Login
- Table of Contents
-
- 06-Layer 2—LAN Switching Configuration Guide
- 00-Preface
- 01-MAC address table configuration
- 02-Ethernet link aggregation configuration
- 03-Port isolation configuration
- 04-VLAN configuration
- 05-QinQ configuration
- 06-VLAN termination configuration
- 07-Loop detection configuration
- 08-Spanning tree configuration
- 09-LLDP configuration
- 10-Layer 2 forwarding configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 03-Port isolation configuration | 61.91 KB |
Contents
Assigning a port to the isolation group
Verifying and maintaining port isolation
Port isolation configuration examples
Example: Configuring port isolation (for single-isolation group devices)
Configuring port isolation
About port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group.
Assigning a port to the isolation group
About this task
The device supports only one isolation group that is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device. The number of ports assigned to the isolation group is not limited.
Restrictions and guidelines
· The configuration in Layer 2 Ethernet interface view applies only to the interface.
· The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Assign the port to the isolation group.
port-isolate enable
By default, the port is not in the isolation group.
Verifying and maintaining port isolation
To display the information about an isolation group, execute the following command in any view.
display port-isolate group
Port isolation configuration examples
Example: Configuring port isolation (for single-isolation group devices)
Network configuration
As shown in Figure 1:
· LAN users Host A, Host B, and Host C are connected to Ten-GigabitEthernet 0/0/6, Ten-GigabitEthernet 0/0/7, and Ten-GigabitEthernet 0/0/8 on the device, respectively.
· The device connects to the Internet through Ten-GigabitEthernet 0/0/9.
Configure the device to provide Internet access for all the hosts, and isolate them from one another.
Procedure
# Assign Ten-GigabitEthernet0/0/6, Ten-GigabitEthernet0/0/7, and Ten-GigabitEthernet0/0/8 to the isolation group.
<Device> system-view
[Device] interface ten-gigabitethernet 0/0/6
[Device-Ten-GigabitEthernet0/0/6] port-isolate enable
[Device-Ten-GigabitEthernet0/0/6] quit
[Device] interface ten-gigabitethernet 0/0/7
[Device-Ten-GigabitEthernet0/0/7] port-isolate enable
[Device-Ten-GigabitEthernet0/0/7] quit
[Device] interface ten-gigabitethernet 0/0/8
[Device-Ten-GigabitEthernet0/0/8] port-isolate enable
[Device-Ten-GigabitEthernet0/0/8] quit
Verifying the configuration
# Display information about the isolation group.
[Device] display port-isolate group
Port isolation group information:
Group ID: 1
Group members:
Ten-GigabitEthernet0/0/6 Ten-GigabitEthernet0/0/7 Ten-GigabitEthernet0/0/8
The output shows that Ten-GigabitEthernet 0/0/6, Ten-GigabitEthernet 0/0/7, and Ten-GigabitEthernet 0/0/8 are assigned to the isolation group. As a result, Host A, Host B, and Host C are isolated from one another at Layer 2.
