Configuring Port Isolation
As explained in the About Port Isolation section above, a network admin can use this feature to isolate bridged East-West traffic between hosts while allowing it through an upstream firewall or router.
To configure isolated ports, use the no-local-switching parameter in the port-config-modify command like so:
CLI (network-admin@switch) > port-config-modify port 1,2 no-local-switching
So, referring to the example shown in Figure 12-1 above, on the cluster pair the isolated port configuration can be entered as follows:
PN-HA1
CLI (network-admin@pn-ha1) > port-config-modify port 1 no-local-switching
CLI (network-admin@pn-ha1) > port-config-modify port 2 no-local switching
PN-HA2
CLI (network-admin@pn-ha2) > port-config-modify port 2 no-local-switching
CLI (network-admin@pn-ha2) > port-config-modify port 3 no-local-switching
Typically, if inter-host Layer 3 connectivity is needed, you would configure the upstream router or firewall to perform local proxy ARP and/or NDP proxy so as to respond to all ARP requests and/or neighbor solicitations coming from isolated hosts.
To avoid interfering with local proxy ARP and NDP proxy, you may want to disable ARP and ND optimization as follows:
CLI (network-admin@pn-ha1) > system-settings-modify no-optimize-arps
CLI (network-admin@pn-ha1) > system-settings-modify no-optimize-nd
CLI (network-admin@pn-ha2) > system-settings-modify no-optimize-arps
CLI (network-admin@pn-ha2) > system-settings-modify no-optimize-nd
Additionally, configure the port link state association between downlinks and uplinks for proper vLAG redundancy. A port association is required to match the link state of downlink isolated ports with the one of uplink ports.
When all uplink ports are down, downlink isolated ports are administratively disabled until one of the uplinks becomes operational again.
In this example, the port association names are PA1 and PA2. On PN-HA1, the uplink port number is 64, and isolated downlink ports’ numbers are 1 and 2. On PN-HA2, the uplink port number is also 64 (uplink vLAG member), and isolated downlink ports’ numbers are 2 and 3:
CLI (network-admin@pn-ha1) > port-association-create name PA1 master-ports 64 slave-ports 1,2 policy any-master
CLI (network-admin@pn-ha2) > port-association-create name PA2 master-ports 64 slave-ports 2,3 policy any-master
To view ports that are configured with the no-local-switching command parameter, use the port-egress-show command:
CLI (network-admin@switch) > port-egress-show
|
switch ------ |
port ---- |
egress ------ |
rx-only ------- |
active-active-vlags ------------ |
loopback -------- |
mir-prevent-out ------------ |
no-local-switching-out ------------- |
|
1 |
0-72 |
none |
none |
none |
none |
none |
none |
|
2 |
0-72 |
none |
none |
none |
none |
none |
none |
|
3 |
0-72 |
none |
none |
none |
none |
none |
none |
|
4 |
0-72 |
none |
none |
none |
none |
none |
none |
|
5 |
0-4,11-72 |
none |
none |
none |
none |
none |
5-10 |
|
6 |
0-4,11-72 |
none |
none |
none |
none |
none |
5-10 |
|
7 |
0-4,11-72 |
none |
none |
none |
none |
none |
5-10 |
|
8 |
0-4,11-72 |
none |
none |
none |
none |
none |
5-10 |
The no-local-switching configuration option is available also for the trunk-create, trunk-modify and trunk-show commands, as follows:
CLI (network-admin@switch) > trunk-create
|
trunk-create |
Create a trunk configuration for link aggregation |
|
One or more of the following options: |
|
|
local-switching|no-local-switching |
Specify local-switching or no-local-switching. A no-local-switching port cannot bridge traffic to another no-local-switching port |
CLI (network-admin@Leaf1) > trunk-modify
|
trunk-modify |
Modify a trunk configuration for link aggregation |
|
One or more of the following options: |
|
|
local-switching|no-local-switching |
Specify local-switching or no-local-switching. A no-local-switching port cannot bridge traffic to another no-local-switching port. |
CLI (network-admin@Leaf1) > trunk-show
|
trunk-show |
Display trunk configuration |
|
One or more of the following options: |
|
|
local-switching|no-local-switching |
Specify local-switching or no-local-switching. A no-local-switching port cannot bridge traffic to another no-local-switching port. |