Example for Configuring Port Isolation


Overview

To implement Layer 2 isolation between interfaces, you can add each interface to a different VLAN. However, this method wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN, and a port isolation group can effectively implement Layer 2 isolation between these interfaces. Port isolation provides secure and flexible networking solutions.

Two port isolation modes are available: Layer 2 isolation and Layer 3 interworking, or Layer 2 and Layer 3 isolation.
  • To isolate broadcast packets in the same VLAN but allow users connecting to different interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2 isolation and Layer 3 interworking.
  • To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.

Configuration Notes

  • This example applies to all versions of all S series switches.
  • Do not add both the uplink and downlink interfaces to the same port isolation group unless required. Otherwise, the uplink and downlink interfaces cannot communicate.
  • S series switches support Layer 2 isolation and Layer 3 interworking.
  • All S series chassis switches support Layer 2 and Layer 3 isolation. S series box switches support Layer 2 and Layer 3 isolation excluding the S2700SI and S2700EI running V100R006C05 and the S2720EI, S5720LI, S6720LI, S6720S-LI, S5710-C-LI, and S5720S-LI running V200R001 and later versions.

Networking Requirements

An R&D office of a company contains employees from the company, partner company A, and partner company B. As shown in Figure 5-4, PC1 and PC2 are used by two employees from partner companies A and B respectively, and PC3 is used by an R&D employee from the company. The requirements are as follows:

  • VLAN resources need to be saved.
  • Employees from partner companies A and B cannot communicate with each other.
  • Employees from partner companies A and B can communicate with the company's employees.
Figure 5-4  Networking diagram for configuring port isolation 

Configuration Roadmap

The configuration roadmap is as follows:

  1. Add interfaces to a VLAN.

  2. Add the interfaces to a port isolation group to implement Layer 2 isolation between these interfaces. The default port isolation mode is Layer 2 isolation and Layer 3 interworking.

Procedure

  1. Configure port isolation.

    # Configure port isolation on GE1/0/1.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan 10
    [Switch-vlan10] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type access   //Set the interface type of GE1/0/1 to access.
    [Switch-GigabitEthernet1/0/1] port default vlan 10   //Add GE1/0/1 to VLAN 10.
    [Switch-GigabitEthernet1/0/1] port-isolate enable   //By default, the interface is added to port isolation group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
    [Switch-GigabitEthernet1/0/1] quit

    # Configure port isolation on GE1/0/2.

    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] port link-type access   //Set the interface type of GE1/0/2 to access.
    [Switch-GigabitEthernet1/0/2] port default vlan 10   //Add GE1/0/2 to VLAN 10.
    [Switch-GigabitEthernet1/0/2] port-isolate enable   //By default, the interface is added to port isolation group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
    [Switch-GigabitEthernet1/0/2] quit

    # Add GE1/0/3 to VLAN 10.

    [Switch] interface gigabitethernet 1/0/3
    [Switch-GigabitEthernet1/0/3] port link-type access   //Set the interface type of GE1/0/3 to access.
    [Switch-GigabitEthernet1/0/3] port default vlan 10   //Add GE1/0/3 to VLAN 10.
    [Switch-GigabitEthernet1/0/3] quit

  2. Verify the configuration.

    # PC1 and PC2 cannot communicate with each other.

    # PC1 and PC3 can communicate with each other.

    # PC2 and PC3 can communicate with each other.

Configuration File

Switch configuration file

#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
return

For more configuration examples, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples
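
The following is an added example, not part of the original post or any Huawei tooling: a Python check that parses the interface sections of the configuration file above and confirms the stated requirements (GE1/0/1 and GE1/0/2 isolated from each other, both able to reach GE1/0/3). It assumes, as the page describes, that interfaces in the same VLAN and the same port isolation group are Layer 2 isolated and that `port-isolate enable` without a group means group 1; the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: interface sections of the configuration file on this page.
CONFIG = """\
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
return
"""

def parse_interfaces(config):
    """Return {interface: {"vlan": int or None, "groups": set of group ids}}."""
    ports, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), {"vlan": None, "groups": set()})
        elif line.startswith("#"):
            current = None  # '#' closes the current interface section
        elif current is not None:
            if m := re.match(r"\s+port default vlan (\d+)", line):
                current["vlan"] = int(m.group(1))
            elif m := re.match(r"\s+port-isolate enable(?: group (\d+))?", line):
                current["groups"].add(int(m.group(1) or 1))  # group 1 is the default
    return ports

def isolated_pairs(ports):
    """Interface pairs in the same VLAN that share an isolation group."""
    return {(a, b) for a, b in combinations(sorted(ports), 2)
            if ports[a]["vlan"] is not None and ports[a]["vlan"] == ports[b]["vlan"]
            and ports[a]["groups"] & ports[b]["groups"]}

def audit(config, must_isolate, must_reach):
    """Return a list of violations of the stated isolation requirements."""
    iso = isolated_pairs(parse_interfaces(config))
    pair = lambda p: tuple(sorted(p))
    return ([f"NOT isolated: {p}" for p in must_isolate if pair(p) not in iso] +
            [f"isolated but must communicate: {p}" for p in must_reach if pair(p) in iso])
```

Listing each uplink/downlink pair in `must_reach` also catches the mistake warned about in the configuration notes, where both interfaces end up in the same port isolation group.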

