Principle and Configuration of Port Isolation

4.1.1 Port isolation

1. Isolation type

(1) Two-way isolation

Interfaces in the same port isolation group are isolated from each other; interfaces in different port isolation groups are not. Port isolation applies only to members of a port isolation group on the same device; it cannot isolate interfaces that sit on different devices.

(2) One-way isolation

Implements isolation between interfaces of different port isolation groups, in one direction only. By default, unidirectional port isolation is not configured.

2. Isolation mode

(1) L2 (Layer 2 isolation and Layer 3 intercommunication)

Isolate broadcast packets in the same VLAN, but users under different ports can still communicate at Layer 3. By default, the port isolation mode is Layer 2 isolation and Layer 3 interworking.

When Layer 2 isolation and Layer 3 intercommunication isolation mode is used, enable the proxy ARP function in the VLAN on the VLANIF interface and configure arp-proxy inner-sub-vlan-proxy enable to implement communication between hosts in the same VLAN.

(2) ALL (Layer 2 and Layer 3 both isolated)

Users under different ports of the same VLAN are completely isolated at both Layer 2 and Layer 3 and cannot communicate.

4.3.1 Port isolation

1. Experimental purpose

2. Experimental topology

3. Experimental procedure


(1) Configure IP addresses

Configure the IP addresses as shown in the topology (omitted here).

(2) Create the VLANs and assign the interfaces to them

[Huawei]sysname LSW1

[LSW1]vlan 10

[LSW1-vlan10]quit

[LSW1]vlan 20

[LSW1-vlan20]quit

[LSW1]interface g0/0/1

[LSW1-GigabitEthernet0/0/1]port link-type access

[LSW1-GigabitEthernet0/0/1]port default vlan 10

[LSW1-GigabitEthernet0/0/1]quit

[LSW1]interface g0/0/2

[LSW1-GigabitEthernet0/0/2]port link-type access

[LSW1-GigabitEthernet0/0/2]port default vlan 10

[LSW1-GigabitEthernet0/0/2]quit

[LSW1]interface g0/0/3

[LSW1-GigabitEthernet0/0/3]port link-type access

[LSW1-GigabitEthernet0/0/3]port default vlan 10

[LSW1-GigabitEthernet0/0/3]quit

[LSW1]interface g0/0/4

[LSW1-GigabitEthernet0/0/4]port link-type access

[LSW1-GigabitEthernet0/0/4]port default vlan 20

[LSW1-GigabitEthernet0/0/4]quit

[LSW1]interface g0/0/5

[LSW1-GigabitEthernet0/0/5]port link-type access

[LSW1-GigabitEthernet0/0/5]port default vlan 20

[LSW1-GigabitEthernet0/0/5]quit

(3) In VLAN 10, PC1 can access PC2 and PC3, but PC2 and PC3 cannot communicate with each other

[LSW1]port-isolate mode l2 // Set the port isolation mode to L2: Layer 2 isolation with Layer 3 intercommunication (the default)

[LSW1]interface g0/0/2

[LSW1-GigabitEthernet0/0/2]port-isolate enable group 10 // Enable port isolation on the interface and add it to port isolation group 10

[LSW1-GigabitEthernet0/0/2]quit

[LSW1]interface g0/0/3

[LSW1-GigabitEthernet0/0/3]port-isolate enable group 10

[LSW1-GigabitEthernet0/0/3]quit

(4) Test the connectivity of PC1, PC2, and PC3

From the above output, PC2 and PC3 cannot access each other, but both can still access PC1.

(5) In VLAN 20, host PC4 is a security risk and sends a large number of broadcast packets to the other hosts. By configuring unidirectional isolation between the interfaces, the other hosts can be shielded from this host's packets.

[LSW1]interface g0/0/4

[LSW1-GigabitEthernet0/0/4]am isolate GigabitEthernet 0/0/5 // Packets from g0/0/4 cannot be sent to g0/0/5, but packets from g0/0/5 can still be sent to g0/0/4

[LSW1-GigabitEthernet0/0/4]quit

(6) Capture packets to observe the behaviour

Step 1: When PC4 accesses PC5, capture the packets on g0/0/4 and g0/0/5 of the switch

From the above output, the packets entering g0/0/4 do not reach g0/0/5.

Step 2: When PC5 accesses PC4, capture the packets on g0/0/4 and g0/0/5 of the switch

From the above output, the packets entering g0/0/5 do reach g0/0/4.

4. Experimental debugging

(1) View the ports in a port isolation group

<LSW1>display port-isolate group all

  The ports in isolate group 10: // The group ID is 10

GigabitEthernet0/0/2 GigabitEthernet0/0/3 // Group 10 contains these two ports
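When port isolation is used as a security control, the membership shown by display port-isolate group all is the thing to audit: a port that is missing from the group is not isolated at all, and a port added by mistake silently loses Layer 2 reachability to every other member. The following parser and check are an added example, not code from the page or from Huawei. The sample output is constructed to match the format shown above; the group-header regex and the audit_groups function are assumptions for this illustration.

```python
"""Parse 'display port-isolate group all' output and audit group membership.

Added example (not code from the page or Huawei). The expected header format
is taken from the output shown on the page; anything else here is assumed.
"""
import re

# Constructed sample, in the format shown on the page (group 10 = g0/0/2, g0/0/3).
SAMPLE_OUTPUT = """<LSW1>display port-isolate group all
  The ports in isolate group 10:
GigabitEthernet0/0/2 GigabitEthernet0/0/3
"""

# Constructed sample of a misconfiguration: g0/0/1 (PC1's uplink in the lab)
# was accidentally added to group 10, which would cut PC1 off from PC2 and PC3.
SAMPLE_OUTPUT_BAD = """<LSW1>display port-isolate group all
  The ports in isolate group 10:
GigabitEthernet0/0/1 GigabitEthernet0/0/2 GigabitEthernet0/0/3
"""

# Intended membership for the lab in section 4.3.1.
EXPECTED_LAB = {10: {"GigabitEthernet0/0/2", "GigabitEthernet0/0/3"}}

GROUP_HEADER = re.compile(r"^\s*The ports in isolate group (\d+):\s*$")


def parse_port_isolate_groups(text: str) -> dict:
    """Return {group_id: set(port_names)} from the command output."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_HEADER.match(line)
        if m:
            current = int(m.group(1))
            groups.setdefault(current, set())   # a header with no ports is still a group
            continue
        if current is None or not line.strip():
            continue                            # prompt / command echo / blank lines
        groups[current].update(line.split())    # port names are space separated
    return groups


def audit_groups(actual: dict, expected: dict) -> list:
    """Compare parsed membership with intent; an empty list means they match."""
    findings = []
    for gid in sorted(set(actual) | set(expected)):
        have, want = actual.get(gid, set()), expected.get(gid, set())
        for port in sorted(want - have):
            findings.append(f"group {gid}: {port} missing, host is NOT isolated")
        for port in sorted(have - want):
            findings.append(f"group {gid}: {port} unexpected member, loses L2 reachability to the group")
    return findings


if __name__ == "__main__":
    for name, out in (("good", SAMPLE_OUTPUT), ("bad", SAMPLE_OUTPUT_BAD)):
        print(name, audit_groups(parse_port_isolate_groups(out), EXPECTED_LAB) or "OK")
```

In practice the text fed to parse_port_isolate_groups would come from a saved CLI session or a collector; the check is meant to be run after every change to the isolation configuration, not only once at commissioning time.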

(2) Test the connectivity of PC2 and PC3

From the above output, they cannot access each other.

(3) Create a Layer 3 interface so that PC2 and PC3 can access each other

[LSW1]interface Vlanif 10

[LSW1-Vlanif10]ip address 10.1.1.254 24

[LSW1-Vlanif10]arp-proxy inner-sub-vlan-proxy enable // Enable the proxy ARP function in the VLAN

[LSW1-Vlanif10]quit

Test the connectivity of PC2 and PC3 again

As can be seen from the above output, PC2 and PC3 can access each other.
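The rules in section 4.1.1 and the results of the experiment above fit in a small forwarding model, which makes it easy to see why PC2 and PC3 are unreachable after step (3) of the procedure, why only one direction is dropped after am isolate, and why the VLANIF with arp-proxy inner-sub-vlan-proxy enable restores reachability in L2 mode but would not in ALL mode. The code below is an added example, not code from the page or from Huawei: the Switch class, its method names, the port-to-PC mapping and the assumption that the proxy ARP bypass is only modelled for group isolation are all constructions for this illustration.

```python
"""Forwarding model for port isolation (added example; not code from the page or Huawei).

Encodes the rules of section 4.1.1 (two-way isolation groups, one-way 'am isolate',
L2 vs ALL isolation mode, intra-VLAN proxy ARP on a VLANIF) and replays the VLAN 10 /
VLAN 20 experiment of section 4.3.1. Class and method names are assumptions.
"""
from dataclasses import dataclass, field

# Port-to-host mapping assumed from the configuration on the page.
PORT = {
    "PC1": "GigabitEthernet0/0/1", "PC2": "GigabitEthernet0/0/2",
    "PC3": "GigabitEthernet0/0/3", "PC4": "GigabitEthernet0/0/4",
    "PC5": "GigabitEthernet0/0/5",
}


@dataclass
class Switch:
    mode: str = "l2"                                    # port-isolate mode: "l2" or "all"
    access_vlan: dict = field(default_factory=dict)     # port -> access VLAN
    isolate_group: dict = field(default_factory=dict)   # port -> port-isolate group id
    one_way: set = field(default_factory=set)           # (src, dst) pairs dropped by 'am isolate'
    proxy_arp_vlans: set = field(default_factory=set)   # VLANs whose VLANIF has inner-sub-vlan-proxy

    def frame_delivered(self, src: str, dst: str) -> bool:
        """Is a Layer 2 frame entering `src` switched out of `dst`?"""
        if self.access_vlan.get(src) != self.access_vlan.get(dst):
            return False                                 # different VLANs are never bridged
        if (src, dst) in self.one_way:
            return False                                 # one-way isolation: only src -> dst is dropped
        g_src, g_dst = self.isolate_group.get(src), self.isolate_group.get(dst)
        if g_src is not None and g_src == g_dst:
            return False                                 # same group: isolated in both directions
        return True                                      # different groups or no group: forwarded

    def ip_reachable(self, src: str, dst: str) -> bool:
        """Can hosts on `src` and `dst` exchange IP packets (a successful ping)?"""
        if self.frame_delivered(src, dst) and self.frame_delivered(dst, src):
            return True
        vlan = self.access_vlan.get(src)
        group_isolated = (self.isolate_group.get(src) is not None
                          and self.isolate_group.get(src) == self.isolate_group.get(dst))
        # L2 mode blocks only Layer 2: with proxy ARP on the VLANIF the switch answers the
        # ARP request itself and forwards the packet at Layer 3 back into the same VLAN.
        # Assumption: modelled only for group isolation, the case the experiment shows.
        return (self.mode == "l2" and group_isolated
                and vlan == self.access_vlan.get(dst) and vlan in self.proxy_arp_vlans)


def build_lab_switch() -> Switch:
    """LSW1 as configured in steps (2), (3) and (5) of the procedure."""
    sw = Switch(mode="l2")                               # port-isolate mode l2
    for pc, vlan in (("PC1", 10), ("PC2", 10), ("PC3", 10), ("PC4", 20), ("PC5", 20)):
        sw.access_vlan[PORT[pc]] = vlan                  # port default vlan 10 / 20
    sw.isolate_group[PORT["PC2"]] = 10                   # port-isolate enable group 10
    sw.isolate_group[PORT["PC3"]] = 10
    sw.one_way.add((PORT["PC4"], PORT["PC5"]))           # am isolate GigabitEthernet 0/0/5 on g0/0/4
    return sw


def run_experiment() -> dict:
    """Replay the connectivity tests of the procedure and the debugging section."""
    sw = build_lab_switch()
    r = {
        "PC1<->PC2": sw.ip_reachable(PORT["PC1"], PORT["PC2"]),
        "PC1<->PC3": sw.ip_reachable(PORT["PC1"], PORT["PC3"]),
        "PC2<->PC3": sw.ip_reachable(PORT["PC2"], PORT["PC3"]),
        "PC4->PC5 frame": sw.frame_delivered(PORT["PC4"], PORT["PC5"]),
        "PC5->PC4 frame": sw.frame_delivered(PORT["PC5"], PORT["PC4"]),
    }
    sw.proxy_arp_vlans.add(10)                           # debugging step (3): VLANIF 10 + proxy ARP
    r["PC2<->PC3 with proxy ARP"] = sw.ip_reachable(PORT["PC2"], PORT["PC3"])
    sw.mode = "all"                                      # same config in ALL mode: Layer 3 isolated too
    r["PC2<->PC3 ALL mode"] = sw.ip_reachable(PORT["PC2"], PORT["PC3"])
    return r


if __name__ == "__main__":
    for name, ok in run_experiment().items():
        print(f"{name:26s} {'reachable' if ok else 'blocked'}")
```

Note that in the one-way case PC5's frames reach PC4 but PC4's replies are dropped, so a ping between PC4 and PC5 fails in both directions; the model separates frame_delivered from ip_reachable to make that distinction visible.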

[Technical points] L2 (Layer 2 isolation and Layer 3 intercommunication)

  • Isolate broadcast packets in the same VLAN, but users under different ports can still communicate at Layer 3. By default, the port isolation mode is Layer 2 isolation and Layer 3 interworking.
  • When Layer 2 isolation and Layer 3 intercommunication isolation mode is used, enable the proxy ARP function in the VLAN on the VLANIF interface and configure arp-proxy inner-sub-vlan-proxy enable to implement communication between hosts in the same VLAN.


Origin blog.csdn.net/lwljh134/article/details/129986621