[All About Switches] 11 Interface Configuration Tip 2 - Port Isolation

Created Jun 02, 2015 14:25:19 | Latest reply Jan 15, 2018 02:21:36

Captain David does not know how to complete the task of ensuring the information security of the general's tent. Captain Jack reminds him of the second tip from General William. They open the yellow bag and find the second tip: information security is of great importance and can only be ensured through isolation.

Captain David is puzzled, "Jack, do you know what this tip means?"

Captain Jack smiles, "Don't worry. Let me explain the tip to you. The following figure shows the tent distribution of our army.


 

David, our general's tent, soldiers' tent, and logistics tent are in the same VLAN and on the same network segment. By default, the three tents can communicate. General William has two requirements. First, the general's tent and soldiers' tent cannot communicate. Second, the logistics tent and soldiers' tent can communicate, the general's tent can access the logistics tent, but the logistics tent cannot access the general's tent. You have to meet the requirements without changing the current network segment planning and VLAN planning.

How to complete the task?

We need to use the port isolation function. You can definitely complete the task using this function. General William will praise you then."

Captain Jack laughs happily.

 Captain David pretends that he is angry, "Jack, stop laughing, tell me how to configure port isolation."


"OK. Let me explain the port isolation group to you first. Switch ports can be added to port isolation groups. Ports in the same port isolation group are isolated from each other. Ports in different port isolation groups, or ports that are not in any group, are not isolated. This makes General William's first requirement easy to meet. As shown in the following figure, add GE0/0/1 and GE0/0/2 to the same port isolation group, and either leave GE0/0/3 out of any port isolation group or add it to a different port isolation group.


 

The configuration is as follows:

<Huawei> system-view
[Huawei] sysname Switch
[Switch] interface gigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] port-isolate enable group 5  // Add GE0/0/1 to port isolation group 5.
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitEthernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] port-isolate enable group 5  // Add GE0/0/2 to port isolation group 5.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10    // Do not add GE0/0/3 to any port isolation group.
[Switch-GigabitEthernet0/0/3] quit

After the configuration is complete, GE0/0/1 and GE0/0/2 are added to the same port isolation group, and GE0/0/3 is not in any port isolation group. In this way, the general's tent and soldiers' tent cannot communicate, the general's tent and logistics tent can communicate, and the soldiers' tent and logistics tent can communicate."

FAQ 1: How to view the configuration of port isolation groups?

You can run the display port-isolate group { group-id | all } command to view the configuration of port isolation groups.


Captain David is glad but still has a question, "Jack, General William requires that the general's tent can access the logistics tent, but the logistics tent cannot access the general's tent. Can you use port isolation to meet the requirement?"

Captain Jack smiles, "Port isolation is a powerful function. In addition to port isolation group, you can also use unidirectional isolation to solve the problem."

Captain David is full of doubt, "What is unidirectional isolation? Is it so powerful?"

Captain Jack smiles, "Unidirectional isolation is used to isolate data unidirectionally. For example, if interface A is isolated from interface B unidirectionally, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach interface A. In General William's second requirement, the general's tent can access the logistics tent, but the logistics tent cannot access the general's tent. We can use unidirectional isolation to meet the requirement. As shown in the following figure, configure unidirectional isolation on GE0/0/3 to isolate it from GE0/0/1 unidirectionally. This configuration ensures that packets sent from GE0/0/3 cannot reach GE0/0/1, but packets sent from GE0/0/1 can reach GE0/0/3. In this way, the general's tent can access the logistics tent, but the logistics tent cannot access the general's tent.

 

The configuration is as follows:

[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] am isolate gigabitethernet 0/0/1   // Isolate GE0/0/3 from GE0/0/1 unidirectionally.
[Switch-GigabitEthernet0/0/3] quit

The unidirectional isolation configuration is complete. How simple it is!"

With General William's second tip, Captain David easily configures port isolation on the switch. The general's tent and soldiers' tent cannot communicate, and the logistics tent cannot access the general's tent.


Captain David thinks that General William will definitely praise him. However, General William tells him, "David, GE0/0/1 and GE0/0/2 are isolated only at Layer 2. ARP packets cannot be transparently transmitted between the two interfaces. However, if intra-VLAN proxy ARP is enabled on the gateway, the general's tent and soldiers' tent can still communicate through the gateway at Layer 3. That is to say, the two tents are isolated at Layer 2 but not at Layer 3."

Captain David is a little bit upset, "General William, data is isolated. Why should we care about Layer 2 isolation and Layer 3 isolation? I cannot find any difference between them."

General William says, "The facts speak for themselves. Let's perform an experiment. You will understand the difference."

The experiment procedure is as follows:

Step 1: As shown in the following figure, PC1 is in the general's tent and PC2 is in the soldiers' tent. Add the interfaces connecting PC1 and PC2 (GE0/0/1 and GE0/0/2) to the same port isolation group. PC1 and PC2 cannot ping each other, indicating that the port isolation function takes effect.


 

When you ping PC2 from PC1, capture packets passing through GE0/0/1 and GE0/0/2 on the switch.

- The following figure shows information about packets captured on GE0/0/1.


 

The packet capture information shows that PC1 does not receive ARP reply packets from PC2 after sending ARP request packets (marked in the green box).

- The following figure shows information about packets captured on GE0/0/2.


  

The packet capture information shows that PC2 does not receive ARP request packets from PC1.

Conclusion: The packet capture information on GE0/0/1 and GE0/0/2 shows that the switch does not transparently transmit ARP request packets from PC1 to PC2. As a result, PC1 and PC2 cannot learn ARP entries from each other, and cannot communicate.

Step 2: Assign IP address 10.10.10.250/24 to VLANIF 10, use this IP address as the gateway address for PC1 and PC2, and enable intra-VLAN proxy ARP on VLANIF 10. The configuration is as follows:

[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.250 24
[Switch-Vlanif10] arp-proxy inner-sub-vlan-proxy enable   // Enable intra-VLAN proxy ARP on VLANIF 10.
[Switch-Vlanif10] quit

After the configuration is complete, PC1 and PC2 can ping each other, which looks as if port isolation no longer takes effect. What happened? Let's capture packets and find out.

- The following figure shows information about packets captured on GE0/0/1.


 

1. PC1 sends ARP request packets (marked with the yellow line) to obtain PC2's MAC address.

2. VLANIF 10 acts as the ARP proxy and sends ARP reply packets (marked with the blue line) on behalf of PC2. (Note that 4c1f-cc6b-263c is the MAC address of VLANIF 10.)

3. PC1 receives the ARP reply packets from VLANIF 10 and records the MAC address of VLANIF 10 as PC2's MAC address in its ARP entry, as shown in the following figure.

(Figure: ARP entry on PC1)

4. PC1 sends Ping Request packets (marked with the green line) to PC2. The following figure shows information about the Ping Request packets. The destination MAC address of the packets is the MAC address of VLANIF 10 (marked with the yellow line). Therefore, the Ping Request packets are sent to VLANIF 10 first.

(Figure: Ping Request packet captured on GE0/0/1)

FAQ 2: How to check the MAC address of VLANIF 10?

You can run the display arp all command on the switch to check the ARP entry of VLANIF 10, which contains the MAC address of VLANIF 10, as shown in the following figure.

(Figure: output of the display arp all command)

- The following figure shows information about packets captured on GE0/0/2.

(Figure: packets captured on GE0/0/2)

1. VLANIF 10 sends ARP request packets (marked with the yellow line) to obtain PC2's MAC address.

2. VLANIF 10 receives ARP reply packets from PC2 and obtains PC2's MAC address (marked with the blue line).

3. VLANIF 10 sends ARP request packets from PC1 to PC2 (marked with the green line).

Conclusion: The packet capture information on GE0/0/1 and GE0/0/2 shows that the Ping Request packets from PC1 are sent to VLANIF 10 and forwarded at Layer 3 instead of at Layer 2. The Ping Reply packets from PC2 to PC1 are also forwarded at Layer 3; their capture is not shown here.

Captain David says, "Wow, PC1 and PC2 do communicate at Layer 3. General William, how can we isolate PC1 and PC2 at both Layer 2 and Layer 3?"

General William smiles, "It's easy. We only need to run the port-isolate mode all command in the system view to isolate them at Layer 2 and Layer 3. Let's perform another experiment."

 

The experiment procedure is as follows:

Step 1: Retain the intra-VLAN proxy ARP configuration on VLANIF 10, and run the port-isolate mode all command in the system view.

[Switch] port-isolate mode all   // Set the port isolation mode to isolation at both Layer 2 and Layer 3.

 

Step 2: Ping PC2 from PC1 and PC1 from PC2. The pings fail in both directions.

Capture packets to analyze why the ping fails.

- The following figure shows information about packets captured on GE0/0/1.


 

The packet capture information shows that PC1 sends ARP request packets and receives ARP reply packets from VLANIF 10. The Ping Request packets from PC1 are sent to VLANIF 10 for Layer 3 forwarding.

- The following figure shows information about packets captured on GE0/0/2.


 

The packet capture information shows that VLANIF 10 does not send ARP request packets to obtain PC2's MAC address or forward ARP request packets from PC1 to PC2.

Conclusion: VLANIF 10 does not forward ARP request packets from PC1. As a result, PC1 and PC2 cannot communicate at Layer 3.

----End
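To make the rules from the port isolation group and unidirectional isolation configurations above, and from the two proxy ARP experiments, checkable without a lab, here is an added example in Python. It is not code from this post or from Huawei: it parses VRP-style configuration lines (the CLI prompts and the "//" comments used in this post are tolerated) into a model and answers, for each ordered pair of ports, whether traffic is forwarded at Layer 2, blocked, or still reachable through the gateway via intra-VLAN proxy ARP. The sample configurations are constructed from the post's own commands. Two assumptions are marked in the code: a port-isolate enable with no group number is treated as group 1, and the Layer 3 proxy ARP bypass is applied to unidirectional (am isolate) blocks as well, which the post's experiment only demonstrated for isolation groups.

```python
# Added example (not code from this post or from Huawei): a model of the
# port-isolation rules described above. It parses VRP-style configuration
# lines and answers "can traffic from port A reach port B?" per direction.
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

L2 = "reachable at Layer 2"
L3_PROXY = "blocked at Layer 2, reachable via proxy ARP at Layer 3"
BLOCKED = "blocked"


def norm(name: str) -> str:
    """'gigabitEthernet 0/0/1' -> 'GE0/0/1', 'vlanif 10' -> 'Vlanif10'."""
    n = name.strip().lower().replace(" ", "")
    for prefix, short in (("gigabitethernet", "GE"), ("ge", "GE"), ("vlanif", "Vlanif")):
        if n.startswith(prefix):
            return short + n[len(prefix):]
    return name.strip()


@dataclass
class Port:
    vlan: Optional[int] = None
    group: Optional[int] = None                        # port-isolate enable group N
    am_isolate: Set[str] = field(default_factory=set)  # peers this port may not send to


@dataclass
class SwitchConfig:
    ports: Dict[str, Port] = field(default_factory=dict)
    proxy_arp_vlans: Set[int] = field(default_factory=set)  # intra-VLAN proxy ARP enabled
    mode_all: bool = False                                  # port-isolate mode all


def parse_config(text: str) -> SwitchConfig:
    """Read the commands used in this post; CLI prompts and '//' comments are ignored."""
    cfg, current = SwitchConfig(), None
    for raw in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.split("//")[0].strip())
        if not line:
            continue
        if line.startswith("port-isolate mode all"):
            cfg.mode_all = True
        elif line.startswith("interface "):
            current = norm(line[len("interface "):])
            if current.startswith("GE"):
                cfg.ports.setdefault(current, Port())
        elif current and current.startswith("GE"):
            p = cfg.ports[current]
            if m := re.match(r"port default vlan (\d+)", line):
                p.vlan = int(m.group(1))
            elif m := re.match(r"port-isolate enable(?: group (\d+))?", line):
                p.group = int(m.group(1) or 1)  # assumption: group 1 when none is given
            elif m := re.match(r"am isolate (.+)", line):
                p.am_isolate.add(norm(m.group(1)))
        elif current and current.startswith("Vlanif") and line.startswith("arp-proxy inner-sub-vlan-proxy enable"):
            cfg.proxy_arp_vlans.add(int(current[len("Vlanif"):]))
    return cfg


def reachability(cfg: SwitchConfig, src: str, dst: str) -> str:
    """Apply the post's rules to traffic flowing src -> dst (one direction only)."""
    a, b = cfg.ports[norm(src)], cfg.ports[norm(dst)]
    if a.vlan != b.vlan:
        return BLOCKED  # inter-VLAN traffic is outside the scope of this post
    same_group = a.group is not None and a.group == b.group  # isolation group: both directions
    if not (same_group or norm(dst) in a.am_isolate):         # am isolate: this direction only
        return L2
    # Layer 3 bypass from the post's experiment: intra-VLAN proxy ARP on the VLANIF plus
    # the default (Layer 2 only) mode lets the gateway answer ARP for the peer and route
    # the packets; 'port-isolate mode all' removes that path. Assumption: same for am isolate.
    if a.vlan in cfg.proxy_arp_vlans and not cfg.mode_all:
        return L3_PROXY
    return BLOCKED


def reachability_matrix(cfg: SwitchConfig) -> Dict[tuple, str]:
    names = sorted(cfg.ports)
    return {(s, d): reachability(cfg, s, d) for s in names for d in names if s != d}


# Constructed samples built from the post's commands (link-type lines omitted).
BASE_CONFIG = """
interface GigabitEthernet 0/0/1
 port default vlan 10
 port-isolate enable group 5
interface GigabitEthernet 0/0/2
 port default vlan 10
 port-isolate enable group 5
interface GigabitEthernet 0/0/3
 port default vlan 10
 am isolate gigabitethernet 0/0/1
"""
PROXY_ARP_CONFIG = BASE_CONFIG + """
interface vlanif 10
 ip address 10.10.10.250 24
 arp-proxy inner-sub-vlan-proxy enable
"""
MODE_ALL_CONFIG = PROXY_ARP_CONFIG + "port-isolate mode all\n"

if __name__ == "__main__":
    for label, text in (("group + am isolate", BASE_CONFIG),
                        ("+ intra-VLAN proxy ARP", PROXY_ARP_CONFIG),
                        ("+ port-isolate mode all", MODE_ALL_CONFIG)):
        print("==", label)
        for (s, d), result in reachability_matrix(parse_config(text)).items():
            print(f"  {s} -> {d}: {result}")
```

Running the file prints the reachability matrix for the three scenarios. The first reproduces General William's two requirements (GE0/0/1 and GE0/0/2 blocked both ways, GE0/0/3 reaching GE0/0/2 but not GE0/0/1), the second shows the proxy ARP path reopening the isolated pair at Layer 3, and the third shows port-isolate mode all closing it again while GE0/0/3 stays reachable from the isolated ports.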

General William says, "David, the command makes port isolation take effect at both Layer 2 and Layer 3. How easy it is!"

Captain David is convinced and says, "General William, you are incredible! But I still have another question. We configure so many port isolation commands on the switch. If we do not need to use the port isolation function in the future, it will take us a lot of time to delete all these commands one by one. Can we easily delete all the commands?"

General William praises Captain David, "This is a good question. You can run the clear configuration port-isolate command to clear all port isolation configurations on the switch, including the port isolation group, unidirectional isolation, and isolation mode. David, the clear configuration port-isolate command clears all configurations of many commands and may affect other services. Therefore, you must exercise caution when deciding to run this command."

Captain David laughs, "General William, don't worry. You know that I am a careful person."

General William smiles, "David, you have really made great progress. Our army has purchased more Huawei switches of different models and with different transmission performance. These switches need to be deployed in different barracks and connected to the existing switch. The interconnected switch interfaces must use the same parameter values to ensure proper data transmission. David, do you know how to configure the switches?"

Captain David has no idea.

Captain Jack comes and says, "David, have you forgotten that General William gave us three tips?"

Captain David laughs, "Give me the third tip quickly."

Do you want to know what happens? See you in the next episode.

Spoiler: The next episode describes interface management tip 3: auto-negotiation. Stay tuned!


★★★Summary★★★ All About Huawei Switch Features and Configurations 


user_2790689 (Expert) Created Jun 02, 2015 15:16:28 Helpful(0)

Thank you.

phebvfjqsx_from_linkedin (Novice) Created Sep 23, 2015 22:37:01 Helpful(0)

hi, good, couldn't download doc.


yaba_mobhe Created Sep 06, 2016 17:21:20 Helpful(0)

thank you



dm Created Oct 19, 2017 17:36:33 Helpful(0)

nice

marco2287 Created Jan 15, 2018 02:21:36 Helpful(0)

I am practicing unidirectional isolation on eNSP, but I only see ''bidirectional isolation''. This is when both devices are on the same switch and in the same VLAN: PC1 to Gi0/0/0 of SWA and PC2 to Gi0/0/1 of SWA. The ping fails in both directions.

>display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.110 (S5700 V200R001C00)
Copyright (c) 2000-2011 HUAWEI TECH CO., LTD
Quidway S5700-28C-HI Routing Switch uptime is 0 week, 0 day, 1 hour, 42 minutes

#
interface GigabitEthernet0/0/0
 port link-type access
 port default vlan 10
 am isolate GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#

PC1>ping 192.168.1.2 -t
Ping 192.168.1.2: 32 data bytes, Press Ctrl_C to break
From 192.168.1.2: bytes=32 seq=1 ttl=128 time=31 ms
From 192.168.1.2: bytes=32 seq=2 ttl=128 time=47 ms
From 192.168.1.2: bytes=32 seq=3 ttl=128 time=47 ms
From 192.168.1.2: bytes=32 seq=4 ttl=128 time=31 ms
From 192.168.1.2: bytes=32 seq=5 ttl=128 time=32 ms
From 192.168.1.2: bytes=32 seq=6 ttl=128 time=47 ms
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
PC2>ping 192.168.1.1 -t
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=128 time=46 ms
From 192.168.1.1: bytes=32 seq=2 ttl=128 time=31 ms
From 192.168.1.1: bytes=32 seq=3 ttl=128 time=32 ms
From 192.168.1.1: bytes=32 seq=4 ttl=128 time=31 ms
From 192.168.1.1: bytes=32 seq=5 ttl=128 time=31 ms
From 192.168.1.1: bytes=32 seq=6 ttl=128 time=47 ms
From 192.168.1.1: bytes=32 seq=7 ttl=128 time=47 ms
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Somebody can help me. Please?

Telecommunication Engineer. CCNA Cisco Instructor Certified.
