CloudEngine S5700 V600R022C01 Command Reference

Port Isolation Configuration Commands


am isolate

Function

The am isolate command enables unidirectional isolation of an interface from a specified interface.

The undo am isolate command disables unidirectional isolation of an interface from a specified interface.

By default, unidirectional isolation of an interface from a specified interface is disabled.

Format

am isolate { { interface-type interface-number1 | interface-name } &<1-8> | { interface-type interface-number1 to interface-number2 } }

undo am isolate [ { interface-type interface-number1 | interface-name } &<1-8> | { interface-type interface-number1 to interface-number2 } ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface-type | Specifies the type of an interface. | - |
| interface-number1 | Specifies the start interface number. | - |
| interface-name | Specifies the name of an interface. | - |
| to interface-number2 | Specifies the end interface number. | - |

Views

Layer 2 100GE interface view, 100GE interface view, Layer 2 10GE interface view, 10GE interface view, 25GE-L2 view, 25GE interface view, Layer 2 40GE interface view, 40GE interface view, Layer 2 Eth-Trunk interface view, Eth-Trunk interface view, Layer 2 GE interface view, GE optical interface view, GE electrical interface view, Layer 2 multi-GE interface view, Multi-GE interface view, Interface group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The am isolate command enables unidirectional isolation. For example, if interface A is configured with unidirectional isolation from interface B, packets sent by interface A cannot reach interface B, but packets sent by interface B can still reach interface A.

Precautions

Unidirectional isolation can be configured between interfaces of different types. It cannot be configured to isolate an interface from itself, an interface from a management network interface, or an Eth-Trunk interface from its own member interface.

Example

# Enable unidirectional isolation of 10GE 1/0/1 from 10GE 1/0/2.
<HUAWEI> system-view
[HUAWEI] interface 10GE1/0/1
[HUAWEI-10GE1/0/1] am isolate 10GE1/0/2

clear configuration port-isolate

Function

The clear configuration port-isolate command clears all the port isolation configurations on the device.

By default, port isolation configurations on the device are not cleared.

Format

clear configuration port-isolate

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Without this command, clearing all the port isolation configurations on the device means deleting them one by one. If a large number of configurations exist on the device, this takes a long time and increases the maintenance workload. To reduce the maintenance workload and operation complexity, run the clear configuration port-isolate command in the system view to clear all the port isolation configurations on the device. The cleared configurations include the port isolation group, unidirectional port isolation, and isolation mode.

Example

# Clear all the port isolation configurations on the device.
<HUAWEI> system-view
[HUAWEI] clear configuration port-isolate
Warning: The port isolate will be cancelled. Continue?[Y/N]:y

port-isolate enable

Function

The port-isolate enable command enables port isolation.

The undo port-isolate enable command disables port isolation.

By default, interface isolation is disabled.

Format

port-isolate enable group group-id

undo port-isolate enable [ group group-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| group group-id | Specifies the ID of a port isolation group. | The value is an integer ranging from 1 to 64. |

Views

Layer 2 100GE interface view, 100GE interface view, Layer 2 10GE interface view, 10GE interface view, 25GE-L2 view, 25GE interface view, Layer 2 40GE interface view, 40GE interface view, Layer 2 Eth-Trunk interface view, Eth-Trunk interface view, Layer 2 GE interface view, GE optical interface view, GE electrical interface view, Layer 2 multi-GE interface view, Multi-GE interface view, Interface group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The port isolation function isolates ports in the same VLAN. Port isolation provides more secure and flexible networking solutions.

Configuration Impact

Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate.

Precautions

Management interfaces do not support the port-isolate enable command.

Example

# Enable Layer 2 interface isolation on 10GE 1/0/1.
<HUAWEI> system-view
[HUAWEI] interface 10GE 1/0/1
[HUAWEI-10GE1/0/1] port-isolate enable group 1

port-isolate exclude vlan

Function

The port-isolate exclude vlan command excludes VLANs to make port isolation ineffective for them.

The undo port-isolate exclude vlan command cancels the configuration.

By default, no VLAN is excluded when port isolation is configured.

Format

port-isolate exclude vlan { beginVlanId [ to endVlanId ] } &<1-10>

undo port-isolate exclude vlan { beginVlanId [ to endVlanId ] } &<1-10>

Parameters

| Parameter | Description | Value |
|---|---|---|
| beginVlanId | Specifies the start VLAN ID. | The value is an integer ranging from 1 to 4094. |
| to endVlanId | Specifies the end VLAN ID. | The value is an integer ranging from 1 to 4094. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To enable communication between users in a VLAN where port isolation needs to be disabled, run the port-isolate exclude vlan command to exclude the VLAN.

Example

# Exclude VLAN 10 to make port isolation ineffective for it.
<HUAWEI> system-view
[HUAWEI] port-isolate exclude vlan 10
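
The Layer 2 rules described by am isolate, port-isolate enable and port-isolate exclude vlan can be checked against a configuration with a small model that lists which interface pairs can still exchange frames. This is an added example, not Huawei code: the sample configuration is constructed, the function names are hypothetical, and it assumes that an excluded VLAN also lifts am isolate and that an interface may belong to more than one group. It does not parse the "to" range form of am isolate.

```python
import re
# Constructed sample in the style of a saved configuration (not from a real device).
SAMPLE_CONFIG = """\
port-isolate exclude vlan 10 20 to 22
#
interface 10GE1/0/1
 port-isolate enable group 1
 am isolate 10GE1/0/3
#
interface 10GE1/0/2
 port-isolate enable group 1
#
interface 10GE1/0/3
 port-isolate enable group 2
"""

def _ifnames(text):
    # Split an interface list; accepts "10GE1/0/1" and "10GE 1/0/1".
    if " to " in text:
        raise ValueError("interface range form is not handled by this sketch")
    return re.sub(r"([A-Za-z])\s+(\d)", r"\1\2", text).split()

def parse(config):
    groups, one_way, excluded, cur = {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if line == "#":
            cur = None  # end of the current interface section
        elif m := re.fullmatch(r"interface (.+)", line):
            cur = _ifnames(m[1])[0]
        elif cur and (m := re.fullmatch(r"port-isolate enable group (\d+)", line)):
            groups.setdefault(cur, set()).add(int(m[1]))
        elif cur and (m := re.fullmatch(r"am isolate (.+)", line)):
            one_way.update((cur, dst) for dst in _ifnames(m[1]))
        elif m := re.fullmatch(r"port-isolate exclude vlan (.+)", line):
            for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", m[1]):
                excluded.update(range(int(lo), int(hi or lo) + 1))
    return groups, one_way, excluded  # per-interface groups, (src, dst) pairs, VLANs

def l2_blocked(cfg, src, dst, vlan):
    groups, one_way, excluded = cfg
    if vlan in excluded:  # assumption: exclusion also lifts am isolate
        return False
    if (src, dst) in one_way:  # am isolate blocks only the src -> dst direction
        return True
    return bool(groups.get(src, set()) & groups.get(dst, set()))  # shared group

def reachable_pairs(cfg, ports, vlan):
    return [(s, d) for s in ports for d in ports
            if s != d and not l2_blocked(cfg, s, d, vlan)]
```

The model reports only what port isolation itself drops; VLAN membership and other forwarding controls are outside its scope.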

port-isolate l3 enable

Function

The port-isolate l3 enable command enables Layer 3 port isolation.

The undo port-isolate l3 enable command disables Layer 3 port isolation.

By default, Layer 3 port isolation is disabled.

This command is supported only on the S6730-H-V2 and S5732-H-V2.

Format

port-isolate l3 enable

undo port-isolate l3 enable

Parameters

None

Views

100GE interface view, 10GE interface view, 25GE interface view, 40GE sub-interface view, 40GE interface view, GE interface view, Multi-GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During routing protocol convergence, some Layer 3 traffic may have the same outbound and inbound interface, that is, a temporary loop occurs. After Layer 3 port isolation is configured, Layer 3 forwarding traffic whose outbound and inbound interfaces are the same is discarded on the outbound interface to prevent the loop. After Layer 3 port isolation is enabled, only Layer 3 traffic is isolated.

Prerequisites

The working mode of the interface has been switched to Layer 3 using the undo portswitch command.

Example

# Configure Layer 3 port isolation on 10GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface 10GE 1/0/1
[HUAWEI-10GE1/0/1] undo portswitch
[HUAWEI-10GE1/0/1] port-isolate l3 enable

port-isolate mode

Function

The port-isolate mode command sets the port isolation mode.

The undo port-isolate mode command restores the default port isolation mode.

By default, ports are isolated at Layer 2 but can communicate at Layer 3.

This command is supported only on the S6730-H-V2 and S5732-H-V2.

Format

port-isolate mode { l2 | all }

undo port-isolate mode [ l2 | all ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| l2 | Indicates Layer 2 isolation. | - |
| all | Indicates Layer 2 and Layer 3 isolation. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

To implement Layer 2 isolation between ports, you can add different ports to different VLANs. This wastes VLAN resources. Use port isolation to isolate ports in the same VLAN. That is, you only need to add ports to a port isolation group to implement Layer 2 isolation between these ports. Port isolation provides secure and flexible networking schemes for customers.

You can configure the port isolation mode to all to implement Layer 2 and Layer 3 isolation between ports in a port isolation group.

Example

# Configure Layer 2 isolation and Layer 3 communication.
<HUAWEI> system-view
[HUAWEI] port-isolate mode l2

Update Date: 2023-11-14
Document ID: EDOC1100291031