Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Configuring an access list to block access between wired and wireless devices

  • 1.  Configuring an access list to block access between wired and wireless devices

    Posted Nov 06, 2013 12:02 PM

    Our customer has 2 PCs plugged into a switch and then into the controller on ethernet port 1.

    The wired and wireless devices are in a shared VLAN and the customer wants to be able to stop intercommunication within the VLAN. This has been achieved for the wireless devices by enabling the "deny inter user traffic" feature on the VAP.

    Is it possible to create an access list on the controller's ethernet port 1 to stop the wired computers accessing the wireless devices and only having access to the gateway?

    Ideally the customer wants to avoid creating additional VLANs/PVLANs to do this.

    Many thanks in advance



  • 2.  RE: Configuring an access list to block access between wired and wireless devices

    Posted Nov 06, 2013 12:08 PM

    If you know the number of devices supported, you could potentially create a split subnet; that way you could create an ACL that blocks the wired-side subnet.

    What exactly are they trying to block? Is it a certain port?



  • 3.  RE: Configuring an access list to block access between wired and wireless devices

    Posted Nov 06, 2013 12:30 PM

    The customer has the guest wifi VLAN, which is separate from the corporate network, and wants to add 2 PCs to that VLAN for resiliency purposes, so that in case there is an issue with the corporate network they will still have access to the internet via the 2 PCs. For security purposes they do not want the PCs to have access to the wireless devices and vice versa.

    They were hoping this could be achieved with an ACL and without having to create a separate VLAN. Ethernet port 1 is the interface the switch with the 2 PCs is connected to, so this would be the interface to add the ACL to if possible.



  • 4.  RE: Configuring an access list to block access between wired and wireless devices

    Posted Nov 06, 2013 12:51 PM

    Do you have ClearPass?

    If you don't, then you could do a UDR matching the MAC addresses of those devices and moving those devices to a role that is only allowed to do HTTP/HTTPS and denies everything else, or you could explicitly just allow certain things and block everything else.

    [Screenshot attached: Authentication User Rules_2013-11-06_12-52-24.png]



  • 5.  RE: Configuring an access list to block access between wired and wireless devices

    EMPLOYEE
    Posted Nov 06, 2013 12:16 PM

    There's really no easy way to do this without splitting the subnet or using DHCP reservations and then masking on a boundary in your ACL. For example, tie the wired devices to 10.11.12.1 - 127, and the wireless to 128 - 254, then you could block access in the user role with a /25 mask. For this scenario, your wired device AND the controller would need an IP in this subnet, otherwise the devices will still be able to reach each other at layer 2.
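    Editor's note (added example, not posted by anyone in the thread): the configuration below puts reply 4 (a MAC-based user derivation rule that lands the two PCs in a dedicated role) and reply 5 (reserve the wired PCs in the lower /25 of the VLAN's /24 and the wireless clients in the upper /25, then deny on that boundary in the role's session ACL) into one ArubaOS 6.x-style fragment. The VLAN id, addresses, MAC addresses, object names and the port identifier are all assumptions; the command forms are the ArubaOS 6 netdestination / session ACL / user-role / UDR syntax and should be checked against the controller's own CLI reference for the exact release before applying.

```text
! Assumed addressing plan (not from the thread):
!   VLAN 100 = 10.11.12.0/24, default gateway 10.11.12.1
!   wired PCs  : DHCP reservations in 10.11.12.2-127  (lower /25)
!   wireless   : DHCP pool in        10.11.12.128-254 (upper /25)
! The controller itself must hold an IP in VLAN 100, as reply 5 says;
! a session ACL is a layer-3 control and does nothing for hosts the
! controller merely switches at layer 2.

netdestination wireless-clients
  network 10.11.12.128 255.255.255.128
!
netdestination vlan100-gateway
  host 10.11.12.1
!
! Session ACL for the wired PCs. Rules are evaluated top down, first match
! wins, so the gateway permit must precede the /25 deny if the gateway
! were ever placed inside the wireless half.
ip access-list session wired-pc-isolation
  user alias vlan100-gateway any permit
  user alias wireless-clients any deny
  alias wireless-clients user any deny
  user any svc-dhcp permit
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
  any any any deny
!
user-role wired-pc
  access-list session wired-pc-isolation
!
! Reply 4: derive the role from the PCs' MAC addresses (assumed values).
! With ClearPass the role would come back in the RADIUS reply instead.
aaa derivation-rules user wired-pc-udr
  set role condition macaddr equals 00:11:22:aa:bb:01 set-value wired-pc
  set role condition macaddr equals 00:11:22:aa:bb:02 set-value wired-pc
!
aaa profile wired-pc-aaa
  user-derivation-rules wired-pc-udr
!
! Untrusted wired traffic on the controller is classified through the
! global wired authentication profile, so point it at the AAA profile
! and make the port the PCs' switch hangs off untrusted. The port name
! (assumed here as gigabitethernet 1/1) depends on the controller model.
aaa authentication wired
  profile wired-pc-aaa
!
interface gigabitethernet 1/1
  switchport access vlan 100
  no trusted
!
```

    Two practical checks after applying this: `show user-table` should list both PCs with role `wired-pc` once they pass traffic, and `show datapath session table` should show no sessions between a wired PC and any 10.11.12.128/25 address while sessions to the gateway and to internet addresses appear normally. The split only holds as long as the DHCP reservations and pool boundaries stay on the /25 line; a wireless client that is ever leased an address from the lower half falls outside the deny, which is the weakness reply 5 alludes to in recommending a separate subnet or VLAN where that is acceptable.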