On large networks, IP planning is a frequent source of trouble. Many readers have asked how to lay out IP addresses for a large surveillance system with more than 1000 channels, or for a network of similar size, and the question has also been discussed at length in our VIP technology group.
For a large network, the address plan is usually carved into VLANs, because VLANs bring real advantages: they make the network easier to manage and they improve the security of the whole network. Is there any other way to keep hosts apart besides VLANs? Yes: port isolation. These two methods are the ones most used in IP planning, and this issue looks at VLAN division and port isolation in more detail.
First, dividing VLANs
When faced with a large number of IP addresses, the usual approach is to divide them into VLANs. The role of a VLAN is to limit broadcasts: one VLAN is one broadcast domain. Port isolation goes a step further and separates individual interfaces inside the same VLAN. Hosts in different VLANs cannot reach each other at Layer 2; if they need to, a Layer 3 device (a Layer 3 switch with an interface per VLAN, or a router) has to route between the VLANs.
Example
A company has 1000 computers spread over several departments, and the departments need to exchange data with each other. How should the IP addresses be planned?
Analysis: with /24 subnets, each VLAN offers 254 usable addresses (253 hosts plus the gateway), so 1000 computers need at least 4 network segments. Planning 5 or 6 leaves room for future growth; here we use 6. The address plan can then be as follows, one VLAN per segment with the .1 address as the gateway:
VLAN 1: 192.168.1.0/24, gateway 192.168.1.1
VLAN 2: 192.168.2.0/24, gateway 192.168.2.1
VLAN 3: 192.168.3.0/24, gateway 192.168.3.1
VLAN 4: 192.168.4.0/24, gateway 192.168.4.1
VLAN 5: 192.168.5.0/24, gateway 192.168.5.1
VLAN 6: 192.168.6.0/24, gateway 192.168.6.1
In production, avoid putting user hosts in VLAN 1: it is the factory default VLAN on most switches and the one every unconfigured port lands in, so numbering user VLANs from 10 upward is the usual practice.
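As an added example (not from the original article), here is a small Python planner that does this arithmetic and checks the result: it computes how many subnets of a given size a host count needs, allocates them consecutively from 192.168.1.0/24 as the plan above does, refuses overlapping subnets, and answers which VLAN a given address belongs to. The function names, the spare-subnet parameter and the choice to start VLAN numbering at 10 instead of 1 are this example's own assumptions.

```python
# Added example (not from the original page): carve a host population into
# VLAN-sized subnets the way the article's 1000-host plan does, and check it.
# Names (plan_subnets, locate, capacity) and the sample numbers are this
# example's own; the address block 192.168.1.0/24 upward and the /24 size
# follow the article.
import ipaddress
import math
from typing import List, NamedTuple, Optional


class VlanSubnet(NamedTuple):
    vlan_id: int
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def plan_subnets(host_count: int, base: str = "192.168.1.0", prefix: int = 24,
                 spare: int = 2, start_vlan: int = 10) -> List[VlanSubnet]:
    """Allocate consecutive /prefix subnets for host_count hosts, one per VLAN.

    Usable hosts per subnet = 2**(32-prefix) - 3: the network address,
    the broadcast address and the gateway (.1) cannot be given to hosts.
    `spare` extra subnets are planned for growth; the article plans six
    for 1000 hosts although four /24s (4 * 253 = 1012) would just fit.
    VLAN IDs start at 10 by default to stay off VLAN 1, the factory
    default VLAN on most switches (an assumption of this example).
    """
    if not 16 <= prefix <= 30:
        raise ValueError("prefix must be between /16 and /30")
    usable = 2 ** (32 - prefix) - 3
    needed = math.ceil(host_count / usable) + spare
    # strict=True (the default) rejects a base that is not aligned to /prefix.
    first = ipaddress.IPv4Network(f"{base}/{prefix}")
    plan: List[VlanSubnet] = []
    for i in range(needed):
        start = int(first.network_address) + i * first.num_addresses
        net = ipaddress.IPv4Network((start, prefix))
        plan.append(VlanSubnet(start_vlan + i, net, net.network_address + 1))
    check_disjoint(plan)
    return plan


def check_disjoint(plan: List[VlanSubnet]) -> None:
    """Overlapping subnets are the classic planning mistake; refuse them."""
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if a.network.overlaps(b.network):
                raise ValueError(f"VLAN {a.vlan_id} and VLAN {b.vlan_id} overlap")


def locate(plan: List[VlanSubnet], ip: str) -> Optional[int]:
    """VLAN a host with this address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for entry in plan:
        if addr in entry.network:
            return entry.vlan_id
    return None


def capacity(plan: List[VlanSubnet]) -> int:
    """Total host addresses available across the plan (gateways excluded)."""
    return sum(e.network.num_addresses - 3 for e in plan)


if __name__ == "__main__":
    for e in plan_subnets(1000):
        print(f"VLAN {e.vlan_id}: {e.network}  gateway {e.gateway}")
```

Calling plan_subnets(1000) reproduces the six /24 segments above (with VLAN IDs 10 to 15); plan_subnets(1000, spare=0) shows that four segments is the arithmetic minimum, and passing prefix=23 shows how the count drops when larger subnets are chosen.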
The main advantages of VLAN are:
1. It limits the broadcast domain. Broadcasts stay inside one VLAN, which reduces the load on every host and switch in the network.
2. It improves LAN security. Broadcast and unicast traffic inside a VLAN is not forwarded to other VLANs, which helps control traffic flows, reduces the need for separate physical equipment, simplifies network management and improves security.
3. It allows flexible virtual workgroups. Users can be grouped by VLAN regardless of where they physically sit, which makes network construction and maintenance more convenient and flexible.
Second, port isolation
As mentioned above, VLANs are a good solution for a large network, and port isolation can be used in addition to them.
Ports can be placed in different VLANs to keep them apart, but doing that for a handful of hosts wastes VLAN IDs (there are only 4094 usable) and adds another subnet to manage. Port isolation keeps the ports in the same VLAN: ports added to an isolation group cannot exchange Layer 2 traffic with each other.
Port isolation is generally used inside the intranet. Ports that are isolated from each other cannot communicate at Layer 2, so a compromised host on an isolated port cannot reach its neighbours in the same subnet directly; port isolation therefore gives users a more secure setup.
Example:
The port isolation scenario (the original article shows it as a figure) is as follows. PC1, PC2 and PC3 all belong to VLAN 10.
Requirements: PC2 and PC3 must not be able to reach each other, while PC1 can reach both PC2 and PC3.
PC1: 10.10.10.1 255.255.255.0, connected to switch port GE1/0/1
PC2: 10.10.10.2 255.255.255.0, connected to switch port GE1/0/2
PC3: 10.10.10.3 255.255.255.0, connected to switch port GE1/0/3
Gateway: 10.10.10.4 (the switch's Vlanif 10 interface)
Configuration steps:
<Huawei>system-view #Enter system view
[Huawei]vlan 10 #Create VLAN 10
[Huawei-vlan10]quit #Back to system view
[Huawei]interface Vlanif 10 #Layer 3 interface for VLAN 10; this is the gateway
[Huawei-Vlanif10]ip address 10.10.10.4 24 #Gateway address 10.10.10.4/24, matching the PCs' segment
[Huawei-Vlanif10]quit #Exit
[Huawei]interface GigabitEthernet 1/0/1 #Port 1 (PC1)
[Huawei-GigabitEthernet1/0/1]port link-type access #Access mode: the port belongs to exactly one VLAN
[Huawei-GigabitEthernet1/0/1]port default vlan 10 #Put the port in VLAN 10
[Huawei-GigabitEthernet1/0/1]quit
[Huawei]interface GigabitEthernet 1/0/2 #Port 2 (PC2)
[Huawei-GigabitEthernet1/0/2]port link-type access #Set the port mode to access mode
[Huawei-GigabitEthernet1/0/2]port default vlan 10 #Put the port in VLAN 10
[Huawei-GigabitEthernet1/0/2]am isolate GigabitEthernet 1/0/3 #One-way: frames from port 2 are not forwarded to port 3
[Huawei-GigabitEthernet1/0/2]quit
[Huawei]interface GigabitEthernet 1/0/3 #Port 3 (PC3)
[Huawei-GigabitEthernet1/0/3]port link-type access #Set the port mode to access mode
[Huawei-GigabitEthernet1/0/3]port default vlan 10 #Put the port in VLAN 10
[Huawei-GigabitEthernet1/0/3]am isolate GigabitEthernet 1/0/2 #Reverse direction: frames from port 3 are not forwarded to port 2
[Huawei-GigabitEthernet1/0/3]quit
This achieves the requirement: ports 2 and 3 can no longer exchange frames, while port 1 still reaches both. Because am isolate is one-way, it has to be configured on both ports; with only one direction set, the other host's frames would still arrive, but replies would be dropped. To check the result, ping 10.10.10.3 from PC2 (it should fail) and ping 10.10.10.1 from PC2 and from PC3 (both should succeed). One caveat: if local proxy ARP is enabled on Vlanif 10, the gateway will answer ARP requests on behalf of the isolated hosts and route the traffic between them at Layer 3, undoing the isolation, so leave it disabled unless that is the intent.
Port isolation is one of the switch's effective access-control mechanisms, and its security and flexibility make it widely used in real deployments. Specified ports are added to a port isolation group; ports in the same group are isolated from each other, while ports in different groups (or in no group) are not.
Does this feel like deja vu? It looks like dividing VLANs, but it is not the same thing. Both VLANs and port isolation keep devices apart and so provide protection, but a VLAN's job is to contain broadcasts: each floor of a building, say, gets its own VLAN and therefore its own broadcast domain. Port isolation works differently. Users in the same VLAN are normally on the same network segment, so they can ping one another and share data; after port isolation, hosts on the same segment are still forbidden from reaching each other, which raises the security level further.
In short, VLANs isolate broadcasts: one VLAN is one broadcast domain. Port isolation separates individual interfaces within the same VLAN.
Third, summary
1. Isolated ports cannot communicate with each other, but each can still communicate with the uplink port. A VLAN member can communicate with any port carrying the same VLAN ID; different VLANs cannot communicate directly.
2. Isolated ports stay in the same IP segment, whereas each VLAN needs its own IP segment.
3. Port isolation is limited to a single switch: it cannot control traffic between two ports that reach each other through the uplink port, that is, hosts on different switches. A VLAN can span multiple switches, and hosts whose VLAN IDs differ cannot communicate directly wherever they sit.
4. The uplink port cannot tell which isolated port a frame came from, but it can tell (from the VLAN tag) which VLAN a frame belongs to.
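To make these four points concrete, here is an added Python model (not code from the original article or from any switch vendor) of Layer 2 forwarding on a constructed two-switch topology: the page's PC1 to PC3 on SW1, plus a second switch SW2 reached over a trunk. Isolation is modelled as one-way (port, port) rules, the way the am isolate command in the configuration above behaves, so the model also shows why the page configures it on both ports and why a one-way rule breaks ping in both directions. The class names, port names GE1/0/24, hosts PC4 to PC6 and VLAN 20 are this example's own assumptions.

```python
# Added example (not from the original page): a small model of Layer 2
# forwarding that encodes the four summary points above, so the difference
# between a VLAN boundary and port isolation can be checked on a constructed
# two-switch topology. Isolation is modelled one-way per (port, port) pair, the
# way the `am isolate` command in the configuration above behaves, which is why
# the page configures it on both ports. Names and the topology are this
# example's own; nothing here is captured from a real switch.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Switch:
    name: str
    access_vlan: Dict[str, int]                          # access port -> VLAN ID
    trunk_ports: Set[str] = field(default_factory=set)   # uplinks carrying every VLAN
    isolate: Dict[str, Set[str]] = field(default_factory=dict)  # port -> ports it may NOT forward to

    def vlan_of(self, port: str) -> Optional[int]:
        return self.access_vlan.get(port)

    def is_isolated(self, src_port: str, dst_port: str) -> bool:
        """One-way rule: frames entering src_port are never sent out dst_port."""
        return dst_port in self.isolate.get(src_port, set())

    def isolate_pair(self, a: str, b: str) -> None:
        """Bidirectional isolation is two one-way rules (what the page's config does)."""
        self.isolate.setdefault(a, set()).add(b)
        self.isolate.setdefault(b, set()).add(a)


@dataclass
class Network:
    switches: Dict[str, Switch]
    hosts: Dict[str, Tuple[str, str]]                   # host -> (switch, port)
    links: Dict[Tuple[str, str], Tuple[str, str]]       # (switch, port) <-> (switch, port)

    def _uplink(self, from_sw: str, to_sw: str) -> Optional[Tuple[str, str]]:
        """(egress port on from_sw, ingress port on to_sw) for a direct link."""
        for (sa, pa), (sb, pb) in self.links.items():
            if (sa, sb) == (from_sw, to_sw):
                return pa, pb
            if (sb, sa) == (from_sw, to_sw):
                return pb, pa
        return None

    def forwards(self, src: str, dst: str) -> bool:
        """True if a frame sent by src is delivered to dst at Layer 2."""
        s_sw, s_port = self.hosts[src]
        d_sw, d_port = self.hosts[dst]
        s_switch, d_switch = self.switches[s_sw], self.switches[d_sw]
        # Summary point 1: a frame never leaves its VLAN; crossing needs a router.
        if s_switch.vlan_of(s_port) != d_switch.vlan_of(d_port):
            return False
        if s_sw == d_sw:
            # Same switch, same VLAN: only an isolation rule can block it.
            return not s_switch.is_isolated(s_port, d_port)
        # Summary points 3 and 4: the frame leaves via the local uplink and arrives
        # on the remote uplink. Isolation is local to each switch, and the remote
        # switch cannot tell which access port the frame came from.
        link = self._uplink(s_sw, d_sw)
        if link is None:
            return False
        out_port, in_port = link
        if out_port not in s_switch.trunk_ports or in_port not in d_switch.trunk_ports:
            return False
        if s_switch.is_isolated(s_port, out_port):   # host cut off from its own uplink
            return False
        return not d_switch.is_isolated(in_port, d_port)

    def ping_works(self, a: str, b: str) -> bool:
        """ICMP echo needs both directions; a one-way rule breaks it either way."""
        return self.forwards(a, b) and self.forwards(b, a)


def build_example() -> Network:
    """Constructed topology: the page's PC1-PC3 on SW1, plus SW2 over a trunk."""
    sw1 = Switch("SW1", access_vlan={"GE1/0/1": 10, "GE1/0/2": 10, "GE1/0/3": 10},
                 trunk_ports={"GE1/0/24"})
    sw1.isolate_pair("GE1/0/2", "GE1/0/3")        # the page's PC2/PC3 requirement
    sw2 = Switch("SW2", access_vlan={"GE1/0/1": 10, "GE1/0/2": 20, "GE1/0/3": 10},
                 trunk_ports={"GE1/0/24"})
    sw2.isolate["GE1/0/1"] = {"GE1/0/3"}          # one-way only, to show the asymmetry
    hosts = {"PC1": ("SW1", "GE1/0/1"), "PC2": ("SW1", "GE1/0/2"), "PC3": ("SW1", "GE1/0/3"),
             "PC4": ("SW2", "GE1/0/1"), "PC5": ("SW2", "GE1/0/2"), "PC6": ("SW2", "GE1/0/3")}
    links = {("SW1", "GE1/0/24"): ("SW2", "GE1/0/24")}
    return Network({"SW1": sw1, "SW2": sw2}, hosts, links)


if __name__ == "__main__":
    net = build_example()
    for a, b in [("PC1", "PC2"), ("PC2", "PC3"), ("PC2", "PC4"),
                 ("PC2", "PC5"), ("PC4", "PC6"), ("PC6", "PC4")]:
        print(f"{a} -> {b}: forwards={net.forwards(a, b)} ping={net.ping_works(a, b)}")
```

Running it shows the contrast in one screen: PC2 and PC3 cannot reach each other on SW1, yet PC2 reaches PC4 on SW2 because the isolation rules never cross the trunk (point 3), PC2 never reaches PC5 because VLAN 20 is a different broadcast domain, and the one-way rule between PC4 and PC6 lets PC6's frames through while still breaking ping in both directions.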
Note: to learn more about the differences between port isolation and VLANs, follow SPOTO's blog. We will keep posting the latest news on the Cisco certification exams, and you can contact us directly with any questions.