05-05-2023 03:37 AM - edited 05-05-2023 05:43 AM
Hello,
I have an old Virtual SmartZone - version is 3.4.0.0.... And I would like to enable client isolation on the SSID. Where do I need to add my gateway IP/MAC for whitelisting?
05-06-2023 10:11 PM
Hi @asdasdas
The APs connected to vSZ should sniff the DHCP packets and automatically use the default gateway MAC to create the whitelist. However, if you still face issues in reaching the gateway from clients, then you can configure the gateway in the whitelist.
Creating the whitelist on the 3.4 version is not available in the GUI. The GUI option has been added starting from 3.5.
However, you can still create the client isolation whitelist on 3.4 from AP CLI.
You need to create the AP CLI script on the controller and push the Whitelist command to the APs from CLI script.
Below are the articles explaining the procedure.
Client isolation from AP CLI on 3.4 firmware
https://support.ruckuswireless.com/articles/000005359
Create an AP CLI script for client isolation.
https://support.ruckuswireless.com/articles/000004057
I hope this is helpful; let me know if you have any queries.
Regards,
Sanjay Kumar
05-07-2023 11:21 PM
Hello @sanjay_kumar
Thanks for your email.
Unfortunately I can't access the article, could you please share it with me somehow?
05-07-2023 11:39 PM
You can manually create a CIWL (Client Isolation White List) in the AP directly using the AP CLI command below. This command can be pushed to all APs from the AP CLI script on the controller.
set ciwl wlanX <ip> <mac> <vlan>
Additional caveats:
The L2 network will break down if the auto-whitelist learns a spoofed gateway IP/MAC.
The AP can NOT learn whitelist information if the admin enables isolation after it has been disabled for a while and no DHCP is sent after it is enabled, unless all stations are de-associated.
IPv6 is NOT supported.
The AP can NOT learn the whitelist when a UE roams from one AP to another AP if no other UE DHCP packet is sent.
If the user configured a walled garden in a WISPr WLAN, users cannot access it after being authorized when they are in the same subnet as the UE.
If all UEs under a subnet/VLAN are configured with static addresses, users can NOT access the network if the AP has to learn the whitelist.
Can NOT learn the inbound gateway of first-hop redundancy protocols (except HSRPv2).
Workaround to address it:
a. Add HSRP anti-spoofing: drop HSRP packets coming from the wireless interface.
b. Enable L2 unicast bypass via:
set ci-bypass <wlan name> {enable|disable}
get ci-bypass <wlan name>
c. After unicast bypass is enabled, drop outbound frames whose destination MAC is not in the whitelist.
d. Pass L2 unicast inbound.
How to create the AP CLI script:
For controller version 5.1.0 and older, follow these steps:
1. Use any simple text editor (like Notepad or vi) with the format below:
#define AP FW version (must match the AP version in the zone)
fw_version=3.4.0.0.682
#define Model class (only option available is 'all')
model=all
# Command (these are examples, any AP CLI command will be accepted; One command per line)
set remote-mgmt snmp
set snmp community ro READ
Example:
fw_version=3.4.0.0.682
model=all
set ciwl wlan32 10.10.10.10 aa:bb:cc:dd:ee:ff 10
The script will be executed only on currently connected APs. If at a later time new APs are added into the zone, or APs were disconnected when it was executed, the script needs to be executed again.
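As an added example (not from this thread and not Ruckus code), a small Python generator that builds the controller-side AP CLI script described above from a list of trusted gateways. Because the thread notes that the auto-learned whitelist can pick up a spoofed gateway from sniffed DHCP, pinning the real gateway with a static set ciwl entry is the defensive choice; the function validates the IP, MAC and VLAN fields before emitting each line. The gateway values and the GATEWAYS list are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample input (placeholder values, not from any real deployment):
# one trusted gateway per WLAN that client isolation must never block.
GATEWAYS = [
    {"wlan": 32, "ip": "10.10.10.10", "mac": "AA-BB-CC-DD-EE-FF", "vlan": 10},
]

# Six hex octets separated by ':' or '-'.
_MAC_RE = re.compile(r"^" + r"[:-]".join([r"([0-9a-f]{2})"] * 6) + r"$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; return lowercase colon form."""
    m = _MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(m.groups())


def ciwl_line(wlan: int, ip: str, mac: str, vlan: int) -> str:
    """Build one 'set ciwl wlanX <ip> <mac> <vlan>' command with every field checked."""
    if not isinstance(wlan, int) or wlan < 0:
        raise ValueError(f"bad WLAN index: {wlan!r}")
    # IPv4Address rejects garbage and IPv6 (the thread notes IPv6 is not supported).
    addr = ipaddress.IPv4Address(ip)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan!r}")
    return f"set ciwl wlan{wlan} {addr} {normalize_mac(mac)} {vlan}"


def build_script(fw_version: str, entries: list) -> str:
    """Emit the AP CLI script: fw_version header, model=all, then one command per line."""
    if not re.fullmatch(r"\d+(\.\d+)+", fw_version):
        raise ValueError(f"fw_version must be dotted numeric, got {fw_version!r}")
    lines = [f"fw_version={fw_version}", "model=all"]
    lines += [ciwl_line(**entry) for entry in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # fw_version must match the AP firmware in the zone; 3.4.0.0.682 is the thread's example.
    print(build_script("3.4.0.0.682", GATEWAYS), end="")
```

Paste the printed text into the controller's AP CLI script as the thread describes; the validation only catches typos, it does not confirm that the address really is your gateway.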
05-08-2023 05:26 AM
Thanks @sanjay_kumar
I have one additional question. Is it possible to apply this script directly to one AP? I logged in to the AP directly and tried to enter this command, but it doesn't work.