New Contributor
Posts: 1
Registered: 09-25-2013

Applying ACL in VLAN interface.

Hi guys,

My name is Jack and I'm new to Aruba. Had a chance to set up a basic network with 2 S2500 and 3 AP105 and needed to get advice here.

I have the necessary VLANs implemented and the wireless network running fine. Connections are still running fine and pings are successful. I need to configure 2 SSIDs, one of which, for the guests, will be able to go out to the internet and nothing else. Not even the other VLANs. Switchports to APs are set to trunk and both SSIDs were tagged with 60 and 70 for staff and guest respectively. My focus would be on VLAN 70 for now.

I am trying to find a way to apply an extended ACL to the interface VLAN and realised that there is no way for me to do so. May someone please advise on how to apply extended ACLs to VLANs? Even though the Virtual Controller for the AP does provide the ACL feature, I will want to do the same for other VLANs as well.

Many thanks in advance.

- Jack

Aruba
Posts: 1,368
Registered: 12-12-2011

Re: Applying ACL in VLAN interface.

Jack - Welcome to Aruba!

I assume this is our Instant AP line?

All of our WLAN includes a stateful firewall. Please consider using it. On your Instant APs, when you set up the guest SSID, there should be an option for access policies. I would select network based and then create the following rules:

permit DHCP

permit DNS (can specify specific DNS servers here as well)

permit ICMP

Deny to "internal subnets" (usually this is 192.168.0.0/16, 10.0.0.0/8, and 172.20.0.0/20)

permit any any

Using the above, you are only permitting the guest users to the public internet. Putting an ACL on the VLAN is another option but it's more involved and not stateful.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
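
The rule list in the reply above is order-dependent, so the following added example (not part of the thread and not Aruba code) models it as a first-match evaluator to show which rule decides each guest flow. It assumes the "internal subnets" are the RFC 1918 private ranges, matches DNS on UDP only, and uses constructed addresses and an assumed implicit deny.

```python
import ipaddress

# Assumption: "internal subnets" are taken to be the RFC 1918 private ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ANY = None  # wildcard for a rule field

# Ordered guest policy from the reply:
# (name, protocol, destination ports, destination networks, action)
GUEST_RULES = [
    ("permit DHCP", "udp", {67, 68}, ANY, "permit"),
    ("permit DNS", "udp", {53}, ANY, "permit"),  # simplification: UDP only
    ("permit ICMP", "icmp", ANY, ANY, "permit"),
    ("deny internal", ANY, ANY, INTERNAL, "deny"),
    ("permit any any", ANY, ANY, ANY, "permit"),
]

def evaluate(proto, dst_ip, dst_port=None, rules=GUEST_RULES):
    """Return (action, rule_name) of the first rule matching a new flow."""
    dst = ipaddress.ip_address(dst_ip)
    for name, r_proto, r_ports, r_nets, action in rules:
        if r_proto is not ANY and r_proto != proto:
            continue
        if r_ports is not ANY and dst_port not in r_ports:
            continue
        if r_nets is not ANY and not any(dst in net for net in r_nets):
            continue
        return action, name
    return "deny", "implicit deny"  # assumed default when nothing matches

# Constructed sample flows from a guest client on VLAN 70.
SAMPLE_FLOWS = [
    ("tcp", "93.184.216.34", 443),    # public web site
    ("tcp", "10.1.1.5", 445),         # internal file server
    ("udp", "10.1.1.53", 53),         # internal DNS server
    ("icmp", "192.168.60.10", None),  # ping to an internal host
    ("udp", "255.255.255.255", 67),   # DHCP discover
]

if __name__ == "__main__":
    for proto, dst, port in SAMPLE_FLOWS:
        action, rule = evaluate(proto, dst, port)
        print(f"{proto:4} -> {dst}:{port}  {action:6} ({rule})")
```

Because the DNS and ICMP permits sit above the internal deny, guest DNS queries and pings to internal addresses are still allowed. Pinning the DNS rule to specific servers, as the reply mentions, or moving the ICMP permit below the deny closes that gap.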