Port Separation

Summary

The port separation function restricts communications between ports on a LAN interface incorporating a switching hub.

The port separation function differs from the LAN division function in that it does not increase or decrease the number of LAN interfaces. Separated ports are all recognized as the same LAN interface and have the same IP address.

Basic and expanded functions are available in the port separation function.
In the basic function, communications between ports are restricted but are allowed via a router.
In the expanded function, communications from a specified port via a router can be restricted in addition to restricting communications between ports.

Compatible Models & Firmware Revisions

Models and firmware compatible with each function are listed below.

Port separation (Basic)
Model     Firmware
RTX5000   Rev.14.00.15 or later
FWX120    Rev.11.03.16 or later
RTX810    Rev.11.01.15 or later

Port separation (Expanded)
Model     Firmware
RTX5000   Rev.14.00.15 or later
FWX120    Rev.11.03.16 or later
RTX810    Rev.11.01.15 or later

Details

The port separation function settings are configured with the "lan type" command using the port-based-option option.

The operation of the port separation function will be explained using a lan1 interface that has a 4-port switching hub as an example. lan1 is assigned the IP address of 192.168.1.1/24.

Basic function

The switching hub ports are divided into groups. Communications within a group and with the router are allowed, while communications with ports in other groups are restricted.

The port separation pattern is specified using split_pattern in the "lan type lan1 port-based-option=split-into-split_pattern" command. split_pattern requires a colon ":" to be inserted between the port numbers to separate them.

Example 1) Separate port 1 and the other ports
# lan type lan1 port-based-option=split-into-1:234

Port 1 cannot communicate with the other ports.
Ports 2 through 4 can communicate with each other.

Example 2) Separate ports 1 and 2, and the other ports
# lan type lan1 port-based-option=split-into-1:2:34

Ports 1 and 2 cannot communicate with the other ports.
Ports 3 and 4 can communicate with each other.

Expanded function

By specifying the ports to which the packets received by each switching hub port are forwarded, you can restrict communications between ports, communications with the router itself, and communications via the router. In other words, by grouping ports using this function, it is possible to configure ports and groups that are accessible from any group and those that cannot communicate externally via the router.

Specifically, configure the function as follows:

  lan type lan1 port-based-option=X1,X2,X3,X4 

In Xn (n = 1 to 4), list the port numbers to which the packets received by port n are forwarded, followed by a plus sign (+) or a minus sign (-). A plus sign (+) means that communications with the router itself and communications via the router are permitted, and a minus sign (-) means that they are prohibited. The plus sign (+) can be omitted. If a minus sign (-) is specified, packets received by that port are not routed, and the device connected to that port cannot communicate with the router itself.

Example)
# lan type lan1 port-based-option=4+,4+,4+,123-

This operation will result in the following:

  • Devices connected to ports 1, 2, and 3:
    • cannot communicate with each other
    • can communicate with a device connected to port 4
    • can communicate with the router itself
    • can communicate via the router
  • Devices connected to port 4:
    • can communicate with devices connected to ports 1, 2, and 3
    • cannot communicate with the router itself
    • cannot communicate via the router

In other words, the ports will be divided into three groups: ports 1 and 4, ports 2 and 4, and ports 3 and 4.
In this way, settings including the same port in multiple groups become possible using the expanded function.

The following is a detailed explanation.

  1. The forwarding destination setting for packets received by port 1 is the first item, 4+, in the settings values 4+, 4+, 4+, and 123-.
    Packets will only be forwarded to port 4. Moreover, since a plus sign (+) has been specified, communication is possible with the router itself and via the router.
  2. The forwarding destination setting for packets received by port 2 is the second item, 4+, in the settings values 4+, 4+, 4+, and 123-.
    Packets will only be forwarded to port 4. Moreover, since a plus sign (+) has been specified, communication is possible with the router itself and via the router.
  3. The forwarding destination setting for packets received by port 3 is the third item, 4+, in the settings values 4+, 4+, 4+, and 123-.
    Packets will only be forwarded to port 4. Moreover, since a plus sign (+) has been specified, communication is possible with the router itself and via the router.
  4. The forwarding destination setting for packets received by port 4 is the fourth item, 123-, in the settings values 4+, 4+, 4+, and 123-.
    Packets will be forwarded to ports 1 through 3. Moreover, since a minus sign (-) has been specified, communication is neither possible with the router itself nor via the router.

Remarks

In this example, port 4 is specified as the forwarding destination for port 1 (the first item, 4+, in 4+,4+,4+,123-). However, this setting only "forwards packets received by port 1 to port 4" and does not by itself enable two-way communications with the device connected to port 4. Specifying port 1 as a forwarding destination for port 4 as well (the fourth item, 123-, in 4+,4+,4+,123-) enables port 1 and port 4 to communicate with each other.

Notes

If the source port is included in the packet forwarding destination, the packets received by this port will be looped back to the source port. For example, if port 1 itself is included in the forwarding destination for port 1 as in the setting below, the packets received by port 1 will also be sent from port 1.

# lan type lan1 port-based-option=14+,4+,4+,123- 
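
The forwarding rules described above can be checked before a value is applied. The following Python sketch is an added example, not code from the router vendor; the function names parse_port_based_option and audit are hypothetical, and it assumes each Xn lists at least one port. It reports which port pairs can talk both ways, which are forwarded one way only (the case in Remarks), which ports loop back to themselves (the case in Notes), and which ports are cut off from the router.

```python
import re

def parse_port_based_option(value, nports=4):
    """Map each port to (ports its received packets are forwarded to, router allowed)."""
    ports = range(1, nports + 1)
    if value.startswith("split-into-"):           # basic function
        groups = [{int(c) for c in g} for g in value[len("split-into-"):].split(":")]
        seen = [p for g in groups for p in g]
        if len(seen) != len(set(seen)) or not set(seen) <= set(ports):
            raise ValueError("bad split pattern: " + value)
        rest = set(ports) - set(seen)
        if rest:
            # Abbreviated final group (the page describes this for eight-port hubs).
            groups.append(rest)
        # Basic function: traffic stays inside the group; the router is always reachable.
        return {p: (next(g for g in groups if p in g) - {p}, True) for p in ports}
    items = value.split(",")                      # expanded function: X1,...,Xn
    if len(items) != nports:
        raise ValueError("expected %d items: %s" % (nports, value))
    policy = {}
    for p, item in zip(ports, items):
        # Assumption: each Xn lists at least one port; "+" may be omitted.
        m = re.fullmatch(r"([1-%d]+)([+-]?)" % nports, item.strip())
        if not m:
            raise ValueError("bad item for port %d: %r" % (p, item))
        policy[p] = ({int(c) for c in m.group(1)}, m.group(2) != "-")
    return policy

def audit(value, nports=4):
    """Summarise what a port-based-option value permits."""
    policy = parse_port_based_option(value, nports)
    ports = sorted(policy)

    def fwd(a, b):
        return b in policy[a][0]

    return {
        # Both directions are forwarded, so the two devices can hold a conversation.
        "two_way": [(a, b) for a in ports for b in ports
                    if a < b and fwd(a, b) and fwd(b, a)],
        # Forwarded a -> b only: replies from b never reach a (see Remarks).
        "one_way": [(a, b) for a in ports for b in ports
                    if a != b and fwd(a, b) and not fwd(b, a)],
        # Source port listed in its own destinations (see Notes).
        "loopback": [p for p in ports if fwd(p, p)],
        # Ports with "-": not routed and unable to reach the router itself.
        "no_router": [p for p in ports if not policy[p][1]],
    }

if __name__ == "__main__":
    # The first two values are from this page; the third is constructed to show a
    # one-way forwarding mistake (port 4 no longer lists port 1).
    for v in ("4+,4+,4+,123-", "14+,4+,4+,123-", "4+,4+,4+,23-", "split-into-1:2:34"):
        print(v, audit(v))
```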

Command

Set the Operation Type of the LAN Interface

[Syntax]
lan type interface_with_swhub speed [port] [speed [port]...] [option=value...]
lan type interface_with_swhub option=value
lan type interface_without_swhub speed [option=value...]
lan type interface_without_swhub option=value
no lan type interface [...]
[Setting Value]
  • interface_with_swhub ... Name of the LAN interface with a switching hub
  • interface_without_swhub ... Name of the LAN interface without a switching hub
  • interface ... LAN interface name
  • speed ... LAN speed and operation mode
    • auto ... Auto speed detection
    • 1000-fdx ... Full duplex 1000BASE-T
    • 100-fdx ... Full duplex 100BASE-TX
    • 100-hdx ... Half duplex 100BASE-TX
    • 10-fdx ... Full duplex 10BASE-T
    • 10-hdx ... Half duplex 10BASE-T
    • Omitted ... auto if omitted.
  • port ... Port number of the switching hub
    • All ports if omitted
  • option=value ... Optional function
    • mtu ... Maximum data length that can be transmitted or received through the interface
    • auto-crossover ... Auto crossover function
      • on ... Enable the auto crossover function
      • off ... Disable the auto crossover function
    • macaddress-aging ... MAC address aging function
      • Number of seconds ... Aging time
      • on ... Enable the MAC address aging function
      • off ... Disable the MAC address aging function
    • port-based-option ... LAN division function and port division function
      • divide-network ... Enable the LAN division function
      • split-into-split_pattern ... Enable the port division function (normal function)
      • X1, X2, X3, X4 (X1..X4 is a series of numbers 1..4 with a "+" or "-" added at the end) ... Enable the port division function (enhanced function)
      • off ... Disable the LAN division and port division functions
    • speed-downshift ... Speed-downshift function
      • on ... Enable the speed-downshift function
      • off ... Disable the speed-downshift function
[Initial Value]
  • mtu=1500
  • auto-crossover=on
  • macaddress-aging=300
  • port-based-option=off
  • speed-downshift=on
[Description]

Sets the speed, the operation mode, and optional functions of the specified LAN interface.

The speed and operation mode can be specified for each port on a LAN interface with a switching hub.

  • mtu
    Specifies the maximum data length that can be transmitted or received through the interface. The data length does not include the MAC header and FCS. The tag length (4 bytes) for Tag VLAN is also not included.
    The data length range that can be specified will differ depending on the LAN interface. For LAN interfaces that do not support jumbo frames, the data length range will be 64 to 1500. For LAN interfaces that support jumbo frames, the range is as follows:
    Model     Interface                 Selectable Range
    RTX5000   LAN1, LAN2, LAN3, LAN4    64 to 9578

If the mtu of the interface is specified but the setting of the "ip mtu" command or the "ipv6 mtu" command is not specified (default value), the mtu of the interface is used for the mtu of IPv4 or IPv6. On the other hand, if the setting of the "ip mtu" command or the "ipv6 mtu" command is specified, the setting of the "ip mtu" command or the "ipv6 mtu" command is used as mtu, regardless of whether the mtu of the interface is specified. If none of the settings is specified, including the mtu of the interface, the default value of 1500 is used.

  • Auto crossover function
    This function automatically detects whether the LAN cable is a straight cable or a crossover cable and makes the connection accordingly. Enabling this function frees you from worrying about the cable type.
  • MAC address aging function
    This function can be used on LAN interfaces with a switching hub.
    This function clears, at a given interval, the MAC address table entries that the switching hub stores. When this function is turned off, the MAC addresses stored by the switching hub are not cleared automatically. Moreover, the entries are not cleared even if the "clear switching-hub macaddress" command is executed. The entries are cleared only when this function is turned back on.
    You can specify the number of seconds for the setting. However, there may be some margin of error between the command setting and the actual time until deletion.
    Model            Selectable Range
    RTX5000          1 to 3825
    RTX810, FWX120   1 to 3551

    On models that support specifying the value in seconds, setting it to on is converted to the initial value of 300.
    The size of the MAC address table is indicated below.

    Model            Maximum Number of Entries
    RTX5000          8192
    RTX810, FWX120   1024
  • LAN division function
    This function can be used on LAN interfaces with a switching hub.
    There are two LAN division functions: Normal and enhanced.
    In the normal LAN division function, each of the ports on the switching hub operates as a separate LAN interface. Separate IP addresses can be assigned to each interface, and routing among the interfaces is also possible. For example, the FWX120 normally has two LAN interfaces, but using the LAN division function allows five LAN interfaces to be used.
    In the enhanced LAN division function, you can arrange the ports on the switching hub freely to make a single LAN interface (VLAN interface). Ports that belong to the same VLAN interface operate as switches.
    The interface names that are used in LAN division are different between the normal and enhanced functions.
    The name of the LAN interfaces created using the normal function is expressed as the original LAN interface name with a period and the port number.
    For example, lan1 is a LAN interface with a four-port switching hub, so the following LAN interfaces can be used:
    Port Number   Interface Name
    1             lan1.1
    2             lan1.2
    3             lan1.3
    4             lan1.4

With the enhanced function, you can name the VLAN interfaces vlan1, vlan2, vlan3, and so on. Unlike the interfaces created with the normal function, the VLAN interfaces created with the enhanced function are not associated with specific ports. You can change the division method freely by using the "vlan port mapping" command to specify which VLAN interface each port on the switching hub belongs to.
The number of VLAN interfaces that can be used simultaneously varies by model, as indicated in the table below:

Model            Configurable VLAN Interfaces
RTX5000          vlan1 - vlan4 (LAN1), vlan5 - vlan8 (LAN2)
RTX810, FWX120   vlan1 - vlan4

When you enable the LAN division function, the settings that apply to the lan1 interface are inherited to lan1.1 (normal function) or vlan1 (enhanced function).
The LAN interfaces' MAC addresses used in LAN division are the same as the original LAN interfaces' MAC addresses. Therefore, the MAC addresses for lan1.1-lan1.4 and vlan1-vlan4 in the above example are all the same as lan1.

  • Port division function
    Normally, each port of a switching hub can communicate with other ports without any limitation. Using the port division function, you can restrict communication between ports.
    There are two port division functions: Normal and enhanced. With the normal function, communication through the router is possible while restricting communication between ports. With the enhanced function, you can restrict communication from the specified port through the router.
    With the normal function, you can divide the ports into groups, and allow communication within the group and with the router, while restricting communication with ports belonging to other groups.
    In contrast to the LAN division function, the port division function does not cause the number of LAN interfaces to change. The divided ports are all considered to be part of the same LAN interface, and they share the same IP address.
    To specify the port division pattern, insert colons between the port numbers that you want to divide. Examples are given below:
  • If the number of ports on the switching hub is 4:
    split_pattern   Port (1 2 3 4)          Description
    1:234           <--> <-------->         Port 1 and other ports
    1:2:34          <--> <--> <------>      Port 1, 2, and other ports
    1:2:3:4         <--> <--> <--> <-->     Divide all ports
  • If the switching hub has eight ports:
    The group description on the end may be abbreviated. The abbreviations are shown in parentheses in the table below.
    split_pattern                     Port (1 2 3 4 5 6 7 8)                    Description
    123:45678 (123)                   <--------> <------------>                 Ports 1 - 3 and others
    1:234:5678 (1:234)                <--> <--------> <---------->              Port 1 and ports 2 to 4, and others
    12:34:56:78 (12:34:56)            <------> <------> <------> <------>       Ports 1 and 2, ports 3 and 4, ports 5 and 6, and others
    1:2:3:4:5:6:7:8 (1:2:3:4:5:6:7)   <--> <--> <--> <--> <--> <--> <--> <-->   Isolate all ports
    Even if you enter an abbreviated command, it will not be abbreviated in the show config output.

On the same LAN interface, communication between the network of the primary address and the network of the secondary address passes through the router, so communication with other groups is possible.

In the enhanced function, by specifying the port to which you want the packets received at each port to be transferred, you can restrict communication between specific ports or with and through the router itself. Specifically, it is set up as follows:

lan type lan1 port-based-option=X1,X2,X3,X4 

In Xn (n = 1..4), list the port numbers to which you want to transfer the packets received at port n, and append a "+" to the end to allow communication with and through the router, or "-" to disallow it. Note, "+" can be omitted.

If you specify "-", the packets received at that port will not be routed. Moreover, any device connected to that port will not be able to communicate with the router.

For example, in the following setup, the packets received at ports 1 - 3 are transferred to port 4 and the router; and although the packets received at port 4 are transferred to ports 1 - 3, they will not be transferred to the router. That is, the ports are divided into three groups: ports 1 and 4, ports 2 and 4, and ports 3 and 4. Ports 1 - 3 cannot communicate with each other, but only with port 4. Moreover, although ports 1 - 3 can communicate with the router, port 4 cannot communicate with the router, and the packets received at port 4 are also not routed.

lan type lan1 port-based-option=4,4,4,123- 
  • Speed-downshift function
    When set to "on", this function tries to establish a link at a reduced speed, when a cable that does not support 1000BASE-T is connected.
[Note]

After the execution of this command, the setting takes effect after the LAN interface is automatically reset.

[Example]
  • On a LAN interface with a switching hub, connect ports 1 and 2 at full duplex 100BASE-TX, and other ports using auto negotiation.
    # lan type lan1 100-fdx 1 2 
    
  • On a LAN interface with a switching hub, connect port 1 at full duplex 100BASE-TX, and other ports using auto negotiation, and use the LAN division function.
    # lan type lan1 100-fdx 1 port-based-option=divide-network 
  • On a LAN interface with a switching hub, connect all ports using auto negotiation. Divide ports using the port division function.
    • Dividing ports 1, 2, 3, and 4 on a four-port switching hub
      # lan type lan1 port-based-option=split-into-12:3:4
      
  • (For RTX5000) On LAN1, jumbo frames (9000 bytes) can be used.
    # lan type lan1 auto mtu=9000 
    
[Applicable Models]
RTX5000 RTX810 FWX120
