Configuring port isolation, Overview, Operating mechanism – H3C Technologies H3C S12500 Series Switches User Manual


Configuring port isolation

Overview

Assigning access ports to different VLANs is a typical way to isolate Layer 2 traffic for data privacy and security, but this method consumes VLAN resources. To save VLAN resources, you can use the port isolation feature, which isolates ports on a per-switch or per-IRF-member-switch basis without using VLANs, providing both flexibility and security.

Operating mechanism

The feature isolates ports regardless of the VLANs that the ports are assigned to. The ports in the same isolation group cannot communicate with each other at Layer 2, but they can communicate with the ports outside the isolation group bidirectionally if the outside ports belong to the same VLAN as the isolation group ports.

IMPORTANT:

The ports in an isolation group support the following functions only: MAC address learning, QoS actions (such as accounting, filter deny, car cir committed-information-rate red discard, and traffic mirroring) in the incoming direction of the ports, and link aggregation.

Do not configure Layer 2 protocols (such as GVRP) or Layer 3 protocols (such as multicast and routing) on the ports in an isolation group. Doing so can cause network malfunction.

Community VLAN

A community VLAN allows the ports in an isolation group to communicate with each other within the VLAN at Layer 2.

Figure 40 shows a network scenario that requires the community VLAN configuration.

Switch B and Switch C communicate with a public server cluster through Switch A.

Switch A connects to Switch B through GigabitEthernet 3/0/2, and connects to Switch C through GigabitEthernet 3/0/3.

Both GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to VLAN 2 and VLAN 3.

After GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 are assigned to isolation group 1, Switch B cannot communicate with Switch C at Layer 2, Host A cannot communicate with Host C although they both belong to VLAN 2, and Host B cannot communicate with Host D although they both belong to VLAN 3.

To enable Layer 2 communication between Host B and Host D, you can configure VLAN 3 as a community VLAN for isolation group 1.
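
The forwarding rules described above can be checked against an intended segmentation plan with a small model. The following Python is an added example, not H3C code or switch configuration; it generalizes the rule to any set of ports, and the port name `uplink` and its membership in VLAN 2 and VLAN 3 are assumptions standing in for the server-facing port, which the text does not name.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    vlans: frozenset
    isolation_group: Optional[int] = None  # None: not in any isolation group

@dataclass
class Switch:
    ports: list
    community_vlans: dict = field(default_factory=dict)  # group id -> VLAN ids

    def l2_allowed(self, a: Port, b: Port, vlan: int) -> bool:
        """Apply the rules in the text to one port pair in one VLAN."""
        if vlan not in a.vlans or vlan not in b.vlans:
            return False  # no shared VLAN, so no Layer 2 path at all
        grouped = a.isolation_group is not None
        if not (grouped and a.isolation_group == b.isolation_group):
            return True   # at least one port is outside the isolation group
        # Same isolation group: blocked unless the VLAN is a community VLAN.
        return vlan in self.community_vlans.get(a.isolation_group, set())

    def reachability(self) -> dict:
        """Map (port, port, vlan) -> allowed, for every shared VLAN."""
        return {
            (a.name, b.name, v): self.l2_allowed(a, b, v)
            for a, b in combinations(self.ports, 2)
            for v in sorted(a.vlans & b.vlans)
        }

def figure40_switch_a(community=frozenset()) -> Switch:
    """Switch A as described for Figure 40 (constructed sample data)."""
    both = frozenset({2, 3})
    ports = [
        Port("uplink", both),      # assumed name for the server-side port
        Port("GE3/0/2", both, 1),  # to Switch B, isolation group 1
        Port("GE3/0/3", both, 1),  # to Switch C, isolation group 1
    ]
    return Switch(ports, {1: set(community)})

if __name__ == "__main__":
    for label, sw in (("isolation only", figure40_switch_a()),
                      ("VLAN 3 as community VLAN", figure40_switch_a({3}))):
        print(label)
        for key, ok in sw.reachability().items():
            print("  ", key, "allowed" if ok else "blocked")
```

Comparing the two matrices shows that the community VLAN reopens only VLAN 3 between the isolated ports; VLAN 2 stays blocked, which is the property to confirm before relying on the isolation group as a segmentation boundary.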
