I've seen several switch products advertising a port isolation feature as a "way to limit port communication without configuring VLANs", and it sounds quite... sketchy? If I understand it correctly, port isolation allows you to literally specify which ports each port can talk to. And it sounds like a really, really error-prone example of a clumsy VLAN/ACL combo implementation.

So what are the actual correct use cases (not ones coming from laziness and misunderstanding) where this feature is necessary? Can we look at port isolation as a kind of simplified ACL? I don't quite see any real value coming from such a feature if we have a switch with ACL support and VLAN support. It sounds to me like incorrect network/security design.

Lapsio

1 Answer

Port isolation (also called private VLAN, thanks @Stuggi) is a very useful feature for switches that connect end users.

In a typical network you will have many end-user computers grouped together in a VLAN that communicates with some servers in other networks.

Those computers have no need to communicate with each other, so it's best to block that unwanted communication.

For example, if a user is infected by a virus (received either by email or by browsing a website) which spreads itself to all accessible computers in the LAN, it will infect all machines. Port isolation will prevent this.

ACLs are more intended to filter what passes from one network/VLAN to another, not inside a single network/VLAN.

JFL
  • So it's more like an _addon_ to VLANs, not something to sloppily replace their functionality? – Lapsio Nov 27 '17 at 11:22
  • Right, if you wanted to use only VLANs to do the same as port isolation you would end up with one VLAN per client computer, and this doesn't scale very well. It's a feature on its own. – JFL Nov 27 '17 at 11:47
  • This feature is sometimes also called Private VLANs, where you have a bit more control: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html – Stuggi Nov 27 '17 at 21:48
  • @Stuggi, actually I have generally found port isolation features to be a "simplified" implementation of what Private VLANs can do. While you can discuss both features as similar in some ways, I would not consider "Private VLANs" and "port isolation" synonymous (i.e. I wouldn't call either by the other name). Port isolation is generally more like wireless client isolation than Private VLANs. – YLearn Nov 29 '17 at 07:14
  • Yeah, I'm more familiar with Private VLANs, so to me port isolation looks like "budget" PVLANs, so you're absolutely right! – Stuggi Nov 29 '17 at 11:45
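The forwarding behaviour the answer describes (isolated host ports that can still reach the uplink, but not each other) as an added model, not code from the question, the answer or any switch vendor. The port numbers, the single uplink on port 24 and the "infected host on port 3" scenario are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of one access switch: user PCs on ports 1..8, servers
# reached through a single uplink on port 24 (hypothetical numbering).
UPLINK = 24


@dataclass
class Switch:
    ports: set
    # isolated ports may only talk to non-isolated (promiscuous) ports
    isolated: set = field(default_factory=set)
    # promiscuous ports (the uplink towards the servers) may talk to anyone
    promiscuous: set = field(default_factory=set)

    def enable_isolation(self, host_ports, uplink):
        """Turn on port isolation: host ports become isolated, uplink stays open."""
        self.isolated = set(host_ports)
        self.promiscuous = {uplink}

    def can_forward(self, src, dst):
        """Layer-2 forwarding decision inside a single VLAN.

        Without isolation every port reaches every other port; with isolation
        an isolated-to-isolated frame is dropped by the switch itself.
        """
        if src == dst or src not in self.ports or dst not in self.ports:
            return False
        if src in self.isolated and dst in self.isolated:
            return False
        return True


def lateral_reach(switch, infected_port):
    """Ports an infected host can reach directly (the worm-spread case in the answer)."""
    return {p for p in switch.ports if switch.can_forward(infected_port, p)}


def demo(infected_port=3):
    """Compare what a compromised PC can reach before and after enabling isolation."""
    hosts = set(range(1, 9))
    sw = Switch(ports=hosts | {UPLINK})
    before = lateral_reach(sw, infected_port)      # every other PC plus the uplink
    sw.enable_isolation(hosts, UPLINK)
    after = lateral_reach(sw, infected_port)       # only the uplink remains reachable
    # servers behind the uplink can still answer the isolated client
    server_reply_ok = sw.can_forward(UPLINK, infected_port)
    return before, after, server_reply_ok
```

Running `demo()` shows the blast radius shrinking from seven neighbouring PCs to none while client-to-server traffic is untouched, which is the distinction from an ACL (inter-VLAN filtering) that the answer draws.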