Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Port Isolation not working - Not blocking Broadcast

Unifi.JPG

 

The SFP ports are trunk ports trunking VLANs 50, 51, and 52. Isolation is turned on for all ports but the uplinks (51, 51 and 25). The problem is that isolation is working on the same switch, but it seems like as soon as the VLAN hits a trunk port where it goes to tagged, isolation no longer works.

For example, port 20 on switch 2 can talk to port 20 on switch 3 and switch 1, even though the only 3 ports without isolation are the uplinks (51, 51, and 25). (52 and 52 both have isolation turned on.)

Senior Member
Posts: 2,674
Registered: ‎04-21-2015
Kudos: 396
Solutions: 104

Re: Port Isolation not working - Vlans

Are you using the below logic:

 

Screenshot 2019-03-07 at 22.11.43.png

Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do, this is not always the same as what you want.
Veteran Member
Posts: 4,697
Registered: ‎10-13-2012
Kudos: 1280
Solutions: 208

Re: Port Isolation not working - Vlans

Which firmware are your switches on?

This is a topic for UniFi switching and routing (this here is WiFi centric).

 

General explanation of port isolation:

https://community.ubnt.com/t5/UniFi-Wireless/Client-isolation-vs-port-isolation-is-it-just-a-differe...

 

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

@Myky that is correct. Isolation seems to be working on a switch by itself, but from one switch to another it allows things to talk, even though they should not.

The only thing I can think of is that once a VLAN reaches a port when it is tagged, it is no longer isolating. (The VLAN is tagged on all uplink ports between switches.)

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

I am going to try to have the one vlan I need isolated to be untagged through the whole switch. Then tag the management vlan. I think the problem is the isolation is breaking on ports where the vlans are trunked. (Just a theory)

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

So before, I had it where through the trunk ports the management was untagged and the wired network (vlan51) was tagged. Isolation was not working on those ports. I changed it and moved management onto vlan52 and made it tagged through the trunk ports but made the wired network untagged through the trunk ports. This then fixed the isolation.

Is my understanding of isolation wrong? I thought ports that were isolated could not talk to each other regardless of VLANs or trunk status. UniFi appears to not work this way.

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

@ub40 my switches are on 4.0.21.9965 and I am running server 5.10.19.

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

Support thinks it may be an issue with the model. I am using UniFi Switch 48 and UniFi Switch 24. Isolation is working on my other setups using US-L2-48-POE.

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

Sorry to keep replying to myself, but I have done more testing and it looks like isolation is just not working at all.

Senior Member
Posts: 2,674
Registered: ‎04-21-2015
Kudos: 396
Solutions: 104

Re: Port Isolation not working - Vlans

Unfortunately I cannot verify this for you (I have only one switch). This is Meraki's port isolation logic; I would assume that Ubnt has a similar one:

 

323B2DEE-2865-4BD1-8B5D-C6AE006390ED.png

Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do, this is not always the same as what you want.
Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

So I have pulled the config off one of the switches. All ports are set to "switchport protected 0" except the uplinks, which is correct. But when a rogue DHCP server is plugged into port 20, I can still pull DHCP from it on port 47, which are supposed to be isolated from each other.

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

I have done more testing. Port isolation seems to be stopping devices from talking, but it does not stop DHCP from passing through the ports.

I have tested this by plugging a router into port 3 on a switch and a client into port 5. I turned isolation on both ports. The client pulls an IP address from the router but it cannot ping or get access through.

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

Have made a simple lab at my office.

 

Port Isolation on port 1 and 48

 

Router (192.168.0.254) plugged into port 1

Mikrotik pulling DHCP plugged into port 48

 

Mikrotik pulls 192.168.0.145 from router in port 1 but cannot ping it.

 

Attached is a screenshot showing the router plugged into port 48. The Config Dump of the switch shows port 1 and 48 are "switchport protected 0". I also attached a Visio drawing of the setup.

Setup.JPG

Test Mikrotik.PNG
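
A check for the symptom reported in the posts above, as an added example that is not part of the original thread: it parses a DHCP reply seen on an isolated port and flags it when the server identifier is not on an allowlist of servers that should be reachable through the uplink. The sample OFFER is constructed from the lab addresses in the post (192.168.0.254 offering 192.168.0.145); the allowlisted address 192.168.0.1 and all function names are assumptions.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options

def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields needed to attribute a DHCP reply to its server."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"op": payload[0], "yiaddr": socket.inet_ntoa(payload[16:20]),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated DHCP option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option")
        if code == 53 and length == 1:                 # DHCP message type
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:               # server identifier
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def leaked_reply(payload: bytes, allowed_servers: set):
    """Return the offending server IP if an OFFER/ACK comes from a server that
    should be unreachable from this port, else None."""
    info = parse_dhcp(payload)
    if info["op"] == 2 and info["msg_type"] in (2, 5):  # BOOTREPLY, OFFER or ACK
        server = info["server_id"] or "unknown"
        if server not in allowed_servers:
            return server
    return None

def build_offer(server: str, yiaddr: str) -> bytes:
    """Constructed sample DHCPOFFER (not the capture attached to the ticket)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)
    hdr += bytes(4) + socket.inet_aton(yiaddr) + socket.inet_aton(server) + bytes(4)
    hdr += bytes.fromhex("020000000001") + bytes(10) + bytes(192)  # chaddr, sname, file
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + socket.inet_aton(server) + b"\xff"

if __name__ == "__main__":
    offer = build_offer("192.168.0.254", "192.168.0.145")
    print(leaked_reply(offer, allowed_servers={"192.168.0.1"}))
```

Feed it the UDP payload of port 67/68 frames captured on the isolated client port; any non-None result means a DHCP reply crossed the isolation boundary.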

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

Tested with both mikrotik and edge X routers, with both a Mikrotik client and a laptop. Both allow for the client to pull dhcp.

 

 

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

@UBNT-MikeD is anyone available to look at ticket 1701250? I feel like I am not really getting anywhere. There is an issue not isolating broadcast. I have a packet capture that it won't let me upload. It is from port 48 pulling DHCP from an Edge Router X. It is attached to the ticket.

 

Thanks

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

@UBNT-DavidS @amishgenius told me to try to reach out to you. 

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

Ubiquiti Support is able to reproduce the issue. Waiting on a resolution update. 

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Vlans

I am told this will be addressed in a future update. 

Veteran Member
Posts: 4,697
Registered: ‎10-13-2012
Kudos: 1280
Solutions: 208

Re: Port Isolation not working - Vlans

I'd be surprised if it were to be addressed in the past. ;-) *scnr*.

 

Thanks for keeping us informed.

Member
Posts: 227
Registered: ‎03-22-2012
Kudos: 18
Solutions: 5

Re: Port Isolation not working - Not blocking Broadcast

I wanted to see if it was working at one point but broke during FW upgrades. I rolled back to 3.9.54 and 3.8.3. Rolling back, broadcast still makes it through the isolation.
