Login
- Table of Contents
-
- 04-Layer 2 - LAN Switching Configuration Guide
- 00-Preface
- 01-VLAN Configuration
- 02-MAC Address Table Configuration
- 03-Spanning Tree Configuration
- 04-Ethernet Link Aggregation Configuration
- 05-Port Isolation Configuration
- 06-QinQ Configuration
- 07-VLAN Mapping Configuration
- 08-BPDU Tunneling Configuration
- 09-GVRP Configuration
- 10-Loopback Detection Configuration
- 11-VLAN Termination Configuration
- 12-MAC-in-MAC Configuration
- 13-LLDP Configuration
- 14-MVRP Configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-Port Isolation Configuration | 149.57 KB |
Contents
Configuration restrictions and guidelines
Port isolation configuration task list
Assigning ports to an isolation group
Displaying and maintaining port isolation
Port isolation configuration examples
Port isolation without community VLAN configuration example
Port isolation with community VLAN configuration example
Overview
Assigning access ports to different VLANs is a typical way to isolate Layer 2 traffic for data privacy and security, but this method is VLAN resource demanding. To save VLAN resources, you can use the port isolation feature, which can isolate ports on the switch or IRF member switch basis without using VLANs and allows for flexibility and security.
Operating mechanism
The feature isolates ports regardless of the VLANs that the ports are assigned to. The ports in the same isolation group cannot communicate with each other at Layer 2, but they can communicate with the ports outside the isolation group bidirectionally if the outside ports belong to the same VLAN as the isolation group ports.
|
|
IMPORTANT: · The ports in an isolation group support the following functions only: MAC address learning, QoS actions (such as accounting, filter deny, car cir committed-information-rate red discard, and traffic mirroring) in the incoming direction of the ports, and link aggregation. · Do not configure Layer 2 protocols (such as GVRP) or Layer 3 protocols (such as multicast and routing) on the ports in an isolation group. Doing so can cause network malfunction. |
Community VLAN
A community VLAN allows the ports in an isolation group to communicate with each other within the VLAN at Layer 2.
Figure 1 shows a network scenario that requires the community VLAN configuration.
· Switch B and Switch C communicate with a public server cluster through Switch A.
· Switch A connects to Switch B through GigabitEthernet 3/0/2, and connects to Switch C through GigabitEthernet 3/0/3.
· Both GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to VLAN 2 and VLAN 3.
After GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1, Switch B cannot communicate with Switch C at Layer 2, Host A cannot communicate with Host C although they both belong to VLAN 2, and Host B cannot communicate with Host D although they both belong to VLAN 3.
To enable Layer 2 communication between Host B and Host D, you can configure VLAN 3 as a community VLAN for isolation group 1.
Figure 1 Community VLAN in an isolation group
Configuration restrictions and guidelines
· Port isolation is available when the switch is operating in standalone mode or in IRF mode with enhanced-IRF disabled. For more information about IRF, see IRF Configuration Guide.
· You cannot configure the port isolation feature together with the MAC-based VLAN feature. For more information about MAC-based VLANs, see "Configuring VLANs."
Port isolation configuration task list
|
Task |
Remarks |
|
Required. |
|
|
Optional. |
Assigning ports to an isolation group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an isolation group and enter isolation group view. |
port-isolate group group-number |
You can use this command to directly enter the view of an existing isolation group. |
|
3. Exit isolation group view. |
quit |
N/A |
|
4. Enter interface view. |
· Enter Ethernet interface view: · Enter Layer 2 aggregate interface view: · Enter port group view: |
Use one of the commands. |
|
5. Assign the ports to the isolation group. |
port-isolate enable group group-number |
No ports are assigned to an isolation group by default. |
|
|
NOTE: The number of ports that can be assigned to an isolation group is not limited. |
Configuring community VLANs
To configure community VLANs for an isolation group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create an isolation group and enter isolation group view. |
port-isolate group group-number |
You can use this command to directly enter the view of an existing isolation group. |
|
3. Configure community VLANs. |
community-vlan vlan { vlan-id-list | all } |
By default, an isolation group does not contain any community VLANs. |
Displaying and maintaining port isolation
|
Task |
Command |
Remarks |
|
Display the port isolation information. |
display port-isolate group [ group-number ] [ | { begin | exclude | include } regular-expression ] |
Available in any view. |
Port isolation configuration examples
|
|
IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. Before configuring these interfaces, bring them up with the undo shutdown command. |
Port isolation without community VLAN configuration example
Network requirements
As shown in Figure 2, the switch provides access to the Internet through GigabitEthernet 4/0/1. Ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/4 belong to VLAN 2.
Configure port isolation, so the switch prevents Host A, Host B, and Host C from communicating with one another at Layer 2, but allows them to access the Internet.
Configuration procedure
# Create VLAN 2 and assign ports to the VLAN.
<Switch> system-view
[Switch] vlan 2
[Switch-vlan2] port gigabitethernet 4/0/1 to gigabitethernet 4/0/4
[Switch-vlan2] quit
# Create isolation group 2.
[Switch] port-isolate group 2
# Assign ports GigabitEthernet 4/0/2, GigabitEthernet 4/0/3, and GigabitEthernet 4/0/4 to isolation group 2 as isolated ports.
[Switch] interface gigabitethernet 4/0/2
[Switch-GigabitEthernet4/0/2] port-isolate enable group 2
[Switch-GigabitEthernet4/0/2] quit
[Switch] interface gigabitethernet 4/0/3
[Switch-GigabitEthernet4/0/3] port-isolate enable group 2
[Switch-GigabitEthernet4/0/3] quit
[Switch] interface gigabitethernet 4/0/4
[Switch-GigabitEthernet4/0/4] port-isolate enable group 2
[Switch-GigabitEthernet4/0/4] quit
Verifying the configuration
# Display information about isolation group 2.
[Switch] display port-isolate group 2
Port-isolate group information:
Uplink port support: NO
Group ID: 2
Group members:
GigabitEthernet4/0/2 GigabitEthernet4/0/3 GigabitEthernet4/0/4
Port isolation with community VLAN configuration example
Network requirements
As shown in Figure 3, Switch A accesses the Internet through GigabitEthernet 3/0/1. The company branches Site 1 and Site 2 transfer service traffic in VLAN 2 and VLAN 3, and are connected to Switch A through Switch B and Switch C, respectively.
Configure port isolation and community VLANs, so the switches allow the company hosts to access the Internet, enable Host B and Host D to exchange video conferencing traffic in VLAN 3, and isolate other Layer 2 traffic between Switch B and Switch C.
Configuration procedure
1. Configuring Switch A:
# Create VLAN 2 and VLAN 3, and assign trunk ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 to the VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
[SwitchA] interface GigabitEthernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type trunk
[SwitchA-GigabitEthernet3/0/2] port trunk permit vlan 2 3
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface GigabitEthernet 3/0/3
[SwitchA-GigabitEthernet3/0/3] port link-type trunk
[SwitchA-GigabitEthernet3/0/3] port trunk permit vlan 2 3
[SwitchA-GigabitEthernet3/0/3] quit
# Create isolation group 1.
[SwitchA] port-isolate group 1
[SwitchA-port-isolate-group1] quit
# Assign ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 that connect to Switch B and Switch C to isolation group 1.
[SwitchA] interface GigabitEthernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port-isolate enable group 1
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface GigabitEthernet 3/0/3
[SwitchA-GigabitEthernet3/0/3] port-isolate enable group 1
[SwitchA-GigabitEthernet3/0/3] quit
# Configure VLAN 3 as a community VLAN in isolation group 1.
[SwitchA] port-isolate group 1
[SwitchA-port-isolate-group1] community-vlan vlan 3
[SwitchA-port-isolate-group1] quit
2. Configuring Switch B:
# Create VLAN 2 and VLAN 3, assign GigabitEthernet 2/0/2 to VLAN 2, and assign GigabitEthernet 2/0/3 to VLAN 3.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] port GigabitEthernet 2/0/2
[SwitchB-vlan2] vlan 3
[SwitchB-vlan3] port GigabitEthernet 2/0/3
[SwitchB-vlan3] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign the port to VLAN 2 and VLAN 3.
[SwitchB] interface GigabitEthernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 2 3
3. Configure Switch C in the same way Switch B is configured.
Verifying the configuration
# Display information about isolation group 1 on Switch A.
[SwitchA] display port-isolate group 1
Port-isolate group information:
Uplink port support: NO
Group ID: 1
Group members:
GigabitEthernet3/0/2 GigabitEthernet3/0/3
The output shows that ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1.
# Display the configuration of isolation group 1.
[SwitchA] port-isolate group 1
[SwitchA -port-isolate-group1] display this
#
port-isolate group 1
community-vlan vlan 3
#
return
The output shows that Switch A contains isolation group 1, in which VLAN 3 is a community VLAN.
