How to forbid intra-VLAN access


Intra-VLAN access can be forbidden on an AR router using intra-VLAN Layer 2 isolation technologies, for example, interface isolation, MUX VLAN, and MQC-based intra-VLAN Layer 2 isolation.

Other related questions:
How to forbid HTTP access on an interface of an AR router
Configure ACL rules on an interface of an AR router to forbid HTTP access.

How to configure an ACL time range on a WLAN device
If some services or functions need to be started at intervals or a specific period of time, run the time-range command on a WLAN device. When configuring ACL rules, you can use the name of a time range to reference this time range. You can associate a time range with ACL rules in either of the following ways: Mode 1 �?Periodic time range: defines a time range by week. The associated ACL rules take effect at an interval of one week. For example, if the time range of ACL rules is 8:00-12:00 on Monday, the ACL rules take effect at 8:00-12:00 on every Monday. Format: time-range time-name start-time to end-time { days } &<1-7> Mode 2 �?Absolute time range: defines a time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm. The associated ACL rules take effect only in this period. Format: time-range time-name from time1 date1 [ to time2 date2 ] Create time range working-time (8:00�?8:00 from Monday to Friday) and configure a rule in ACL work-acl. The rule rejects the packets from network segment within the period of the working time. [HUAWEI] time-range working-time 8:00 to 18:00 working-day [HUAWEI] acl name work-acl basic [HUAWEI-acl-basic-work-acl] rule deny source time-range working-time

What are precautions for configuring intra-VLAN proxy ARP and inter-VLAN proxy ARP
Compared with routed proxy ARP, intra-VLAN proxy ARP and inter-VLAN proxy ARP can determine whether VLAN information meets proxy requirement based on ARP entries matching source and destination IP addresses of packets. If no ARP entry matches the destination IP address of a packet, the switch broadcasts an ARP request in all sub-VLANs of the super-VLAN to learn the APR entry matching the destination IP addresses. When multiple switches on a network have proxy ARP enabled and a requested destination IP address does not exist, this ARP broadcast packet triggers the same proxy process on other switches. This cyclic proxy process will cause a broadcast storm.

How can I forbid dynamic endpoint registration on the SC?
In the SMC2.0 R3 version, dynamic registration on the SC can be forbidden as follows: Go to the SC page, select Require authentication in the defaultEPZone node area in Zone Management, and modify the configuration so that authentication is required.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top