Different interfaces can be added to different VLANs to isolate packets at Layer 2; however, this wastes VLAN resources. Port isolation can isolate interfaces within the same VLAN, and you only need to add the interfaces to a port isolation group. Port isolation enables secure and flexible networking.
To isolate broadcast packets in the same VLAN but allow users connecting to different interfaces to communicate at Layer 3, set the port isolation mode to Layer 2 isolation and Layer 3 interworking. To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer 3, set the port isolation mode to Layer 2 and Layer 3 isolation.
Port isolation includes unidirectional isolation and bidirectional isolation. Layer 2 isolation and Layer 3 interworking is used by default. To configure Layer 2 and Layer 3 isolation, run the port-isolate mode all command.
Configure a port isolation group.
Configure GE1/0/1 and GE1/0/2 isolation.
Configure port isolation for GE1/0/1.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 3
Configure port isolation for GE1/0/2.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-isolate enable group 3
Configure unidirectional isolation.
Configure unidirectional isolation for GE1/0/1 and GE1/0/2.
<HUAWEI> system-view
[HUAWEI] port-isolate mode all
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] am isolate gigabitethernet 1/0/2
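To audit the result of the steps above, the following added example (not part of the original page or of any vendor tooling) parses a configuration dump and lists which interface pairs are isolated and in which direction. The sample configuration is constructed; the saved-configuration layout and the reading that `am isolate` on an interface blocks only packets sent from that interface toward the named one are assumptions.

```python
import re
from itertools import permutations

# Constructed sample in the style of a saved configuration (not from the page).
SAMPLE_CONFIG = """\
port-isolate mode all
#
interface GigabitEthernet1/0/1
 port-isolate enable group 3
#
interface GigabitEthernet1/0/2
 port-isolate enable group 3
#
interface GigabitEthernet1/0/3
 am isolate GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/4
#
"""

def norm(name):
    """Normalize 'gigabitethernet 1/0/2' and 'GigabitEthernet1/0/2' to 'GE1/0/2'."""
    m = re.fullmatch(r"(?i)gigabitethernet\s*(\S+)", name.strip())
    return "GE" + m.group(1) if m else name.strip()

def parse(config):
    # mode "l2" is the default (Layer 2 isolation, Layer 3 interworking)
    mode, groups, one_way, current = "l2", {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "port-isolate mode all":
            mode = "all"  # Layer 2 and Layer 3 isolation
        elif line.lower().startswith("interface "):
            current = norm(line[len("interface "):])
            groups.setdefault(current, set())
        elif line == "#":
            current = None  # end of the interface view
        elif current and (m := re.fullmatch(r"port-isolate enable group (\d+)", line)):
            groups[current].add(int(m.group(1)))
        elif current and line.lower().startswith("am isolate "):
            # Assumption: blocks current -> target only, not the reverse path.
            one_way.add((current, norm(line[len("am isolate "):])))
    return mode, groups, one_way

def blocked_pairs(config):
    """Return (mode, [(src, dst), ...]) for every blocked direction."""
    mode, groups, one_way = parse(config)
    pairs = [(a, b) for a, b in permutations(sorted(groups), 2)
             if groups[a] & groups[b] or (a, b) in one_way]
    return mode, pairs
```

A pair that appears in only one direction is unidirectional isolation; a pair expected to be isolated that is missing from the list points to an interface left out of the group.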