Table of Contents

1 Port Isolation Configuration· 1-1

Introduction to Port Isolation· 1-1

Configuring the Isolation Group· 1-2

Assigning a Port to the Isolation Group· 1-2

Specifying the Uplink Port for the Isolation Group· 1-2

Displaying and Maintaining Isolation Groups· 1-3

Port Isolation Configuration Example· 1-3

 

When configuring port isolation, go to these sections for information you are interested in:

l          Introduction to Port Isolation

l          Configuring the Isolation Group

l          Displaying and Maintaining Isolation Groups

l          Port Isolation Configuration Example

Introduction to Port Isolation

Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security.

Currently:

l          S3610&S5510 series Ethernet switches support only one isolation group that is created automatically by the system as isolation group 1. You can neither remove the isolation group nor create other isolation groups on such devices.

l          There is no restriction on the number of ports assigned to an isolation group.

 

 

Usually, Layer 2 traffic cannot be forwarded between ports in different VLANs. However, the Layer-2 traffic from an isolated port can pass through the uplink port in the same isolation group unidirectionally even if they belong to different VLANs.

Within the same VLAN, the supported Layer 2 data transmission between different types of ports is shown in Figure 1-1.

Figure 1-1 Layer 2 traffic forwarding for an isolation group (with an uplink port)

 

 

Configuring the Isolation Group

Assigning a Port to the Isolation Group

Follow these steps to add a port to the isolation group:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Enter interface view or, port group view	Enter Layer 2 Ethernet port view	interface interface-type interface-number	Required Use one of the commands. l      In Layer 2 Ethernet port view, the subsequent configurations apply to the current port. l      In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports. l      In port group view, the subsequent configurations apply to all ports in the port group.
	Enter Layer-2 aggregate interface view	interface bridge-aggregation interface-number
	Enter port group view	port-group manual port-group-name
Assign the port or ports to the isolation group as an isolated port or ports		port-isolate enable	Required No ports are added to the isolation group by default.

 

Specifying the Uplink Port for the Isolation Group

Follow these steps to specify the uplink port for the isolation group:

To do…	Use the command…		Remarks
Enter system view	system-view		—
Enter Ethernet or Layer-2 aggregate interface view	Enter Layer 2 Ethernet port view	interface interface-type interface-number	Required Use either command. l      In Layer 2 Ethernet port view, the subsequent configurations apply to the current port l      In Layer-2 aggregate interface view, only the Layer-2 aggregate interface is configured as the uplink port of the isolation group. You can configure the member ports of the aggregation group corresponding to the Layer-2 aggregate interface as isolated ports of the isolation group. Thus configured, these ports are set to the unselected state in the aggregation group, that is, these ports cannot forward user traffic.
	Enter Layer-2 aggregate interface view	interface bridge-aggregation interface-number
Configure the current port as the uplink port of the isolation group	port-isolate uplink-port		Required An isolation group has no uplink port by default.

 

 

Displaying and Maintaining Isolation Groups

To do…	Use the command…	Remarks
Display the isolation group information on a single-isolation-group device	display port-isolate group	Available in any view

 

Port Isolation Configuration Example

Network requirements

l          Users Host A, Host B, and Host C are connected to Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 of Device.

l          Device is connected to the Internet through Ethernet 1/0/4.

l          Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 belong to VLAN 2 and Ethernet 1/0/1 carries VLAN 2.

It is required that Host A, Host B, and Host C can access the Internet while being isolated from one another.

Figure 1-2 Networking diagram for port isolation configuration

 

Configuration procedure

# Add ports Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 to the isolation group.

<Device> system-view

[Device] interface ethernet 1/0/1

[Device-Ethernet1/0/1] port-isolate enable

[Device-Ethernet1/0/1] quit

[Device] interface ethernet 1/0/2

[Device-Ethernet1/0/2] port-isolate enable

[Device-Ethernet1/0/2] quit

[Device] interface ethernet 1/0/3

[Device-Ethernet1/0/3] port-isolate enable

# Configure port Ethernet 1/0/4 as the uplink port of the isolation group.

[Device-Ethernet1/0/3] quit

[Device] interface ethernet 1/0/4

[Device-Ethernet1/0/4] port-isolate uplink-port

[Device-Ethernet1/0/4] return

# Display the information about the isolation group.

<Device> display port-isolate group

 Port-isolate group information:

 Uplink port support: YES

 Group ID: 1

 Uplink port: Ethernet1/0/4

 Group members:

    Ethernet1/0/1     Ethernet1/0/2     Ethernet1/0/3