Master port isolation technology to make the network more secure

Currently, Ethernet technology is widely used in the network. However, the existence of various network attacks (such as attacks on ARP, DHCP and other protocols) not only prevents legitimate network users from accessing network resources normally, but also poses a serious threat to network information security. Therefore, the security of Ethernet switching is becoming more and more important.

This series introduces common Ethernet switching security technologies, including port isolation, port security, MAC address drift detection, storm control, port rate limit, MAC address table security, DHCP Snooping and IP Source Guard, to improve the understanding and awareness of Ethernet switching security.

• In order to achieve Layer 2 isolation between messages in an Ethernet switching network, users usually add different ports to different VLANs to achieve isolation of Layer 2 broadcast domains.
• In large networks, there are many types of business requirements. Only using VLAN to implement Layer 2 isolation of packets will waste limited VLAN resources.

As shown in the figure below, due to some business requirements, although PC1 and PC2 belong to the same VLAN, they are required not to communicate with each other at Layer 2 (but Layer 3 communication is allowed). PC1 and PC3 cannot communicate with each other under any circumstances, but the host in VLAN 3 can access the host in VLAN 2. So how to solve this problem?

Port Isolation Technology Overview

The port isolation function can be used to isolate ports in the same VLAN. Users only need to add ports to the isolation group to isolate the Layer 2 data between ports in the isolation group. The port isolation function provides users with a safer and more flexible networking solution.

Port Isolation Technology Principle

(1) Bidirectional isolation

The interfaces in the same port isolation group are isolated from each other, but the interfaces in different port isolation groups are not isolated. Port isolation is only for the members of the port isolation group on the same device, and cannot be implemented for interfaces on different devices.

(2) One-way isolation

To isolate interfaces in different port isolation groups, you can configure unidirectional isolation between interfaces. By default, unidirectional port isolation is not configured.

(3) L2 (Layer 2 isolation and Layer 3 interconnection)

Broadcast packets in the same VLAN are isolated, but users on different ports can still communicate at Layer 3. By default, the port isolation mode is Layer 2 isolation and Layer 3 communication.

(4) ALL (the second and third layers are isolated)

Users on different ports in the same VLAN are completely isolated at Layer 2 and Layer 3 and cannot communicate.

In the Layer 2 isolation and Layer 3 interconnection mode, enable the intra-VLAN Proxy ARP function on the VLANIF interface and run the arp-proxy inner-sub-vlan-proxy enable command to implement communication between hosts in the same VLAN.

Port Isolation Configuration Commands

(1) Enable port isolation

 [Huawei-GigabitEthernet0/0/1] port-isolate enable [ group group-id ]

By default, port isolation is disabled. If the group-id parameter is not specified, the default port isolation group is 1.

(2) (Optional) Configuring port isolation mode

 Huawei] port-isolate mode { l2 | all }

By default, the port isolation mode is L2.

• The L2 port isolation mode is Layer 2 isolation and Layer 3 interconnection.
• All port isolation mode is layer 2 and layer 3 isolation

(3) Configuring unidirectional port isolation

 [Huawei-GigabitEthernet0/0/1] am isolate {interface-type interface-number }&<1-8>

Use the am isolate command to configure unidirectional isolation between the current interface and the specified interface. After unidirectional isolation is configured between interface A and interface B, the packets sent by interface A cannot reach interface B, but the packets sent by interface B can reach interface A. By default, unidirectional port isolation is not configured.

Port Isolation Configuration Example

As shown in the figure: PC1, PC2 and PC3 belong to VLAN 2. By configuring port isolation, PC3 can communicate with PC1 and PC2, but PC1 and PC2 cannot communicate with each other.

The Switch configuration is as follows:

 [Switch] vlan 2 [Switch] port-isolate mode all [Switch] interface GigabitEthernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 2 [Switch-GigabitEthernet0/0/1] port-isolate enable group 2 [Switch] interface GigabitEthernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access [Switch-GigabitEthernet0/0/2] port default vlan 2 [Switch-GigabitEthernet0/0/2] port-isolate enable group 2 [Switch] interface GigabitEthernet 0/0/3 [Switch-GigabitEthernet0/0/3] port link-type access [Switch-GigabitEthernet0/0/3] port default vlan 2

• display port-isolate group { group-id | all } to check the configuration of the port isolation group.
• The clear configuration port-isolate command clears all port isolation configurations on the device in one click.
• The port-isolate exclude vlan command configures the VLANs that are excluded when the port isolation function takes effect.

Port Isolation Configuration Verification

(1) Use the display port-isolate group group-number command to view the ports in the port isolation group.

 [SW]display port-isolate group 2 The ports in isolate group 2: GigabitEthernet0/0/1 GigabitEthernet0/0/2

(2) Verify that the host networks in the same port isolation group cannot communicate with each other.