Wireless Access

New Contributor
Posts: 2
Registered: ‎04-06-2013

Configuring an access list to block access between wired and wireless devices

Our customer has 2 PCs plugged into a switch and then into the controller on ethernet port 1.


The wired and wireless devices are in a shared VLAN and the customer wants to be able to stop intercommunication within the VLAN. This has been achieved for the wireless devices by enabling the deny inter-user traffic feature for the VAP.


Is it possible to create an access list on the controller's ethernet port 1 to stop the wired computers accessing the wireless devices, allowing them access only to the gateway?


Ideally the customer wants to avoid creating additional VLANs/PVLANs to do this.


Many thanks in advance.

MVP
Posts: 4,269
Registered: ‎07-20-2011

Re: Configuring an access list to block access between wired and wireless devices


If you know the number of devices supported, you could potentially create a split subnet; that way you could create an ACL that blocks the wired-side subnet.


What exactly are they trying to block? Is it a certain port?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Configuring an access list to block access between wired and wireless devices


There's really no easy way to do this without splitting the subnet or using DHCP reservations and then masking on a boundary in your ACL. For example, tie the wired devices to 10.11.12.1 - 127, and the wireless to 128 - 254, then you could block access in the user role with a /25 mask. For this scenario, your wired device AND the controller would need an IP in this subnet, otherwise the devices will still be able to reach each other at layer 2.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 2
Registered: ‎04-06-2013

Re: Configuring an access list to block access between wired and wireless devices

The customer has the guest wifi VLAN, which is separate from the corporate network, and wants to add 2 PCs to that VLAN for resiliency purposes: in case there is an issue with the corporate network they will still have access to the internet via the 2 PCs. For security purposes they do not want the PCs to have access to the wireless devices and vice versa.


They were hoping this could be achieved with an ACL and without having to create a separate VLAN. Ethernet port 1 is the interface the switch with the 2 PCs is connected to, so this would be the interface to add the ACL to if possible.

MVP
Posts: 4,269
Registered: ‎07-20-2011

Re: Configuring an access list to block access between wired and wireless devices


Do you have ClearPass?


If you don't, then you could do a UDR matching the MAC addresses of those devices and moving those devices to a role that is only allowed to do HTTP/HTTPS and denies everything else, or you could explicitly just allow certain things and block everything else.


[Attachment: Authentication User Rules_2013-11-06_12-52-24.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
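Putting the two replies above together, as an added example that is neither poster's own configuration nor taken from Aruba documentation: an ArubaOS-style session ACL that uses the /25 split Tim describes, applied to the two PCs through the MAC-based UDR Victor suggests. The role, ACL and profile names, the gateway address and the MACs are assumptions/placeholders, and the exact CLI syntax should be checked against the controller's ArubaOS version.

```text
! Session ACL for the wired PCs: reach the gateway and the internet,
! never the wireless half of the shared /24.
! Addressing from the thread: wired PCs reserved in 10.11.12.1-127,
! wireless clients in 10.11.12.128-254 (DHCP reservations).
! Assumed: the gateway is 10.11.12.1 (placeholder; use the real one).
ip access-list session wired-pc-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user host 10.11.12.1 any permit
  user network 10.11.12.128 255.255.255.128 any deny log
  user any svc-http permit
  user any svc-https permit
  user any any deny
!
user-role wired-pc
  access-list session wired-pc-acl
!
! User derivation rule: move the two PCs into the role by MAC address
! (placeholder MACs; replace with the real ones).
aaa derivation-rules user wired-pc-udr
  set role condition macaddr equals 00:00:00:00:00:01 set-value wired-pc
  set role condition macaddr equals 00:00:00:00:00:02 set-value wired-pc
!
! Assumed profile name; devices that do not match the UDR stay in the
! restrictive default logon role.
aaa profile wired-pc-aaa
  initial-role logon
  user-derivation-rules wired-pc-udr
!
! Bind the profile to wired users. The controller port facing the
! switch must be untrusted, otherwise wired traffic bypasses the role.
aaa authentication wired
  profile wired-pc-aaa
```

As Tim notes, this only works if the PCs and the controller share the subnet so that the wired traffic actually traverses the controller's firewall; the wireless role needs a mirror-image deny for 10.11.12.0/25 (gateway excepted) if wireless-to-wired traffic must be blocked as well.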