
06-Port Isolation Configuration

Uploaded by

Xan

Contents

Configuring port isolation
  Restrictions and guidelines: Port isolation configuration
  Assigning a port to an isolation group
  Displaying and maintaining port isolation
  Port isolation configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration

Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate
with ports outside the isolation group.

Restrictions and guidelines: Port isolation configuration
Follow these guidelines when you configure port isolation:
• When selective flood is enabled for a VXLAN VSI, port isolation does not affect selective flood if
you assign a site-facing interface of the VSI to an isolation group. An AC on the interface still
floods frames that match selective flood entries to all site-facing interfaces in the VXLAN,
including the interfaces in the same isolation group.
To enable selective flood for a MAC address in a VXLAN VSI, use the selective-flooding
mac-address command. For more information, see VXLAN Configuration Guide.
• In an isolation group, a port associated with a VXLAN AC can still act as a trusted port to
forward DHCP packets to the other ports in the isolation group.
To configure a port as a trusted port in a DHCP snooping-enabled network, use the dhcp
snooping trust command. For more information, see DHCP snooping configuration in Layer
3—IP Services Configuration Guide.

Assigning a port to an isolation group


The device supports multiple isolation groups, which can be configured manually. The number of
ports assigned to an isolation group is not limited.
To assign a port to an isolation group:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an isolation group.
    Command: port-isolate group group-id
    Remarks: By default, no isolation groups exist.

Step 3. Enter interface view.
    Command:
    • Enter Layer 2 Ethernet interface view:
      interface interface-type interface-number
    • Enter Layer 2 aggregate interface view:
      interface bridge-aggregation interface-number
    Remarks:
    • The configuration in Layer 2 Ethernet interface view applies only to the interface.
    • The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate
      interface and its aggregation member ports. If the device fails to apply the configuration
      to the aggregate interface, it does not assign any aggregation member port to the
      isolation group. If the failure occurs on an aggregation member port, the device skips
      the port and continues to assign other aggregation member ports to the isolation group.

Step 4. Assign the port to the isolation group.
    Command: port-isolate enable group group-id
    Remarks: By default, the port is not in any isolation group.
    You can assign a port to only one isolation group. If you execute the
    port-isolate enable group command multiple times, the most recent
    configuration takes effect.

Displaying and maintaining port isolation


Execute display commands in any view.

Task                                    Command
Display isolation group information.    display port-isolate group [ group-id ]

Port isolation configuration example


Network requirements
As shown in Figure 1:
• LAN users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet
1/0/2, and GigabitEthernet 1/0/3 on the device, respectively.
• The device connects to the Internet through GigabitEthernet 1/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at
Layer 2.
Figure 1 Network diagram

Configuration procedure
# Create isolation group 2.

<Device> system-view
[Device] port-isolate group 2
[Device-port-isolate-group2] quit

# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to isolation group
2.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-isolate enable group 2
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port-isolate enable group 2
[Device-GigabitEthernet1/0/2] quit
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] port-isolate enable group 2
[Device-GigabitEthernet1/0/3] quit

Verifying the configuration


# Display information about isolation group 2.
[Device] display port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3
Community VLAN ID: None

The output shows that GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are
assigned to isolation group 2. As a result, Host A, Host B, and Host C are isolated from one another
at Layer 2.
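
The verification step above can be automated. The following is an added example, not part of the original guide or the vendor's tooling: it parses the display port-isolate group output shown above and checks it against the example's intent (host ports isolated from one another, uplink GigabitEthernet1/0/4 left outside the group). The function names are hypothetical, and it assumes that output for several groups repeats the same "Group ID" block.

```python
import re

# Output copied from the page's verification step (isolation group 2).
SAMPLE_OUTPUT = """\
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3
Community VLAN ID: None
"""

def parse_isolation_groups(text):
    """Return {port: group_id} from 'display port-isolate group' output."""
    port_group, group, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Group ID:\s*(\d+)$", line)
        if m:
            group, in_members = int(m.group(1)), False
        elif line == "Group members:":
            in_members = True
        elif ":" in line or not line:
            in_members = False  # any other "Key: value" line ends the member list
        elif in_members and group is not None:
            for port in line.split():
                port_group[port] = group
    return port_group

def l2_allowed(port_group, a, b):
    """Rule from the guide: ports in the same isolation group cannot communicate."""
    ga, gb = port_group.get(a), port_group.get(b)
    return ga is None or ga != gb

def audit(port_group, isolated_ports, uplink):
    """List deviations from the design: hosts isolated, uplink still reachable."""
    findings = []
    for i, a in enumerate(isolated_ports):
        for b in isolated_ports[i + 1:]:
            if l2_allowed(port_group, a, b):
                findings.append(f"{a} and {b} are not isolated from each other")
        if not l2_allowed(port_group, a, uplink):
            findings.append(f"{a} cannot reach uplink {uplink}")
    return findings

if __name__ == "__main__":
    hosts = [f"GigabitEthernet1/0/{n}" for n in (1, 2, 3)]
    print(audit(parse_isolation_groups(SAMPLE_OUTPUT), hosts, "GigabitEthernet1/0/4") or "OK")
```

An empty result means the running configuration matches the example. A finding about the uplink means the uplink port was placed in the same isolation group as the hosts, which would cut off their Internet access.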
