03-Port isolation configuration
Contents
Assigning ports to an isolation group
Displaying and maintaining port isolation
Port isolation configuration example
IMPORTANT: When the switch is operating in IRF mode, adding ports on different member devices to the same isolation group cannot isolate their Layer 2 traffic.
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another.
The switch supports multiple isolation groups, which can be configured manually. The number of ports assigned to an isolation group is not limited.
Layer 2 traffic cannot be forwarded between ports in different VLANs. Within the same VLAN, ports in an isolation group can communicate with those outside the isolation group at Layer 2.
Assigning ports to an isolation group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an isolation group. | port-isolate group group-number | N/A |
3. Enter interface view. | · Enter Layer 2 Ethernet interface view: · Enter Layer 2 aggregate interface view: | Use one of the commands. · The configuration in Layer 2 Ethernet interface view applies only to the interface. · The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group. |
4. Assign ports to the specified isolation group. | port-isolate enable group group-number | No ports are assigned to an isolation group by default. You can assign a port to only one isolation group. |
Displaying and maintaining port isolation
Execute display commands in any view.
Task | Command |
---|---|
Display isolation group information. | display port-isolate group [ group-number ] |
Port isolation configuration example
By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
As shown in Figure 1, LAN users Host A, Host B, and Host C are connected to GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, and GigabitEthernet 3/0/3 on the device, respectively. The device connects to the Internet through GigabitEthernet 3/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at Layer 2.
Configuration procedure
# Create isolation group 2.
<Device> system-view
[Device] port-isolate group 2
# Assign GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, and GigabitEthernet 3/0/3 to isolation group 2.
[Device] interface GigabitEthernet 3/0/1
[Device-GigabitEthernet3/0/1] port-isolate enable group 2
[Device-GigabitEthernet3/0/1] quit
[Device] interface GigabitEthernet 3/0/2
[Device-GigabitEthernet3/0/2] port-isolate enable group 2
[Device-GigabitEthernet3/0/2] quit
[Device] interface GigabitEthernet 3/0/3
[Device-GigabitEthernet3/0/3] port-isolate enable group 2
Verifying configuration
# Display information about isolation group 2.
[Device-GigabitEthernet3/0/3] display port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet3/0/1 GigabitEthernet3/0/2 GigabitEthernet3/0/3
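The following Python check is an added example, not part of the original guide: it parses display port-isolate group output in the format shown above and reports where the intended policy (hosts isolated from one another, uplink still reachable) does not hold. It assumes that all listed ports are in the same VLAN, that ports in different isolation groups can communicate (a reading of the statement that ports in a group can communicate with those outside it), and that the switch is not operating in IRF mode; the function names and sample text are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample in the format of the verification output above.
SAMPLE = """\
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet3/0/1 GigabitEthernet3/0/2 GigabitEthernet3/0/3
"""

def parse_groups(text):
    """Return {port: group_id} parsed from the display output."""
    membership, group = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Group ID:\s*(\d+)$", line)
        if m:
            group = int(m.group(1))
        elif group is not None and line and not line.endswith(":"):
            # Member lines list interface names separated by whitespace.
            for port in line.split():
                membership[port] = group
    return membership

def l2_allowed(a, b, membership):
    """Assumption: same-VLAN ports are blocked only if both are in the same group."""
    ga, gb = membership.get(a), membership.get(b)
    return ga is None or ga != gb

def audit(text, host_ports, uplink):
    """List deviations from: hosts mutually isolated, each host can reach the uplink."""
    membership = parse_groups(text)
    findings = []
    for a, b in combinations(host_ports, 2):
        if l2_allowed(a, b, membership):
            findings.append(f"{a} and {b} are not isolated from each other")
    for h in host_ports:
        if not l2_allowed(h, uplink, membership):
            findings.append(f"{h} cannot reach uplink {uplink}")
    return findings

if __name__ == "__main__":
    hosts = [f"GigabitEthernet3/0/{n}" for n in (1, 2, 3)]
    print(audit(SAMPLE, hosts, "GigabitEthernet3/0/4") or "policy holds")
```

An empty result means the group membership matches the requirement in the example; a host port missing from the group or an uplink placed inside it each produce a finding.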