Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP93 split employee and vlan guest networks for accessing each other

  • 1.  IAP93 split employee and vlan guest networks for accessing each other

    Posted Jun 08, 2014 06:16 AM

    We installed two new IAP93's today.

    The employee network is wired and on 172.16.x.x; the guest network went on 192.169.x.x using the VLAN. So perfect.

     

    The guest network should only go to the internet and not have access to the 172.16.x.x employee networks.

    But we were not able to route the VLAN network directly to the internet or gateway (172.16.x.254) without it having access to the 172 network. How can we prevent the guest network from accessing the internal network and servers?

     

    Marcel Berkouwer



  • 2.  RE: IAP93 split employee and vlan guest networks for accessing each other

    EMPLOYEE
    Posted Jun 08, 2014 06:51 AM


  • 3.  RE: IAP93 split employee and vlan guest networks for accessing each other

    Posted Jun 09, 2014 07:00 AM

    Recently I deployed the same scenario at a customer site. The customer wants guests to only get an IP address from the external DHCP server but not be able to access any resources of the network. In this case, how would the guest network traffic be resolved? Guest traffic would be resolved via global DNS. So on the router the customer mapped the guest VLAN and IP subnet with 8.8.8.8 and 208.67.222.222.

     

    Now, on the 104 IAP VC, I apply the rule on the guest SSID.

    Allow any service except to a network 172.16.0.0/16.

     

    This rule will deny each guest access to the customer's network resources.

     

    Go to the main interface of the IAP -> Security -> Roles, now select the guest SSID and apply the above rule.

     

    Hope this idea will help you.
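
The rule from the last reply, modelled as an added example (not code from any poster and not Aruba Instant syntax): a first-match evaluator that checks guest destinations against "deny 172.16.0.0/16, then permit any" and flags the misordered variant in which the permit shadows the deny. Top-down first-match evaluation, the implicit deny, the rule tuples and the address 172.16.10.20 are assumptions made for illustration.

```python
import ipaddress

# Constructed model of a guest-role rule list; NOT Aruba Instant syntax.
# Assumption: rules are evaluated top-down and the first match decides.
GUEST_RULES = [
    ("deny", "172.16.0.0/16"),   # internal employee network from the thread
    ("permit", "0.0.0.0/0"),     # everything else (internet)
]
# Same rules in the wrong order: the permit-any comes first.
MISORDERED_RULES = list(reversed(GUEST_RULES))


def decide(rules, dst):
    """Return the action of the first rule whose network contains dst."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in ipaddress.ip_network(net):
            return action
    return "deny"  # assumed implicit deny when no rule matches


def shadowed_rules(rules):
    """Return rules that can never match because an earlier rule covers them."""
    dead = []
    for i, (action, net) in enumerate(rules):
        n = ipaddress.ip_network(net)
        if any(n.subnet_of(ipaddress.ip_network(p)) for _, p in rules[:i]):
            dead.append((action, net))
    return dead


if __name__ == "__main__":
    # 172.16.10.20 is a constructed internal host; the DNS servers are
    # the ones named in the thread. Rules match on destination IP only.
    for dst in ("172.16.10.20", "8.8.8.8", "208.67.222.222"):
        print(dst, decide(GUEST_RULES, dst), decide(MISORDERED_RULES, dst))
    print("shadowed:", shadowed_rules(MISORDERED_RULES))
```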