Without vlan-based user isolation, With vlan-based user isolation, Configuring vlan-based user isolation – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

28

User isolation both provides network services for users and isolates users, disabling them from

communication at Layer-2 and thus ensuring service security.

Without VLAN-based user isolation

As shown in

Figure 12

, when VLAN-based user isolation is disabled on the AC, wireless clients A and B,

and wired PC Host A in VLAN 2 can access each other directly, and can also access the Internet.

Figure 12 VLAN-based user isolation network diagram

With VLAN-based user isolation

When VLAN-based user isolation is enabled on the AC, Client A, Client B, and Host A in VLAN 2 access

the Internet through the gateway.

•

If you add only the MAC address of the gateway to the permitted MAC address list, Client A, Client
B, and Host A in the same VLAN are isolated at Layer-2.

•

If you add only the MAC address of a client (Client A, for example) to the permitted MAC address

list, Client A and Client B can access each other directly, but Client B and Host A cannot.

•

To enable all the clients in the VLAN to access one another at Layer-2, you must add the MAC
address of the gateway and the MAC addresses of the clients to the permitted MAC address list.

Configuring VLAN-based user isolation

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enable user isolation for the
specified VLANs.

user-isolation vlan vlan-list enable

By default, user isolation is
disabled.