How does an S switch isolate L2 traffic?

S switches can implement Layer 2 isolation through traffic policies and port isolation. Please refer to http://support.huawei.com/ehedex/hdx.do?lib=DOC100000847031185721&docid=DOC1000008470&v=05&tocLib=DOC100000847031185721&tocV=05&id=dc_s_web_090157&tocURL=resources%252fs%252fdc%255fs%255fweb%255f090157%255fx7%252ehtml&p=t&fe=1&ui=3&keyword=isol&clientWidth=1325&browseTime=1490106452862

Other related questions:
How does an S series switch process UDP packets when it functions as a Layer 2 switch?
If an S series switch (except the S1700) functions as a Layer 2 switch, it does not identify UDP or TCP packets by default. The switch only forwards packets based on its original MAC address table.

Difference between port isolation and ACLs on S series switches
For S series switches (except S1700 switches): The port isolation function isolates interfaces in a VLAN, providing secure and flexible networking solutions. To implement Layer 2 isolation between interfaces, you can add each interface to a different VLAN. This method, however, wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN, and a port isolation group can effectively implement Layer 2 isolation between these interfaces.

An ACL is a packet filter that filters packets based on rules. A switch with an ACL configured matches packets based on the rules to obtain the packets of a certain type, and then decides to forward or discard these packets according to the policies used by the service module to which the ACL is applied. For example, after an ACL is applied to a traffic policy or simplified traffic policy, access rights of the users on different network segments are restricted, preventing security risks caused by uncontrolled mutual access between different network segments.

How does the switch generate the MAC address for a VLAN interface?
For S switches, before V1R6 all VLAN interfaces share one MAC address from the system; after V1R6, different VLAN interfaces have different MAC addresses. You can check this with the "display interface vlanif vlanid" command. For E switches, different VLAN interfaces have different MAC addresses.

Precautions for configuring port isolation on S series switches
Precautions for configuring port isolation on S series switches (except the S1700) are as follows:
1. Port isolation takes effect only for interfaces on the same switch, and cannot take effect for interfaces on different switches.
2. Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. If the group-id parameter is not specified, interfaces are added to port isolation group 1 by default.
3. For S series switches, the default port isolation mode is Layer 2 isolation and Layer 3 interworking. To configure Layer 2 and Layer 3 isolation, run the port-isolate mode all command in the system view.
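
A configuration sketch of the precautions above, added here as an example and not taken from the Huawei documentation. The device name, interface numbers, VLAN 10 and group 2 are constructed sample values; lines starting with "#" are annotations, not commands.

```text
<HUAWEI> system-view
[HUAWEI] vlan batch 10

# Default mode is Layer 2 isolation with Layer 3 interworking.
# Without the next command, isolated ports can still reach each other at Layer 3.
[HUAWEI] port-isolate mode all

# Port 1: no group-id given, so it joins port isolation group 1 by default.
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable
[HUAWEI-GigabitEthernet0/0/1] quit

# Port 2: same VLAN, explicitly in group 1, so it is isolated from port 1.
[HUAWEI] interface GigabitEthernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 10
[HUAWEI-GigabitEthernet0/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet0/0/2] quit

# Port 3: same VLAN but group 2. Ports in different groups can communicate,
# so port 3 still reaches ports 1 and 2. Put it in group 1 if that is not intended.
[HUAWEI] interface GigabitEthernet 0/0/3
[HUAWEI-GigabitEthernet0/0/3] port link-type access
[HUAWEI-GigabitEthernet0/0/3] port default vlan 10
[HUAWEI-GigabitEthernet0/0/3] port-isolate enable group 2
[HUAWEI-GigabitEthernet0/0/3] quit
[HUAWEI] quit

# Verify group membership. Isolation applies only between ports on this switch.
<HUAWEI> display port-isolate group all
```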