Port isolation configuration
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group.
About port assignment to an isolation group
The device supports multiple isolation groups, which can be configured manually. The number of ports assigned to an isolation group is not limited.
Restrictions and guidelines
· You can assign a port to only one isolation group. If you execute the port-isolate enable group command multiple times, the most recent configuration takes effect.
· The configuration in Layer 2 Ethernet interface view applies only to the interface.
· The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group.
1. Enter system view.
2. Create an isolation group.
port-isolate group group-id
3. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Assign the port to the isolation group.
port-isolate enable group group-id
By default, the port is not in any isolation group.
Execute display commands in any view.
Display isolation group information.
display port-isolate group [ group-id ]
Example: Configuring port isolation
As shown in Figure 1:
· LAN users Host A, Host B, and Host C are connected to HundredGigE 1/0/1, HundredGigE 1/0/2, and HundredGigE 1/0/3 on the device, respectively.
· The device connects to the Internet through HundredGigE 1/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at Layer 2.
By default, interfaces on the device are disabled (in ADM or Administratively Down state). To have an interface operate, you must use the undo shutdown command to enable that interface.
# Create isolation group 2.
[Device] port-isolate group 2
# Assign HundredGigE 1/0/1, HundredGigE 1/0/2, and HundredGigE 1/0/3 to isolation group 2.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] port-isolate enable group 2
[Device-HundredGigE1/0/1] quit
[Device] interface hundredgige 1/0/2
[Device-HundredGigE1/0/2] port-isolate enable group 2
[Device-HundredGigE1/0/2] quit
[Device] interface hundredgige 1/0/3
[Device-HundredGigE1/0/3] port-isolate enable group 2
[Device-HundredGigE1/0/3] quit
Verifying the configuration
# Display information about isolation group 2.
[Device] display port-isolate group 2
Port isolation group information:
Group ID: 2
HundredGigE1/0/1 HundredGigE1/0/2 HundredGigE1/0/3
The output shows that HundredGigE 1/0/1, HundredGigE 1/0/2, and HundredGigE 1/0/3 are assigned to isolation group 2. As a result, Host A, Host B, and Host C are isolated from one another at Layer 2.
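The verification step can be automated. The following is an added example, not part of the vendor documentation: a Python check that parses display port-isolate group output in the layout shown above and compares it with the intended design (host ports isolated, uplink HundredGigE1/0/4 outside the group). The sample output is constructed from the example, and the function names and the handling of several groups in one output are assumptions.

```python
import re

# Constructed sample in the layout of "display port-isolate group 2" shown above.
SAMPLE_OUTPUT = """\
 Port isolation group information:
 Group ID: 2
    HundredGigE1/0/1    HundredGigE1/0/2    HundredGigE1/0/3
"""

def parse_isolation_groups(text):
    """Return {group_id: set(ports)} from 'display port-isolate group' output."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        match = re.match(r"Group ID:\s*(\d+)$", line)
        if match:
            current = int(match.group(1))
            groups[current] = set()
        elif current is not None and line and not line.endswith(":"):
            # Assumption: every other non-empty line under a group lists member ports.
            groups[current].update(line.split())
    return groups

def audit_isolation(text, group_id, isolated_ports, uplink_ports):
    """Compare parsed membership with the intended design; return findings."""
    members = parse_isolation_groups(text).get(group_id, set())
    isolated, uplinks = set(isolated_ports), set(uplink_ports)
    findings = []
    for port in sorted(isolated - members):
        findings.append(f"{port}: not in isolation group {group_id}, "
                        "not isolated from other hosts at Layer 2")
    for port in sorted(uplinks & members):
        # Ports in the same group cannot communicate with each other.
        findings.append(f"{port}: uplink is in isolation group {group_id}, "
                        "isolated hosts cannot reach it")
    for port in sorted(members - isolated - uplinks):
        findings.append(f"{port}: unexpected member of isolation group {group_id}")
    return findings

if __name__ == "__main__":
    hosts = ["HundredGigE1/0/1", "HundredGigE1/0/2", "HundredGigE1/0/3"]
    uplink = ["HundredGigE1/0/4"]
    result = audit_isolation(SAMPLE_OUTPUT, 2, hosts, uplink)
    for finding in result or ["OK: membership matches the design"]:
        print(finding)
```

An empty findings list means the group membership matches the design. Because the most recent port-isolate enable group command on a port takes effect, rerunning the check after changes catches a port that was moved to another group.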