Example of Usage


A network admin can use this feature to isolate bridged East-West traffic between hosts while allowing it through a firewall or router that can properly police it. 


In the case of a router as shown in Figure 12-1 below, ports 1, 2, and 3 are configured as isolated ports so that the hosts attached to these ports cannot communicate at Layer 2 with each other directly, but only through the upstream router that is connected to the uplink vLAG 64. 



Figure 15-1 - Port Isolation Scenario 


When using this feature on downlink ports within a cluster, especially when using downlink vLAGs (as with Host B above), you must configure port state association rules between the uplink ports and the downlink isolated ports. 


This is needed because isolated port traffic cannot cross the cluster link


In other words, a port state association (with the port-association-create-name command) is required in order to mirror the uplink state to the downlink state so that vLAG member link state remains symmetrical in case of uplink failure. That allows path redundancy to work with isolated vLAGs when an uplink vLAG member fails, given that the cluster link cannot be relied upon as fallback path. 


For configuration information refer to the Configuring Port Isolation section below. 


north
    keyboard_arrow_up
    keyboard_arrow_down
    description
    print
    feedback
    support
    business
    rss_feed
    south