【Ethernet Switching Security】--- Port isolation operation principle and Layer 2 isolation and Layer 3 communication example configuration explanation

1. Overview of Port Isolation Technology

Generally 以太网交换网络, 隔绝广播域different vlans are usually used for Layer 2 isolation between packets. However, with the continuous expansion of the network, the types of services are also flourishing. If we still use the previous traditional vlans, we will use a large number of vlan ids and run them. Maintenance work is also very heavy. In order to meet such a wide variety of needs, a 端口隔离技术more flexible and fast networking method has been created.

2. Operating Principle of Port Isolation Technology

The main port isolation technology is 可以对·同一个vlan内的用户进行二层数据进行隔离that the port isolation can also configure whether the ports in the same isolation group are isolated from each other （缺省）, or you can choose single isolation. On the basis of the isolation type, you can also set the two-layer isolation and three-layer intercommunication （缺省）or the two-layer three-layer. layers are isolated.

Note: When configuring the isolation mode of Layer 2 isolation and Layer 3 intercommunication, you need to enable the proxy ARP/ARP proxy function in the vlan on the vlanif interface, so that the vlan内communication can be carried out through the proxy.
Enable Proxy ARP/ARP code:

#内部子vlan代理
arp-proxy inner-sub-vlan-proxy enable

3. Port isolation instance configuration configuration

Experimental requirements:

1. PC1 and PC2 cannot communicate through Layer 2 vlan
2. PC4 can communicate with PC1 and PC2

Requirement analysis:
PC1 and PC2 cannot communicate through vlan. This is to put them into the same isolation group and then set L2 in isolation mode. With the previous foreshadowing, PC4 can complete the requirements without doing anything.
Experimental steps: The
old rule is to configure the second layer first, and then realize the requirements.
LSW1

#lsw1
vlan b 10
int e 0/0/1
p l a
p d v 10
int e 0/0/2
p l a
p d v 10
int e 0/0/3
p l a
p d v 10
int g 0/0/1
p l t
p t a v 10

LSW2

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10

At this point, the second layer configuration is complete!

---

We add PC1 PC2 to the same isolation group 10
LSW1

#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
 port-isolate enable group 1
 port-isolate enable group 10
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
 port-isolate enable group 1
 port-isolate enable group 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 10

We have to divide the vlan into ports 开启ARP代理!！！and add the gateway address on the Layer 3 device.
LSW2

#
interface Vlanif10
 ip address 192.168.1.254 255.255.255.0
 arp-proxy inner-sub-vlan-proxy enable

All configuration is done

---

Fourth, the effect detection

Detect whether PC1 and PC2 communicate through three layers

Detect whether PC4 can communicate with PC 1PC2

Five, port configuration command

1. Enable port isolation

[Huawei-GigabitEthernet0/0/1] port-isolate enable [ group group-id ]

2. (Optional) Configure port isolation mode

#缺省情况下，端口隔离模式为L2。
#L2 端口隔离模式为二层隔离三层互通。
#all 端口隔离模式为二层三层都隔离。
[Huawei] port-isolate mode {
    
     l2 | all }

3. Configure port unidirectional isolation

[Huawei-GigabitEthernet0/0/1] am isolate {
    
    interface-type interface-number }&<1-8>

4. Query delete command

display port-isolate group {
    
     group-id | all }，查看端口隔离组的配置。
clear configuration port-isolate命令一键式清除设备上所有的端口隔离配置。
port-isolate exclude vlan命令配置端口隔离功能生效时排除的VLAN。