When configuring port isolation, go to these sections for information you are interested in:
- Port Isolation Overview
- Port Isolation Configuration
- Displaying and Maintaining Port Isolation Configuration
- Port Isolation Configuration Example
1.1 Port Isolation Overview
The port isolation feature lets you add the ports to be controlled to an isolation group, which isolates Layer 2 and Layer 3 traffic between the ports in that group. This lets you build your network more flexibly and improves network security.
Currently, you can create only one isolation group on an S5600 Series Ethernet switch. The number of Ethernet ports in an isolation group is not limited.
- An isolation group only isolates the member ports in it; traffic between a member port and a non-member port is not affected.
- Port isolation is independent of VLAN configuration.
1.2 Port Isolation Configuration
You can perform the following operations to add Ethernet ports to an isolation group, thus isolating Layer 2 and Layer 3 traffic among the ports in the isolation group.
Follow these steps to configure port isolation:
| To do ...                                    | Use the command ...                      | Remarks                                                  |
|----------------------------------------------|------------------------------------------|----------------------------------------------------------|
| Enter system view                            | system-view                              | —                                                        |
| Enter Ethernet port view                     | interface interface-type interface-number | —                                                       |
| Add the Ethernet port to the isolation group | port isolate                             | Required. By default, an isolation group contains no port. |
- When a member port of an aggregation group joins or leaves an isolation group, the other ports in the same aggregation group on the local unit join or leave the isolation group at the same time.
- For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports. That is, the remaining ports stay in both the aggregation group and the isolation group.
- Ports that belong to an aggregation group and an isolation group simultaneously remain isolated even when you remove the aggregation group in system view.
- Adding a port of an isolation group to an aggregation group causes all the ports in the aggregation group to be added to the isolation group.
- S5600 series Ethernet switches support cross-device port isolation if IRF fabric is enabled.
- For S5600 series Ethernet switches belonging to the same IRF fabric, the port isolation configuration performed on a port of a cross-device aggregation group cannot be synchronized to the other ports of the aggregation group if those ports reside on other units. That is, to add multiple ports of a cross-device aggregation group to the same isolation group, you need to perform the configuration on each of the ports individually.
1.3 Displaying and Maintaining Port Isolation Configuration
| To do ...                                                           | Use the command ...  | Remarks               |
|---------------------------------------------------------------------|----------------------|-----------------------|
| Display information about the Ethernet ports added to the isolation group | display isolate port | Available in any view |
1.4 Port Isolation Configuration Example
I. Network requirements
- PC 2, PC 3 and PC 4 are connected to ports GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4.
- The switch connects to the Internet through port GigabitEthernet1/0/1.
- It is desired that PC 2, PC 3 and PC 4 cannot communicate with each other.
II. Network diagram
Figure 1-1 Network diagram for port isolation configuration
III. Configuration procedure
# Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet1/0/2
[Sysname-GigabitEthernet1/0/2] port isolate
[Sysname-GigabitEthernet1/0/2] quit
[Sysname] interface GigabitEthernet1/0/3
[Sysname-GigabitEthernet1/0/3] port isolate
[Sysname-GigabitEthernet1/0/3] quit
[Sysname] interface GigabitEthernet1/0/4
[Sysname-GigabitEthernet1/0/4] port isolate
[Sysname-GigabitEthernet1/0/4] quit
[Sysname]
# Display the information about the ports in the isolation group.
<Sysname> display isolate port
Isolated port(s) on UNIT 1:
GigabitEthernet1/0/2, GigabitEthernet1/0/3, GigabitEthernet1/0/4
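The following added example (not part of the original manual) audits the isolation group against the requirements above: it parses the output of display isolate port, checks that every PC-facing port is a member and that the Internet uplink is not (an uplink placed in the group would be cut off from the isolated PCs, since the group isolates its members from each other), and lists the commands from the procedure above for any port still missing. The function names and the sample output are assumptions constructed for this example.

```python
"""Audit an S5600 isolation group from 'display isolate port' output (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the output shown in the configuration example above.
SAMPLE_OUTPUT = """\
Isolated port(s) on UNIT 1:
GigabitEthernet1/0/2, GigabitEthernet1/0/3,
GigabitEthernet1/0/4
"""

UNIT_RE = re.compile(r"Isolated port\(s\) on UNIT (\d+):")
PORT_RE = re.compile(r"[A-Za-z]+\d+/\d+/\d+")  # e.g. GigabitEthernet1/0/2


def parse_isolate_output(text: str) -> Dict[int, Set[str]]:
    """Return {unit number: set of isolated port names}; ports may wrap across lines."""
    result: Dict[int, Set[str]] = {}
    unit = None
    for line in text.splitlines():
        m = UNIT_RE.match(line.strip())
        if m:
            unit = int(m.group(1))
            result.setdefault(unit, set())
            continue
        if unit is not None:
            result[unit].update(PORT_RE.findall(line))
    return result


def audit_isolation(text: str, required: Set[str], uplinks: Set[str], unit: int = 1) -> dict:
    """Compare actual membership on one unit with the intended policy."""
    actual = parse_isolate_output(text).get(unit, set())
    missing = required - actual            # PC ports that can still talk to each other
    isolated_uplinks = uplinks & actual    # uplink wrongly isolated from the PCs
    return {
        "missing": sorted(missing),
        "isolated_uplinks": sorted(isolated_uplinks),
        "ok": not missing and not isolated_uplinks,
    }


def remediation_commands(missing: List[str]) -> List[str]:
    """Commands from the configuration procedure above for each port still missing."""
    cmds = ["system-view"]
    for port in missing:
        cmds += [f"interface {port}", "port isolate", "quit"]
    return cmds
```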