1 102 mod
set vlan egress 100 ge.1.1 untagged

Port of Host D :
set port vlan ge.1.2 103 mod
set vlan egress 100 ge.1.2 untagged

Uplink ports :
set vlan egress 100 ge.1.48 tagged
set vlan egress 101 ge.1.48 tagged
set vlan egress 102 ge.1.48 tagged
set vlan egress 103 ge.1.48 tagged


HTH and kind regards
Dennis



Best regards

Dennis Flemmig (Dipl.-Ing.)
Senior System Engineer

CANCOM DIDAS GmbH
Elisabeth-Selbert-Str. 4a
40764 Langenfeld
Germany

Phone +49 2173 5966-470
Fax +49 2173 5966-610
Mobile +49 172 5219729
www.cancom-didas.de



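
Added example, not part of the post above and not vendor code: a small Python model of the ingress-PVID / egress-list forwarding that the suggested configuration relies on, used to work out which host pairs end up able to ping each other. The names sw1/sw2, the function names, and the simplifications (no MAC learning, no ingress filtering) are assumptions of this example.

```python
# Added illustration: a small 802.1Q forwarding model, not vendor code.
# Assumptions: frames enter untagged and take the ingress port's PVID; a frame
# may leave only on ports in that VLAN's egress list; MAC learning and
# ingress filtering are ignored.
UPLINK = "ge.1.48"

# host -> (switch, port, PVID), transcribed from the commands in the post.
HOSTS = {
    "A": ("sw1", "ge.1.1", 100),
    "B": ("sw1", "ge.1.2", 101),
    "C": ("sw2", "ge.1.1", 102),
    "D": ("sw2", "ge.1.2", 103),
}

# (switch, VLAN) -> egress ports. Assumed reading of "set port vlan ... mod":
# the port also joins its own PVID's egress list, as the "show vlan" output
# later in the thread suggests. The uplink carries all four VLANs tagged.
EGRESS = {
    ("sw1", 100): {"ge.1.1", "ge.1.2", UPLINK},
    ("sw1", 101): {"ge.1.1", "ge.1.2", UPLINK},
    ("sw1", 102): {"ge.1.1", UPLINK},
    ("sw1", 103): {"ge.1.1", UPLINK},
    ("sw2", 100): {"ge.1.1", "ge.1.2", UPLINK},
    ("sw2", 101): {UPLINK},
    ("sw2", 102): {"ge.1.1", UPLINK},
    ("sw2", 103): {"ge.1.2", UPLINK},
}

def delivers(src, dst, egress=EGRESS):
    """True if a frame sent by src can leave on dst's access port."""
    s_sw, _, vlan = HOSTS[src]
    d_sw, d_port, _ = HOSTS[dst]
    if s_sw != d_sw and UPLINK not in egress.get((s_sw, vlan), set()):
        return False  # VLAN is not carried over the inter-switch link
    return d_port in egress.get((d_sw, vlan), set())

def can_ping(a, b, egress=EGRESS):
    """Ping needs both directions: request in a's PVID, reply in b's PVID."""
    return delivers(a, b, egress) and delivers(b, a, egress)

def allowed_pairs(egress=EGRESS):
    """All unordered host pairs that can exchange ping under this config."""
    names = sorted(HOSTS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if can_ping(a, b, egress)]

if __name__ == "__main__":
    print(allowed_pairs())
```

Passing a modified egress table to `can_ping` shows the one-way failure mode: if A's port is missing from VLAN 102's egress list, A's request still reaches C but the reply is never delivered.
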
Rogerio
2014-09-11 13:26:37 UTC
Hi Dennis,

I have tried your solution, but there is a problem.

I eliminated host D and changed the port numbers and VLAN IDs, then I typed the commands below:

Port of Host A (switch 1 ge.1.7):
set port vlan ge.1.7 1 mod
set vlan egress 101 ge.1.7 untagged
set vlan egress 102 ge.1.7 untagged

Port of Host B (switch 1 ge.1.10):
set port vlan ge.1.10 101 mod
set vlan egress 1 ge.1.10 untagged

Port of Host C (switch 2 ge.1.24):
set port vlan ge.1.24 102 mod
set vlan egress 1 ge.1.24 untagged


Uplink ports (ge.1.48 on both switches):
set vlan egress 1 ge.1.48 tagged
set vlan egress 101 ge.1.48 tagged
set vlan egress 102 ge.1.48 tagged


After this configuration, if on host A I do a ping to B, I get an answer, which is right, but if I do a ping to host C, I get no answer, which is undesirable. What is wrong?


The "show vlan" output of switches 1 and 2 follows.


Switch_1(su)->show vlan

VLAN: 1 NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
ge.1.1, ge.1.3-10, ge.1.13-15, ge.1.19-26, ge.1.28, ge.1.30, ge.1.32-34, ge.1.36-39, ge.1.45-48
Forbidden Egress Ports
None.
Untagged ports
ge.1.1, ge.1.3-10, ge.1.13-15, ge.1.19-26, ge.1.28, ge.1.30, ge.1.32-34, ge.1.36-39, ge.1.45-47

VLAN: 101 NAME:
VLAN Type: Permanent
Egress Ports
ge.1.7, ge.1.10
Forbidden Egress Ports
None.
Untagged ports
ge.1.7, ge.1.10

VLAN: 102 NAME:
VLAN Type: Permanent
Egress Ports
ge.1.7
Forbidden Egress Ports
None.
Untagged ports
ge.1.7



Switch_2(su)->show vlan

VLAN: 1 NAME: DEFAULT VLAN
VLAN Type: Default
Egress Ports
ge.1.3-4, ge.1.6-9, ge.1.11, ge.1.13-22, ge.1.24-26, ge.1.35-36, ge.1.38, ge.1.48
Forbidden Egress Ports
None.
Untagged ports
ge.1.3-4, ge.1.6-9, ge.1.11, ge.1.13-22, ge.1.24-26, ge.1.35-36, ge.1.38

VLAN: 101 NAME:
VLAN Type: Permanent
Egress Ports
ge.1.48
Forbidden Egress Ports
None.
Untagged ports
None.

VLAN: 102 NAME:
VLAN Type: Permanent
Egress Ports
ge.1.24, ge.1.48
Forbidden Egress Ports
None.
Untagged ports
ge.1.24


Thanks,
Rogerio



Rogerio
2014-09-11 13:54:31 UTC
Hi Jimmy,

You said "I suppose you could type the policy commands at the CLI (if the IP addresses are statically assigned and not subject to change)".

The IP addresses are not subject to change and, for simplification, I eliminated host D from the network.

What policy commands must I type at the CLI to get the desired result?

Thanks,
Rogerio
Rogerio
2014-09-12 11:56:46 UTC
Hi,

The problem was solved.

The switch configuration is right. The problem was in the interface of host C. I have corrected it and now all is OK.

Thank you.

Rogerio