- Table of Contents
-
- 04-Layer 2—LAN Switching Configuration Guide
- 00-Preface
- 01-MAC address table configuration
- 02-Ethernet link aggregation configuration
- 03-Port isolation configuration
- 04-VLAN configuration
- 05-MVRP configuration
- 06-QinQ configuration
- 07-VLAN mapping configuration
- 08-VLAN termination configuration
- 09-Loop detection configuration
- 10-Spanning tree configuration
- 11-LLDP configuration
- Related Documents
-
Title | Size | Download |
---|---|---|
03-Port isolation configuration | 73.20 KB |
Contents
Assigning a port to an isolation group
Display and maintenance commands for port isolation
Port isolation configuration examples
Example: Configuring port isolation for multiple isolation groups
Configuring port isolation
About port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group.
Restrictions and guidelines
This feature is available only for the following cards:
Card category |
Cards |
CEPC |
CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ8L1A, CEPC-CQ16L1 |
CSPEX |
CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CSPEX-1502XA, CSPEX-2612XA |
SPE |
RX-SPE200-E |
The isolation group does not support the isolation of Layer 2 multicast packets. The port isolation feature does not take effect for Layer 2 multicast services.
If port isolation and MPLS L2VPN business are configured at the same time, MPLS L2VPN business takes precedence.
If port isolation and VPLS business are configured at the same time, VPLS business takes precedence.
Port isolation is mutually exclusive with the layer 2 forwarding function of the interface. The port-isolate enable command and the bridge-forwarding enable command cannot be configured at the same time.
Assigning a port to an isolation group
About this task
The device supports multiple isolation groups, which can be configured manually. The number of ports assigned to an isolation group is not limited.
Restrictions and guidelines
· You can assign a port to only one isolation group.
· The configuration in Layer 2 Ethernet interface view applies only to the interface.
· The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group.
Procedure
1. Enter system view.
system-view
2. Create an isolation group.
port-isolate group group-id
3. Enter interface view.
¡ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
¡ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
¡ Enter FlexE logical interface view.
interface flexe interface-number
4. Assign the port to the isolation group.
port-isolate enable group group-id
By default, the port is not in any isolation group.
Display and maintenance commands for port isolation
Execute display commands in any view.
Task |
Command |
Display isolation group information. |
display port-isolate group [ group-id ] |
Port isolation configuration examples
Example: Configuring port isolation for multiple isolation groups
Network configuration
As shown in Figure 1:
· LAN users Host A, Host B, and Host C are connected to Ten-GigabitEthernet 3/1/1, Ten-GigabitEthernet 3/1/2, and Ten-GigabitEthernet 3/1/3 on the device, respectively.
· The device connects to the Internet through Ten-GigabitEthernet 3/1/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at Layer 2.
Procedure
# Create isolation group 2.
<Device> system-view
[Device] port-isolate group 2
# Assign Ten-GigabitEthernet 3/1/1, Ten-GigabitEthernet 3/1/2, and Ten-GigabitEthernet 3/1/3 to isolation group 2.
[Device] interface ten-gigabitethernet 3/1/1
[Device-Ten-GigabitEthernet3/1/1] port-isolate enable group 2
[Device-Ten-GigabitEthernet3/1/1] quit
[Device] interface ten-gigabitethernet 3/1/2
[Device-Ten-GigabitEthernet3/1/2] port-isolate enable group 2
[Device-Ten-GigabitEthernet3/1/2] quit
[Device] interface ten-gigabitethernet 3/1/3
[Device-Ten-GigabitEthernet3/1/3] port-isolate enable group 2
[Device-Ten-GigabitEthernet3/1/3] quit
Verifying the configuration
# Display information about isolation group 2.
[Device] display port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
Ten-GigabitEthernet3/1/1 Ten-GigabitEthernet3/1/2 Ten-GigabitEthernet3/1/3
The output shows that Ten-GigabitEthernet 3/1/1, Ten-GigabitEthernet 3/1/2, and Ten-GigabitEthernet 3/1/3 are assigned to isolation group 2. As a result, Host A, Host B, and Host C are isolated from one another at layer 2.