image image image image image

On This Page

Interface isolation provides the ability to group interfaces in sets where traffic from each port is isolated from other interfaces in the group. The isolated interfaces in the group, however, are able to communicate with the interface marked as privileged.

Configuring Isolated Interfaces

  1. Create the VLANs to be used.  

    switch (config) # vlan 2-5
switch (config vlan 2-5) # exit

  2. Unlock isolation interface protocol.  

    switch (config) # protocol isolation-group

  3. Create isolation Group A.  

    switch (config) # isolation-group GroupA

  4. Assign VLANs 2 and 3 to isolation Group A.  

    switch (config isolation-group GroupA) # vlan 2-3
switch (config isolation-group GroupA) # exit

  5. Create isolation Group B.  

    switch (config) # isolation-group GroupB

  6. Assign VLANs 4 and 5 to isolation Group B.  

    switch (config isolation-group GroupB) # vlan 4-5
switch (config isolation-group GroupB) # exit

  7. Set Ethernet interfaces 1-3 to access for VLAN 3.  

    switch (config) # interface ethernet 1/1 switchport access vlan 3
switch (config) # interface ethernet 1/2 switchport access vlan 3
switch (config) # interface ethernet 1/3 switchport access vlan 3

  8. Isolate Ethernet interfaces 1 and 2 and set Ethernet interfaces 3 as privileged.  

    switch (config) # interface ethernet 1/1-1/2 isolation-group GroupA mode isolated
switch (config) # interface ethernet 1/3 isolation-group GroupA mode privileged

  9. Enable isolation Group A.  

    (config) # isolation-group GroupA no shutdown

  10. Set Ethernet interfaces 4-6 to trunk.  

    switch (config) # interface ethernet 1/4 switchport mode trunk
switch (config) # interface ethernet 1/5 switchport mode trunk
switch (config) # interface ethernet 1/6 switchport mode trunk

  11. Isolate Ethernet interfaces 4 and 5 and set Ethernet interfaces 6 as privileged.  

    switch (config) # interface ethernet 1/4-1/5 isolation-group GroupA mode isolated
switch (config) # interface ethernet 1/6 isolation-group GroupA mode privileged

  12. Enable isolation Group B.  

    switch (config) # isolation-group GroupB no shutdown

  13. Verify configuration.  

    switch (config) # show isolation-group
Isolation group: GroupA
State:           Enabled
VLANs:           2, 3
Privileged port: Eth1/3
Isolated ports:  Eth1/1, Eth1/2

Isolation group: GroupB
State:           Enabled
VLANs:           4, 5
Privileged port: Eth1/6
Isolated ports:  Eth1/4, Eth1/5

Interface Isolation Commands

protocol isolation-group


protocol isolation-group
no protocol isolation-group

Enables interface isolation and unlocks further isolation-group commands.
The no form of the command disables interface isolation and locks other isolation-group commands.

Syntax DescriptionN/A
DefaultDisabled
Configuration Modeconfig
History3.6.1002
Example
switch (config) # protocol isolation-group
Related Commandsshow isolation-group
Notes
  • MLAG must be disabled before enabling interface isolation
  • When disabled, all configuration is lost

isolation-group


isolation-group <name>
no isolation-group <name> 

Creates isolation group.
The no form of the command deletes isolation group.

Syntax DescriptionN/A
DefaultN/A
Configuration Modeconfig
History3.6.1002
Example
switch (config) # isolation-group mygroup
switch (config isolation-group mygroup) #
Related Commandsprotocol isolation-group
show isolation-group
Notes
  • The no form of this command deletes the isolation group, removes its attached ports, and the VLANs from the group
  • Up to 64 isolation groups can be created

shutdown


shutdown
no shutdown 

Disables isolation group.
The no form of the command enables isolation group.

Syntax DescriptionN/A
DefaultDisabled
Configuration Modeconfig isolation group
History3.6.1002
Example
switch (config isolation-group mygroup) # no shutdown
Related Commandsprotocol isolation-group
isolation-group
show isolation-group
Notes

Enabling isolation groups fails if there are VLANs with ports both inside and outside the group

vlan


vlan <vid>
no vlan <vid> 

Adds a VLAN to isolation group.
The no form of the command removes a VLAN from an isolation group.

Syntax DescriptionN/A
DefaultN/A
Configuration Modeconfig isolation group
History3.6.1002
Example
switch (config isolation-group mygroup) # vlan 10
Related Commandsprotocol isolation-group
isolation-group
show isolation-group
Notes
  • Enabling isolation groups fails if there are VLANs with ports both inside and outside the group
  • The VLAN must be created before running this command
  • All interfaces in the VLAN must be attached to only this isolation group
  • The VLAN added cannot have a respective VLAN interface

isolation-group mode


isolation-group <name> mode {isolated | privileged}
no isolation-group <name> mode {isolated | privileged} 

Adds a VLAN to isolation group.
The no form of the command removes a VLAN from an isolation group.

Syntax DescriptionnameThe isolation group name
isolatedConfigures this interface as isolated
privilegedConfigures this interface as privileged
DefaultN/A
Configuration Mode

config interface ethernet
config interface port-channel

History3.6.1002
Example
switch (config interface ethernet 1/2) # isolation-group mygroup mode privileged
Related Commandsprotocol isolation-group
isolation-group
show isolation-group
Notes


show isolation-group


show isolation-group <name> 

Displays isolation group information.

Syntax Description

N/A 

Default

N/A

Configuration Mode

Any command mode

History

3.6.1002


3.6.5000

Updated Example

Example
switch (config) # show isolation-group mygroup
Isolation group 1:
 State: Disabled
 VLANs: N/A
 Privileged port: N/A
 Isolated ports: N/A
Related Commands


Notes