When you plan a network properly, the AP management network is always different from the client network (a different VLAN), and clients have no access whatsoever to the AP management interface (or to any other networking equipment).
In some cases you may need users to have access to the ZD (for Guest portal authentication); then it must be limited to just the required ports and IP address (using routing between VLANs and ACLs on the switch or firewall rules).
So if you have this problem, you should just fix your wrong and insecure network design...
A different client VLAN can and should be used in all cases; the only limitation is that you need a managed switch to do so (as you need VLAN support). But using high-end WiFi equipment with lowest-end switches just doesn't make much sense anyway, and managed switches are cheap nowadays.
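As an added example (not part of the post above), this nftables ruleset for the router between the two VLANs implements the design described: clients may reach only the ZoneDirector, and only on the guest-portal ports, while everything else toward the management VLAN (including ping to the APs) is dropped. The interface names, subnets, ZD address, WAN interface and portal ports are assumed values.

```nft
# Added example: inter-VLAN filter between the client VLAN and the
# AP/ZoneDirector management VLAN. Interface names, subnets, the ZD
# address and the portal ports are assumptions for illustration only.
define CLIENT_IF    = vlan20           # client / guest SSID VLAN (assumed)
define MGMT_IF      = vlan10           # AP + ZD management VLAN (assumed)
define WAN_IF       = wan0             # uplink toward the Internet (assumed)
define CLIENT_NET   = 192.0.2.0/24     # client subnet (documentation range)
define ZD_ADDR      = 198.51.100.10    # ZoneDirector address (assumed)
define PORTAL_PORTS = { 80, 443 }      # ports the guest portal needs (assumed)

table inet vlan_filter {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were already permitted
        ct state established,related accept

        # Clients may reach the ZD, but only on the guest-portal ports
        iifname $CLIENT_IF oifname $MGMT_IF ip saddr $CLIENT_NET \
            ip daddr $ZD_ADDR tcp dport $PORTAL_PORTS accept

        # Clients may reach the Internet normally
        iifname $CLIENT_IF oifname $WAN_IF ip saddr $CLIENT_NET accept

        # Any other client traffic toward the management VLAN (ICMP to
        # APs, SSH/HTTPS to switches, etc.) is logged and dropped
        iifname $CLIENT_IF oifname $MGMT_IF \
            log prefix "client->mgmt denied: " counter drop
    }
}
```

Load with `nft -f <file>` on the inter-VLAN router; the log line gives a ready-made detection point for clients probing the management VLAN.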
Thanks for reaching out.
If you have a firewall in your network, you can block ICMP so that clients are not able to ping the APs and other servers/machines.
From ZD, we have one option which is Client Isolation; however, enabling client isolation will also block clients from accessing each other, so as per your requirement this feature is not applicable.
Please let me know if you have any queries.
The easiest solution is to either put the APs on a separate management VLAN via tagging or have the user SSIDs dumped onto a different VLAN (preferred method). If it is guest traffic then you make the SSID guest and dump it onto a VLAN that connects directly to a port on a firewall, or tunnel the traffic to the ZD or vSZ-D and pop it out onto a separate port/VLAN and into a firewall. A couple of different ways to do it so that the end user devices cannot ping the APs or controller or anything on the network.