About Port Isolation
Port Isolation prevents local switching among ports on a Netvisor ONE switch or on a pair of Netvisor ONE switches configured as a cluster. With Port Isolation, Netvisor ONE disables direct communication with hosts part of same Layer 2 domain connected to isolated ports or to mutually learn the other MAC address. Communication between these hosts occurs through a Layer 3 device. Use this feature to secure bridged east-west traffic through a firewall.
When using this feature on ports within a cluster, you must configure the port-link state association rules between the uplink ports and the downlink isolated ports.
Example Configuration
In a typical scenario, as shown in the Figure 13-1 below, ports 1, 2, and 3 are configured as isolated ports so that the hosts attached to these ports cannot communicate with each other directly, but only through the upstream firewall or router that is connected to port 64.
Figure 13-1 - Port Isolation Scenario
As shown in the figure, create the configuration as follows:
PN-HA1
CLI (network-admin@Leaf1) > port-config-modify port 1 no-local-switching
CLI (network-admin@Leaf1) > port-config-modify port 2 no-local switching
PN-HA2
CLI (network-admin@Leaf1) > port-config-modify port 2 no-local-switching
CLI (network-admin@Leaf1) > port-config-modify port 3 no-local-switching
Typically, you configure the upstream router or firewall to perform local proxy ARPs and/or NDP proxy and respond to all ARP requests and/or Neighbor Solicitations coming from isolated hosts.
To avoid interfering with local proxy ARPs and NDP proxy, disable ARP and ND Optimization as follows:
CLI (network-admin@Leaf1) > system-settings-modify no-optimize-arps
CLI (network-admin@Leaf1) > system-settings-modify no-optimize-nd