10-WLAN Traffic Optimization

H3C FAT AP Command References(R5436)-6W101

User isolation commands

display user-isolation statistics

Use display user-isolation statistics to display user isolation statistics for a VLAN or for all VLANs.

Syntax

display user-isolation statistics [ vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays user isolation statistics for all VLANs.

Examples

# Display user isolation statistics for all VLANs.

<Sysname> display user-isolation statistics
Number of VLANs enabled with user isolation: 2
Number of VLANs disabled with user isolation: 1

VLAN      State        Drops           Permit-Unicast        Permitted MAC list
4         Enabled      0               Y                     N/A
6         Disabled     0               N                     0023-89a2-3d4d
                                                             0033-89a2-3d4a
5         Enabled      0               Y                     N/A

Table 1 Command output

Field                 Description
VLAN                  VLAN ID.
State                 Status of user isolation for the VLAN:
                      ·     Enabled.
                      ·     Disabled.
Drops                 Number of dropped packets in the VLAN.
Permit-Unicast        Whether unicast packets are permitted among users in the VLAN:
                      ·     Y—Yes. Only broadcast and multicast packets are isolated.
                      ·     N—No. Unicast, broadcast, and multicast packets are all isolated.
Permitted MAC list    Permitted MAC address list in the VLAN.

Related commands

user-isolation vlan enable

user-isolation vlan permit-mac
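The fields in Table 1 are enough to audit isolation posture from a saved copy of this command's output. The following is an added example, not H3C code: it parses the table (including continuation lines of the permitted MAC list) and flags VLANs a reviewer would question. The function names, the finding texts and the gateways parameter are assumptions of this example.

```python
import re

# Constructed sample: the table from the command output shown above.
SAMPLE = """\
VLAN      State        Drops           Permit-Unicast        Permitted MAC list
4         Enabled      0               Y                     N/A
6         Disabled     0               N                     0023-89a2-3d4d
                                                             0033-89a2-3d4a
5         Enabled      0               Y                     N/A
"""

MAC = re.compile(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}")


def parse_statistics(text):
    """Return one dict per VLAN row; continuation lines extend the MAC list."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 1 and MAC.fullmatch(fields[0]) and rows:
            rows[-1]["macs"].append(fields[0].lower())
        elif len(fields) >= 5 and fields[0].isdigit():
            vlan, state, drops, unicast = fields[:4]
            rows.append({"vlan": int(vlan), "enabled": state == "Enabled",
                         "drops": int(drops), "permit_unicast": unicast == "Y",
                         "macs": [m.lower() for m in fields[4:] if MAC.fullmatch(m)]})
    return rows


def audit(rows, gateways=()):
    """Flag questionable rows. gateways: MACs expected on the permitted list."""
    findings = []
    expected = {g.lower() for g in gateways}
    for r in rows:
        macs = set(r["macs"])
        if not r["enabled"]:
            findings.append((r["vlan"], "isolation disabled"))
        elif r["permit_unicast"]:
            findings.append((r["vlan"], "unicast between users is permitted"))
        if macs - expected:
            findings.append((r["vlan"], "unexpected permitted MACs: "
                             + ", ".join(sorted(macs - expected))))
        if r["enabled"] and expected and not macs & expected:
            findings.append((r["vlan"], "no gateway MAC permitted"))
    return findings
```
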

reset user-isolation statistics

Use reset user-isolation statistics to clear user isolation statistics for a VLAN or for all VLANs.

Syntax

reset user-isolation statistics [ vlan vlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command clears user isolation statistics for all VLANs.

Examples

# Clear user isolation statistics for VLAN 1.

<Sysname> reset user-isolation statistics vlan 1

Related commands

user-isolation vlan enable

user-isolation vlan permit-mac

user-isolation enable

Use user-isolation enable to enable SSID-based user isolation.

Use undo user-isolation enable to disable SSID-based user isolation.

Syntax

user-isolation enable

undo user-isolation enable

Default

SSID-based user isolation is disabled.

Views

Service template view

Predefined user roles

network-admin

Examples

# Enable SSID-based user isolation.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] user-isolation enable

user-isolation permit-broadcast

Use user-isolation permit-broadcast to permit broadcast and multicast traffic sent from wired users to wireless users.

Use undo user-isolation permit-broadcast to restore the default.

Syntax

user-isolation permit-broadcast

undo user-isolation permit-broadcast

Default

The device does not forward broadcast or multicast traffic sent from wired users to wireless users in the VLANs where user isolation is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Isolate broadcast and multicast packets of wired users from wireless users only when the wired and wireless users belong to the same VLAN.

Examples

# Permit broadcast and multicast traffic sent from wired users to wireless users.

<Sysname> system-view

[Sysname] user-isolation permit-broadcast

Related commands

user-isolation vlan enable

user-isolation vlan enable

Use user-isolation vlan enable to enable user isolation for a list of VLANs.

Use undo user-isolation vlan enable to disable user isolation for a list of VLANs.

Syntax

user-isolation vlan vlan-list enable [ permit-unicast ]

undo user-isolation vlan vlan-list enable

Default

User isolation is disabled for a VLAN.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.

permit-unicast: Permits unicast packets among users. If you do not specify this keyword, unicast packets are isolated among users together with broadcast and multicast packets.

Usage guidelines

To avoid losing connectivity to the external network, add the MAC address of the gateway to the permitted MAC address list. To add a permitted MAC address, use the user-isolation vlan permit-mac command.

If you execute the user-isolation vlan enable command multiple times, the device accumulates the specified VLANs. If you execute the user-isolation vlan enable command multiple times for a VLAN, the most recent configuration takes effect.

Examples

# Enable user isolation for VLAN 1.

<Sysname> system-view

[Sysname] user-isolation vlan 1 enable

user-isolation vlan permit-bmc acl

Use user-isolation vlan permit-bmc acl to permit wireless users in the specified VLANs to receive broadcast and multicast traffic.

Use undo user-isolation vlan permit-bmc acl to prevent wireless users in the specified VLANs from receiving broadcast and multicast traffic.

Syntax

user-isolation vlan vlan-list permit-bmc acl [ ipv6 ] acl-number

undo user-isolation vlan vlan-list permit-bmc acl [ ipv6 ]

Default

Wireless users in a VLAN cannot receive broadcast or multicast traffic when user isolation is enabled.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than or equal to the value for the vlan-id1 argument.

ipv6: Specifies an IPv6 ACL. If you do not specify this keyword, the command specifies an IPv4 ACL.

acl-number: Specifies an ACL number in the range of 3000 to 3999.

Usage guidelines

Use this command for a VLAN if the VLAN contains both wired and wireless users and the wireless users are required to receive broadcast and multicast traffic. For example, the wireless users are required to receive Bonjour packets.

You can specify only one IPv4 ACL and one IPv6 ACL. If you execute this command multiple times for the same type of ACL, the most recent configuration takes effect.

Examples

# Permit wireless users in VLAN 1 to receive broadcast and multicast traffic that matches ACL 3002.

<Sysname> system-view

[Sysname] user-isolation vlan 1 permit-bmc acl 3002

user-isolation vlan permit-mac

Use user-isolation vlan permit-mac to configure the permitted MAC address list for a list of VLANs.

Use undo user-isolation vlan permit-mac to remove a list of permitted MAC addresses for VLANs.

Syntax

user-isolation vlan vlan-list permit-mac mac-list

undo user-isolation vlan vlan-list permit-mac { mac-list | all }

Default

No permitted MAC address list is specified for a VLAN.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.

mac-list: Specifies a space-separated list of up to 16 MAC addresses. Each MAC address is in the form of H-H-H. The MAC addresses cannot be broadcast or multicast MAC addresses.

all: Specifies all permitted MAC addresses.

Usage guidelines

Packets from users of the permitted MAC addresses are not isolated in their corresponding VLANs.

If you execute the user-isolation vlan permit-mac command multiple times, the device accumulates the specified permitted MAC addresses. The number of permitted MAC addresses cannot exceed 64 for a VLAN.

Examples

# Specify permitted MAC addresses 00bb-ccdd-eeff and 0022-3344-5566 for VLAN 1.

<Sysname> system-view

[Sysname] user-isolation vlan 1 permit-mac 00bb-ccdd-eeff 0022-3344-5566

Related commands

display user-isolation statistics

user-isolation vlan enable
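Because every permitted MAC address is exempt from isolation, a change to the list is worth validating before it is sent to the device. The following is an added example, not H3C code: it checks the vlan-list and mac-list arguments of user-isolation vlan permit-mac against the limits documented above (up to 10 VLAN items, IDs 1 to 4094, up to 16 addresses per command, no broadcast or multicast addresses, at most 64 per VLAN after accumulation). The function names and the existing parameter are hypothetical, and accepting H groups with leading zeros omitted is an assumption.

```python
import re

MAX_VLAN_ITEMS, MAX_MACS_PER_CMD, MAX_MACS_PER_VLAN = 10, 16, 64
H = r"[0-9a-fA-F]{1,4}"  # assumption: leading zeros in each H group may be omitted


def expand_vlan_list(vlan_list):
    """Expand 'vlan-id1 to vlan-id2' items and enforce the documented limits."""
    tokens, items, vlans, i = vlan_list.split(), 0, set(), 0
    while i < len(tokens):
        lo = hi = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = int(tokens[i + 2])
            if hi <= lo:
                raise ValueError("vlan-id2 must be greater than vlan-id1")
            i += 2
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("VLAN ID out of range 1-4094")
        vlans.update(range(lo, hi + 1))
        items += 1
        i += 1
    if not 1 <= items <= MAX_VLAN_ITEMS:
        raise ValueError("vlan-list takes 1 to 10 items")
    return vlans


def normalize_mac(mac):
    """Return the address as four-digit lowercase groups, or raise ValueError."""
    m = re.fullmatch(f"({H})-({H})-({H})", mac)
    if not m:
        raise ValueError(f"{mac}: not in H-H-H form")
    norm = "-".join(g.lower().zfill(4) for g in m.groups())
    if int(norm[:2], 16) & 1:  # I/G bit set: multicast or broadcast address
        raise ValueError(f"{mac}: broadcast/multicast MAC not allowed")
    return norm


def check_permit_mac(vlan_list, mac_list, existing=None):
    """Return the per-VLAN permitted sets the command would leave behind.

    existing: hypothetical {vlan: set_of_macs} already configured on the device.
    """
    macs = {normalize_mac(m) for m in mac_list.split()}
    if not 1 <= len(mac_list.split()) <= MAX_MACS_PER_CMD:
        raise ValueError("mac-list takes 1 to 16 addresses")
    result = {}
    for vlan in expand_vlan_list(vlan_list):
        merged = set((existing or {}).get(vlan, ())) | macs  # entries accumulate
        if len(merged) > MAX_MACS_PER_VLAN:
            raise ValueError(f"VLAN {vlan}: more than 64 permitted MACs")
        result[vlan] = merged
    return result
```
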