At our ISP we use Huawei S5300 switches, and we want to upgrade our setup to accomplish the following:
- Place a number of different customers/users in the same VLAN.
- Assign one static public IP address per client/customer and prevent them from using another IP address from the same subnet.
- Isolate each client/interface in the same VLAN, effectively treating them as if they were in different VLANs. The goal is to prevent broadcast-based network auto-discovery protocols that can locate all hosts in the same broadcast domain.
The idea is to: a) save IP addresses, since if we put each client in a separate VLAN we "lose" at least 3 IPs, and b) avoid using MUX VLAN (Private VLAN in Cisco terms) due to configuration complexity.
We are stuck at point 3. If customers terminate the public IP on a server, then for instance Customer A can see the servers of Customers B, C and D in the Windows network folder. Here is a sample configuration for clients connected to interfaces 0/0/3 and 0/0/4. As we learned from the net, the command "port-isolate enable group 1" may do the trick, but for us it had no effect.
interface Vlanif2 (the subnet is based on public IP addresses)
 ip address X.X.X.X 255.255.255.0
#
..
#
user-bind static ip-address X.X.X.19 interface GigabitEthernet0/0/3
user-bind static ip-address X.X.X.20 interface GigabitEthernet0/0/4
#
..
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2
 port-isolate enable group 1
 arp anti-attack check user-bind enable
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 2
 port-isolate enable group 1
 arp anti-attack check user-bind enable
Thanks in advance.
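The following is an added configuration example for the setup the post describes; it is not the poster's configuration and it does not claim to explain why port isolation had no effect in their case. It assumes an S5300 running a VRP release that supports the system-view command "port-isolate mode" (port isolation is Layer 2 only by default) and IP source guard ("ip source check user-bind enable"). The IP addresses are the post's own placeholders. Two points a practitioner would want next to the original: "arp anti-attack check user-bind enable" only filters ARP packets, so on its own it does not drop IP packets a customer sends with a spoofed source address from the same subnet, while IP source guard checks IP packets against the same static bindings; and port isolation works between switch ports, so two customers attached behind one intermediate switch on a single port are not isolated from each other by this feature.

```text
#
# Added example, not from the original post. Assumed commands: "port-isolate mode"
# (system view) and "ip source check user-bind enable" (interface view).
#
# Isolate both Layer 2 and Layer 3 forwarding between ports of the same group.
# The default mode, l2, isolates Layer 2 frames only.
port-isolate mode all
#
interface Vlanif2
 ip address X.X.X.X 255.255.255.0
#
# One static IP-to-port binding per customer (placeholder addresses from the post).
user-bind static ip-address X.X.X.19 interface GigabitEthernet0/0/3
user-bind static ip-address X.X.X.20 interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2
 port-isolate enable group 1
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 2
 port-isolate enable group 1
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
# Verify that both customer ports are actually members of the isolation group.
display port-isolate group 1
```

After applying this, the first thing to check is the output of "display port-isolate group 1": if only one of the two customer ports is listed, or the two customers are reached through the same physical port, port isolation cannot separate them regardless of mode.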
