Without VLAN-based user isolation, With VLAN-based user isolation, Configuring VLAN-based user isolation – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
User isolation provides network services to users while preventing them from communicating with one another at Layer 2, thus ensuring service security.
Without VLAN-based user isolation
As shown in Figure 12, when VLAN-based user isolation is disabled on the AC, wireless clients A and B and wired PC Host A in VLAN 2 can access each other directly and can also access the Internet.
Figure 12 VLAN-based user isolation network diagram
With VLAN-based user isolation
When VLAN-based user isolation is enabled on the AC, Client A, Client B, and Host A in VLAN 2 access
the Internet through the gateway.
• If you add only the MAC address of the gateway to the permitted MAC address list, Client A, Client B, and Host A in the same VLAN are isolated at Layer 2.
• If you add only the MAC address of a client (Client A, for example) to the permitted MAC address list, Client A and Client B can access each other directly, but Client B and Host A cannot.
• To enable all the clients in the VLAN to access one another at Layer 2, you must add the MAC address of the gateway and the MAC addresses of the clients to the permitted MAC address list.
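The three cases above can be checked against a planned permitted MAC address list before it is configured on the AC. The following is an added example, not part of the H3C manual: it assumes a frame is forwarded when its source or destination MAC address is on the permitted list (a rule inferred from the cases above), and the host MAC addresses are constructed placeholders.

```python
from itertools import combinations

# Constructed sample hosts in VLAN 2; MAC addresses are placeholders.
HOSTS = {
    "Gateway": "0000-5e00-5301",
    "Client A": "0000-5e00-530a",
    "Client B": "0000-5e00-530b",
    "Host A": "0000-5e00-530c",
}

def normalize(mac):
    """Reduce a MAC to 12 hex digits so H-H-H and xx:xx:... forms compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def can_talk(a, b, permitted, isolation_enabled=True):
    """True if hosts a and b can exchange frames directly at Layer 2."""
    if not isolation_enabled:
        return True  # isolation disabled: everyone in the VLAN is reachable
    allowed = {normalize(m) for m in permitted}
    # Assumed rule: forward when either endpoint is on the permitted list.
    return normalize(HOSTS[a]) in allowed or normalize(HOSTS[b]) in allowed

def isolated_pairs(permitted, isolation_enabled=True):
    """Sorted list of host pairs that cannot reach each other directly."""
    return sorted(
        pair for pair in combinations(HOSTS, 2)
        if not can_talk(*pair, permitted, isolation_enabled)
    )

if __name__ == "__main__":
    plans = {
        "gateway only": [HOSTS["Gateway"]],
        "Client A only": ["00:00:5e:00:53:0a"],
        "gateway and clients": [HOSTS["Gateway"], HOSTS["Client A"], HOSTS["Client B"]],
    }
    for label, permitted in plans.items():
        print(f"{label}: isolated = {isolated_pairs(permitted) or 'none'}")
```

A permit list that leaves the gateway out shows up here as client-to-gateway pairs in the isolated set, which is worth confirming on the device before rollout.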
Configuring VLAN-based user isolation
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable user isolation for the specified VLANs. | user-isolation vlan vlan-list enable | By default, user isolation is disabled. |