03-Port Isolation Configuration
Table of Contents
1 Port Isolation Configuration
Introduction to Port Isolation
Configuring the Isolation Group for an Isolation-Group Device
Assigning a Port to the Isolation Group
Specifying the Uplink Port for the Isolation Group
Displaying and Maintaining Isolation Groups
Port Isolation Configuration Example
When configuring port isolation, go to these sections for the information you are interested in:
- Introduction to Port Isolation
- Configuring the Isolation Group for an Isolation-Group Device
- Displaying and Maintaining Isolation Groups
- Port Isolation Configuration Example
Introduction to Port Isolation

Layer 2 traffic isolation is usually achieved by assigning ports to different VLANs. To save VLAN resources, port isolation isolates ports within a single VLAN: ports in the isolation group cannot exchange Layer 2 traffic with one another even though they share a VLAN, which gives greater flexibility without giving up the security of separation.
Currently:
- The device supports only one isolation group, which the system creates automatically as isolation group 1. You cannot remove this isolation group or create other isolation groups on the device.
- There is no restriction on the number of ports assigned to the isolation group.
The member port of an aggregation group cannot be configured as the uplink port of an isolation group and vice versa. If you assign a port to an aggregation group and to an isolation group as the uplink port at the same time, the aggregation group configuration will take effect and the isolation group configuration will be removed for backward configuration file compatibility. For detailed information about link aggregation, refer to Link Aggregation Configuration in the Access Volume.
- Usually, Layer 2 traffic cannot be forwarded between ports in different VLANs. However, Layer 2 traffic from an isolated port can pass through the uplink port of the same isolation group unidirectionally, even if the two ports belong to different VLANs.
- Within the same VLAN, the Layer 2 connectivity between ports inside and outside the isolation group is shown in Figure 1-1.
Figure 1-1 Layer 2 traffic forwarding for an isolation group
- The arrows in the figure indicate the direction in which Layer 2 traffic flows.
- In the same VLAN, Layer 2 traffic from an isolated port cannot reach a port outside the isolation group: traffic from an isolated port is sent only to the uplink port of the same isolation group, so a port outside the group never receives it.
Configuring the Isolation Group for an Isolation-Group Device

Assigning a Port to the Isolation Group

Follow these steps to add a port to the isolation group:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet interface view | interface interface-type interface-number | Required. Use one of the three commands. In Ethernet interface view, the subsequent configuration applies to the current port. In Layer 2 aggregate interface view, it applies to the Layer 2 aggregate interface and all its member ports. In port group view, it applies to all ports in the port group. |
| Enter Layer 2 aggregate interface view | interface bridge-aggregation interface-number | |
| Enter port group view | port-group manual port-group-name | |
| Assign the port or ports to the isolation group as isolated ports | port-isolate enable | Required. No ports are added to the isolation group by default. |
Specifying the Uplink Port for the Isolation Group

Follow these steps to specify the uplink port for the isolation group:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet interface view | interface interface-type interface-number | Required. Use either command. In Ethernet interface view, the subsequent configuration applies to the current port. In Layer 2 aggregate interface view, only the Layer 2 aggregate interface itself becomes the uplink port of the isolation group. You can still configure the member ports of the corresponding aggregation group as isolated ports of the isolation group, but ports so configured are set to the unselected state in the aggregation group, that is, they no longer forward user traffic. |
| Enter Layer 2 aggregate interface view | interface bridge-aggregation interface-number | |
| Configure the current port as the uplink port of the isolation group | port-isolate uplink-port | Required. An isolation group has no uplink port by default. |
- An isolation group can have only one uplink port. Configuring a new uplink port for the isolation group overwrites the previous one, if any.
- A port that is already configured as an isolated port of the isolation group cannot be configured as its uplink port, and vice versa.
- A member port of an aggregation group cannot be configured as the uplink port of the isolation group, and vice versa.
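The following is an added configuration example, not part of the original manual, showing the two views the tables above allow but the example at the end of this chapter does not use: the isolated ports are assigned through a manual port group instead of one by one, and the uplink port is a Layer 2 aggregate interface. The port group name isolated-hosts, the aggregate interface Bridge-Aggregation 1 and its member ports GigabitEthernet 1/0/47 and 1/0/48 are assumed for illustration. The group-member command (with its "to" range form) and the port link-aggregation group command do not appear on this page; they are assumed from the port group and link aggregation chapters the manual refers to.

```console
# Put the three host-facing ports into a manual port group and isolate them in one step.
# port-group manual is documented above; group-member and its "to" range are assumed.
<Device> system-view
[Device] port-group manual isolated-hosts
[Device-port-group-manual-isolated-hosts] group-member gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[Device-port-group-manual-isolated-hosts] port-isolate enable
[Device-port-group-manual-isolated-hosts] quit

# Build the aggregate uplink. Bridge-Aggregation 1 and members 1/0/47 and 1/0/48 are assumed;
# port link-aggregation group is from the Link Aggregation Configuration chapter, not this page.
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] quit
[Device] interface gigabitethernet 1/0/47
[Device-GigabitEthernet1/0/47] port link-aggregation group 1
[Device-GigabitEthernet1/0/47] quit
[Device] interface gigabitethernet 1/0/48
[Device-GigabitEthernet1/0/48] port link-aggregation group 1
[Device-GigabitEthernet1/0/48] quit

# Make the aggregate interface, not its member ports, the uplink port of the isolation group.
# A member port cannot be the uplink port, and running port-isolate enable on 1/0/47 or 1/0/48
# would set that member to the unselected state, so it would stop forwarding user traffic.
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] port-isolate uplink-port
[Device-Bridge-Aggregation1] return

# Check: Group ID 1 should list the aggregate interface as the uplink port and
# GigabitEthernet1/0/1 through GigabitEthernet1/0/3 as group members.
<Device> display port-isolate group
```

If the display output shows the isolated ports but no uplink port, the aggregate interface was probably not yet created when port-isolate uplink-port was entered, or the uplink was applied to a member port and then removed in favour of the aggregation configuration, as described in the introduction.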
Displaying and Maintaining Isolation Groups

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display the isolation group information on an isolation-group device | display port-isolate group | Available in any view |
Port Isolation Configuration Example

- Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device, respectively.
- Device is connected to the Internet through GigabitEthernet 1/0/4.
- GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 all belong to VLAN 2.

Host A, Host B, and Host C must be able to access the Internet while being isolated from one another at Layer 2, even though they share VLAN 2.
Figure 1-2 Networking diagram for port isolation configuration
# Add ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 to the isolation group.
<Device> system-view
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-isolate enable
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port-isolate enable
[Device-GigabitEthernet1/0/2] quit
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] port-isolate enable
[Device-GigabitEthernet1/0/3] quit
# Configure port GigabitEthernet 1/0/4 as the uplink port of the isolation group.
[Device] interface gigabitethernet 1/0/4
[Device-GigabitEthernet1/0/4] port-isolate uplink-port
[Device-GigabitEthernet1/0/4] return
# Display the information about the isolation group.
<Device> display port-isolate group
Port-isolate group information:
Uplink port support: YES
Group ID: 1
Uplink port: GigabitEthernet1/0/4
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3