How to use port isolation to prevent users in the same VLAN from communicating with each other


Port isolation can isolate interfaces in the same VLAN. You can add interfaces to a port isolation group to prevent these interfaces from sending data packets to each other.

For example, GE0/0/1 and GE0/0/2 belong to VLAN10. You can configure port isolation to prevent users connected to GE0/0/1 and GE0/0/2 respectively from sending data packets to each other.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 10
[HUAWEI-GigabitEthernet0/0/2] port-isolate enable
[HUAWEI-GigabitEthernet0/0/2] quit
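To make the effect of the configuration above concrete, here is an added Python model (not code from the page or from Huawei) that parses a configuration snippet of this shape and applies the Layer 2 rule it produces: a frame is dropped only when both the ingress and egress port are in the isolation group and in the same VLAN. The unisolated uplink GE0/0/3 in the constructed config is an assumption added to show that isolated hosts still reach a port outside the group.

```python
# Added example (not from the page or Huawei): parse a port-isolation config and model the L2 forwarding it produces.
import re
from dataclasses import dataclass

@dataclass
class Port:
    vlan: int = 1
    isolated: bool = False  # member of the port isolation group

def parse_config(text: str) -> dict:
    """Build a port table from interface / port default vlan / port-isolate lines."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop [HUAWEI-...] prompts
        if m := re.match(r"interface gigabitethernet (\S+)", line, re.I):
            current = "GE" + m.group(1)
            ports[current] = Port()
        elif current and (m := re.match(r"port default vlan (\d+)", line)):
            ports[current].vlan = int(m.group(1))
        elif current and line == "port-isolate enable":
            ports[current].isolated = True
        elif line == "quit":
            current = None
    return ports

def forwards(ports: dict, ingress: str, egress: str) -> bool:
    """Layer 2 decision: same VLAN required, and the frame is dropped only when
    BOTH ports are isolated, so a non-isolated uplink/gateway port still reaches
    every host. Routed (Layer 3) paths via a gateway are outside this model."""
    a, b = ports[ingress], ports[egress]
    if ingress == egress or a.vlan != b.vlan:
        return False
    return not (a.isolated and b.isolated)

def unisolated_ports(ports: dict, vlan: int) -> list:
    """Audit helper: ports in `vlan` that are not in the isolation group."""
    return sorted(n for n, p in ports.items() if p.vlan == vlan and not p.isolated)

# Constructed config: the page's two isolated access ports plus an assumed
# uplink GE0/0/3 in the same VLAN that is deliberately left unisolated.
CONFIG = """
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port default vlan 10
[HUAWEI-GigabitEthernet0/0/2] port-isolate enable
[HUAWEI] interface gigabitethernet 0/0/3
[HUAWEI-GigabitEthernet0/0/3] port default vlan 10
"""
```

Running `unisolated_ports(parse_config(CONFIG), 10)` is a quick audit that lists VLAN 10 ports still able to reach the isolated hosts, which is what you want to review before relying on isolation.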

Other related questions:
Configure ACLs on S series switches to restrict communications between users
For details about the configuration on S series switches (except S1700 switches), click Typical Configuration Examples and choose Typical Security Configuration > Typical ACL Configuration > Example for Using ACLs to Restrict Mutual Access Between Network Segments.

Differences between IPSG and port security of S series switches
For S series switches (except S1700 switches), both IPSG and port security support bindings between MAC addresses and interfaces. Their differences are as follows:
- IPSG: Binds MAC addresses to interfaces in a binding table so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the binding table cannot go online through the switch. IPSG prevents IP address spoofing attacks. For example, it prevents a malicious host from stealing an authorized host's IP address to access or attack the network.
- Port security: Converts a limited number of dynamic MAC entries learned by interfaces into secure MAC entries, so that a host can only go online through a fixed port. Hosts whose MAC addresses are not in the MAC address table cannot go online through the switch. Port security prevents access by unauthorized hosts and limits the number of access hosts. It is applicable to networks with a large number of hosts. If you only want to prevent hosts with unauthorized MAC addresses from communicating with each other and a large number of hosts reside on the network, port security is recommended.

How to control mutual access between network segments
On AR routers, you can configure advanced ACL and ACL-based traffic classifiers to control mutual access between users on different network segments.

Can Subnets Communicate with Each Other?

Subnets belong to VPCs. Subnets in the same VPC can communicate with each other. Subnets in different VPCs cannot communicate with each other by default. However, you can create VPC peering connections to enable subnets in different VPCs to communicate with each other.


Can VSs directly communicate with each other?
Each VS can be considered an independent device. VSs cannot directly communicate even if they reside on the same physical device. VSs can directly communicate only when they are connected using physical ports, similar to the direct communication between physical devices.
