
Configuring user isolation, User isolation overview, Before user isolation is enabled – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Configuring user isolation

User isolation overview

Without user isolation, all the devices in the same VLAN can access each other directly. This causes security problems. User isolation can solve this problem.

When an AC configured with user isolation receives unicast, broadcast, or multicast packets from a wireless client to another wireless client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

When an AC configured with user isolation receives unicast packets (broadcast and multicast packets in a VLAN are not isolated) from a wireless client to a wired client or from a wired client to another wired client in the same VLAN, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses.

When an AC configured with user isolation receives unicast packets from a wired client to a wireless client, the AC determines whether to isolate the two devices according to the configured list of permitted MAC addresses. Whether broadcast or multicast packets are isolated depends on the configuration of the user-isolation permit broadcast command (see "Configuring stateful failover").

To prevent user isolation from affecting communication between users and the gateway, you can add the MAC address of the gateway to the list of permitted MAC addresses.

User isolation both provides network services for users and isolates users from one another, preventing them from communicating at Layer 2 and thus ensuring service security.
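The decision rules in this overview can be modelled as a small function. This is an added example, not H3C code: the Frame type, the function names, the sample MAC addresses, and the boolean that stands in for the user-isolation permit broadcast setting are hypothetical. It also assumes that a checked frame passes only when its source or destination MAC address is on the permitted list, which the overview does not spell out.

```python
from dataclasses import dataclass

WIRELESS, WIRED = "wireless", "wired"
UNICAST, BROADCAST, MULTICAST = "unicast", "broadcast", "multicast"

# Constructed sample addresses (not taken from the manual).
GATEWAY = "00:00:5e:00:53:01"
CLIENT_A = "00:00:5e:00:53:0a"
CLIENT_B = "00:00:5e:00:53:0b"
HOST = "00:00:5e:00:53:10"
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_side: str  # WIRELESS or WIRED
    dst_side: str  # WIRELESS or WIRED
    kind: str      # UNICAST, BROADCAST or MULTICAST


def subject_to_isolation(f, isolate_wired_to_wireless_flood):
    """True when the overview says the AC consults the permitted-MAC list."""
    if f.src_side == WIRELESS and f.dst_side == WIRELESS:
        return True  # unicast, broadcast and multicast are all checked
    if f.src_side == WIRED and f.dst_side == WIRELESS:
        # Unicast is always checked. Broadcast/multicast depends on the
        # "user-isolation permit broadcast" setting, modelled here as a
        # plain boolean (assumption: True means such frames are isolated).
        return f.kind == UNICAST or isolate_wired_to_wireless_flood
    # wireless -> wired and wired -> wired: only unicast is checked
    return f.kind == UNICAST


def forwarded(f, permitted_macs, isolation_enabled=True,
              isolate_wired_to_wireless_flood=False):
    """Return True if the modelled AC forwards the frame within the VLAN."""
    if not isolation_enabled:
        return True
    if not subject_to_isolation(f, isolate_wired_to_wireless_flood):
        return True
    # Assumption: a checked frame passes only if one endpoint is permitted.
    return f.src_mac in permitted_macs or f.dst_mac in permitted_macs
```

With only the gateway on the permitted list, client-to-gateway unicast still passes while client-to-client and client-to-host unicast is dropped, which is the reason the overview recommends permitting the gateway MAC address.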

Before user isolation is enabled

As shown in Figure 396, before user isolation is enabled in VLAN 2 on the AC, the wireless terminals (the client and the server) and the wired terminal (the host) in the VLAN can communicate with each other and access the Internet.