The invention relates to a method for realizing network security isolation with a concentrator. At least two Ethernet ports are arranged in the concentrator, wherein a public network Ethernet port and a private network Ethernet port are configured with a physical chip and a routing chip independently. The method comprises the following steps: receiving data packets transmitted by the public network Ethernet port, and acquiring an IP (Internet Protocol) address and an MAC (Media Access Control) address of a data packet sender; judging whether the IP address is matched with the MAC address or not; if so, acquiring a virtual IP address of the concentrator, and transmitting the data packets to the virtual IP address; judging whether data in the data packets is data of a target format or not in the virtual IP address; if so, transmitting the data packets to an actual IP address of the concentrator; filtering the data packets in order to remove data packets of which the data frame formats do not conform to a target communication protocol format; and transmitting the filtered data packets to a private network through the private network Ethernet port. Through adoption of the method, security isolation between a public network and the private network can be realized. The invention also relates to a concentrator.