[All About Switches] 16 VLAN Isolation

Latest reply: Sep 18, 2016 07:46:38

The last issue described multiple scenarios and modes of VLAN interworking. That leaves another question: how are users in a VLAN isolated? How do you implement interworking in some VLANs and isolation in other VLANs? How do you isolate a user or users on a network segment?

Scenario 1: How are users in the same VLAN isolated?

You can configure port isolation to implement isolation of users in the same VLAN.

I will use an example to explain how to implement port isolation.

As shown in the following figure, three PCs belong to the same VLAN and the same network segment. The requirements are as follows:

  • PC1 and PC2 cannot communicate with each other.
  • PC1 and PC3 can communicate with each other.
  • PC2 and PC3 can communicate with each other.


 

Perform the following configurations.


Verify the configurations.

PC1 fails to ping PC2.


PC1 can ping PC3.


The configurations are successful.

Scenario 2: To implement interworking between some VLANs, isolation between some VLANs, and isolation of users in a VLAN, configure the MUX VLAN.

The MUX VLAN applies only to Layer 2 networks and is used to implement interworking and isolation of users on the same network segment.

A MUX VLAN consists of a principal VLAN and subordinate VLANs. Subordinate VLANs are further divided into separate VLANs and group VLANs.

  • Users in the principal VLAN can communicate with users in all VLANs.
  • Users in the group VLAN can communicate with each other and with users in the principal VLAN.
  • Users in the separate VLAN can communicate only with users in the principal VLAN. Users in the separate VLAN cannot communicate with each other.

I will use an example to describe how to implement VLAN interworking and isolation through the MUX VLAN. As shown in the following figure, different PCs belong to different departments. Users need to communicate with each other and be isolated.

  • All PCs can access the server. That is, users in VLAN 20 and VLAN 30 can communicate with users in VLAN 10.
  • PC1 and PC2 can communicate with each other, and PC3 and PC4 cannot communicate with each other. That is, users in VLAN 20 and VLAN 30 cannot communicate with each other.
  • PC3 and PC4 are isolated from each other. That is, users in VLAN 30 cannot communicate with each other.


The detailed configurations are as follows.


The configurations are complete. Let's verify the configuration result.

  • All PCs can communicate with the server in the principal VLAN.

PC1 pings the server.


PC3 pings the server.


  • PCs in all group VLANs can communicate with each other, but cannot communicate with PCs in the separate VLAN.

PC1 pings PC2.


PC1 pings PC3.


  • PCs in the separate VLAN cannot communicate with each other.

PC3 pings PC4.


Scenario 3: After interworking of different VLANs is implemented, how to isolate users in some VLANs or some users? A traffic policy can be used to meet this requirement.

The principle of the traffic policy is not described here. For more information, see the QoS manual. The following example is used to describe how to implement VLAN isolation.

 


 

As shown in the preceding figure, the FTP server belongs to network segment 192.168.1.0/24, PC1 and PC2 belong to network segment 192.168.10.0/24, and PC3 and PC4 belong to network segment 192.168.20.0/24.

Assume that interworking between VLANs is implemented using the VLANIF interface. For the detailed configuration, see All About Switches - VLAN Communication.

The gateway address of the FTP server is set to 192.168.1.1, the gateway address of PC1 and PC2 is set to 192.168.10.1, and the gateway address of PC2 and PC4 is set to 192.168.20.1. All devices in VLAN 10, VLAN 20, and VLAN 100 can communicate with each other, for example, PC1 can ping the FTP server.


It is required that devices on the network segment of PC1 and PC2 can access the FTP server and that devices on the network segment of PC3 and PC4 are prevented from accessing the FTP server.

Configure the ACL and traffic policy on SwitchA to prevent devices on network segment 192.168.10.0/24 from accessing the FTP server. The detailed configuration procedure is as follows.


After the configurations are complete, check whether PC1 can ping the FTP server.


PC3 can still ping the FTP server.


The configurations are successful.

ACLs and traffic policies offer a flexible way to implement VLAN isolation. As long as the ACL matches the IP address of a single user, that user can be isolated.

The four issues describe the VLAN technology. For details of other VLAN assignment modes, visit http://support.huawei.com/enterprise/productNewOffering?idAbsPath=7919710|9856733|7923144|20985028&pid=20985028.

| Issue | Name | Description |
|---|---|---|
| First issue | [All About Switches - Beginner] VLAN Basics | This issue describes the definition and purpose of VLAN technology and modes in which interfaces are added to VLANs. |
| Second issue | [All About Switches - Beginner] VLAN Assignment | This issue describes VLAN assignment modes and applicable scenarios, and mainly describes the configuration and scenario of interface-based assignment. |
| Third issue | [All About Switches - Beginner] VLAN Communication | This issue describes main technologies and applicable scenarios of inter-VLAN communication, including the VLANIF interface, sub-interface, and super-VLAN. This issue also describes common VLANIF interface configuration. |
| Fourth issue | [All About Switches - Beginner] VLAN Isolation | This issue describes main technologies and applicable scenarios of VLAN isolation, such as MUX VLAN and ACL. |

★★★Summary★★★ All About Huawei Switch Features and Configurations
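
The configuration steps for the three scenarios are not reproduced in the text above, so the following Huawei VRP fragments are an added example of each mechanism, not the original author's configuration. Interface numbers, VLAN 10 in fragment 1, ACL number 3000 and the names c_ftp, b_deny and p_ftp are assumptions; lines and trailing text starting with # are annotations and are not typed into the CLI.

```vrp
# Fragment 1: port isolation (Scenario 1). PC1 and PC2 share isolation group 1;
# PC3's port is in no group, so both can still reach it.
port-isolate mode all                # where supported; the default "l2" isolates
                                     # Layer 2 only and still allows Layer 3 forwarding
interface GigabitEthernet0/0/1       # PC1 (assumed port)
 port link-type access
 port default vlan 10
 port-isolate enable group 1
interface GigabitEthernet0/0/2       # PC2 (assumed port)
 port link-type access
 port default vlan 10
 port-isolate enable group 1
interface GigabitEthernet0/0/3       # PC3 (assumed port), not isolated
 port link-type access
 port default vlan 10
#
# Fragment 2: MUX VLAN (Scenario 2). VLAN roles follow the text above.
vlan batch 10 20 30
vlan 10
 mux-vlan                            # principal VLAN: the server
 subordinate group 20                # group VLAN: PC1 and PC2
 subordinate separate 30             # separate VLAN: PC3 and PC4
interface GigabitEthernet0/0/1       # repeat on every access port with its own VLAN
 port link-type access
 port default vlan 20
 port mux-vlan enable                # some software versions also require the VLAN ID
#
# Fragment 3: ACL and traffic policy (Scenario 3), matching 192.168.10.0/24
# as the configuration sentence above states.
# In a traffic policy the ACL "permit" only selects the traffic;
# the traffic behavior decides what happens to it.
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
traffic classifier c_ftp
 if-match acl 3000
traffic behavior b_deny
 deny
traffic policy p_ftp
 classifier c_ftp behavior b_deny
interface GigabitEthernet0/0/1       # port facing the 192.168.10.0/24 users (assumed)
 traffic-policy p_ftp inbound
```

The three fragments are independent of each other and reuse interface numbers only for brevity. After applying any of them, repeat the ping checks described in the matching scenario to confirm that both the blocked and the permitted paths behave as intended.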


liuliuliu
Created Jul 28, 2015 07:14:33

Thank you.

yaba_mobhe
Created Sep 7, 2016 09:34:46

thank you
