Difference between port isolation and ACLs on S series switches


For S series switches (except S1700 switches):
The port isolation function isolates interfaces in a VLAN, providing secure and flexible networking solutions.
To implement Layer 2 isolation between interfaces, you can add each interface to a different VLAN. This method, however, wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN, and a port isolation group can effectively implement Layer 2 isolation between these interfaces. It provides secure and flexible networking solutions.
An ACL is a packet filter that filters packets based on rules. A switch with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied.
For example, after an ACL is applied to a traffic policy or simplified traffic policy, access rights of the users on different network segments are restricted, preventing security risks caused by uncontrolled mutual access between different network segments.
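The two mechanisms side by side, as an added S series configuration example (it is not taken from the page or from Huawei documentation; VLAN numbers, interface names, ACL number and the 192.168.10.0/24 and 192.168.20.0/24 segments are constructed, and the command syntax assumed here should be checked against the command reference of your device model and software version). Port isolation works on interfaces within one VLAN and needs no packet rules; the ACL describes the traffic and only takes effect once a (simplified or full) traffic policy applies it:

```text
# --- Port isolation: Layer 2 isolation inside VLAN 10 without extra VLANs ---
system-view
 vlan 10
 quit
 # l2: isolate at Layer 2 only, so group members can still reach each other
 # through the Layer 3 gateway; the default mode (all) also blocks Layer 3.
 port-isolate mode l2
 interface GigabitEthernet0/0/1
  port link-type access
  port default vlan 10
  port-isolate enable group 1
  quit
 interface GigabitEthernet0/0/2
  port link-type access
  port default vlan 10
  port-isolate enable group 1      # GE0/0/1 and GE0/0/2 cannot exchange frames
  quit
 interface GigabitEthernet0/0/3
  port link-type access
  port default vlan 10             # not in group 1: still reaches GE0/0/1 and GE0/0/2
  quit

# --- ACL: rule-based packet filter, effective only through a traffic policy ---
 # Advanced ACL (3000-3999): block IP traffic from the 192.168.10.0/24 segment
 # to the 192.168.20.0/24 segment. Packets that match no rule are forwarded normally.
 acl number 3001
  rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
  quit
 # Simplified traffic policy: a single command on the interface.
 interface GigabitEthernet0/0/5
  traffic-filter inbound acl 3001
  quit
 # Full traffic policy: classifier -> behavior -> policy, applied here to the VLAN.
 # A packet that matches a deny rule in the ACL is discarded whatever the behavior says.
 traffic classifier c_cross_segment
  if-match acl 3001
  quit
 traffic behavior b_deny
  deny
  quit
 traffic policy p_segment
  classifier c_cross_segment behavior b_deny
  quit
 vlan 10
  traffic-policy p_segment inbound
  quit

# Verification
 display port-isolate group all
 display acl 3001
```

Choosing between them: port isolation is the right tool when hosts share a VLAN and must not talk to each other at all (a guest or user access segment), because it needs no per-host rules and cannot be bypassed by changing IP addresses. An ACL is the right tool when traffic between segments must be filtered by address, protocol or port rather than blocked outright; keep its rules explicit and check `display acl` counters after deployment to confirm the rule actually matches the intended traffic.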

Other related questions:
What are the differences between port isolation and ACL on a WLAN device
For WLAN devices: The port isolation function isolates interfaces in a VLAN, providing secure and flexible networking solutions. To implement Layer 2 isolation between interfaces, you can add these interfaces to different VLANs. However, this approach wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN, and a port isolation group can effectively implement Layer 2 isolation between these interfaces. Port isolation offers secure and flexible networking solutions. An ACL is a packet filter that filters packets based on rules. A device with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied. Uncontrolled mutual access between different network segments brings security risks. After an ACL is applied to a QoS traffic policy or simplified traffic policy, the access rights between the users on different network segments are restricted.

Differences between IPSG and port security of S series switches
For S series switches (except S1700 switches), both IPSG and port security support bindings between MAC addresses and interfaces. Their differences are as follows:
- IPSG: Binds MAC addresses to interfaces in a binding table so that a host can go online only through a fixed port. Hosts whose MAC addresses are not in the binding table cannot go online through the switch. IPSG prevents IP address spoofing attacks, for example, a malicious host stealing an authorized host's IP address to access or attack the network.
- Port security: Converts a limited number of dynamic MAC entries learned by interfaces into secure MAC entries, so that a host can go online only through a fixed port. Hosts whose MAC addresses are not in the MAC address table cannot go online through the switch. Port security prevents access by unauthorized hosts and limits the number of access hosts. It is applicable to networks with a large number of hosts. If you only want to prevent hosts with unauthorized MAC addresses from communicating with each other and a large number of hosts reside on the network, port security is recommended.
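Both features configured on neighbouring access ports, as an added S series example (not from the page or from Huawei documentation; the IP address 192.168.10.11, the MAC address 0001-0203-0405, VLAN 10 and the interface names are constructed, and the assumed command syntax should be checked against your device's command reference). IPSG checks every packet against a binding table that ties IP, MAC, interface and VLAN together; port security only decides which source MAC addresses an interface accepts and how many:

```text
# --- IPSG: static binding table, every packet checked against it ---
system-view
 # Host 192.168.10.11 with MAC 0001-0203-0405 may appear only on GE0/0/1 in VLAN 10.
 user-bind static ip-address 192.168.10.11 mac-address 0001-0203-0405 interface GigabitEthernet0/0/1 vlan 10
 interface GigabitEthernet0/0/1
  port link-type access
  port default vlan 10
  ip source check user-bind enable
  # Compare both the source IP and the source MAC with the binding table, so a
  # host that borrows the authorized IP address from another MAC is dropped.
  ip source check user-bind check-item ip-address mac-address
  quit
 # On larger networks the bindings are normally learned from DHCP snooping
 # instead of being entered statically.

# --- Port security: learned MACs become secure MACs, with a count limit ---
 interface GigabitEthernet0/0/2
  port link-type access
  port default vlan 10
  port-security enable
  # At most 5 hosts on this port; further MAC addresses are not learned.
  port-security max-mac-num 5
  # restrict: drop frames from unknown MACs and log; alternatives are protect and shutdown.
  port-security protect-action restrict
  # sticky: keep the learned secure MACs in the saved configuration across reboots.
  port-security mac-address sticky
  quit

# Verification
 display dhcp static user-bind all
 display mac-address security
```

The practical distinction: IPSG is worth its per-host binding effort where IP spoofing is the concern (servers, printers, anything addressed by IP in firewall rules), while port security scales to many user ports because it needs no per-host data, but it gives no protection when an unauthorized host simply reuses an accepted MAC address. The `restrict` action is usually preferable to `shutdown` on user ports, since a shutdown lets a single misbehaving host take the port down for everyone behind it.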

Differences between an NNI optical port and an isolated node
Question: What is an NNI optical port and an isolated node? Can a non-transmission device be regarded as an isolated node? Answer: The NNI optical port is used for communication with external networks. For example, if a Huawei device is interconnected with a device of another company, or a service traverses multiple subnets but the T2000 can manage only a part of the subnets, the T2000 only identifies that a service is transmitted out from a certain slot of an NE. In this case, you need to create an NNI optical port as an identifier. A TM without protection or an isolated node without optical fiber connections can be created as an NNI optical port. An NNI optical port is a logical system that does not belong to any protection subnet and has no protection TM. An isolated node is configured on the NE side but cannot form or has not yet formed a protection subnet with other nodes.

Differences between mirrored ports and observing ports on S series switches
For S series switches:
- A mirrored port is a monitored port. All packets that pass through a mirrored port are copied to a port connected to a monitoring device.
- An observing port is connected to a monitoring device and is used to send the packets copied from a mirrored port to the monitoring device.
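Local port mirroring with one observing port and two mirrored ports, as an added S series example (not from the page or from Huawei documentation; the interface numbers are constructed and the assumed syntax should be checked against your device's command reference). The observing port is defined first and given an index, and each mirrored port then refers to that index:

```text
system-view
 # Observing port: GE0/0/24 connects to the monitoring device (IDS sensor or
 # packet capture host). It carries only mirrored copies, so it must not double
 # as a normal access or uplink port.
 observe-port 1 interface GigabitEthernet0/0/24
 # Mirrored port: copy all inbound and outbound frames of GE0/0/1 to observing port 1.
 interface GigabitEthernet0/0/1
  port-mirroring to observe-port 1 both
  quit
 # A second mirrored port may feed the same observing port; here only inbound frames.
 interface GigabitEthernet0/0/2
  port-mirroring to observe-port 1 inbound
  quit

# Verification
 display observe-port
 display port-mirroring
```

Two things to keep in mind when using this for monitoring: the observing port receives a full copy of the mirrored traffic, including any credentials that cross it in clear text, so the monitoring device and the port's cabling deserve the same physical and access controls as the switch itself; and if several busy ports are mirrored into one observing port, the copies can exceed its bandwidth and frames are silently dropped, so compare the mirrored ports' traffic rate with the observing port's speed before relying on the capture for detection.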

Difference between the S series switch and router
The S series switch and router differ in the following aspects:
1. Functions: data switching or routing
Although both Layer 3 switches and routers provide the routing function, they are not the same. For example, many broadband routers provide not only the routing function but also switching and firewall functions. However, these routers are not equated with switches or firewalls, because routing is their main function while the others are additional functions. The same rule applies to Layer 3 switches: they are switching products that mainly provide data switching, with routing as an additional function.
2. Applicable environment: LAN or WAN
The routing function of a Layer 3 switch is simple and intended for connecting LANs. Therefore, the routes of a Layer 3 switch are simpler and less complex than those of a router. The Layer 3 switch provides fast data switching to support frequent exchange of data traffic in the LAN. The router is designed to connect different types of networks. Although a router can be used to connect LANs, its routing function is mainly provided for connecting different types of networks, such as a LAN to a WAN, or networks that use different protocols. The main purpose of a router is to connect multiple networks with complex routes. With its powerful routing function, the router is applied not only to LANs using the same protocol but also to LANs and WANs using different protocols. To connect different types of networks, the router provides various interface types, whereas the Layer 3 switch provides only LAN interfaces of the same type.
3. Performance: data packet forwarding
Technically, the major difference between a router and a Layer 3 switch is how they forward data packets. The router uses a software engine running on a microprocessor to forward packets, while the Layer 3 switch uses hardware.
After a Layer 3 switch forwards the first packet of a data flow, it generates a mapping between MAC addresses and IP addresses. When subsequent packets of the same flow pass, the Layer 3 switch forwards them without searching the routing table. This avoids the delay caused by route selection and improves packet forwarding efficiency. Therefore, in terms of performance, the Layer 3 switch is better than the router and is applied to LANs with frequent data exchange. With a powerful routing function but lower packet forwarding efficiency, the router is applied to connections between different types of networks without frequent data exchange, such as the connection between a LAN and the Internet. If a router is used within a LAN, its powerful routing function is wasted, it cannot meet the communication requirements of the LAN, and it slows communication between subnets.
