Port isolation allows a network administrator to prevent traffic from being sent between specific ports. This can be configured in addition to an existing VLAN configuration, so even client traffic within the same VLAN will be restricted. This article outlines how to configure isolated ports, as well as best practices and example implementations.
Isolated ports can be configured either on a per-port basis or in bulk. The following instructions explain how to enable isolation in Dashboard:
Note: Isolation can also be enabled/disabled on individual switch ports, on the switch's page in Dashboard.
When ports on a switch have been isolated, the MS will not send any layer-2 network traffic from one isolated port to another. This can be useful in a multi-tenant environment, for example, where clients should be unable to send traffic to each other.
In the following two example diagrams, the orange ports indicate isolated ports, and the green ports have isolation disabled. The topology below is an example of port isolation being used to block inter-client communication, while still allowing Internet access:
When implementing port isolation, verify that only the intended ports have been isolated, so that traffic can still reach its intended destination. In the example below, switch A’s uplink port has been isolated, so clients connected to any other isolated port on A are unable to communicate with the gateway:
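The forwarding rule and the uplink mistake described above can be checked before a change is pushed. The following is an added example, not part of the original article or of Dashboard: it models a single switch, and the port numbers, the `role` and `isolated` keys and the finding names are all constructed for illustration.

```python
# Added example: audits one switch's isolation settings against the rule
# "no layer-2 traffic from one isolated port to another".
# The dict layout, port numbers and finding names are assumptions.

def can_forward(ports, src, dst):
    """Traffic is blocked only when BOTH the source and destination are isolated."""
    if src == dst:
        return False
    return not (ports[src]["isolated"] and ports[dst]["isolated"])

def audit(ports):
    """Return a list of (finding, port-or-pair) tuples for one switch."""
    uplinks = [p for p, cfg in ports.items() if cfg["role"] == "uplink"]
    clients = [p for p, cfg in ports.items() if cfg["role"] == "client"]
    findings = []
    # An isolated uplink cuts every isolated client off from the gateway.
    for u in uplinks:
        if ports[u]["isolated"]:
            findings.append(("uplink-isolated", u))
    # Clients with no uplink they are allowed to forward to.
    for c in clients:
        if not any(can_forward(ports, c, u) for u in uplinks):
            findings.append(("no-gateway-path", c))
    # Client pairs that can still exchange traffic (one side is not isolated).
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            if can_forward(ports, a, b):
                findings.append(("client-to-client", (a, b)))
    return findings

# Constructed configuration: clients isolated, uplink left un-isolated.
GOOD = {
    "1": {"role": "uplink", "isolated": False},
    "2": {"role": "client", "isolated": True},
    "3": {"role": "client", "isolated": True},
    "4": {"role": "client", "isolated": True},
}

# Constructed configuration: uplink isolated by mistake, port 4 missed.
BAD = {
    "1": {"role": "uplink", "isolated": True},
    "2": {"role": "client", "isolated": True},
    "3": {"role": "client", "isolated": True},
    "4": {"role": "client", "isolated": False},
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg))
```

In the `BAD` configuration the un-isolated client on port 4 keeps its path to the gateway but can also reach the isolated clients, which defeats the multi-tenant separation the isolation was meant to provide.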