Introduction to Port Isolation
To implement Layer 2 isolation between packets, users can add different ports to different VLANs, but this will waste limited VLAN resources. The port isolation function can realize the isolation between ports in the same VLAN. Users only need to add ports to the isolation group to realize the isolation of Layer 2 data between ports in the isolation group. The port isolation function provides users with a safer and more flexible networking solution.
Port isolation is divided into two modes: Layer 2 isolation and Layer 3 intercommunication and Layer 2 and Layer 3 isolation:
Steps
- If users want to isolate broadcast packets in the same VLAN, but users on different ports can still communicate at Layer 3, they can set the isolation mode to Layer 2 isolation and Layer 3 intercommunication.
- If the user wants users under different ports in the same VLAN to be completely unable to communicate, the isolation mode can be configured to isolate both layers 2 and 3.
-
Networking requirements
Employees in the R&D office of an enterprise are divided into employees of the company, employees of partner company A, and employees of partner company B. As shown in Figure 3-70 , PC1 and PC2 represent the employees of partners A and B respectively, and PC3 represents the R&D employees of the company. They can communicate with each other, but the employees of the two partner companies, A and B, cannot communicate.
-
Configuration idea
Configure port isolation as follows:
-
Configure the interface to join the VLAN.
-
The default port isolation of the device is Layer 2 isolation and Layer 3 intercommunication. You only need to add the interface to the isolation group to realize the isolation of Layer 2 data between interfaces in the isolation group.
- Configure port isolation
# Configure port isolation on GE1/0/1.
-
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] vlan 10 [Switch-vlan10] quit [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port link-type access //Configure GE1 The interface type of /0/1 is access. [Switch-GigabitEthernet1/0/1] port default vlan 10 //Configure GE1/0/1 to join VLAN 10. [Switch-GigabitEthernet1/0/1] port-isolate enable //Add to port isolation group 1 by default, and the isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-isolate mode all command in the system view to configure the isolation mode as Layer 2 and Layer 3 isolation. [Switch-GigabitEthernet1/0/1] quit
-
# Configure port isolation on GE1/0/2.
[Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] port link-type access //Set the interface type of GE1/0/2 to access. [Switch-GigabitEthernet1/0/2] port default vlan 10 //Configure GE1/0/2 to join VLAN 10. [Switch-GigabitEthernet1/0/2] port-isolate enable //Add to port isolation group 1 by default, and the isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-isolate mode all command in the system view to configure the isolation mode as Layer 2 and Layer 3 isolation. [Switch-GigabitEthernet1/0/2] quit
-
# Add GE1/0/3 to VLAN 10.
[Switch] interface gigabitethernet 1/0/3 [Switch-GigabitEthernet1/0/3] port link-type access //Set the interface type of GE1/0/3 to access. [Switch-GigabitEthernet1/0/3] port default vlan 10 //Configure GE1/0/3 to join VLAN 10. [Switch-GigabitEthernet1/0/3] quit
- Verify configuration results
# Data packets from PC1 and PC2 cannot communicate with each other.
# Data packets from PC1 and PC3 can communicate with each other.
# PC2 and PC3 data packets can communicate with each other.