Controllerless Networks

MVP

Access rules for a wireless role - direction and order of operation

We're implementing access control in the iAP for the first time - formerly done in upstream firewall, but it's time to allow one SSID better access than another.

 

The process seems straightforward, but I'm confused about direction.

The 6.3.1.1-4.0 User Guide states: "You can create rules for either inbound traffic or outbound traffic."

 

I've got a bunch of rules which appear to work exactly like I wish from wireless client to specific destination hosts, but I can't figure out how to enter a rule allowing a specific host to access one of the wireless clients.

 

Three questions:

1. With regards to the iAP firewall, what is "inbound" and what is "outbound?"

2. It appears that the rules are tested sequentially and the first match is acted on, is that correct?

3. How do I allow a server in the wired network to access a client in the SSID/role covered by the ACL?

 

 

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Access rules for a wireless role - direction and order of operation

1) Unless I'm mistaken, the rule will apply to both inbound and outbound.

2) Correct, they are applied top-down.

3) If your rule allows access to that server, then it is both directions, AFAIK, though that is easily tested.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
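To make the three points above concrete, here is an added example that is not from this thread and not Aruba's code: a small Python model of a role access list that is walked top-down with first match winning, checked once statelessly and once with session tracking. The model assumes (these are assumptions made for illustration, not a description of how the iAP implements its firewall) that rules are written from the wireless user's point of view, so a permit toward a server matches the client's packets but not, on its own, the server's replies. The server addresses 10.21.10.5 and 10.22.25.167 are reused from the thread only as sample values; the client address 10.20.1.50 and all ports are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def evaluate(rules, pkt):
    """Stateless check: walk the list top-down, first matching rule wins.
    Returns (action, index); nothing matched = implicit deny with index None."""
    for idx, r in enumerate(rules):
        if (_addr_match(r.src, pkt["src"]) and _addr_match(r.dst, pkt["dst"])
                and r.proto in ("any", pkt["proto"])
                and (r.dport is None or r.dport == pkt["dport"])):
            return r.action, idx
    return "deny", None


class StatefulFirewall:
    """Same rule list, but a permitted packet opens a session and packets in
    the reverse direction of that session are let through without consulting
    the rules again (the model assumed here, not a statement about the iAP)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()

    def check(self, pkt):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.sessions:
            return "permit", "session"
        action, idx = evaluate(self.rules, pkt)
        if action == "permit":
            self.sessions.add(key)
        return action, idx


def packet(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


# Constructed sample data (server addresses reused from the thread as sample values).
CLIENT = "10.20.1.50"          # hypothetical wireless client in the role
SERVER = "10.21.10.5"          # telnet server the role may reach
WIRED_HOST = "10.22.25.167"    # wired host that must reach the client

# Rules written from the wireless user's point of view, as the model assumes.
ROLE_RULES = [
    Rule("permit", "any", SERVER + "/32", "tcp", 23),   # client -> server telnet
    Rule("deny", "any", "any", "any", None),            # everything else
]

CLIENT_TO_SERVER = packet(CLIENT, 50123, SERVER, 23)
SERVER_REPLY = packet(SERVER, 23, CLIENT, 50123)
WIRED_TO_CLIENT = packet(WIRED_HOST, 41000, CLIENT, 22)


def demo():
    results = {}
    # Stateless: the reply has src=server, dst=client, so it falls to the deny-all.
    results["stateless_request"] = evaluate(ROLE_RULES, CLIENT_TO_SERVER)
    results["stateless_reply"] = evaluate(ROLE_RULES, SERVER_REPLY)
    # Stateful: the reply rides the session the client opened.
    fw = StatefulFirewall(ROLE_RULES)
    results["stateful_request"] = fw.check(CLIENT_TO_SERVER)
    results["stateful_reply"] = fw.check(SERVER_REPLY)
    # A connection initiated from the wired side is not a reply to anything;
    # it needs its own permit placed above the deny-all (question 3).
    results["wired_initiated_no_rule"] = fw.check(WIRED_TO_CLIENT)
    fw2 = StatefulFirewall([Rule("permit", WIRED_HOST + "/32", "any", "any", None)] + ROLE_RULES)
    results["wired_initiated_with_rule"] = fw2.check(WIRED_TO_CLIENT)
    # Order matters (question 2): a deny-all placed first shadows every later permit.
    results["shadowed"] = evaluate(list(reversed(ROLE_RULES)), CLIENT_TO_SERVER)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

The useful thing to take from running it is the contrast between `stateless_reply` and `stateful_reply`: with the same rule list, a return packet is denied by the final deny-all when each packet is matched on its own, and permitted when the firewall remembers the session the client opened. A wired host that opens the connection itself is not a reply in either model and only passes once a permit for that source sits above the deny-all.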
MVP

Re: Access rules for a wireless role - direction and order of operation

You've confirmed my expectations, so here's what I'm seeing and can't explain:

 

Rules in the iAP:

[Rules-in-iAP.PNG]

Note the next-to-last line...

 

Denies as reported to syslog:

[deny-in-iAP-syslog.PNG]

 

Those would be telnet session responses and so I'm expecting them to pass just fine.

Any thoughts on why I'm seeing denies?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
New Contributor

Re: Access rules for a wireless role - direction and order of operation

Wouldn't you also want an allow any on server 10.22.25.167?

John Booth
MVP

Re: Access rules for a wireless role - direction and order of operation

Not if #1 is correct in the prior post on anticipated behavior.

"any and 10.21.10.5" should apply both ways.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
New Contributor

Re: Access rules for a wireless role - direction and order of operation

Were you referring to this:  "1) unless I'm mistaken, the rule will apply to both in/out bound."?  

 

John Booth
Contributor I

Re: Access rules for a wireless role - direction and order of operation

Any progress made towards understanding and configuring rules to access clients vs rules of what clients can access?

Twitter: @swackhap