S600-E V200R012C00 Configuration Guide - Interface Management

This document describes the interface management configuration, including basic interface configuration, Ethernet interface configuration, and logical interface configuration.
Configuring Port Isolation

Context

To implement Layer 2 isolation between interfaces, you can add each interface to a different VLAN, but this method wastes VLAN resources. Port isolation can instead isolate interfaces in the same VLAN: interfaces added to the same port isolation group are isolated from each other at Layer 2. Port isolation provides secure and flexible networking solutions.

Figure 2-1 shows a port isolation usage scenario. PC1, PC2, and PC3 belong to VLAN 10. After GE0/0/1 connecting to PC1 and GE0/0/2 connecting to PC2 are added to a port isolation group, PC1 and PC2 cannot communicate with each other in VLAN 10, but they can communicate with PC3.

Figure 2-1  Network diagram of port isolation

Unidirectional port isolation can be configured in certain scenarios. When multiple hosts connect to different interfaces of a device, a host with security risks may send a lot of broadcast packets to other hosts. You can configure unidirectional isolation to prevent the insecure host from sending packets to other hosts.

As shown in Figure 2-2, PC4 is not secure and sends many broadcast packets to other hosts. You can configure unidirectional isolation to isolate GE0/0/4 from GE0/0/5 and GE0/0/6 unidirectionally. In this way, the broadcast packets sent by PC4 cannot reach PC5 and PC6, but the broadcast packets sent by PC5 and PC6 can reach PC4.

Figure 2-2  Network diagram of unidirectional isolation

Procedure

  • Configure a port isolation group.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The Ethernet interface view is displayed.

    3. Run port-isolate enable [ group group-id ]

      Port isolation is enabled.

      By default, port isolation is disabled.

      Port isolation takes effect only for interfaces on the same device, and cannot take effect for interfaces on different devices.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. If group-id is not specified, interfaces are added to port isolation group 1 by default.

  • Configure unidirectional isolation.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The Ethernet interface view is displayed.

    3. Run am isolate { interface-type interface-number }&<1-8>

      Unidirectional isolation is configured.

      By default, unidirectional isolation is disabled.

      NOTE:

      If interface A is isolated from interface B unidirectionally, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach interface A.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. To isolate interfaces in different port isolation groups, configure unidirectional isolation on these interfaces.

Verifying the Configuration

Run the display port-isolate group { group-id | all } command in any view to check the configuration of a port isolation group.
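
The isolation rules from the procedure above (same-group isolation, default group 1, one-way am isolate) can also be checked offline against a saved configuration. The Python script below is an added example, not Huawei code: the configuration excerpt is constructed to match Figures 2-1 and 2-2, and the interface-block layout it parses is an assumption. It does not model port-isolate exclude vlan.

```python
import re

# Constructed configuration excerpt matching Figures 2-1 and 2-2 (not real device output).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port-isolate enable
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
 am isolate GigabitEthernet0/0/5 GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
"""

def parse_isolation(config):
    """Return ({interface: group-id}, {interface: set of interfaces it may not send to})."""
    groups, blocked, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocked.setdefault(current, set())
        elif current and (m := re.fullmatch(r"port-isolate enable(?: group (\d+))?", line)):
            groups[current] = int(m.group(1) or 1)  # no group-id means group 1
        elif current and line.startswith("am isolate "):
            blocked[current].update(line.split()[2:])
        elif line == "#":
            current = None
    return groups, blocked

def can_send(src, dst, groups, blocked):
    """True if Layer 2 frames from src may reach dst on this device."""
    if src in groups and groups.get(dst) == groups[src]:
        return False  # same isolation group: isolated in both directions
    return dst not in blocked.get(src, set())  # am isolate blocks src -> dst only

def isolation_report(config):
    """List every ordered (src, dst) pair that the configuration blocks."""
    groups, blocked = parse_isolation(config)
    ports = sorted(blocked)
    return [(s, d) for s in ports for d in ports
            if s != d and not can_send(s, d, groups, blocked)]

if __name__ == "__main__":
    for src, dst in isolation_report(SAMPLE_CONFIG):
        print(f"{src} -> {dst}: blocked")
```

Comparing the reported pairs with the intended policy shows interfaces that were left out of a group or isolated in only one direction.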

Follow-up Procedure

After configuring port isolation, you can perform the following tasks:

  • To reduce the maintenance workload and operation complexity, run the clear configuration port-isolate command in the system view to clear all the port isolation configurations on the device.

  • To exclude a VLAN when configuring port isolation, run the port-isolate exclude vlan command in the system view. This configuration ensures that port isolation does not take effect in the excluded VLAN, and users in the VLAN can communicate with each other.

Updated: 2018-09-01

Document ID: EDOC1100037947
