Introduction
This document provides port isolation configuration examples.
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of the port isolation feature.
Example: Configuring port isolation
Network requirements
As shown in Figure 1:
· Ports GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, GigabitEthernet 3/0/3, and GigabitEthernet 3/0/4 of Device A belong to VLAN 10.
· Device A connects to the Internet through port GigabitEthernet 3/0/4.
Configure port isolation to isolate Host A, Host B, and Host C at Layer 2 and allow them to access the Internet.
Requirements analysis
To allow these hosts to access the Internet, make sure port GigabitEthernet 3/0/4 can communicate with the customer-side ports at Layer 2, and do not assign port GigabitEthernet 3/0/4 to the isolation group.
Software version used
This configuration example was created and verified on S12500-CMW520-R1825P01.
Configuration procedures
# Assign IP addresses in the 1.1.1.0/24 network segment to hosts A, B, and C. Specify the gateway address for them as 1.1.1.11/24. (Details not shown.)
# Create VLAN 10 on Device A and assign ports GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, GigabitEthernet 3/0/3, and GigabitEthernet 3/0/4 to the VLAN.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] interface range GigabitEthernet 3/0/1 to GigabitEthernet 3/0/4
[DeviceA-if-range] undo shutdown
[DeviceA-if-range] port access vlan 10
[DeviceA-if-range] quit
# Create VLAN-interface 10, and assign an IP address to the VLAN-interface.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] undo shutdown
[DeviceA-Vlan-interface10] ip address 1.1.1.11 255.255.255.0
[DeviceA-Vlan-interface10] quit
# Create port isolation group 1.
[DeviceA] port-isolate group 1
[DeviceA-port-isolate-group1] quit
# Assign ports GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, and GigabitEthernet 3/0/3 to port isolation group 1.
[DeviceA] interface GigabitEthernet 3/0/1
[DeviceA-GigabitEthernet3/0/1] port-isolate enable group 1
[DeviceA-GigabitEthernet3/0/1] quit
[DeviceA] interface GigabitEthernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port-isolate enable group 1
[DeviceA-GigabitEthernet3/0/2] quit
[DeviceA] interface GigabitEthernet 3/0/3
[DeviceA-GigabitEthernet3/0/3] port-isolate enable group 1
[DeviceA-GigabitEthernet3/0/3] quit
Verifying the configuration
1. Display information about isolation group 1.
[DeviceA] display port-isolate group 1
Port-isolate group information:
Uplink port support: NO
Group ID: 1
Group members:
GigabitEthernet3/0/1 GigabitEthernet3/0/2 GigabitEthernet3/0/3
The output shows that customer-side ports GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, and GigabitEthernet 3/0/3 have been assigned to isolation group 1.
2. Perform ping operations between Host A, Host B, and Host C.
Each ping operation fails.
3. View the ARP entries of each host.
The ARP entries show that each host has not learned the MAC address of any other host. These hosts are isolated from each other at Layer 2.
4. Ping the network to which the uplink port GigabitEthernet 3/0/4 is connected (for example, a device whose IP address is on the network segment 1.1.1.0/24) from Host A, Host B, and Host C, respectively.
Each ping operation succeeds.
Configuration files
#
vlan 10
#
port-isolate group 1
#
interface Vlan-interface10
ip address 1.1.1.11 255.255.255.0
#
interface GigabitEthernet3/0/1
port link-mode bridge
port access vlan 10
port-isolate enable group 1
#
interface GigabitEthernet3/0/2
port link-mode bridge
port access vlan 10
port-isolate enable group 1
#
interface GigabitEthernet3/0/3
port link-mode bridge
port access vlan 10
port-isolate enable group 1
#
interface GigabitEthernet3/0/4
port link-mode bridge
port access vlan 10
#
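To check a saved configuration offline against the requirement in this example (every customer-side access port in VLAN 10 is in the isolation group, and the uplink is not), the following added example parses the configuration-file format shown above. It is not H3C code; the function names and the sample text are constructed for illustration.

```python
# Constructed sample in the configuration-file format shown above;
# GigabitEthernet3/0/2 has deliberately lost its port-isolate line.
SAMPLE_CONFIG = """\
#
port-isolate group 1
#
interface Vlan-interface10
 ip address 1.1.1.11 255.255.255.0
#
interface GigabitEthernet3/0/1
 port link-mode bridge
 port access vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet3/0/2
 port link-mode bridge
 port access vlan 10
#
interface GigabitEthernet3/0/4
 port link-mode bridge
 port access vlan 10
#
"""

def parse_interfaces(config):
    """Map interface name -> its configuration lines ('#' ends a view)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_isolation(config, vlan, group, uplinks):
    """Flag access ports in `vlan` whose isolation-group membership is wrong."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if f"port access vlan {vlan}" not in lines:
            continue  # not an access port in this VLAN (e.g. Vlan-interface10)
        isolated = f"port-isolate enable group {group}" in lines
        if name in uplinks and isolated:
            findings.append((name, "uplink is in the isolation group"))
        elif name not in uplinks and not isolated:
            findings.append((name, "customer-side port is not isolated"))
    return findings
```

Calling `audit_isolation(SAMPLE_CONFIG, 10, 1, {"GigabitEthernet3/0/4"})` reports GigabitEthernet3/0/2 as not isolated; an empty list means the configuration matches the intended design.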
Related documentation
· H3C S12500 Routing Switch Series Layer 2—LAN Switching Configuration Guide
· H3C S12500 Routing Switch Series Layer 2—LAN Switching Command Reference