H3C MSR Routers Port Isolation Configuration Examples (Comware V7)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Contents

Introduction· 1

Prerequisites· 1

General configuration restrictions and guidelines· 1

Example: Configuring port isolation· 1

Network requirements· 1

Software version used· 2

Configuration restrictions and guidelines· 2

Configuration procedures· 2

Verifying the configuration· 2

Configuration files· 3

Related documentation· 3

 

Introduction

This document provides port isolation configuration examples.

Prerequisites

This document applies to Comware V7-based MSR routers. Procedures and information in the examples might be slightly different depending on the software or hardware version of the router.

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of port isolation.

General configuration restrictions and guidelines

This feature is supported only on the following hardware:

·     Interface modules SIC-4GSW, DSIC-9FSW, DSIC-9FSW-PoE, HMIM-24GSW, HMIM-24GSW-PoE, and HMIM-8GSW.

·     The fixed Layer 2 ports on the MSR 3600-28, and MSR 3600-51 routers.

Example: Configuring port isolation

Network requirements

As shown in Figure 1:

·     LAN users Host A and Host B are connected to GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2 on the device, respectively.

·     The device connects to the Internet through GigabitEthernet 2/1/3.

Configure the device to provide Internet access for Host A and Host B, and isolate them from each other at Layer 2.

Figure 1 Network diagram

 

Software version used

This configuration example was created and verified on R0106.

Configuration restrictions and guidelines

The device supports only one isolation group that is automatically created as isolation group 1. You cannot delete the isolation group or create other isolation groups on the device. The number of ports assigned to the isolation group is not limited.

Configuration procedures

# Assign ports GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2 to the isolation group.

<Device> system-view

[Device] interface gigabitethernet 2/1/1

[Device-GigabitEthernet1/0/1] port-isolate enable

[Device-GigabitEthernet1/0/1] quit

[Device] interface gigabitethernet 2/1/2

[Device-GigabitEthernet1/0/2] port-isolate enable

[Device-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that ports GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2 are assigned to the isolation group.

[Device] display port-isolate group

Port isolation group information:

Group ID: 1

Group members:

 GigabitEthernet2/1/1   GigabitEthernet2/1/2

Community VLAN ID: None

# Ping Host B from Host A to verify that they are isolated from each other at Layer 2, as shown in Figure 2.

Figure 2 Failed to ping Host B from Host A

 

Configuration files

#

interface GigabitEthernet2/1/1

 port link-mode bridge

port-isolate enable

#

interface GigabitEthernet2/1/2

 port link-mode bridge

port-isolate enable

#

Related documentation

·     H3C MSR Series Routers Layer 2—LAN Switching Command Reference(V7)

·     H3C MSR Series Routers Layer 2—LAN Switching Configuration Guide(V7)