CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. It covers configuration examples and function configurations.

Configuring Port Isolation

Port isolation isolates interfaces in a VLAN, providing a secure and flexible network solution.

Context

To implement Layer 2 isolation between interfaces, you can add different interfaces to different VLANs. This wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN. That is, you only need to add interfaces to a port isolation group to implement Layer 2 isolation between these interfaces. Port isolation provides secure and flexible networking schemes.

NOTE:

Only Layer 2 interfaces of the device support this function.

Figure 4-6 shows the port isolation method and application scenario. PC1, PC2, and PC3 belong to VLAN 10. After GE1/17/1 (connected to PC1) and GE1/17/2 (connected to PC2) are added to the port isolation group, PC1 and PC2 cannot communicate with each other in VLAN 10, but they can communicate with PC3.

Figure 4-6 Networking diagram of port isolation

Unidirectional port isolation can be configured in certain scenarios. When multiple hosts connect to different interfaces of the same device and one host that poses a security risk sends many broadcast packets to the others, you can isolate that host from the other hosts unidirectionally so that they do not receive its packets.

As shown in Figure 4-7, assume that PC4, which poses a security risk, sends many broadcast packets to the other hosts. On GE1/17/4 only, configure unidirectional isolation from GE1/17/5 and GE1/17/6. The broadcast packets sent by PC4 then cannot reach PC5 and PC6, but the broadcast packets sent by PC5 and PC6 can still reach PC4.

Figure 4-7 Networking diagram of port isolation

Procedure

  • Configure a port isolation group.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The Ethernet interface view is displayed.

    3. Run:

      port-isolate enable group group-id

      Port isolation is enabled.

      By default, port isolation is disabled.

      NOTE:

      Port isolation takes effect only for the port isolation group members on the same device. This function does not take effect on the interfaces of different devices.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate.

    4. Run:

      commit

      The configuration is committed.

  • Configure unidirectional isolation on interfaces.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The Ethernet interface view is displayed.

    3. Run:

      am isolate { interface-type interface-number }&<1-8>

      or

      am isolate interface-type interface-number1 [ to interface-number2 ]

      Unidirectional port isolation is configured.

      By default, unidirectional port isolation is not configured.

      NOTE:

      If interface A is isolated from interface B unidirectionally, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach interface A.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. To isolate interfaces in different port isolation groups, configure unidirectional isolation between these interfaces.

    4. Run:

      commit

      The configuration is committed.

Checking the Configuration

Run the display port-isolate group { group-id | all } command in any view to check the configuration of the port isolation group.
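
An offline cross-check of the forwarding rules stated in the notes above, as an added example that is not part of the Huawei guide: it reads a configuration excerpt and lists every ordered interface pair that port isolation groups or am isolate would block. The sample text, the function names, and the joined interface-name layout are assumptions; all interfaces are taken to be on one device in one VLAN, and only the list form of am isolate is handled.

```python
import re

# Constructed sample configuration (not captured from a real device). Interface
# names are written without a space, as in the figures; this layout is assumed.
SAMPLE_CONFIG = """\
interface GE1/17/1
 port-isolate enable group 1
interface GE1/17/2
 port-isolate enable group 1
interface GE1/17/3
interface GE1/17/4
 am isolate GE1/17/5 GE1/17/6
interface GE1/17/5
interface GE1/17/6
interface GE1/17/7
 port-isolate enable group 2
"""

def parse_isolation(config):
    """Return (groups, blocked): port -> group id or None, and one-way (src, dst) blocks."""
    groups, blocked, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
            groups.setdefault(current, None)
        elif current and (m := re.fullmatch(r"port-isolate enable group (\d+)", line)):
            groups[current] = int(m.group(1))
        elif current and line.startswith("am isolate "):
            # Packets sent from `current` cannot reach the listed interfaces.
            blocked.update((current, dst) for dst in line.split()[2:])
    return groups, blocked

def can_reach(groups, blocked, src, dst):
    """True if a Layer 2 frame received on src may be forwarded out of dst."""
    same_group = groups.get(src) is not None and groups.get(src) == groups.get(dst)
    return not same_group and (src, dst) not in blocked

def isolated_pairs(config):
    """List every ordered (src, dst) pair that the configuration blocks."""
    groups, blocked = parse_isolation(config)
    ports = sorted(groups)
    return [(s, d) for s in ports for d in ports
            if s != d and not can_reach(groups, blocked, s, d)]
```

Group members appear in both directions, while an am isolate entry appears in one direction only, so a pair missing from the output is a path that is still open.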

Updated: 2019-08-09

Document ID: EDOC1000041694