Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

firewall rules for guests on controller

  • 1.  firewall rules for guests on controller

    Posted Jun 23, 2014 06:11 AM

     Hi,

    I have a controller with 3 VLANs: 1 for guests, 1 for admin and 1 for management. I want to restrict the guests from accessing the admin and management VLANs. Inter-VLAN routing is on for all VLANs. I want to do this with an ACL, so I want to know what the best practice is.

    My vlans are:

    guest : 172.16.1.0

    admin 192.168.1.0

    mgmt: 10.0.99.0


    I made an alias for my admin and mgmt VLANs called int_network.


    Is this a good setup?


    Derived Role = 'Guest_1mbit'
    Up BW contract = 1mbit_basic (1000000 bits/sec) (per-user) Down BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 50
    Periodic reauthentication: Disabled
    ACL Number = 55/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 Deny_internal_lan session

    Deny_internal_lan
    -----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 172.16.10.0 255.255.255.0 172.16.10.1 any permit Low 4
    2 172.16.10.0 255.255.255.0 int_network  any deny Low 4
    3 172.16.10.0 255.255.255.0 any any permit Low 4


    Thanks,

    Akki



  • 2.  RE: firewall rules for guests on controller

    EMPLOYEE
    Posted Jun 23, 2014 06:52 AM

    Did you make a typo in your guest VLAN? You have the guest as 172.16.1.0/24, but the ACL has the rules for source 172.16.10.0/24.


    To be safe, change line 2 to be:


    2 any int_network  any deny Low 4



  • 3.  RE: firewall rules for guests on controller

    Posted Jun 23, 2014 07:14 AM

    Hi Michael,

    Yeah, sorry, it was a typo; I should have written 172.16.10.0.


    So it looks like this now:


    Derived Role = 'Guest_1mbit'
    Up BW contract = 1mbit_basic (1000000 bits/sec) (per-user) Down BW contract = 1mbit_basic (1000000 bits/sec) (per-user)
    L2TP Pool = default-l2tp-pool
    PPTP Pool = default-pptp-pool
    Assigned VLAN = 50
    Periodic reauthentication: Disabled
    ACL Number = 55/0
    Max Sessions = 65535

    Check CP Profile for Accounting = TRUE

    access-list List
    ----------------
    Position Name Type Location
    -------- ---- ---- --------
    1 Deny_internal_lan session

    Deny_internal_lan
    -----------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 172.16.10.0 255.255.255.0 172.16.10.1 any permit Low 4
    2 any int_network any deny Low 4
    3 172.16.10.0 255.255.255.0 any any permit Low 4

    Expired Policies (due to time constraints) = 0


    When I apply this to the Guest_1mbit role I notice I get an IP address, but after 2 seconds I lose it and can't get a new one. Am I doing something wrong? When I had the allow-all rule it was working fine.
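To reason about a policy like Deny_internal_lan before pushing it to a role, it helps to run a few representative flows through the rule list by hand. The script below is an added example, not code from the thread or from HPE Aruba: it is a toy first-match evaluator that assumes the documented ArubaOS behaviour that a session ACL is walked top-down, the first matching rule wins, and anything unmatched hits an implicit deny. It models only source, destination and service matching (no `user` keyword, no stateful session handling), and the DNS server address, the extra alias, the service table and every sample flow are constructed for illustration. It runs the posted policy and a constructed alternative side by side, so you can see which flows a given ordering permits, denies, or drops through to the implicit deny, for example a DHCP discover sourced from 0.0.0.0, which no rule with a guest-subnet source will ever match.

```python
"""Toy first-match evaluator for an ArubaOS-style session ACL.

Added example, not part of the original thread or of HPE Aruba's code.
Assumption: rules are evaluated top-down, first match wins, unmatched
traffic hits an implicit deny. Addresses, aliases and flows below are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# netdestination aliases: int_network as described in the thread;
# guest_dns is an ASSUMED DNS server sitting in the admin VLAN.
ALIASES = {
    "int_network": [ip_network("192.168.1.0/24"), ip_network("10.0.99.0/24")],
    "guest_dns": [ip_network("192.168.1.10/32")],
}

# netservice table (constructed); None means "any service"
SERVICES = {
    "any": None,
    "svc-dhcp": ("udp", 67),
    "svc-dns": ("udp", 53),
}


@dataclass(frozen=True)
class Rule:
    src: str      # "any", an alias name, a CIDR, or a single host
    dst: str
    service: str  # key in SERVICES
    action: str   # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise resolve alias or parse CIDR/host."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec) or [ip_network(spec, strict=False)]
    a = ip_address(addr)
    return any(a in n for n in nets)


def _service_matches(name: str, flow: Flow) -> bool:
    svc = SERVICES[name]
    return svc is None or (flow.proto, flow.dport) == svc


def evaluate(policy, flow):
    """Return (action, 1-based rule position); position None = implicit deny."""
    for pos, rule in enumerate(policy, start=1):
        if (_addr_matches(rule.src, flow.src)
                and _addr_matches(rule.dst, flow.dst)
                and _service_matches(rule.service, flow)):
            return rule.action, pos
    return "deny", None


# Deny_internal_lan as posted in reply #3 (mask 255.255.255.0 written as /24)
POSTED = [
    Rule("172.16.10.0/24", "172.16.10.1", "any", "permit"),
    Rule("any", "int_network", "any", "deny"),
    Rule("172.16.10.0/24", "any", "any", "permit"),
]

# Constructed alternative: permit bootstrap services first, then isolate
# the internal VLANs, then permit everything else (Internet).
HARDENED = [
    Rule("any", "any", "svc-dhcp", "permit"),
    Rule("any", "guest_dns", "svc-dns", "permit"),
    Rule("any", "int_network", "any", "deny"),
    Rule("any", "any", "any", "permit"),
]

# Constructed sample flows from a guest client
FLOWS = {
    "dhcp_discover": Flow("0.0.0.0", "255.255.255.255", "udp", 67),
    "dns_to_admin":  Flow("172.16.10.23", "192.168.1.10", "udp", 53),
    "smb_to_admin":  Flow("172.16.10.23", "192.168.1.50", "tcp", 445),
    "ssh_to_mgmt":   Flow("172.16.10.23", "10.0.99.5", "tcp", 22),
    "web_internet":  Flow("172.16.10.23", "93.184.216.34", "tcp", 443),
}


def evaluate_all(policy):
    """Map each sample flow name to its (action, position) under the policy."""
    return {name: evaluate(policy, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for name, (action, pos) in evaluate_all(policy).items():
            where = f"rule {pos}" if pos else "implicit deny"
            print(f"  {name:15} {action:6} ({where})")
```

Under the posted rules the DHCP discover matches nothing and falls to the implicit deny, and any DNS or DHCP server that lives in the admin or mgmt VLAN is denied by rule 2 along with everything else there; the constructed alternative permits exactly those services before the isolation rule. Whether that is the cause of a lost lease on a real controller is something to verify with the controller's own logs, not with this model.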