Interface Isolation

Interface isolation provides the ability to group interfaces in sets where traffic from each port is isolated from other interfaces in the group. The isolated interfaces in the group, however, are able to communicate with the interface marked as privileged.

Configuring Isolated Interfaces

Create the VLANs to be used.

Copy
Copied!

            
            switch (config) # vlan 2-5
switch (config vlan 2-5) # exit

Unlock isolation interface protocol.

Copy
Copied!

            
            switch (config) # protocol isolation-group

Create isolation Group A.

Copy
Copied!

            
            switch (config) # isolation-group GroupA

Assign VLANs 2 and 3 to isolation Group A.

Copy
Copied!

            
            switch (config isolation-group GroupA) # vlan 2-3
switch (config isolation-group GroupA) # exit

Create isolation Group B.

Copy
Copied!

            
            switch (config) # isolation-group GroupB

Assign VLANs 4 and 5 to isolation Group B.

Copy
Copied!

            
            switch (config isolation-group GroupB) # vlan 4-5
switch (config isolation-group GroupB) # exit

Set Ethernet interfaces 1-3 to access for VLAN 3.

Copy
Copied!

            
            switch (config) # interface ethernet 1/1 switchport access vlan 3
switch (config) # interface ethernet 1/2 switchport access vlan 3
switch (config) # interface ethernet 1/3 switchport access vlan 3

Isolate Ethernet interfaces 1 and 2 and set Ethernet interfaces 3 as privileged.

Copy
Copied!

            
            switch (config) # interface ethernet 1/1-1/2 isolation-group GroupA mode isolated
switch (config) # interface ethernet 1/3 isolation-group GroupA mode privileged

Enable isolation Group A.

Copy
Copied!

            
            (config) # isolation-group GroupA no shutdown

Set Ethernet interfaces 4-6 to trunk.

Copy
Copied!

            
            switch (config) # interface ethernet 1/4 switchport mode trunk
switch (config) # interface ethernet 1/5 switchport mode trunk
switch (config) # interface ethernet 1/6 switchport mode trunk

Isolate Ethernet interfaces 4 and 5 and set Ethernet interfaces 6 as privileged.

Copy
Copied!

            
            switch (config) # interface ethernet 1/4-1/5 isolation-group GroupA mode isolated
switch (config) # interface ethernet 1/6 isolation-group GroupA mode privileged

Enable isolation Group B.

Copy
Copied!

            
            switch (config) # isolation-group GroupB no shutdown

Verify configuration.

Copy
Copied!

            
            switch (config) # show isolation-group
Isolation group: GroupA
State:           Enabled
VLANs:           2, 3
Privileged port: Eth1/3
Isolated ports:  Eth1/1, Eth1/2
 
Isolation group: GroupB
State:           Enabled
VLANs:           4, 5
Privileged port: Eth1/6
Isolated ports:  Eth1/4, Eth1/5

Interface Isolation Commands

protocol isolation-group

	protocol isolation-group no protocol isolation-group Enables interface isolation and unlocks further isolation-group commands. The no form of the command disables interface isolation and locks other isolation-group commands.
Syntax Description	N/A
Default	Disabled
Configuration Mode	config
History	3.6.1002
Example	switch (config) # protocol isolation-group
Related Commands	show isolation-group
Notes	MLAG must be disabled before enabling interface isolation When disabled, all configuration is lost

isolation-group

	isolation-group <name> no isolation-group <name> Creates isolation group. The no form of the command deletes isolation group.
Syntax Description	N/A
Default	N/A
Configuration Mode	config
History	3.6.1002
Example	switch (config) # isolation-group mygroup switch (config isolation-group mygroup) #
Related Commands	protocol isolation-group show isolation-group
Notes	The no form of this command deletes the isolation group, removes its attached ports, and the VLANs from the group Up to 64 isolation groups can be created

shutdown

	shutdown no shutdown Disables isolation group. The no form of the command enables isolation group.
Syntax Description	N/A
Default	Disabled
Configuration Mode	config isolation group
History	3.6.1002
Example	switch (config isolation-group mygroup) # no shutdown
Related Commands	protocol isolation-group isolation-group show isolation-group
Notes	Enabling isolation groups fails if there are VLANs with ports both inside and outside the group

vlan

	vlan <vid> no vlan <vid> Adds a VLAN to isolation group. The no form of the command removes a VLAN from an isolation group.
Syntax Description	N/A
Default	N/A
Configuration Mode	config isolation group
History	3.6.1002
Example	switch (config isolation-group mygroup) # vlan 10
Related Commands	protocol isolation-group isolation-group show isolation-group
Notes	Enabling isolation groups fails if there are VLANs with ports both inside and outside the group The VLAN must be created before running this command All interfaces in the VLAN must be attached to only this isolation group The VLAN added cannot have a respective VLAN interface

isolation-group mode

	isolation-group <name> mode {isolated \| privileged} no isolation-group <name> mode {isolated \| privileged} Adds a VLAN to isolation group. The no form of the command removes a VLAN from an isolation group.
Syntax Description	name	The isolation group name
	isolated	Configures this interface as isolated
	privileged	Configures this interface as privileged
Default	N/A
Configuration Mode	config interface ethernet config interface port-channel
History	3.6.1002
Example	switch (config interface ethernet 1/2) # isolation-group mygroup mode privileged
Related Commands	protocol isolation-group isolation-group show isolation-group
Notes

show isolation-group

	show isolation-group <name> Displays isolation group information.
Syntax Description	N/A
Default	N/A
Configuration Mode	Any command mode
History	3.6.1002
History	3.6.5000	Updated Example
Example	switch (config) # show isolation-group mygroup Isolation group 1: State: Disabled VLANs: N/A Privileged port: N/A Isolated ports: N/A
Related Commands
Notes

On This Page