L3/L4 User Traffic Profiles in vSCG

samuel_eng
New Contributor III
Hi, I would like to create a User Traffic Profile in the vSCG that will only allow access to the internet and no local LAN access, and then apply it to a WLAN. How can I achieve this?
3 REPLIES

rob_krumm
New Contributor III
Hi Samuel, 

If you are trying to allow internet access only, you can go into the L3/L4 traffic policy list and set the policy to "allow all by default". Then you want to add deny rules for all private IP ranges on all protocols. These include:

10.0.0.0/8
192.168.0.0/16
172.16.0.0/12

This should prevent a customer from reaching any Private IP ranges.

Hope this helps!

Rob

samuel_eng
New Contributor III
Thanks for your reply! 

But in order to access the internet, the client would have to communicate with its default gateway. Would the rules above deny that type of traffic?

rob_krumm
New Contributor III
Hi Samuel,

That will not be the case. We will block traffic based on the destination address in the IP packet, not which device the packet has been passed to.

So if you try to ping an address on the internet, the destination IP in the packet will be the IP address of the website you are trying to reach and we will allow it through.

If on the other hand, you are trying to ping the router, or another AP, or maybe another client, the destination address will be private and we will drop the traffic at the AP.

Hope this clarifies!

Rob
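
The destination-based matching described in this thread can be modeled in a few lines. This is an added example, not part of the original posts and not vSCG code: the `Packet` fields, the sample addresses and the evaluation function are assumptions made for illustration, with the deny list and default action taken from the reply above.

```python
import ipaddress
from dataclasses import dataclass

# Deny rules from the thread: the three private ranges, all protocols.
DENY_DESTINATIONS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
DEFAULT_ACTION = "allow"  # "allow all by default", as in the thread


@dataclass
class Packet:  # hypothetical structure for this model
    src_ip: str
    dst_ip: str        # the only field the deny rules look at
    next_hop: str      # device the frame is handed to; not in the IP header
    proto: str = "any"


def evaluate(pkt: Packet) -> str:
    """Return 'deny' if the destination IP is in a denied range, else the default."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    for net in DENY_DESTINATIONS:
        if dst in net:
            return "deny"
    return DEFAULT_ACTION


# Constructed sample traffic; all addresses are made up for illustration.
GATEWAY = "192.168.1.1"
CLIENT = "192.168.1.50"
SAMPLES = {
    "ping internet host via gateway": Packet(CLIENT, "203.0.113.10", GATEWAY, "icmp"),
    "ping the gateway itself": Packet(CLIENT, GATEWAY, GATEWAY, "icmp"),
    "reach another client": Packet(CLIENT, "192.168.1.77", "192.168.1.77", "tcp"),
    "DNS to resolver on gateway": Packet(CLIENT, GATEWAY, GATEWAY, "udp"),
    "DNS to public resolver": Packet(CLIENT, "198.51.100.53", GATEWAY, "udp"),
    "edge of 172.16.0.0/12": Packet(CLIENT, "172.31.255.255", GATEWAY, "tcp"),
    "just outside 172.16.0.0/12": Packet(CLIENT, "172.32.0.1", GATEWAY, "tcp"),
}


def run_samples() -> dict:
    """Evaluate every constructed sample and return name -> verdict."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:5}  {name}")
```

In this model a DNS query addressed to a resolver on a private IP matches the deny rule just like a ping to the gateway does. The thread does not say how the vSCG treats such traffic, so it is worth testing name resolution on the WLAN after applying the profile.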