44 user isolation, User isolation overview, Before user isolation is enabled – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 508: User isolation


44 User Isolation

The sample output in this manual was created on the WX5004. The output on your device may vary.

The grayed out functions or parameters on the Web interface indicate that they are not supported or cannot be modified.

The models listed in this manual are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

User Isolation Overview

Without user isolation, all the devices in the same VLAN can access each other directly, which creates security problems. User isolation solves this problem. When an AC configured with user isolation receives unicast packets (broadcast packets and multicast packets in a VLAN are not isolated) from a wireless client to another wireless client or a wired PC in the same VLAN, or from a wired PC to a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

To prevent user isolation from affecting communications between users and the gateway, you can add the MAC address of the gateway to the list of permitted MAC addresses.

User isolation provides network services for users while isolating them from each other, preventing them from communicating at Layer 2 and thus ensuring service security.
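
The forwarding decision described in this overview, modelled in Python as an added illustration; it is not taken from the H3C manual or firmware. It assumes a frame is forwarded when either its source or its destination MAC is on the permitted list and that the gateway is a wired device in the same VLAN; the MAC addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Station:
    name: str
    mac: str        # lowercase, colon-separated
    wireless: bool  # True: wireless client, False: wired device
    vlan: int

def is_group(mac):
    # Broadcast and multicast destinations have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

def forwards(src, dst_mac, stations, isolated_vlans, permitted):
    """Return True if the modelled AC forwards the frame, False if it isolates it."""
    dst_mac = dst_mac.lower()
    permitted = {m.lower() for m in permitted}
    if src.vlan not in isolated_vlans:
        return True   # user isolation is not enabled in this VLAN
    if is_group(dst_mac):
        return True   # broadcast and multicast packets are not isolated
    if src.mac in permitted or dst_mac in permitted:
        return True   # assumption: either end on the permitted list => forward
    dst = stations.get(dst_mac)
    if dst is None or dst.vlan != src.vlan:
        return True   # outside the same-VLAN cases the overview lists
    if not src.wireless and not dst.wireless:
        return True   # wired-to-wired is not among the listed cases
    return False      # wireless<->wireless or wireless<->wired unicast

# Constructed sample data: VLAN 2 with the terminals named in this chapter.
CLIENT_A = Station("Client A", "00:11:22:00:00:0a", True, 2)
CLIENT_B = Station("Client B", "00:11:22:00:00:0b", True, 2)
HOST_A = Station("Host A", "00:11:22:00:00:0c", False, 2)
GATEWAY = Station("Gateway", "00:11:22:00:00:01", False, 2)  # assumed wired, same VLAN
STATIONS = {s.mac: s for s in (CLIENT_A, CLIENT_B, HOST_A, GATEWAY)}

if __name__ == "__main__":
    for permitted in (set(), {GATEWAY.mac}):
        print("permitted list:", sorted(permitted) or "empty")
        for dst in (CLIENT_B.mac, HOST_A.mac, GATEWAY.mac, "ff:ff:ff:ff:ff:ff"):
            ok = forwards(CLIENT_A, dst, STATIONS, {2}, permitted)
            print(f"  Client A -> {dst}: {'forward' if ok else 'isolate'}")
```

With an empty permitted list the model isolates Client A from the gateway as well, which is the situation the gateway entry is meant to avoid.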

Before User Isolation Is Enabled

As shown in Figure 44-1, before user isolation is enabled in VLAN 2 on the AC, wireless terminals Client A and Client B and wired terminal Host A in the VLAN can communicate with each other and access the Internet.
