Got it

REPRINT: how to isolate interfaces layer 2 communication on s switch.

670 0 0 0 0

authorized reprint by author zhushigeng(Vinsoney)

Hello everyone,

Today I will share with you how to isolate interfaces layer2 communication on S switch. 

1 The basic overview


In the figure above, PCs 1, 2, and 3 belong to the same VLAN (assumed to be VLAN 10) and use the same IP subnet. By default, three PCs can access each other. This is a typical Layer 2 visit.

Now there is such a requirement that PC1-PC2 cannot communicate with each other without modifying the IP subnet and VLAN planning, while PC1 and PC3 can communicate with each other, but PC2 and PC3 can't. This can be achieved by port isolation.

The concept of a port isolation group is required. The ports of the switch can be added to a specific isolation group. The ports of the same port isolation group are isolated from each other. The ports of different port isolation groups are not isolated.

Therefore, to implement the above requirements, the configuration idea is very simple. On the switch, ports 1 and 2 are placed in the same isolation group. Port 3 is not configured as an isolation group or placed in another isolation group, and then enable the port isolation.


2 Implementation


1. PC1, PC2, and PC3 belong to vlan10, and the same subnet. The IP is as shown in the figure above.

2. Configure port isolation so that PC1 and PC2 cannot communicate with each other, while PC1 and PC3, PC2 and PC3 can access each other.

The configuration of the switch is as follows:


#Set the port isolation mode to Layer 2 isolation and Layer 3 interworking:


[SW] port-isolate mode l2

[SW] interface GigabitEthernet 0/0/1

[SW-GigabitEthernet0/0/1] port link-type access

[SW-GigabitEthernet0/0/1] port default vlan 10

[SW-GigabitEthernet0/0/1] port-isolate enable group 1         #interface joins into isolation group 1


[SW] interface GigabitEthernet 0/0/2

[SW-GigabitEthernet0/0/2] port link-type access

[SW-GigabitEthernet0/0/2] port default vlan 10

[SW-GigabitEthernet0/0/2] port-isolate enable group 1        #interface joins into isolation group 1


[SW] interface GigabitEthernet 0/0/3

[SW-GigabitEthernet0/0/3] port link-type access

[SW-GigabitEthernet0/0/3] port default vlan 10                     #interface g0/0/3 doesn't joins into isolation group.


<SW> display port-isolate group all

The ports in isolate group 1:

<SW> GigabitEthernet0/0/1     GigabitEthernet0/0/2



Add port 1 and port 2 to isolation group 1, so that PC1 and PC2 are isolated from each other on the layer 2, and they cannot access each other.

However, both PC1 and PC2 can communicate with PC3.

Command port-isolate mode l2 sets the isolation mode to Layer 2 isolation, while Layer 3 doesn't. The so-called three-layer non-isolation means that the nodes of the same isolation group can still communicate through IP address, for example:


The IP address of PC1 is, and the gateway is vlanif10 IP address

The IP address of PC1 is, and the gateway is vlanif10 subbordinate IP address

Vlanif10 is configured with two IP addresses, that is, two IP subnets are used in a same vlan.

Then, although port 1 and port 2 are now Layer 2 isolated, ARP traffic cannot be passed through, but PC1 and PC2 can still communicate through Layer 3 IP address. This is called Layer 2 isolation but Layer 3 is not isolated.

What if we want to completely isolate port 1 and port 2, both on layer 2 and layer 3? Command port-isolate mode all can help us achieve the goal.

That is all I want to share with you! Thank you!

  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.