Cisco Meraki

Restricting Traffic with Isolated Switch Ports

Port isolation allows a network administrator to prevent traffic from being sent between specific ports. This can be configured in addition to an existing VLAN configuration, so even client traffic within the same VLAN will be restricted. This article outlines how to configure isolated ports, as well as best practices and example implementations.

 

Note: For MS210, MS225, and MS250 series switches, port isolation is only supported on the first 24 ports.

Configuration

Isolated ports can be configured either per port or in bulk. The following steps enable isolation in Dashboard:

  1. Navigate to the Dashboard network containing the switch(es) to be configured.
  2. Select Configure > Monitor > Switch ports.
  3. Click the check box on the left of each port.
  4. Click the Edit button to edit the port configuration.
  5. Set Isolation to “enabled” in the configuration window.
  6. Select Update to save the configuration.

Note: Isolation can also be enabled/disabled on individual switch ports, on the switch's page in Dashboard.

Implementation and Best Practices

When ports on a switch have been isolated, the MS will not send any layer-2 network traffic from one isolated port to another. This can be useful in a multi-tenant environment, for example, where clients should be unable to send traffic to each other.

In the following two example diagrams, the orange ports indicate isolated ports, and the green ports have isolation disabled. The topology below is an example of port isolation being used to block inter-client communication, while still allowing Internet access:
 

[Figure: Isolated Ports 1.png]

 

When implementing port isolation, it is important to ensure that the appropriate ports have been isolated, so that traffic can reach the appropriate destination. It should also be noted that ports that are NOT isolated can communicate with ports that are isolated. In the example below, switch A’s uplink port has been isolated, so clients connected to any other isolated port on A are unable to communicate with the gateway:

[Figure: Isolated Ports 2.png]
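
The forwarding rule and the uplink pitfall described above can be checked against a port plan before it is applied in Dashboard. The following is an added example, not Meraki code: the dict layout, the role names ("tenant", "uplink"), the finding labels and the sample model strings are assumptions made for illustration.

```python
# Added example: audit a planned port-isolation layout offline.
# Port plans below are constructed samples, not output from a real switch.

FIRST_24_ONLY = ("MS210", "MS225", "MS250")  # series the article limits to ports 1-24

def can_forward(ports, src, dst):
    """Article's layer-2 rule: only isolated-to-isolated traffic is dropped."""
    return not (ports[src]["isolated"] and ports[dst]["isolated"])

def audit(model, ports):
    """Return sorted (finding, port) tuples for one switch's port plan."""
    findings = set()
    uplinks = [p for p, c in ports.items() if c["role"] == "uplink"]
    tenants = [p for p, c in ports.items() if c["role"] == "tenant"]
    for port, cfg in ports.items():
        # Isolation requested on a port where the article says it is unsupported.
        if cfg["isolated"] and port > 24 and model.startswith(FIRST_24_ONLY):
            findings.add(("isolation-unsupported-port", port))
    for u in uplinks:
        if ports[u]["isolated"]:
            findings.add(("uplink-isolated", u))
    for t in tenants:
        # A tenant port must be able to reach at least one uplink ...
        if uplinks and not any(can_forward(ports, t, u) for u in uplinks):
            findings.add(("tenant-cut-off-from-gateway", t))
        # ... and must not be able to reach any other tenant port.
        if any(can_forward(ports, t, o) for o in tenants if o != t):
            findings.add(("tenant-to-tenant-open", t))
    return sorted(findings)

def port(role, isolated):
    return {"role": role, "isolated": isolated}

# First diagram: tenant ports isolated, uplink left non-isolated.
GOOD = {1: port("tenant", True), 2: port("tenant", True), 24: port("uplink", False)}
# Second diagram: the uplink is isolated too, so tenants lose the gateway.
BAD_UPLINK = {1: port("tenant", True), 2: port("tenant", True), 24: port("uplink", True)}
# One tenant port left non-isolated, plus isolation requested on port 30.
MIXED = {1: port("tenant", True), 2: port("tenant", False),
         30: port("tenant", True), 48: port("uplink", False)}

if __name__ == "__main__":
    for name, model, plan in [("GOOD", "MS225-24", GOOD),
                              ("BAD_UPLINK", "MS225-24", BAD_UPLINK),
                              ("MIXED", "MS225-48", MIXED)]:
        print(name, audit(model, plan) or "no findings")
```

A single non-isolated tenant port is reported together with every tenant port it can exchange traffic with, because non-isolated ports can communicate with isolated ones.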