
Configuring Port Isolation to Implement Intra-VLAN Layer 2 Isolation

Context

To isolate broadcast packets in the same VLAN but allow users connecting to different interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2 isolation and Layer 3 interworking. To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.

Figure 1 shows a port isolation usage scenario. PC1, PC2, and PC3 belong to VLAN 10. After GE0/0/1 connecting to PC1 and GE0/0/2 connecting to PC2 are added to a port isolation group, PC1 and PC2 cannot communicate with each other in VLAN 10, but they can communicate with PC3.

Figure 1 Network diagram of port isolation

Unidirectional port isolation can be configured in certain scenarios. When multiple hosts connect to different interfaces of a device, a host with security risks may send a lot of broadcast packets to other hosts. You can configure unidirectional isolation to prevent the insecure host from sending packets to other hosts.

As shown in Figure 2, PC4 is not secure and sends many broadcast packets to other hosts. You can configure unidirectional isolation to isolate GE0/0/4 from GE0/0/5 and GE0/0/6 unidirectionally. In this way, the broadcast packets sent by PC4 cannot reach PC5 and PC6, but the broadcast packets sent by PC5 and PC6 can reach PC4.

Figure 2 Network diagram of unidirectional isolation

Procedure

  • Configure a port isolation group.
    1. Run system-view

      The system view is displayed.

    2. (Optional) Run port-isolate mode { l2 | all }

      The port isolation mode is configured.

      The default port isolation mode is Layer 2 isolation and Layer 3 interworking.

    3. Run interface interface-type interface-number

      The Ethernet interface view is displayed.

    4. Run port-isolate enable [ group group-id ]

      Port isolation is enabled.

      By default, port isolation is disabled.

      Port isolation takes effect only for interfaces on the same device.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. If group-id is not specified, interfaces are added to port isolation group 1 by default.

  • Configure unidirectional isolation.
    1. Run system-view

      The system view is displayed.

    2. (Optional) Run port-isolate mode { l2 | all }

      The port isolation mode is configured.

      The default port isolation mode is Layer 2 isolation and Layer 3 interworking.

    3. Run interface interface-type interface-number

      The Ethernet interface view is displayed.

    4. Run am isolate { interface-type interface-number }&<1-8>

      Unidirectional isolation is configured.

      By default, unidirectional isolation is disabled.

      If interface A is isolated from interface B unidirectionally, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach interface A.

      Interfaces in a port isolation group are isolated from each other, but interfaces in different port isolation groups can communicate. To isolate interfaces in different port isolation groups, configure unidirectional isolation on these interfaces.
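The procedure above applied to the unidirectional scenario in Figure 2, written out here as an added example that is not part of the original page: GE0/0/4 (PC4) is isolated one way from GE0/0/5 (PC5) and GE0/0/6 (PC6), so broadcast packets arriving from PC4 are not forwarded to PC5 or PC6, while PC5 and PC6 can still reach PC4 and each other. The switch name, the VLAN 10 membership and the access-port setup are assumptions made for illustration and mirror the page's Figure 3 example.

```text
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type access
[Switch-GigabitEthernet0/0/4] port default vlan 10
[Switch-GigabitEthernet0/0/4] am isolate gigabitethernet 0/0/5 gigabitethernet 0/0/6   //Packets received on GE0/0/4 (PC4) are not forwarded to GE0/0/5 or GE0/0/6; packets from GE0/0/5 and GE0/0/6 still reach GE0/0/4. No port-isolate enable is needed for this one-way rule.
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/5
[Switch-GigabitEthernet0/0/5] port link-type access
[Switch-GigabitEthernet0/0/5] port default vlan 10
[Switch-GigabitEthernet0/0/5] quit
[Switch] interface gigabitethernet 0/0/6
[Switch-GigabitEthernet0/0/6] port link-type access
[Switch-GigabitEthernet0/0/6] port default vlan 10
[Switch-GigabitEthernet0/0/6] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] display this   //Shows the am isolate line under the interface, since display port-isolate group only lists group membership.
```

Because the rule is directional, the check after configuration is asymmetric as well: a broadcast or unicast frame from PC4 must not appear on PC5 or PC6, while traffic from PC5 or PC6 to PC4 and between PC5 and PC6 must keep working. If PC4 should also be prevented from reaching the other hosts through a Layer 3 interface on the switch, the optional port-isolate mode all step from the procedure applies.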

Configuration Example

In Figure 3, PC3 needs to communicate with PC1 and PC2, but PC1 and PC2 must not be able to communicate with each other.

Figure 3 Network of port isolation
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] port-isolate enable   //By default, the interface is added to port isolation group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] port-isolate enable   //By default, the interface is added to port isolation group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit

Verifying the Configuration

Run the display port-isolate group { group-id | all } command in any view to check the configuration of a port isolation group.

Follow-up Procedure

After configuring port isolation, you can perform the following tasks:

  • To reduce the maintenance workload and operation complexity, run the clear configuration port-isolate command in the system view to clear all the port isolation configurations on the device.

  • To exclude a VLAN when configuring port isolation, run the port-isolate exclude vlan command in the system view. This configuration ensures that port isolation does not take effect in the excluded VLAN, and users in the VLAN can communicate with each other.

Copyright © Huawei Technologies Co., Ltd.