
Configuration Guide - Interface Management

S7700 and S9700 V200R010C00

This document describes the principles and configurations of interfaces and provides configuration examples.
Configuring Port Isolation

Context

To implement Layer 2 isolation between interfaces, you can add each interface to a different VLAN. This method, however, wastes VLAN resources. Port isolation can isolate interfaces in the same VLAN, and a port isolation group can effectively implement Layer 2 isolation between these interfaces. Port isolation provides secure and flexible networking solutions.

To isolate broadcast packets in the same VLAN but allow users connecting to different interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2 isolation and Layer 3 interworking. To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.

Figure 2-1 shows a port isolation usage scenario. PC1, PC2, and PC3 belong to VLAN 10. After GE1/0/1 connecting to PC1 and GE1/0/2 connecting to PC2 are added to a port isolation group, PC1 and PC2 cannot communicate with each other in VLAN 10, but they can communicate with PC3.

Figure 2-1  Network diagram of port isolation

Unidirectional port isolation can be configured in certain scenarios. When multiple hosts connect to different interfaces of a device, a host with security risks may send a large number of broadcast packets to other hosts. You can configure unidirectional isolation to prevent the insecure host from sending packets to other hosts while still allowing the other hosts to reach it.

As shown in Figure 2-2, PC4 is not secure and sends many broadcast packets to other hosts. You can configure unidirectional isolation to isolate GE1/0/4 from GE1/0/5 and GE1/0/6 unidirectionally. In this way, the broadcast packets sent by PC4 cannot reach PC5 and PC6, but the broadcast packets sent by PC5 and PC6 can reach PC4.

Figure 2-2  Network diagram of unidirectional isolation

Procedure

  • Configuring a port isolation group
    1. Run:

      system-view

      The system view is displayed.

    2. (Optional) Run:

      port-isolate mode { l2 | all }

      The port isolation mode is configured.

      The default port isolation mode is Layer 2 isolation and Layer 3 interworking.

    3. Run:

      interface interface-type interface-number

      The Ethernet interface view is displayed.

    4. Run:

      port-isolate enable [ group group-id ]

      Port isolation is enabled.

      By default, port isolation is disabled.

      Port isolation takes effect only for interfaces on the same device, and cannot take effect for interfaces on different devices.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. If group-id is not specified, interfaces are added to port isolation group 1 by default.

  • Configuring unidirectional isolation
    1. Run:

      system-view

      The system view is displayed.

    2. (Optional) Run:

      port-isolate mode { l2 | all }

      The port isolation mode is configured.

      The default port isolation mode is Layer 2 isolation and Layer 3 interworking.

    3. Run:

      interface interface-type interface-number

      The Ethernet interface view is displayed.

    4. Run:

      am isolate { interface-type interface-number }&<1-8>

      Unidirectional isolation is configured.

      By default, unidirectional isolation is disabled.

      NOTE:

      If interface A is isolated from interface B unidirectionally, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach interface A.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. To isolate interfaces in different port isolation groups, configure unidirectional isolation on these interfaces.
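The following CLI sequence walks through both procedures above for the two scenarios in Figure 2-1 (group isolation of PC1 and PC2) and Figure 2-2 (unidirectional isolation of PC4 from PC5 and PC6). It is an added example, not a configuration taken from the original guide: the device name HUAWEI in the prompts, the use of group 1, and the VLAN 20 in the optional exclude command are assumed or constructed values; the interface numbers follow the figures. Lines beginning with # are annotations for the reader, not commands typed on the device.

```text
# Added example (not from the original guide). Prompts assume a device named HUAWEI.
<HUAWEI> system-view
# Optional: state the default mode explicitly (Layer 2 isolation, Layer 3 interworking).
# Use "port-isolate mode all" instead to block Layer 3 communication as well.
[HUAWEI] port-isolate mode l2

# Figure 2-1: put GE1/0/1 (PC1) and GE1/0/2 (PC2) into port isolation group 1.
# GE1/0/3 (PC3) is left outside the group, so PC1 and PC2 can still reach PC3.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 1
[HUAWEI-GigabitEthernet1/0/2] quit

# Figure 2-2: frames entering on GE1/0/4 (PC4) may not be forwarded to GE1/0/5
# or GE1/0/6; frames from PC5 and PC6 toward PC4 are still forwarded.
[HUAWEI] interface gigabitethernet 1/0/4
[HUAWEI-GigabitEthernet1/0/4] am isolate gigabitethernet 1/0/5 gigabitethernet 1/0/6
[HUAWEI-GigabitEthernet1/0/4] quit

# Optional follow-up: exempt VLAN 20 (constructed value) from port isolation.
# Hosts in VLAN 20 on isolated interfaces can then communicate again.
[HUAWEI] port-isolate exclude vlan 20

# Verify group membership after the change.
[HUAWEI] display port-isolate group all
```

When checking the result with display port-isolate group all, confirm that only GE1/0/1 and GE1/0/2 appear in group 1 and that no interface was added to group 1 unintentionally by omitting the group keyword. Keep in mind the limit stated above: isolation applies only to interfaces on this device, so a host on another switch in the same VLAN is not covered, and an excluded VLAN reopens communication for every isolated interface carrying that VLAN.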

Checking the Configuration

Run the display port-isolate group { group-id | all } command in any view to check the configuration of a port isolation group.

Follow-up Procedure

After configuring port isolation, you can perform the following tasks:

  • To reduce the maintenance workload and operation complexity, run the clear configuration port-isolate command in the system view to clear all the port isolation configurations on the device.

  • To exclude a VLAN when configuring port isolation, run the port-isolate exclude vlan command in the system view. This configuration ensures that port isolation does not take effect in the excluded VLAN, and users in the VLAN can communicate with each other.

Updated: 2019-04-18

Document ID: EDOC1000141901
