How to Separate Traffic through L2 Port Isolation
Zyxel Employee
It’s a common application that we desire to separate or isolate the mutual traffic between various clients/devices on switches in a network environment.
The most intuitive implementation is to create different VLANs to logically segment a LAN into different broadcast domains to achieve the goal.
However, there are certain circumstances that we may want the traffic between clients to be isolated, but yet clients still share the same subnet and VLAN. Let’s say in a commercial hotel network, clients in different rooms may belong the same subnet and VLAN to reach the internet, but there is no way that clients are able to communicate with each other.
On the Zyxel enterprise switch, we can use the feature “Port Isolation” in Advanced Application -> VLAN -> VLAN Configuration -> VLAN Port Setup to separate traffic between specific ports despite belonging to the same VLAN.
This is a scenario from customer’s issue. All client PCs are in the same subnet and VLAN
By using L2 port isolation on the switches, the goals are:
1. Every PC can surf the internet.
2. Every PC cannot communicate with each other.
In the following content, a step-by-step procedure will be introduced of how to implement L2 port isolation using 3 x GS2210-8 to achieve the goal.
Note:
All network addresses and subnet masks are used as examples in this article. Please replace them with your actual network configuration.
1. Configuration in the Switch
1-1. Access Switch C’s web GUI.
1-2. Go to Advance Application > VLAN > VLAN Configuration > VLAN Port Setup
Check Port Isolation for port 1 & 2.
Note:
If there are multiple clients under switch B, follow the same configuration pattern as Switch C. In this case, it’s unnecessary since there’s only one client under switch B.
1-3. Access Switch A’s web GUI.
1-4. Go to Advance Application > VLAN > VLAN Configuration > VLAN Port Setup
Check Port Isolation for port 1, 7 & 8.
2. Test the Result
2-1. Client D can ping Gateway and surf the internet.
2-2. Client D cannot communicate with Client A, B, or C.
3. What May Go Wrong
3-1. L2 port isolation is port-based but not VLAN-based, that is, as long as particular ports are configured as isolation ports, they cannot communicate with each other no matter in the same VLAN or not.
Categories
- All Categories
- 383 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 76 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 890 Nebula FAQ
- 415 Security FAQ
- 233 Switch FAQ
- 204 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight