09-25-2013 09:36 AM
my name is Jack and I'm new to Aruba. Had a chance to setup a basic network with 2 S2500 3 AP105 and needed to get advise here.
I have the necessary VLANs implemented and the wireless network running fine. Connections are still running fine and pings are successful. I need to configure 2 SSIDs which one of it, for the guests, will be able to go out to the internet and nothing else. Not even the other VLANs. Switchports to APs are set to trunk and both SSIDs were tagged with 60 and 70 for staff and guest respectively. My focus would be on VLAN 70 for now.
I am trying to find a way to apply an extended ACL to the interface VLAN and realised that there is no way for me to do so. May someone please advise on how to apply extended ACLs to VLANs? Even though the Virtual Controller for the AP does provide the ACL feature, but I will want to do the same for other VLANs as well.
Many thanks in advance.
09-25-2013 09:52 AM
Jack - Welcome to Aruba!
I assume this is our Instant AP line?
All of our WLAN includes a stateful firewall. Please consider using it. On your Instant APs, when you setup the guest SSID, there should be an option for access policies. I would select network based and then create the following rules
permit DNS (can specify specific DNS servers here as well)
Deny to "internal subnets" (usually this is 192.168.0.0/16, 10.0.0.0/8, and 172.20.0.0/20)
permit any any
Using the above, you are only permitting the guest users to the public internet. Putting an ACL on the VLAN is another option but it's more involved and not stateful.
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos