Consider feature "protected/isolated ports"
Consider this feature; it possibly needs considerable HDL changes. In any case, a contribution from the interested party (GSI) is essential if this feature requires substantial development effort.
---------- Forwarded message ---------
From: Christoph Handel c.handel@gsi.de
Date: Mon, 6 Jan 2020 at 11:08
Subject: Re: GSI WR Network 2.1
To: Dietrich Beck d.beck@gsi.de
To prevent end devices from cross-talking with each other, could the White Rabbit switches learn to use protected/isolated ports?
That would be a "normal" switch configuration/feature. A minimal implementation without security groups would be sufficient.
For example: Cisco
For H3C/HH3C/HPE Comware
Communication for protected (P) and unprotected (U) ports:
  P to P => denied
  P to U => allowed
  U to P => allowed
Configure all end node ports (that would be an SCU at GSI) as protected, all upstream ports as unprotected, and all servers as unprotected.
    --- switch1 ---
     P      P      U
     |      |      |
     U    SCU1   Server
    --- switch2 ---
     P      P      P
     |      |      |
    SCU2   SCU3   SCU4
SCU2 to SCU3 => denied (same switch both ports protected)
SCU2 to SCU1 => denied (up to switch1, but inside switch1 both ports are protected)
SCU2 to Server => allowed (up to switch1, server is on an unprotected port)
Server to SCU1 => allowed (same switch, source port is unprotected)
Server to SCU2 => allowed (down to switch2, coming in from unprotected port, can reach any other port)
Restriction: servers should be at/near the top level of the tree; they can only talk to devices lower in the tree, because uplinks must always end in a protected port higher up. Or a switch must be a dedicated server switch without protected devices.
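The forwarding rule and the two-switch tree from the message above, as an added example that is not code from the White Rabbit switch project or from the e-mail. It applies the one rule the feature adds (two protected ports on the same switch never exchange frames) hop by hop along the tree and reproduces the five cases listed. Port names (p0..p4) and the extra host Server2 hanging off an unprotected port of switch2 are assumptions made for the illustration; Server2 is there to show the placement restriction: a server below a protected downlink cannot reach protected devices on the switch above it.

```python
"""Model of protected/isolated port forwarding across a tree of switches.

Added example; not code from the White Rabbit switch project. Topology and
rule set follow the e-mail; port names and Server2 are assumptions.
"""
from collections import deque

PROTECTED, UNPROTECTED = "P", "U"


def frame_allowed(ingress_mode, egress_mode):
    """Per-switch rule: P->P denied, P->U / U->P / U->U allowed."""
    return not (ingress_mode == PROTECTED and egress_mode == PROTECTED)


class Network:
    def __init__(self):
        self.ports = {}   # (switch, port) -> "P" or "U"
        self.links = {}   # (switch, port) -> (peer switch, peer port)
        self.hosts = {}   # host -> (switch, port)

    def port(self, switch, name, mode):
        self.ports[(switch, name)] = mode

    def link(self, a, b):
        # Switch-to-switch cable, bidirectional.
        self.links[a] = b
        self.links[b] = a

    def attach(self, host, switch, name):
        self.hosts[host] = (switch, name)

    def can_reach(self, src, dst):
        """Follow a frame from src; at every switch it may only leave through
        ports that frame_allowed() permits relative to its ingress port."""
        if src == dst or src not in self.hosts or dst not in self.hosts:
            return False
        queue = deque([self.hosts[src]])      # (switch, ingress port)
        seen = set()
        while queue:
            switch, ingress = queue.popleft()
            if (switch, ingress) in seen:
                continue
            seen.add((switch, ingress))
            ingress_mode = self.ports[(switch, ingress)]
            for (sw, egress), egress_mode in self.ports.items():
                if sw != switch or egress == ingress:
                    continue
                if not frame_allowed(ingress_mode, egress_mode):
                    continue
                if self.hosts[dst] == (switch, egress):
                    return True
                peer = self.links.get((switch, egress))
                if peer is not None:
                    queue.append(peer)       # enter the next switch on its port
        return False


def gsi_example():
    """The two-switch tree from the e-mail plus a hypothetical Server2."""
    net = Network()
    net.port("switch1", "p1", PROTECTED)     # downlink to switch2
    net.port("switch1", "p2", PROTECTED)     # SCU1
    net.port("switch1", "p3", UNPROTECTED)   # Server
    net.port("switch2", "p0", UNPROTECTED)   # uplink to switch1
    net.port("switch2", "p1", PROTECTED)     # SCU2
    net.port("switch2", "p2", PROTECTED)     # SCU3
    net.port("switch2", "p3", PROTECTED)     # SCU4
    net.port("switch2", "p4", UNPROTECTED)   # Server2 (assumed, not in the e-mail)
    net.link(("switch1", "p1"), ("switch2", "p0"))
    net.attach("SCU1", "switch1", "p2")
    net.attach("Server", "switch1", "p3")
    net.attach("SCU2", "switch2", "p1")
    net.attach("SCU3", "switch2", "p2")
    net.attach("SCU4", "switch2", "p3")
    net.attach("Server2", "switch2", "p4")
    return net


if __name__ == "__main__":
    net = gsi_example()
    for pair in [("SCU2", "SCU3"), ("SCU2", "SCU1"), ("SCU2", "Server"),
                 ("Server", "SCU1"), ("Server", "SCU2"),
                 ("Server2", "SCU1"), ("SCU1", "Server2"), ("Server2", "SCU2")]:
        print(f"{pair[0]:>7} to {pair[1]:<7} => "
              f"{'allowed' if net.can_reach(*pair) else 'denied'}")
```

Server2 reaches SCU2 (same switch, unprotected source port) but not SCU1: its frame climbs the uplink, enters switch1 on the protected downlink p1, and is then blocked toward the protected SCU1 port. That is exactly why the message says servers belong at the top of the tree or on a dedicated server switch.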