H3C Access Controllers Configuration Guides(E5208P03 E5215P01 R5215P01)-6W102

04-Layer 2 - LAN Switching

09-Port isolation configuration

Configuring port isolation

The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.

Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group.

Feature and hardware compatibility

| Hardware series | Model | Port isolation compatibility |
|---|---|---|
| WX1800H series | WX1804H, WX1810H, WX1820H | No |
| WX2500H series | WX2510H, WX2540H, WX2560H | No |
| WX3000H series | WX3010H, WX3010H-X, WX3024H, WX3010H-L, WX3024H-L | Yes: WX3010H, WX3010H-X, WX3024H. No: WX3010H-L, WX3024H-L |
| WX3500H series | WX3508H, WX3510H, WX3520H, WX3540H | No |
| WX5500E series | WX5510E, WX5540E | No |
| WX5500H series | WX5540H, WX5560H, WX5580H | No |
| Access controller modules | EWPXM1MAC0F, EWPXM1WCME0, EWPXM2WCMD0F, LSQM1WCMX20, LSQM1WCMX40, LSUM1WCME0, LSUM1WCMX20RT, LSUM1WCMX40RT | No |

Assigning a port to the isolation group

The device supports only one isolation group that is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device. The number of ports assigned to the isolation group is not limited.

To assign a port to the isolation group:

 

| Step | Command | Remarks |
|---|---|---|
| 1.     Enter system view. | system-view | N/A |
| 2.     Enter interface view. | Enter Layer 2 Ethernet interface view: interface interface-type interface-number. Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number | The configuration in Layer 2 Ethernet interface view applies only to the interface. The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group. |
| 3.     Assign the port to the isolation group. | port-isolate enable | By default, the port is not in the isolation group. |

 

Displaying and maintaining port isolation

Execute display commands in any view.

 

| Task | Command |
|---|---|
| Display port isolation group information. | display port-isolate group |

 

Port isolation configuration example

Network requirements

As shown in Figure 1:

·     AP1, AP2, and AP3 are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the AC, respectively.

·     The AC connects to the Internet through GigabitEthernet 1/0/4.

Configure the AC to provide Internet access for all the APs, and isolate them from one another.

Figure 1 Network diagram

 

Configuration procedure

# Assign ports GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 to the isolation group.

<AC> system-view
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port-isolate enable
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port-isolate enable
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port-isolate enable
[AC-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about the isolation group.

[AC] display port-isolate group
 Port isolation group information:
 Group ID: 1
 Group members:
    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3

The output shows that ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are assigned to the isolation group. As a result, AP1, AP2, and AP3 are isolated from one another at Layer 2.
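
The verification step above can be automated. The following Python check is an added example, not part of the H3C guide: it parses the display port-isolate group output shown on this page and compares it with the intended design, reporting an AP-facing port that was left out of the isolation group or an uplink that was placed in it by mistake. The function names, the port lists, and the interface-name pattern are assumptions of this example.

```python
import re

# Constructed sample: the "display port-isolate group" output shown on this page.
SAMPLE_OUTPUT = """\
 Port isolation group information:
 Group ID: 1
 Group members:
    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3
"""

# Assumed interface-name shape: letters (and hyphens) followed by numbers,
# for example GigabitEthernet1/0/1 or Bridge-Aggregation1.
PORT_RE = re.compile(r"[A-Za-z][A-Za-z-]*\d+(?:/\d+)*")


def parse_isolation_group(output):
    """Return the set of ports listed from the 'Group members:' line onward."""
    members, in_members = set(), False
    for line in output.splitlines():
        if line.strip().startswith("Group members:"):
            in_members = True
            line = line.split(":", 1)[1]
        if in_members:
            members.update(PORT_RE.findall(line))
    return members


def can_communicate(port_a, port_b, members):
    """Layer 2 rule from the page: only member-to-member traffic is blocked."""
    return not (port_a in members and port_b in members)


def audit(output, must_isolate, must_not_isolate):
    """Compare the device's isolation group with the intended design."""
    members = parse_isolation_group(output)
    return {
        # Ports that can still reach their peers at Layer 2.
        "not_isolated": sorted(set(must_isolate) - members),
        # Ports (such as the uplink) that isolated ports can no longer reach.
        "wrongly_isolated": sorted(set(must_not_isolate) & members),
        # Members the design does not mention at all.
        "unexpected": sorted(members - set(must_isolate) - set(must_not_isolate)),
    }


if __name__ == "__main__":
    ap_ports = [f"GigabitEthernet1/0/{n}" for n in (1, 2, 3)]  # AP1 to AP3
    uplink = ["GigabitEthernet1/0/4"]                          # Internet-facing port
    print(audit(SAMPLE_OUTPUT, ap_ports, uplink))
```

An empty list under every key means the isolation group matches the design in the configuration example.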