Wireless Access

Occasional Contributor II
Posts: 20
Registered: ‎09-25-2013

firewall rules for guests on controller

 Hi,

I have a controller with 3 vlans, 1 for guests, 1 for admin and 1 for management. I want to restrict the guests from accessing the admin and management vlans. Inter-vlan routing is on on all vlans. I want to do this with acl, so I want to know what the best practice is.

My vlans are:

guest : 172.16.1.0

admin 192.168.1.0

mgmt: 10.0.99.0

I made an alias for my admin and mgmt vlans called int_network

Is this a good setup?


Derived Role = 'Guest_1mbit'
Up BW contract = 1mbit_basic (1000000 bits/sec) (per-user) Down BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Assigned VLAN = 50
Periodic reauthentication: Disabled
ACL Number = 55/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Deny_internal_lan session

Deny_internal_lan
-----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 172.16.10.0 255.255.255.0 172.16.10.1 any permit Low 4
2 172.16.10.0 255.255.255.0 int_network  any deny Low 4
3 172.16.10.0 255.255.255.0 any any permit Low 4

Thanks,

Akki

Aruba
Posts: 1,285
Registered: ‎08-29-2007

Re: firewall rules for guests on controller

Did you make a typo in your guest vlans?  You have the guest as, 172.16.1.0/24, then the acl has the rules for source, 172.16.10.0/24.

To be safe, change line 2 to be

2 any int_network  any deny Low 4


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Occasional Contributor II
Posts: 20
Registered: ‎09-25-2013

Re: firewall rules for guests on controller

Hi Michael,

Yeah sorry, it was a typo, I should have written 172.16.10.0.

So it looks like this now:

Derived Role = 'Guest_1mbit'
Up BW contract = 1mbit_basic (1000000 bits/sec) (per-user) Down BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Assigned VLAN = 50
Periodic reauthentication: Disabled
ACL Number = 55/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Deny_internal_lan session

Deny_internal_lan
-----------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 172.16.10.0 255.255.255.0 172.16.10.1 any permit Low 4
2 any int_network any deny Low 4
3 172.16.10.0 255.255.255.0 any any permit Low 4

Expired Policies (due to time constraints) = 0

When I apply this to the guest_1mbit role I notice I get an IP address, but after 2 sec I lose it and can't get a new one. Am I doing something wrong? When I had the allow-all rule it was working fine.
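A quick way to check what a session ACL like Deny_internal_lan actually permits before pushing it to a role is to model it as an ordered first-match list and run the flows you care about through it. The script below is an added example, not part of the thread or of ArubaOS; it assumes first-match evaluation with an implicit deny at the end, models int_network as the admin and mgmt subnets from the first post, and uses constructed host addresses (203.0.113.10 stands in for an internet destination).

```python
import ipaddress

# Constructed model of the thread's second Deny_internal_lan ACL.
# Assumption: rules are evaluated top-down, first match wins, and any
# flow that matches no rule falls to an implicit "deny any any".
GUEST = ipaddress.ip_network("172.16.10.0/24")
GATEWAY = ipaddress.ip_network("172.16.10.1/32")
INT_NETWORK = [ipaddress.ip_network("192.168.1.0/24"),   # admin vlan
               ipaddress.ip_network("10.0.99.0/24")]     # mgmt vlan

RULES = [
    (GUEST, GATEWAY, "permit"),      # 1: guests to their gateway
    ("any", INT_NETWORK, "deny"),    # 2: anything to admin/mgmt (alias)
    (GUEST, "any", "permit"),        # 3: guests to everything else
]

def _match(spec, addr):
    """spec is 'any', a single ip_network, or a list of networks (an alias)."""
    if spec == "any":
        return True
    nets = spec if isinstance(spec, list) else [spec]
    return any(addr in net for net in nets)

def evaluate(src, dst, rules=RULES):
    """Return (action, rule_number); rule_number 0 means the implicit deny fired."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (rule_src, rule_dst, action) in enumerate(rules, start=1):
        if _match(rule_src, s) and _match(rule_dst, d):
            return action, number
    return "deny", 0

if __name__ == "__main__":
    # Constructed flows: gateway, an admin host, a mgmt host, the internet,
    # and an initial DHCP Discover (source 0.0.0.0, broadcast destination).
    for src, dst in [("172.16.10.50", "172.16.10.1"),
                     ("172.16.10.50", "192.168.1.10"),
                     ("172.16.10.50", "10.0.99.5"),
                     ("172.16.10.50", "203.0.113.10"),
                     ("0.0.0.0", "255.255.255.255")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

The last flow is the check worth keeping: a client that has no address yet sends from 0.0.0.0, which none of the three rules cover, so under these assumptions it reaches the implicit deny.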
