New Contributor

Separating SSID from Other VLANs on Wireless Controller

I am not 100% certain that I am explaining this correctly, so obviously feel free to ask questions.

 

I have an Aruba7210-US controller with multiple AP Groups, Virtual APs, and SSIDs. I recently created a new Virtual AP/SSID on a separate VLAN, in order to connect specific laptops and completely separate them from the rest of the network.

 

The problem is that since there are other, existing Virtual AP/SSIDs that the "general public" (staff) uses within these AP Groups, I am unable to remove those other VLANs from the uplink port for the wireless controller on the switch, which means that my new Virtual AP/SSID can still connect to other servers/systems that I do not want them to connect to.

 

What can I do on the actual wireless controller in order to completely segregate this new Virtual AP/SSID from the rest of the network? Thank you in advance for any help.

Guru Elite

Re: Separating SSID from Other VLANs on Wireless Controller

You can apply an ACL to any user role to block any destination, protocol or any combination of both that you don't want specific users connecting to.  This is irrespective of any VLAN you have trunked to a controller.

 

Again, you should be restricting user traffic based on ACLs attached to the user's role.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
New Contributor

Re: Separating SSID from Other VLANs on Wireless Controller

Are you able to point me in the right direction of where the ACLs are configured within the GUI? I actually have an open case with support, but the technician was doing it via the terminal and could not get it working. I am willing to do it myself, as I am familiar with networking. I just don't know how to do it on an Aruba Controller; either via the GUI or the terminal.

 

Please advise. Thank you.

Guru Elite

Re: Separating SSID from Other VLANs on Wireless Controller

What version of ArubaOS is this?  That will determine where to look.

 

What was the technician trying to do?  If you are not satisfied, you should ask to escalate the issue.


New Contributor

Re: Separating SSID from Other VLANs on Wireless Controller

Model: Aruba7210-US / Version: 6.5.3.4

 

The technician was attempting to create an ACL via the terminal, but for whatever reason was not successful. If I can be honest, I have never had a successful support call with Aruba and I am knowledgeable enough that if I am guided in the right direction I can figure it out.

Guru Elite

Re: Separating SSID from Other VLANs on Wireless Controller

The documentation for creating a firewall policy in a user role is here:  https://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Roles/Policies.htm


New Contributor

Re: Separating SSID from Other VLANs on Wireless Controller

You have been so helpful that I have to take advantage of your knowledge with one last question. I know that I have been concentrating on blocking everything, but could you point me in the right direction if I wanted to allow access to one specific IP address?

 

Thanks again.

Guru Elite

Re: Separating SSID from Other VLANs on Wireless Controller

In the session ACL you would have:

 

user  host <ip address> any permit


Frequent Contributor I

Re: Separating SSID from Other VLANs on Wireless Controller

Just to add to the other comments. You want to create a "session" ACL, which uses the Aruba firewall, as opposed to the traditional standard or extended ACLs that are traditionally used with switches.

 

Firewall rules make up policies. Firewall policies make up roles. Roles are assigned to users that connect to untrusted connections, such as an SSID.

 

If you wanted/needed to put restrictions on a physical port or a VLAN, you can assign a firewall policy to the port or VLAN.

 

I hope this helps,

 

David
Sr. Trainer and Author of upcoming "Understanding ArubaOS: Version 8.x" book
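
The following is an added example, not part of any post in this thread: a small Python model for checking a drafted session ACL before attaching it to the isolated SSID's role, showing that the single-host permit only works when it sits above the catch-all deny. It assumes first-match evaluation with an implicit deny at the end, handles only the `user` source with `any`/`host`/`network` destinations and the `any` service, and uses 192.0.2.10 as a placeholder address.

```python
import ipaddress

# Constructed session ACL for the isolated SSID's role. The permit line follows
# the form given in the thread; 192.0.2.10 is a placeholder address.
ACL_GOOD = """\
user host 192.0.2.10 any permit
user any any deny
"""
# Same rules in the wrong order: the deny shadows the permit.
ACL_SHADOWED = """\
user any any deny
user host 192.0.2.10 any permit
"""

def parse_rule(line):
    """Parse '<source> <destination> <service> <action>' for the forms modelled here."""
    tok = line.split()
    if tok[0] != "user":
        raise ValueError("only 'user' as source is modelled: " + line)
    i = 1
    if tok[i] == "any":
        dest, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        dest, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    elif tok[i] == "network":  # 'network <address> <netmask>'
        dest, i = ipaddress.ip_network(tok[i + 1] + "/" + tok[i + 2]), i + 3
    else:
        raise ValueError("unsupported destination: " + line)
    service, action = tok[i], tok[i + 1]
    if service != "any" or action not in ("permit", "deny"):
        raise ValueError("only the 'any' service with permit/deny is modelled: " + line)
    return dest, action

def decide(acl_text, dest_ip):
    """Return the action for traffic from a user to dest_ip.

    The first matching rule wins; no match falls through to the implicit deny.
    """
    addr = ipaddress.ip_address(dest_ip)
    for line in acl_text.splitlines():
        if not line.strip():
            continue
        dest, action = parse_rule(line)
        if addr in dest:
            return action
    return "deny"
```

A role built from only these two lines also drops the client's DHCP and DNS traffic, so those need their own permit lines above the deny.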