Wireless Access

Occasional Contributor II

Deny inter user traffic per role?

Is there a user-role specific way to accomplish this same level of blocking?

What I am trying to accomplish is this:


I have an Open Guest network that returns the role guest.
I would like to put another set of devices that cannot use 802.1x on the guest network, but the devices need to be able to communicate with each other.

Right now I have deny inter user traffic enabled on the VAP. My thought is I need to remove that option, and move it to the guest user role.

The only solution I've come up with is an ACL, which is not ideal since I can't do an ACL that says user user any deny, since it wants source/destination to be different. So I would need to create ACLs specific to sites.

mkk
Contributor II

Re: Deny inter user traffic per role?

You could maybe make an ACL like...

Src: User
Dest: 10.0.0.0 / 255.0.0.0
Dest: 172.16.0.0 / 255.240.0.0
Dest: 192.168.0.0 / 255.255.0.0
Deny

Or create a guest ssid with deny inter user traffic and a second ssid “contractor” where you allow that.
Contributor II

RE: Deny inter user traffic per role?

I think that you should limit traffic to the role you are assigned to using the bandwidth option in your role.

Re: Deny inter user traffic per role?

Hi Eugene,


Won't the following ACLs help?

any <gateway ip> any permit

any <guest network> any deny

any any any permit
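To make the ordering point in the two ACL suggestions above concrete, here is an added Python model of first-match session-ACL evaluation. It is not code from the thread or from the vendor: it walks an ordered rule list exactly as the posts write it (source, destination, action), treats the `user` keyword as "the client's own address", and models the end of the list as an implicit deny (an assumption; adjust if your platform differs). The guest subnet, gateway and client addresses are constructed for the example. It shows that the site-specific policy (permit gateway, deny guest subnet, permit everything else) blocks guest-to-guest traffic while keeping the gateway and the internet reachable, that the site-independent RFC 1918 variant also blocks the gateway when the gateway sits in private space unless a permit for it comes first, and that swapping the first two lines of the site policy silently denies the gateway too.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One line of a session ACL: source, destination, action. First match wins."""
    src: str      # "any", "user" (the client's own address), or a CIDR / host prefix
    dst: str
    action: str   # "permit" or "deny"


def _match(spec: str, addr: str, client_ip: str) -> bool:
    """Does a single address field of a rule match the given address?"""
    if spec == "any":
        return True
    if spec == "user":
        return addr == client_ip
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(policy, client_ip: str, dst_ip: str, default: str = "deny") -> str:
    """Return the action of the first rule matching client_ip -> dst_ip.

    `default` models the implicit deny at the end of a role's policy list
    (assumption for this example, not a statement about any specific platform).
    """
    for rule in policy:
        if _match(rule.src, client_ip, client_ip) and _match(rule.dst, dst_ip, client_ip):
            return rule.action
    return default


# Constructed addresses for the worked example (not taken from the thread).
GUEST_NET = "192.168.50.0/24"
GATEWAY = "192.168.50.1/32"
CLIENT = "192.168.50.10"
PEER = "192.168.50.20"
INTERNET = "203.0.113.7"   # TEST-NET-3 documentation address, stands in for "the internet"

# Site-specific policy as suggested in the reply above:
# permit the gateway, deny the guest subnet, permit everything else.
SITE_POLICY = [
    Rule("any", GATEWAY, "permit"),
    Rule("any", GUEST_NET, "deny"),
    Rule("any", "any", "permit"),
]

# Site-independent variant from mkk's post: deny all three RFC 1918 ranges, then permit.
RFC1918_POLICY = [
    Rule("user", "10.0.0.0/8", "deny"),
    Rule("user", "172.16.0.0/12", "deny"),
    Rule("user", "192.168.0.0/16", "deny"),
    Rule("any", "any", "permit"),
]

# Same portability, but the gateway is exempted before the private-range deny lines.
RFC1918_WITH_GATEWAY = [Rule("any", GATEWAY, "permit")] + RFC1918_POLICY

# The site policy with its first two lines swapped: the subnet deny now shadows the gateway permit.
SITE_POLICY_MISORDERED = [SITE_POLICY[1], SITE_POLICY[0], SITE_POLICY[2]]


def isolation_report(policy, client_ip: str = CLIENT) -> dict:
    """Summarise what a guest client can reach under a policy: peer, gateway, internet."""
    return {
        "peer": evaluate(policy, client_ip, PEER),
        "gateway": evaluate(policy, client_ip, GATEWAY.split("/")[0]),
        "internet": evaluate(policy, client_ip, INTERNET),
    }


if __name__ == "__main__":
    for name, policy in [
        ("site-specific", SITE_POLICY),
        ("rfc1918", RFC1918_POLICY),
        ("rfc1918 + gateway permit", RFC1918_WITH_GATEWAY),
        ("site-specific, misordered", SITE_POLICY_MISORDERED),
    ]:
        print(f"{name:28s} {isolation_report(policy)}")
```

Run it and the report shows the only policy that both isolates guests and keeps the gateway reachable without knowing the site's subnet is the RFC 1918 list with a gateway permit in front of it; in practice the same exemption is needed for any DHCP or DNS server that lives in private address space, and the rule order has to be checked after every edit, since a deny placed above a permit shadows it silently.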

Occasional Contributor II

Re: Deny inter user traffic per role?

Yes, this would work, and is what I meant by ACL specific to sites.

I was hoping there was an option I missed that was an easy checkmark in the user-role!

Thanks!