11-WLAN Traffic Optimization Command Reference


User isolation commands

display user-isolation statistics

Use display user-isolation statistics to display user isolation statistics for a VLAN or for all VLANs.

Syntax

display user-isolation statistics [ vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command displays user isolation statistics for all VLANs.

Examples

# Display user isolation statistics for all VLANs.

<Sysname> display user-isolation statistics

Number of VLANs enabled with user isolation: 2

Number of VLANs disabled with user isolation: 1

VLAN    Status    Drops        Permit-Unicast    Permitted MACs    Permit IPv4|IPv6 Acl
4       Enabled   0            Y                 N/A               3001|3002
6       Disabled  0            N                 0023-89a2-3d4d    3001|3002
5       Enabled   0            Y                 N/A               N/A|N/A

Table 1 Command output

Field: Description

VLAN: VLAN ID.

State: Status of user isolation for the VLAN:

·     Enabled.

·     Disabled.

Drops: Number of dropped packets in the VLAN.

Permit-Unicast: Whether unicast packets are permitted among users in the VLAN:

·     Y—Yes. Only broadcast and multicast packets are isolated.

·     N—No. Unicast, broadcast, and multicast packets are all isolated.

Permitted MACs: Permitted MAC address list in the VLAN.

Permit IPv4|IPv6 Acl: Permitted IPv4 and IPv6 ACLs in the VLAN.

Related commands

user-isolation vlan enable

user-isolation vlan permit-mac
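
An added example (not part of the H3C reference): a Python parser that reads the display user-isolation statistics output shown above and flags, per VLAN, the states that Table 1 describes. It assumes each row carries a single whitespace-free value in the Permitted MACs column, as in the sample; the function names and finding labels are chosen here.

```python
import re

# Output copied from the example above, with the wrapped header line rejoined.
SAMPLE = """\
Number of VLANs enabled with user isolation: 2
Number of VLANs disabled with user isolation: 1

VLAN    Status    Drops        Permit-Unicast    Permitted MACs    Permit IPv4|IPv6 Acl
4       Enabled   0            Y                 N/A               3001|3002
6       Disabled  0            N                 0023-89a2-3d4d    3001|3002
5       Enabled   0            Y                 N/A               N/A|N/A
"""

ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<status>Enabled|Disabled)\s+(?P<drops>\d+)\s+"
    r"(?P<unicast>[YN])\s+(?P<macs>\S+)\s+(?P<acl4>\S+)\|(?P<acl6>\S+)\s*$"
)

def parse_statistics(text):
    """Return one dict per VLAN row; header and summary lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def summary_mismatch(text, rows):
    """True if the 'Number of VLANs enabled' line disagrees with the rows."""
    m = re.search(r"enabled with user isolation:\s*(\d+)", text)
    enabled = sum(r["status"] == "Enabled" for r in rows)
    return m is not None and int(m.group(1)) != enabled

def audit(rows):
    """Return (vlan, finding) pairs using the field meanings in Table 1."""
    findings = []
    for r in rows:
        vlan = int(r["vlan"])
        if r["status"] == "Disabled":
            findings.append((vlan, "isolation-disabled"))
            continue
        if r["unicast"] == "Y":   # only broadcast/multicast are isolated
            findings.append((vlan, "unicast-permitted"))
        if r["macs"] == "N/A":    # no MAC (e.g. the gateway) is on the permitted list
            findings.append((vlan, "no-permitted-mac"))
        if (r["acl4"], r["acl6"]) != ("N/A", "N/A"):
            findings.append((vlan, "bmc-acl-exception"))
    return findings

if __name__ == "__main__":
    rows = parse_statistics(SAMPLE)
    for vlan, finding in audit(rows):
        print(f"VLAN {vlan}: {finding}")
```
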

reset user-isolation statistics

Use reset user-isolation statistics to clear user isolation statistics for a VLAN or for all VLANs.

Syntax

reset user-isolation statistics [ vlan vlan-id ]

Views

User view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094. If you do not specify a VLAN, this command clears user isolation statistics for all VLANs.

Examples

# Clear user isolation statistics for VLAN 1.

<Sysname> reset user-isolation statistics vlan 1

Related commands

user-isolation vlan enable

user-isolation vlan permit-mac

user-isolation enable

Use user-isolation enable to enable SSID-based user isolation.

Use undo user-isolation enable to disable SSID-based user isolation.

Syntax

user-isolation enable

undo user-isolation enable

Default

SSID-based user isolation is disabled.

Views

Service template view

Predefined user roles

network-admin

Examples

# Enable SSID-based user isolation.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] user-isolation enable

user-isolation permit-broadcast

Use user-isolation permit-broadcast to permit broadcast and multicast traffic sent from wired users to wireless users.

Use undo user-isolation permit-broadcast to restore the default.

Syntax

user-isolation permit-broadcast

undo user-isolation permit-broadcast

Default

The device does not forward broadcast or multicast traffic sent from wired users to wireless users in the VLANs where user isolation is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Isolate broadcast and multicast packets of wired users from wireless users only in the following situations:

·     The wired and wireless users belong to the same VLAN.

·     The AC that the users access is an IRF fabric.

Examples

# Permit broadcast and multicast traffic sent from wired users to wireless users.

<Sysname> system-view

[Sysname] user-isolation permit-broadcast

Related commands

user-isolation vlan enable

user-isolation vlan enable

Use user-isolation vlan enable to enable user isolation for a list of VLANs.

Use undo user-isolation vlan enable to disable user isolation for a list of VLANs.

Syntax

user-isolation vlan vlan-list enable [ permit-unicast ]

undo user-isolation vlan vlan-list enable

Default

User isolation is disabled for a VLAN.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.

permit-unicast: Permits unicast packets among users. If you do not specify this keyword, unicast packets are isolated among users together with broadcast and multicast packets.

Usage guidelines

To keep users connected to the external network, add the MAC address of the gateway to the permitted MAC address list. To add a permitted MAC address, use the user-isolation vlan permit-mac command.

If you execute the user-isolation vlan enable command multiple times, the device accumulates the specified VLANs. If you execute the user-isolation vlan enable command multiple times for a VLAN, the most recent configuration takes effect.

Examples

# Enable user isolation for VLAN 1.

<Sysname> system-view

[Sysname] user-isolation vlan 1 enable

user-isolation vlan permit-bmc acl

Use user-isolation vlan permit-bmc acl to permit wireless users in the specified VLANs to receive broadcast and multicast traffic.

Use undo user-isolation vlan permit-bmc acl to prevent wireless users in the specified VLANs from receiving broadcast and multicast traffic.

Syntax

user-isolation vlan vlan-list permit-bmc acl [ ipv6 ] acl-number

undo user-isolation vlan vlan-list permit-bmc acl [ ipv6 ]

Default

Wireless users in a VLAN cannot receive broadcast or multicast traffic when user isolation is enabled.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than or equal to the value for the vlan-id1 argument.

ipv6: Specifies an IPv6 ACL. If you do not specify this keyword, the command specifies an IPv4 ACL.

acl-number: Specifies an ACL number in the range of 3000 to 3999.

Usage guidelines

Use this command for a VLAN if the VLAN contains both wired and wireless users and the wireless users are required to receive broadcast and multicast traffic. For example, the wireless users are required to receive Bonjour packets.

You can specify only one IPv4 ACL and one IPv6 ACL. If you execute this command multiple times for the same type of ACL, the most recent configuration takes effect.

If you use this command only on the central AC in an AC hierarchical network, the command takes effect only on the central AC. The local ACs are not restricted by the command.

Examples

# Permit wireless users in VLAN 1 to receive broadcast and multicast traffic that matches ACL 3002.

<Sysname> system-view

[Sysname] user-isolation vlan 1 permit-bmc acl 3002

user-isolation vlan permit-mac

Use user-isolation vlan permit-mac to configure the permitted MAC address list for a list of VLANs.

Use undo user-isolation vlan permit-mac to remove a list of permitted MAC addresses for VLANs.

Syntax

user-isolation vlan vlan-list permit-mac mac-list

undo user-isolation vlan vlan-list permit-mac { mac-list | all }

Default

No permitted MAC address list is specified for a VLAN.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.

mac-list: Specifies a space-separated list of up to 16 MAC addresses. Each MAC address is in the form of H-H-H. The MAC addresses cannot be broadcast or multicast MAC addresses.

all: Specifies all permitted MAC addresses.

Usage guidelines

Packets from users of the permitted MAC addresses are not isolated in their corresponding VLANs.

If you execute the user-isolation vlan permit-mac command multiple times, the device accumulates the specified permitted MAC addresses. The number of permitted MAC addresses cannot exceed 64 for a VLAN.

Examples

# Specify permitted MAC addresses 00bb-ccdd-eeff and 0022-3344-5566 for VLAN 1.

<Sysname> system-view

[Sysname] user-isolation vlan 1 permit-mac 00bb-ccdd-eeff 0022-3344-5566

Related commands

display user-isolation statistics

user-isolation vlan enable
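
An added example (not H3C code): a Python pre-check that applies the vlan-list and mac-list rules stated above before a user-isolation vlan permit-mac command is sent to a device. The function names, the existing argument (a map of VLAN ID to MACs already permitted), and the acceptance of H groups with leading zeros omitted are assumptions.

```python
import re

MAX_VLAN_ITEMS, MAX_MACS_PER_CMD, MAX_MACS_PER_VLAN = 10, 16, 64
# Assumption: each H group is 1-4 hex digits (leading zeros may be omitted).
GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")

def parse_vlan_list(text):
    """Expand 'id' and 'id1 to id2' items into a sorted list of VLAN IDs."""
    tokens, vlans, items, i = text.split(), set(), 0, 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            lo, hi, i = int(tokens[i]), int(tokens[i + 2]), i + 3
            if hi <= lo:  # permit-mac requires vlan-id2 > vlan-id1
                raise ValueError(f"bad range {lo} to {hi}")
        else:
            lo = hi = int(tokens[i])
            i += 1
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"VLAN ID out of range 1-4094: {lo}-{hi}")
        vlans.update(range(lo, hi + 1))
        items += 1
    if not 1 <= items <= MAX_VLAN_ITEMS:
        raise ValueError("vlan-list must hold 1 to 10 items")
    return sorted(vlans)

def normalize_mac(mac):
    """Validate H-H-H form and reject broadcast/multicast addresses."""
    groups = mac.split("-")
    if len(groups) != 3 or not all(GROUP.match(g) for g in groups):
        raise ValueError(f"not in H-H-H form: {mac}")
    value = "".join(g.zfill(4) for g in groups).lower()
    if int(value[:2], 16) & 1:  # group bit set: multicast or broadcast
        raise ValueError(f"broadcast or multicast MAC not allowed: {mac}")
    return "-".join(value[i:i + 4] for i in (0, 4, 8))

def build_permit_mac(vlan_list, macs, existing=None):
    """Return the command line, or raise ValueError if a limit is broken."""
    existing = existing or {}
    new = {normalize_mac(m) for m in macs}
    if not 1 <= len(macs) <= MAX_MACS_PER_CMD:
        raise ValueError("mac-list must hold 1 to 16 addresses")
    for vlan in parse_vlan_list(vlan_list):
        if len(set(existing.get(vlan, ())) | new) > MAX_MACS_PER_VLAN:
            raise ValueError(f"VLAN {vlan} would exceed 64 permitted MACs")
    vlan_text = " ".join(vlan_list.split())
    return f"user-isolation vlan {vlan_text} permit-mac {' '.join(sorted(new))}"
```
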
