Port Isolation or VLAN
I have a scenario where a client is providing Internet access to the residents in an apartment complex. I have a T1600G-28TS switch in each building with a fiber link back to the main clubhouse IT room. In each building IT room, each apartment unit will be connected to the T1600G-28TS switch by an assigned port. There are 12 buildings and 250 apartment units. I need to set it up so that each apartment unit can see the Internet and only the Internet (firewall/router). They should not be able to see any device on any other switch. I also need to make sure they cannot see the interface of the switch they are connected to.
My final setup will be this:
Switch 1, port 1 ----- Apt 101 (same setup for all apartment units in each building)
Switch 1, port 25 ---- Switch 13, port 25
Switch 2, port 25 ---- Switch 13, port 26
Switch 3, port 25 ---- Switch 13, port 27
Switch 4, port 25 ---- Switch 13, port 28
Switch 5, port 25 ---- Switch 14, port 25
Switch 6, port 25 ---- Switch 14, port 26
Switch 7, port 25 ---- Switch 14, port 27
Switch 8, port 25 ---- Switch 14, port 28
Switch 9, port 25 ---- Switch 15, port 25
Switch 10, port 25 ---- Switch 15, port 26
Switch 11, port 25 ---- Switch 15, port 27
Switch 12, port 25 ---- Switch 15, port 28
Switch 13, port 23 ---- Switch 14, port 24
Switch 14, port 23 ---- Switch 15, port 24
Switch 15, port 23 ---- Switch 16, port 24
Switch 16, port 24 ---- Firewall/router
In order to work on this and figure it out, I broke it down to a more manageable test environment of just 3 switches and that looks like:
Switch 1, port 1 ----- my laptop (representing apartment unit)
Switch 1, port 23 ----- Switch 2, port 24
Switch 2, port 23 ----- Switch 3, port 24
Switch 3, port 24 ----- Firewall/router
I have tried port isolation, but had some difficulties. I understand the basics and have port 1 set as isolated and port 23 set as the forwarding port for port 1. With this setup, I can access my firewall as long as it is plugged in to port 23, which is what I expect. I cannot see the firewall in any other port. Good so far. When I put the 2nd switch into the picture, and move the firewall to any port on that switch, I can see the firewall. It is like the port isolation is dropped once it crosses switches. I am sure I am not configuring the ports between switches correctly.
I have also tried VLANs. I believe this to be the worst scenario of the two options as if I put each apartment unit on its own VLAN, there will be 250 VLANs just for units. That doesn't count any for admin use. In any case, I have set up the following in the VLAN.
VLAN 101 (ports 1, 23 and 24 all untagged)
VLAN 10 (ports 1 - 22 untagged and ports 23 and 24 tagged)
Any help would be greatly appreciated!!
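A small model of the two-switch test described above, added here as an example and not part of the original post. It assumes port isolation is a per-switch list of permitted egress ports for each ingress port, so a port with no list forwards to every other port. The switch names, the extra hosts `apt-102` and `apt-205`, and the `uplink_only` layout are constructed for illustration and are not switch configuration syntax.

```python
from collections import deque

PORTS = range(1, 29)  # 28 ports per switch, as on the T1600G-28TS

def delivered_to(src, hosts, links, forward):
    """Return the hosts that a frame flooded from `src` can be delivered to.

    hosts:   {(switch, port): name}
    links:   {(switch, port): (switch, port)}, listed in both directions
    forward: {(switch, ingress_port): set of permitted egress ports};
             a missing entry means "forward to every other port"
    """
    start = next(loc for loc, name in hosts.items() if name == src)
    seen, queue, reached = {start}, deque([start]), set()
    while queue:
        sw, ingress = queue.popleft()
        allowed = forward.get((sw, ingress), set(PORTS) - {ingress})
        for egress in allowed - {ingress}:
            loc = (sw, egress)
            if loc in hosts:
                reached.add(hosts[loc])
            elif loc in links and links[loc] not in seen:
                seen.add(links[loc])      # frame enters the neighbouring switch
                queue.append(links[loc])
    return reached

# Constructed two-switch reduction of the test bench.
LINKS = {("sw1", 23): ("sw2", 24), ("sw2", 24): ("sw1", 23)}
HOSTS = {("sw1", 1): "laptop", ("sw1", 2): "apt-102",
         ("sw2", 5): "apt-205", ("sw2", 23): "firewall"}

# As described in the post: only sw1 port 1 is isolated, forwarding to port 23.
AS_POSTED = {("sw1", 1): {23}}

def uplink_only(uplinks):
    """Assumed layout: every non-uplink port forwards only to its switch's uplink."""
    return {(sw, p): {up} for sw, up in uplinks.items() for p in PORTS if p != up}

HARDENED = uplink_only({"sw1": 23, "sw2": 23})

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("uplink-only", HARDENED)):
        print(label, sorted(delivered_to("laptop", HOSTS, LINKS, cfg)))
```

In the model, the frame from the laptop enters the second switch on port 24, which has no forwarding list in the posted setup, so that switch floods it to every port; giving the inter-switch port its own list removes that path.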