About Port Isolation

Port Isolation prevents local switching among ports on a Netvisor One switch or on a pair of Netvisor One switches configured as a cluster. With Port Isolation, hosts that belong to the same Layer 2 domain and are connected to isolated ports are not allowed to communicate directly or to learn each other's MAC addresses. Communication between these hosts occurs only through a Layer 3 device. This is useful for forcing bridged east-west traffic through a firewall where it can be inspected.

When using this feature on ports within a cluster, you must configure the port-link state association rules between the uplink ports and the downlink isolated ports.

Example Configuration

In a typical scenario, as shown in the figure below, ports 1, 2, and 3 are configured as isolated ports so that the hosts attached to these ports cannot communicate with each other directly, but only through the upstream firewall or router that is connected to port 64.

Figure 4 - Port Isolation Scenario


As shown in the figure, create the configuration as follows:

CLI (network-admin@Leaf1) > port-config-modify port 1 no-local-switching

CLI (network-admin@Leaf1) > port-config-modify port 2 no-local-switching

CLI (network-admin@Leaf1) > port-config-modify port 3 no-local-switching

Typically, the upstream router or firewall is configured to perform local proxy ARP and/or NDP proxy and to respond to all ARP requests and/or Neighbor Solicitations coming from isolated hosts. To avoid interfering with local proxy ARP and NDP proxy, disable ARP and ND Optimization as follows:

CLI (network-admin@Leaf1) > system-settings-modify no-optimize-arps

CLI (network-admin@Leaf1) > system-settings-modify no-optimize-nd
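As an added example that is not part of the Netvisor One documentation, the following POSIX shell function assembles the command sequence above for any uplink port and set of isolated downlink ports, so the per-port command is never mistyped. It prints the commands rather than running them (the `CLI (network-admin@Leaf1) >` prompt is omitted because the lines are meant to be entered at that prompt), and it refuses an input that would also isolate the uplink port: this example assumes, as the figure implies, that the port facing the firewall or router must keep local switching so that it remains the one path the isolated hosts are allowed to use.

```shell
#!/bin/sh
# Added example, not Netvisor One code: emit the Port Isolation command
# sequence for one uplink port and a list of downlink ports to isolate.

# gen_port_isolation_config UPLINK_PORT ISOLATED_PORT...
# Prints one CLI command per line on stdout; returns 1 on invalid input.
gen_port_isolation_config() {
  uplink="$1"
  shift
  case "$uplink" in
    ''|*[!0-9]*) echo "error: uplink port must be numeric" >&2; return 1 ;;
  esac
  [ "$#" -gt 0 ] || { echo "error: at least one isolated port is required" >&2; return 1; }

  for p in "$@"; do
    case "$p" in
      ''|*[!0-9]*) echo "error: invalid port '$p'" >&2; return 1 ;;
    esac
    # Assumption (see lead-in): the uplink toward the firewall/router must stay
    # normally switched, otherwise the isolated hosts have no permitted path.
    if [ "$p" = "$uplink" ]; then
      echo "error: uplink port $uplink cannot also be isolated" >&2
      return 1
    fi
    echo "port-config-modify port $p no-local-switching"
  done

  # Leave proxy ARP / NDP proxy on the upstream device undisturbed, as the
  # documentation directs once isolated ports exist.
  echo "system-settings-modify no-optimize-arps"
  echo "system-settings-modify no-optimize-nd"
}

# The scenario from the figure: ports 1, 2 and 3 isolated, port 64 is the uplink.
gen_port_isolation_config 64 1 2 3
```

Run the script and paste its output line by line at the Netvisor One CLI prompt; the ordering matters only in that the two system-settings-modify commands belong after the ports have been isolated, which is the order the function preserves.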