04-Layer 2 - LAN Switching Configuration Guide

05-Port Isolation Configuration

NOTE:

·       The switch operates in IRF or standalone (the default) mode. The port isolation configuration is available when the switch operates in standalone mode or operates in IRF mode with the enhanced IRF mode disabled. For more information about IRF, see IRF Configuration Guide.

·       You cannot configure the port isolation feature together with the MAC-based VLAN feature when the switch operates in non-hybrid mode. For more information about MAC-based VLANs, see the chapter “Configuring VLANs.” For more information about the system working modes, see Fundamentals Configuration Guide.

 

Overview

Port isolation

Assigning access ports to different VLANs is a typical way to isolate Layer 2 traffic for data privacy and security, but this approach consumes VLAN resources. To save VLAN resources, you can use the port isolation feature, which isolates ports on a per-switch or per-IRF-member basis without using VLANs and allows for both flexibility and security.

The feature isolates ports regardless of the VLANs that the ports are assigned to. In an isolation group, only one isolated port can unidirectionally connect to the uplink port, whereas all other ports are isolated at Layer 2. To enable ports in the isolation group to communicate with outside ports that belong to the same VLAN as the isolation group ports, follow these guidelines:

·           When the switch operates in hybrid mode, you must specify an uplink port for the isolation group. Figure 1 shows traffic communication among those ports.

·           When the switch operates in non-hybrid mode, the isolation group ports can communicate with the outside ports at Layer 2 bidirectionally without additional configuration.

Figure 1 Communication between ports in the same VLAN in port isolation

 

 

NOTE:

The arrows in the previous figure indicate the directions that Layer 2 traffic is permitted to flow.

 

 

NOTE:

·       The isolated ports in an isolation group support the following functions only: MAC address learning, QoS actions (such as accounting, filter deny, car cir committed-information-rate red discard, and traffic mirroring) in the incoming direction of the ports, and link aggregation.

·       Do not configure Layer 2 protocols (such as GVRP) or Layer 3 protocols (such as multicast and routing) on the isolated ports in an isolation group. Doing so can cause network malfunction.

 

Non-isolated VLAN

A non-isolated VLAN allows the ports in an isolation group to communicate with each other within the VLAN at Layer 2.

Figure 2 shows a network scenario that requires the non-isolated VLAN configuration.

·           Switch B and Switch C communicate with a public server cluster through Switch A.

·           Switch A connects to Switch B through GigabitEthernet 3/0/2, and connects to Switch C through GigabitEthernet 3/0/3.

·           Both GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to VLAN 2 and VLAN 3.

After GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1, Switch B cannot communicate with Switch C at Layer 2, Host A cannot communicate with Host C although they both belong to VLAN 2, and Host B cannot communicate with Host D although they both belong to VLAN 3.

To enable Layer 2 communication between Host B and Host D, you can configure VLAN 3 as a non-isolated VLAN for isolation group 1.

Figure 2 Non-isolated VLAN in an isolation group
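The Figure 2 scenario can be checked mechanically. The following Python model is an added example; it is not part of this guide or of the H3C software. It encodes the non-hybrid-mode rules stated above (two ports exchange Layer 2 traffic only in a VLAN both carry; two isolated ports of the same isolation group cannot, unless the VLAN is a non-isolated VLAN of that group) and evaluates them for a Switch A model constructed from the Figure 2 description. The VLANs carried by GigabitEthernet 3/0/1 and the placement of Host A/B behind Switch B and Host C/D behind Switch C are assumptions.

```python
"""Layer 2 reachability under port isolation in non-hybrid mode.

Added example, not part of the H3C guide or H3C software. It encodes the
rules stated in the overview for non-hybrid mode:
  * two ports exchange Layer 2 traffic only in a VLAN both carry;
  * two isolated ports of the same isolation group cannot exchange traffic,
    unless the VLAN is a non-isolated (community) VLAN of that group;
  * any other pair of ports is not restricted by port isolation.
The Switch A topology below is constructed from the Figure 2 description;
the VLANs on GigabitEthernet 3/0/1 and the host placement are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class IsolationGroup:
    group_id: int
    members: set[str]                                        # isolated ports
    community_vlans: set[int] = field(default_factory=set)   # non-isolated VLANs


@dataclass
class SwitchModel:
    port_vlans: dict[str, set[int]]                          # port -> VLANs it carries
    groups: list[IsolationGroup]

    def group_of(self, port: str) -> IsolationGroup | None:
        return next((g for g in self.groups if port in g.members), None)

    def can_forward(self, src: str, dst: str, vlan: int) -> tuple[bool, str]:
        """Can a frame in `vlan` received on src be forwarded out dst at Layer 2?"""
        if src == dst:
            return False, "same port"
        if vlan not in self.port_vlans.get(src, set()) or vlan not in self.port_vlans.get(dst, set()):
            return False, f"VLAN {vlan} is not on both ports"
        g_src, g_dst = self.group_of(src), self.group_of(dst)
        if g_src is not None and g_src is g_dst:
            if vlan in g_src.community_vlans:
                return True, f"VLAN {vlan} is a non-isolated VLAN of isolation group {g_src.group_id}"
            return False, f"both ports are isolated ports of isolation group {g_src.group_id}"
        return True, "ports are not isolated from each other"


# Constructed Switch A from Figure 2: GE3/0/2 (to Switch B) and GE3/0/3 (to Switch C)
# carry VLAN 2 and VLAN 3 and form isolation group 1. GE3/0/1 (Internet side) is
# assumed to carry both VLANs and is not a member of the group.
def figure2_model(community_vlans: set[int] = frozenset()) -> SwitchModel:
    return SwitchModel(
        port_vlans={
            "GigabitEthernet3/0/1": {2, 3},
            "GigabitEthernet3/0/2": {2, 3},
            "GigabitEthernet3/0/3": {2, 3},
        },
        groups=[IsolationGroup(1, {"GigabitEthernet3/0/2", "GigabitEthernet3/0/3"},
                               set(community_vlans))],
    )


# Hosts as described for Figure 2 (placement assumed): Host A/B behind Switch B,
# Host C/D behind Switch C; A and C are in VLAN 2, B and D in VLAN 3.
HOSTS = {
    "Host A": ("GigabitEthernet3/0/2", 2),
    "Host B": ("GigabitEthernet3/0/2", 3),
    "Host C": ("GigabitEthernet3/0/3", 2),
    "Host D": ("GigabitEthernet3/0/3", 3),
}


def hosts_can_talk(model: SwitchModel, a: str, b: str) -> tuple[bool, str]:
    """Layer 2 reachability between two hosts as seen by Switch A."""
    port_a, vlan_a = HOSTS[a]
    port_b, vlan_b = HOSTS[b]
    if vlan_a != vlan_b:
        return False, "different VLANs"
    return model.can_forward(port_a, port_b, vlan_a)


if __name__ == "__main__":
    for label, model in (("no non-isolated VLAN", figure2_model()),
                         ("community-vlan vlan 3", figure2_model({3}))):
        print(f"-- {label}")
        for a, b in (("Host A", "Host C"), ("Host B", "Host D"), ("Host A", "Host B")):
            ok, why = hosts_can_talk(model, a, b)
            print(f"{a} -> {b}: {'allowed' if ok else 'blocked'} ({why})")
```

With no non-isolated VLAN, Host A/Host C (VLAN 2) and Host B/Host D (VLAN 3) are both blocked; after `community-vlan vlan 3`, only the VLAN 3 pair becomes reachable, while VLAN 2 between the two isolated ports stays blocked and traffic from either isolated port toward GigabitEthernet 3/0/1 is unaffected.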

 

Port isolation configuration task list

Complete these tasks to configure port isolation:

 

Task

Remarks

Assigning ports to an isolation group

Required

Specifying the uplink port for an isolation group

Required only when the switch operates in hybrid mode.

Configuring non-isolated VLANs

Optional

 

Assigning ports to an isolation group

 

 

NOTE:

The number of ports that can be assigned to an isolation group is not limited.

 

To assign ports to an isolation group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an isolation group and enter isolation group view when the switch operates in non-hybrid mode.

port-isolate group group-number

When the switch operates in non-hybrid mode, you can use this command to directly enter the view of an existing isolation group.

3.     Exit isolation group view.

quit

This operation is required only when the switch operates in non-hybrid mode.

4.     Enter interface view.

·       Enter Ethernet interface view:
interface interface-type interface-number

·       Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·       Enter port group view:
port-group manual port-group-name

Use one of the commands.

5.     Assign the ports to the isolation group as isolated ports.

port-isolate enable group group-number

No ports are assigned to an isolation group by default.

 

Specifying the uplink port for an isolation group

 

 

NOTE:

You must specify the uplink port for an isolation group when the switch operates in hybrid mode.

 

Configuration guidelines

When you specify the uplink port for an isolation group, follow these guidelines:

·           An isolation group can have only one uplink port. If you specify a new uplink port for an isolation group, it replaces the previous one.

·           You cannot configure an isolated port of an isolation group as the uplink port of any isolation group. You can, however, assign an isolated port of one isolation group to another isolation group; the port then leaves the previous group and joins the new one.

·           You cannot configure the uplink port of an isolation group as an isolated or uplink port of any other isolation group.

·           A member port of an aggregation group cannot be configured as the uplink port of an isolation group, and the uplink port of an isolation group cannot be assigned to an aggregation group. If a port is configured both as an aggregation group member and as the uplink port of an isolation group (for example, in a configuration file being restored), the aggregation group configuration takes effect and the isolation group configuration is removed, for backward compatibility of configuration files. For more information about link aggregation, see the chapter “Ethernet link aggregation configuration.”

Configuration procedure

To specify the uplink port for an isolation group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

·       Enter Ethernet interface view:
interface interface-type interface-number

·       Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

Use either command.

3.     Configure the port as the uplink port of an isolation group.

port-isolate uplink-port group group-number

An isolation group has no uplink port by default.

 

Configuring non-isolated VLANs

 

 

NOTE:

·       This configuration is available only when the switch operates in non-hybrid mode.

·       This configuration is available when the switch operates in standalone mode or operates in IRF mode with the enhanced IRF mode disabled.

 

To configure non-isolated VLANs:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an isolation group and enter isolation group view.

port-isolate group group-number

You can use this command to directly enter the view of an existing isolation group.

3.     Configure non-isolated VLANs.

community-vlan vlan { vlan-id-list | all }

By default, an isolation group does not contain any non-isolated VLANs.

 

Displaying and maintaining port isolation

 

Task

Command

Remarks

Display the port isolation information.

display port-isolate group [ group-number ] [ | { begin | exclude | include } regular-expression ]

Available in any view
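The output of `display port-isolate group` can be audited against the guidelines in "Specifying the uplink port for an isolation group": one uplink port per group, no port that is both an isolated port and an uplink port, no port in more than one group, and, in hybrid mode (`Uplink port support: YES`), an uplink port in every group. The following Python script is an added example, not H3C code. Its parser follows the field names shown in the examples later in this chapter (`Uplink port support`, `Group ID`, `Uplink port`, `Group members`); the sample output is constructed, and the assumption that several groups are printed one after another in that layout when no group number is given is not taken from this guide.

```python
"""Audit `display port-isolate group` output against the port isolation guidelines.

Added example, not H3C code. The field names follow the sample output in this
chapter; SAMPLE_OUTPUT is constructed and deliberately contains violations.
The layout for several groups in one output is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
Port-isolate group information:
 Uplink port support: YES
 Group ID: 2
 Uplink port: GigabitEthernet4/0/1
 Group members:
    GigabitEthernet4/0/2     GigabitEthernet4/0/3     GigabitEthernet4/0/4
 Group ID: 3
 Uplink port: GigabitEthernet4/0/1
 Group members:
    GigabitEthernet4/0/5     GigabitEthernet4/0/3
 Group ID: 4
 Group members:
    GigabitEthernet4/0/6     GigabitEthernet4/0/1
"""


def parse_port_isolate(text):
    """Return (uplink_supported, {group_id: {"uplink": str|None, "members": [ports]}})."""
    uplink_supported = False
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Port-isolate group") or line.startswith("Group members"):
            continue
        m = re.match(r"Uplink port support:\s*(YES|NO)", line)
        if m:
            uplink_supported = m.group(1) == "YES"   # YES means the switch is in hybrid mode
            continue
        m = re.match(r"Group ID:\s*(\d+)", line)
        if m:
            current = {"uplink": None, "members": []}
            groups[int(m.group(1))] = current
            continue
        m = re.match(r"Uplink port:\s*(\S+)", line)
        if m and current is not None:
            current["uplink"] = m.group(1)
            continue
        if current is not None:                      # remaining lines list member ports
            current["members"].extend(line.split())
    return uplink_supported, groups


def audit(uplink_supported, groups):
    """Return a list of guideline violations found in the parsed groups."""
    findings = []
    member_groups = defaultdict(list)   # port -> groups in which it is an isolated port
    uplink_groups = defaultdict(list)   # port -> groups for which it is the uplink port
    for gid, g in sorted(groups.items()):
        for port in g["members"]:
            member_groups[port].append(gid)
        if g["uplink"]:
            uplink_groups[g["uplink"]].append(gid)
        elif uplink_supported:
            findings.append(f"group {gid}: hybrid mode but no uplink port; "
                            "its isolated ports cannot reach ports outside the group")
    for port, gids in member_groups.items():
        if len(gids) > 1:
            findings.append(f"{port}: isolated port in groups {gids}; a port belongs to one group only")
        if port in uplink_groups:
            findings.append(f"{port}: isolated port of groups {gids} and uplink port of groups "
                            f"{uplink_groups[port]}; an isolated port cannot be an uplink port")
    for port, gids in uplink_groups.items():
        if len(gids) > 1:
            findings.append(f"{port}: uplink port of groups {gids}; an uplink port serves one group only")
    return findings


def run_audit(text=SAMPLE_OUTPUT):
    return audit(*parse_port_isolate(text))


if __name__ == "__main__":
    for finding in run_audit():
        print("VIOLATION:", finding)
```

In practice, paste the output captured from the switch in place of SAMPLE_OUTPUT; an empty result means the display output is consistent with the guidelines. Note that the display output does not reveal aggregation group membership, so the aggregation guideline has to be checked against the interface configuration separately.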

 

Port isolation configuration examples

 

 

NOTE:

By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in DOWN state. Before configuring these interfaces, bring them up with the undo shutdown command.

 

Port isolation configuration example

 

 

NOTE:

This example assumes that the switch operates in hybrid mode.

 

Networking requirements

As shown in Figure 3:

·           The switch provides access to the Internet through GigabitEthernet 4/0/1.

·           Ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/4 belong to VLAN 2.

Configure port isolation, so that the switch prevents Host A, Host B, and Host C from communicating with one another at Layer 2, but allows them to access the Internet.

Figure 3 Network diagram

 

Configuration procedure

# Create VLAN 2 and assign ports to the VLAN.

<Switch> system-view

[Switch] vlan 2

[Switch-vlan2] port gigabitethernet 4/0/1 to gigabitethernet 4/0/4

[Switch-vlan2] quit

# Create isolation group 2.

[Switch] port-isolate group 2

# Assign ports GigabitEthernet 4/0/2, GigabitEthernet 4/0/3, and GigabitEthernet 4/0/4 to isolation group 2 as isolated ports.

[Switch] interface gigabitethernet 4/0/2

[Switch-GigabitEthernet4/0/2] port-isolate enable group 2

[Switch-GigabitEthernet4/0/2] quit

[Switch] interface gigabitethernet 4/0/3

[Switch-GigabitEthernet4/0/3] port-isolate enable group 2

[Switch-GigabitEthernet4/0/3] quit

[Switch] interface gigabitethernet 4/0/4

[Switch-GigabitEthernet4/0/4] port-isolate enable group 2

[Switch-GigabitEthernet4/0/4] quit

# Configure port GigabitEthernet 4/0/1 as the uplink port of isolation group 2.

[Switch] interface gigabitethernet 4/0/1

[Switch-GigabitEthernet4/0/1] port-isolate uplink-port group 2

[Switch-GigabitEthernet4/0/1] return

Verifying the configuration

# Display information about isolation group 2.

<Switch> display port-isolate group 2

Port-isolate group information:

Uplink port support: YES

Group ID: 2

Uplink port: GigabitEthernet4/0/1

Group members:

   GigabitEthernet4/0/2     GigabitEthernet4/0/3     GigabitEthernet4/0/4

Non-isolated VLAN configuration example

 

 

NOTE:

This example assumes that the switch operates in non-hybrid mode.

 

Networking requirements

As shown in Figure 4:

·           Switch A accesses the Internet through GigabitEthernet 3/0/1.

·           The company branches Site 1 and Site 2 carry service traffic in VLAN 2 and VLAN 3, and are connected to Switch A through Switch B and Switch C, respectively.

Configure port isolation and non-isolated VLANs, so that the switches allow the company hosts to access the Internet, enable Host B and Host D to exchange video conferencing traffic in VLAN 3, and isolate other Layer 2 traffic between Switch B and Switch C.

Figure 4 Network diagram

 

Configuring Switch A

# Create VLAN 2 and VLAN 3, and assign trunk ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 to the VLANs.

<SwitchA> system-view

[SwitchA] vlan 2 to 3

[SwitchA] interface GigabitEthernet 3/0/2

[SwitchA-GigabitEthernet3/0/2] port link-type trunk

[SwitchA-GigabitEthernet3/0/2] port trunk permit vlan 2 3

[SwitchA-GigabitEthernet3/0/2] quit

[SwitchA] interface GigabitEthernet 3/0/3

[SwitchA-GigabitEthernet3/0/3] port link-type trunk

[SwitchA-GigabitEthernet3/0/3] port trunk permit vlan 2 3

[SwitchA-GigabitEthernet3/0/3] quit

# Create isolation group 1.

[SwitchA] port-isolate group 1

[SwitchA-port-isolate-group1] quit

# Assign ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 that connect to Switch B and Switch C to isolation group 1.

[SwitchA] interface GigabitEthernet 3/0/2

[SwitchA-GigabitEthernet3/0/2] port-isolate enable group 1

[SwitchA-GigabitEthernet3/0/2] quit

[SwitchA] interface GigabitEthernet 3/0/3

[SwitchA-GigabitEthernet3/0/3] port-isolate enable group 1

[SwitchA-GigabitEthernet3/0/3] quit

# Configure VLAN 3 as a non-isolated VLAN in isolation group 1.

[SwitchA] port-isolate group 1

[SwitchA-port-isolate-group1] community-vlan vlan 3

[SwitchA-port-isolate-group1] quit

Configuring Switch B

# Create VLAN 2 and VLAN 3, assign GigabitEthernet 2/0/2 to VLAN 2, and assign GigabitEthernet 2/0/3 to VLAN 3.

<SwitchB> system-view

[SwitchB] vlan 2

[SwitchB-vlan2] port GigabitEthernet 2/0/2

[SwitchB-vlan2] vlan 3

[SwitchB-vlan3] port GigabitEthernet 2/0/3

[SwitchB-vlan3] quit

# Configure GigabitEthernet 2/0/1 as a trunk port and assign the port to VLAN 2 and VLAN 3.

[SwitchB] interface GigabitEthernet 2/0/1

[SwitchB-GigabitEthernet2/0/1] port link-type trunk

[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 2 3

[SwitchB-GigabitEthernet2/0/1] quit

Configuring Switch C

Configure Switch C as you configure Switch B.

Verifying the configuration

# Display information about isolation group 1 on Switch A.

[SwitchA] display port-isolate group 1

Port-isolate group information:

Uplink port support: NO

Group ID: 1

Group members:

   GigabitEthernet3/0/2     GigabitEthernet3/0/3

The output shows that ports GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1.

# Display the configuration of isolation group 1.

[SwitchA] port-isolate group 1

[SwitchA-port-isolate-group1] display this

#

port-isolate group 1

 community-vlan vlan 3

#

return

The output shows that Switch A contains isolation group 1, in which VLAN 3 is a non-isolated VLAN.
