Contents
display user-isolation statistics
reset user-isolation statistics
user-isolation enable
user-isolation permit-broadcast
user-isolation vlan enable
user-isolation vlan permit-bmc acl
user-isolation vlan permit-mac
User isolation commands
display user-isolation statistics
Use display user-isolation statistics to display user isolation statistics for a VLAN or for all VLANs.
Syntax
display user-isolation statistics [ vlan vlan-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays user isolation statistics for all VLANs.
Examples
# Display user isolation statistics for all VLANs.
<Sysname> display user-isolation statistics
Number of VLANs enabled with user isolation: 2
Number of VLANs disabled with user isolation: 1
VLAN  State     Drops  Permit-Unicast  Permitted MAC list
4     Enabled   0      Y               N/A
6     Disabled  0      N               0023-89a2-3d4d
                                       0033-89a2-3d4a
5     Enabled   0      Y               N/A
Table 1 Command output
Field | Description |
---|---|
VLAN | VLAN ID. |
State | |
Permit-Unicast | Whether unicast packets are permitted among users in the VLAN: · Y—Yes. Only broadcast and multicast packets are isolated. · N—No. Unicast, broadcast, and multicast packets are all isolated. |
Related commands
user-isolation vlan enable
user-isolation vlan permit-mac
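The following is an added example, not part of the vendor documentation: a Python parser for the display user-isolation statistics output that joins wrapped Permitted MAC list lines to their VLAN row and lists VLANs worth reviewing. The function names are hypothetical, the sample is the page's example output with reconstructed column spacing, and the State column is assumed to be the VLAN's user isolation state.

```python
import re

MAC_RE = re.compile(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}")

# The page's example output; the column spacing is reconstructed for this example.
SAMPLE = """\
Number of VLANs enabled with user isolation: 2
Number of VLANs disabled with user isolation: 1
VLAN  State     Drops  Permit-Unicast  Permitted MAC list
4     Enabled   0      Y               N/A
6     Disabled  0      N               0023-89a2-3d4d
                                       0033-89a2-3d4a
5     Enabled   0      Y               N/A
"""

def parse_stats(text):
    """Return one dict per VLAN row; a line holding only MACs continues the row above."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0].isdigit() and tok[1] in ("Enabled", "Disabled"):
            rows.append({
                "vlan": int(tok[0]),
                "enabled": tok[1] == "Enabled",
                "drops": int(tok[2]),
                "permit_unicast": tok[3] == "Y",
                "macs": [t.lower() for t in tok[4:] if MAC_RE.fullmatch(t)],
            })
        elif rows and tok and all(MAC_RE.fullmatch(t) for t in tok):
            rows[-1]["macs"] += [t.lower() for t in tok]
    return rows

def audit(rows):
    """List (vlan, issue) pairs to review. Assumes State is the isolation state."""
    findings = []
    for r in rows:
        if not r["enabled"]:
            findings.append((r["vlan"], "user isolation disabled"))
            continue
        if r["permit_unicast"]:
            findings.append((r["vlan"], "unicast permitted among users"))
        if not r["macs"]:
            findings.append((r["vlan"], "no permitted MAC address listed"))
    return findings

if __name__ == "__main__":
    for vlan, issue in audit(parse_stats(SAMPLE)):
        print(f"VLAN {vlan}: {issue}")
```

An enabled VLAN with no permitted MAC address is listed because the usage guidelines for user-isolation vlan enable call for the gateway MAC address to be in the permitted list.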
reset user-isolation statistics
Use reset user-isolation statistics to clear user isolation statistics for a VLAN or for all VLANs.
Syntax
reset user-isolation statistics [ vlan vlan-id ]
Views
User view
Predefined user roles
network-admin
Parameters
vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command clears user isolation statistics for all VLANs.
Examples
# Clear user isolation statistics for VLAN 1.
<Sysname> reset user-isolation statistics vlan 1
Related commands
user-isolation vlan enable
user-isolation vlan permit-mac
user-isolation enable
Use user-isolation enable to enable SSID-based user isolation.
Use undo user-isolation enable to disable SSID-based user isolation.
Syntax
user-isolation enable
undo user-isolation enable
Default
SSID-based user isolation is disabled.
Views
Service template view
Predefined user roles
network-admin
Examples
# Enable SSID-based user isolation.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] user-isolation enable
user-isolation permit-broadcast
Use user-isolation permit-broadcast to permit broadcast and multicast traffic sent from wired users to wireless users.
Use undo user-isolation permit-broadcast to restore the default.
Syntax
user-isolation permit-broadcast
undo user-isolation permit-broadcast
Default
The device does not forward broadcast or multicast traffic sent from wired users to wireless users in the VLANs where user isolation is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Isolate broadcast and multicast packets of wired users from wireless users only when the wired and wireless users belong to the same VLAN.
Examples
# Permit broadcast and multicast traffic sent from wired users to wireless users.
<Sysname> system-view
[Sysname] user-isolation permit-broadcast
Related commands
user-isolation vlan enable
user-isolation vlan enable
Use user-isolation vlan enable to enable user isolation for a list of VLANs.
Use undo user-isolation vlan enable to disable user isolation for a list of VLANs.
Syntax
user-isolation vlan vlan-list enable [ permit-unicast ]
undo user-isolation vlan vlan-list enable
Default
User isolation is disabled for a VLAN.
Views
System view
Predefined user roles
network-admin
Parameters
vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.
permit-unicast: Permits unicast packets among users. If you do not specify this keyword, unicast packets are isolated among users together with broadcast and multicast packets.
Usage guidelines
To prevent users from losing connectivity to the external network, add the MAC address of the gateway to the permitted MAC address list. To add a permitted MAC address, use the user-isolation vlan permit-mac command.
If you execute the user-isolation vlan enable command multiple times, the device accumulates the specified VLANs. If you execute the user-isolation vlan enable command multiple times for a VLAN, the most recent configuration takes effect.
Examples
# Enable user isolation for VLAN 1.
<Sysname> system-view
[Sysname] user-isolation vlan 1 enable
user-isolation vlan permit-bmc acl
Use user-isolation vlan permit-bmc acl to permit wireless users in the specified VLANs to receive broadcast and multicast traffic.
Use undo user-isolation vlan permit-bmc acl to prevent wireless users in the specified VLANs from receiving broadcast and multicast traffic.
Syntax
user-isolation vlan vlan-list permit-bmc acl [ ipv6 ] acl-number
undo user-isolation vlan vlan-list permit-bmc acl [ ipv6 ]
Default
Wireless users in a VLAN cannot receive broadcast or multicast traffic when user isolation is enabled.
Views
System view
Predefined user roles
network-admin
Parameters
vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than or equal to the value for the vlan-id1 argument.
ipv6: Specifies an IPv6 ACL. If you do not specify this keyword, the command specifies an IPv4 ACL.
acl-number: Specifies an ACL number in the range of 3000 to 3999.
Usage guidelines
Use this command for a VLAN if the VLAN contains both wired and wireless users and the wireless users are required to receive broadcast and multicast traffic. For example, the wireless users are required to receive Bonjour packets.
You can specify only one IPv4 ACL and one IPv6 ACL. If you execute this command multiple times for the same type of ACL, the most recent configuration takes effect.
Examples
# Permit wireless users in VLAN 1 to receive broadcast and multicast traffic that matches ACL 3002.
<Sysname> system-view
[Sysname] user-isolation vlan 1 permit-bmc acl 3002
user-isolation vlan permit-mac
Use user-isolation vlan permit-mac to configure the permitted MAC address list for a list of VLANs.
Use undo user-isolation vlan permit-mac to remove a list of permitted MAC addresses for VLANs.
Syntax
user-isolation vlan vlan-list permit-mac mac-list
undo user-isolation vlan vlan-list permit-mac { mac-list | all }
Default
No permitted MAC address list is specified for a VLAN.
Views
System view
Predefined user roles
network-admin
Parameters
vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.
mac-list: Specifies a space-separated list of up to 16 MAC addresses. Each MAC address is in the form of H-H-H. The MAC addresses cannot be broadcast or multicast MAC addresses.
all: Specifies all permitted MAC addresses.
Usage guidelines
Packets from users of the permitted MAC addresses are not isolated in their corresponding VLANs.
If you execute the user-isolation vlan permit-mac command multiple times, the device accumulates the specified permitted MAC addresses. The number of permitted MAC addresses cannot exceed 64 for a VLAN.
Examples
# Specify permitted MAC addresses 00bb-ccdd-eeff and 0022-3344-5566 for VLAN 1.
<Sysname> system-view
[Sysname] user-isolation vlan 1 permit-mac 00bb-ccdd-eeff 0022-3344-5566
Related commands
display user-isolation statistics
user-isolation vlan enable
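The following is an added example, not part of the vendor documentation: a Python pre-check for user-isolation vlan permit-mac arguments that enforces the limits stated above (up to 10 VLAN items, VLAN IDs 1 to 4094, vlan-id2 greater than vlan-id1, up to 16 MAC addresses per command, no broadcast or multicast MAC addresses, at most 64 permitted MAC addresses per VLAN). The function names and the current mapping are hypothetical, and each H in H-H-H is assumed to be exactly four hexadecimal digits, as in the page's examples.

```python
import re

# Assumption: each H group is exactly four hex digits, as in the page's examples.
MAC_RE = re.compile(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}")

def expand_vlan_list(vlan_list):
    """Expand 'vlan-id' and 'vlan-id1 to vlan-id2' items into a set of VLAN IDs."""
    tok, items, i = vlan_list.split(), [], 0
    while i < len(tok):
        if i + 2 < len(tok) and tok[i + 1] == "to":
            lo, hi = int(tok[i]), int(tok[i + 2])
            if hi <= lo:  # this command requires vlan-id2 > vlan-id1
                raise ValueError(f"bad range {lo} to {hi}")
            i += 3
        else:
            lo = hi = int(tok[i])  # a stray 'to' fails here with ValueError
            i += 1
        if not (1 <= lo and hi <= 4094):
            raise ValueError(f"VLAN ID outside 1 to 4094: {lo}..{hi}")
        items.append(range(lo, hi + 1))
    if not 1 <= len(items) <= 10:
        raise ValueError("vlan-list takes 1 to 10 items")
    return {v for r in items for v in r}

def check_mac(mac):
    """Return the MAC in lower case, rejecting bad format and group addresses."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not in H-H-H form: {mac}")
    if int(mac[:2], 16) & 1:  # I/G bit set: multicast, including ffff-ffff-ffff
        raise ValueError(f"broadcast or multicast MAC: {mac}")
    return mac.lower()

def build_permit_mac(vlan_list, mac_list, current=None):
    """Validate arguments and return the CLI line; current maps VLAN ID to MACs
    already permitted there (lower case, e.g. parsed from the display output)."""
    macs = [check_mac(m) for m in mac_list.split()]
    if not 1 <= len(macs) <= 16:
        raise ValueError("mac-list takes 1 to 16 addresses")
    for vlan in expand_vlan_list(vlan_list):
        if len(set((current or {}).get(vlan, ())) | set(macs)) > 64:
            raise ValueError(f"VLAN {vlan} would exceed 64 permitted MACs")
    return f"user-isolation vlan {vlan_list} permit-mac {' '.join(macs)}"
```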