08-13-2015 12:49 PM
Hello, we have a large network with many sites that all have Aruba MC and APs. At each of these sites, we have created an Apple Airplay/print SSID for all Apple devices to connect to. We also have other SSIDs that employees connect to, as well as a Clearpass Guest network. The way the Airplay/print SSID is set up is that even though it is a separate SSID, it is still on the same L2 VLAN as the other SSIDs. This way, even if someone is on another SSID, they can still see the Airplay/print devices and connect to them.
However, the Guest network has an ACL in place to drop all packets destined for the company internal networks, so it prevents guests who may come to our locations and need to present something to employees from using Airplay.
What we would like to do is one of two options:
1) Put an ACL or some other policy in place that prevents anyone/anything that connects to the Airplay/print SSID from accessing the company internal network, but they can see only the Airplay/print devices that are on that SSID/VLAN. (The problem with this is the AP/P devices would be on the company network and have an IP address on the internal LAN, so how would users see this if their traffic to the internal LAN is blocked by the ACL.....and wouldn't an ACL also block the AP/P devices from returning traffic to users who are on the other employee SSID who are trying to connect to it?)
2) Put a policy in place that would proxy the AppleTV traffic across all SSIDs, including the Guest network, so regardless of whether the AP/P device is on the internal LAN, all traffic to/from any SSID would be allowed....but considering the Guest network ACL, the ONLY thing they would see is the AP/P devices, and no access to anywhere else on the network.
How can this be accomplished?
I'm hoping this makes sense. If not, please let me know how I can clarify better.
Thank you very much.
08-13-2015 01:29 PM
Through AirGroup device registration, devices will be visible to the device's owner or, in the case of shared devices, to whoever you want.
The beauty is that "dumb" devices like printers, Chromecasts, AppleTVs, etc can have a different role and different VLAN with different policies attached.
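As an added illustration (not part of either post above), the following sketches how option 1 from the question could be expressed on an ArubaOS controller: a netdestination alias listing the AirPlay/print devices, a session ACL that permits traffic to those devices and denies the rest of the internal address space, and a user role that carries the ACL. The device addresses and internal prefixes are constructed placeholders, and the exact syntax should be confirmed against the ArubaOS version in use.

```text
! Constructed example: alias for the shared AirPlay/print devices
netdestination airplay-devices
  host 10.10.20.5
  host 10.10.20.6
!
! Constructed example: internal address space that guests must not reach
netdestination internal-networks
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
! Session ACL: allow the AirPlay devices, deny everything else internal,
! then allow Internet-bound traffic
ip access-list session airplay-only
  user alias airplay-devices any permit
  user alias internal-networks any deny
  user any any permit
!
! Role assigned to users of the AirPlay/print (or guest) SSID
user-role airplay-guest
  access-list session airplay-only
!
```

Session ACLs on the controller are stateful, so the rule permitting user-to-device traffic also admits the device's replies; a separate rule for return traffic is not needed, which addresses the concern in option 1. Service discovery itself (mDNS/Bonjour) is what AirGroup handles when it is enabled and the devices are registered, as the answer describes; this fragment only governs the data traffic once a user picks a device.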
08-13-2015 01:40 PM