Table of Contents

Chapter 1 Port Isolation Configuration. 1-1

1.1 Introduction to Port Isolation. 1-1

1.2 Configuring an Isolation Group. 1-3

1.2.1 Assigning Ports to an Isolation Group. 1-3

1.2.2 Configuring the Uplink Port of an Isolation Group. 1-4

1.3 Displaying and Maintaining Isolation Groups. 1-4

1.4 Port Isolation Configuration Example. 1-5

1.4.1 Networking Requirements. 1-5

1.4.2 Networking Diagram.. 1-5

1.4.3 Configuration procedure. 1-5

 

Chapter 1  Port Isolation Configuration

When configuring port isolation, go to these sections for information you are interested in:

l           Introduction to Port Isolation

l           Configuring an Isolation Group

l           Displaying and Maintaining Isolation Groups

l           Port Isolation Configuration Example

1.1  Introduction to Port Isolation

Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security.

The idea is to isolate ports in the same VLAN by assigning them to a port isolation group. For the isolated ports to communicate with a port outside isolation groups at Layer 2, you are allowed to configure one uplink port for an isolation group. Layer-2 traffic of all the isolated ports can pass through the uplink port. In addition, to forward traffic from the uplink port to an isolated port, you must ensure that the uplink port carries the VLAN to which the isolated port belongs.

At present, the S9500 series switches support a maximum of 64 isolation groups and the number of ports you can assign to an isolation group is not limited.

 

 

For ports belonging to different VLANs, Layer 2 traffic can pass from an isolated port to the uplink port in the same isolation group unidirectionally but not in any other cases, as shown in Figure 1-1.

Figure 1-1 Layer-2 communication between ports in different VLANs when port isolation is used

For ports belonging to the same VLAN, Layer 2 communication is carried out as shown in Figure 1-2:

Figure 1-2 Layer-2 communication in the same VLAN when port isolation is used

 

 

1.2  Configuring an Isolation Group

1.2.1  Assigning Ports to an Isolation Group

Follow these steps to assign a port or a group of ports to an isolation group:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Create an isolation group		port-isolate group group-number	Required
Enter Ethernet interface view or port group view	Enter Ethernet interface view	interface interface-type interface-number	To assign a port to the isolation group, enter Ethernet interface view; to assign multiple ports to the isolation group, enter port group view.
	Enter port group view	port-group { manual port-group-name | aggregation agg-id }
Assign the port(s) to the isolation group		port-isolate enable group group-number	Required No ports are assigned to an isolation group by default.

 

1.2.2  Configuring the Uplink Port of an Isolation Group

Follow these steps to configure the uplink port of an isolation group:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enter Ethernet interface view	interface interface-type interface-number	—
Configure the current port as the uplink port of the isolation group	port-isolate uplink-port group group-number	Required An isolation group has no uplink port by default.

 

 

1.3  Displaying and Maintaining Isolation Groups

To do…	Use the command…	Remarks
Display information about isolation groups	display port-isolate group [ group-number ]	Available in any view

 

1.4  Port Isolation Configuration Example

1.4.1  Networking Requirements

l           Users Host A, Host B, and Host C are connected to Ethernet 1/1/2, Ethernet 1/1/3, and Ethernet 1/1/4 of the switch.

l           The switch provides access to the Internet through Ethernet 1/1/1.

l           Ethernet 1/1/2, Ethernet 1/1/3, and Ethernet 1/1/4 belong to VLAN 2 and Ethernet 1/1/1 carries VLAN 2.

It is required that Host A, Host B, and Host C can access the Internet while being isolated from one another at Layer 2.

1.4.2  Networking Diagram

Figure 1-3 Networking diagram for port isolation configuration

1.4.3  Configuration procedure

# Create a VLAN and assign ports to this VLAN.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] port ethernet 1/1/1 to ethernet 1/1/4

[Sysname-vlan2] quit

# Create isolation group 2.

[Sysname] port-isolate group 2

# Assign Ethernet 1/1/2, Ethernet 1/1/3, and Ethernet 1/1/4 to isolation group 2 as isolated ports.

[Sysname] interface ethernet 1/1/2

[Sysname-Ethernet1/1/2] port-isolate enable group 2

[Sysname-Ethernet1/1/2] interface ethernet 1/1/3

[Sysname-Ethernet1/1/3] port-isolate enable group 2

[Sysname-Ethernet1/1/3] interface ethernet 1/1/4

[Sysname-Ethernet1/1/4] port-isolate enable group 2

# Configure port Ethernet1/1/1 as the uplink port of isolation group 2.

[Sysname-Ethernet1/1/4] interface ethernet 1/1/1

[Sysname-Ethernet1/1/1] port-isolate uplink-port group 2

[Sysname-Ethernet1/1/1] return

# Display the information of isolation group 2.

<Sysname> display port-isolate group 2

Port-isolate group information:

Uplink port support: YES

Group ID: 2

Uplink port: Ethernet1/1/1

   Ethernet1/1/2     Ethernet1/1/3     Ethernet1/1/4