CommScope RUCKUS Community Forums

asdasdas · ‎05-05-2023

Hello,

I have an old Virtual SmartZone - version is 3.4.0.0.... And I would like to enable client isolation on the SSID. Where do I need to add my gateway ip-mac for whitlisting?

sanjay_kumar · ‎05-06-2023

Hi @asdasdas
The APs connected to vSZ should sniff the DHCP packets and automatically use the default gateway MAC to create the White list. However if you still face issues in reaching the gateway from clients, then you can configure the Gateway in the Whitelist.

Creating the whitelist on 3.4 version is not available on the GUI. The GUI option has been added starting from 3.5.
However, you can still create the client isolation whitelist on 3.4 from AP CLI.
You need to create the AP CLI script on the controller and push the Whitelist command to the APs from CLI script.
Below are the articles explaining the procedure.

Client isolation from AP CLI on 3.4 firmware
https://support.ruckuswireless.com/articles/000005359

Create a AP CLI script for client isolation.
https://support.ruckuswireless.com/articles/000004057

I hope this should be helpful, let me know if you have any queries.

Regards,
Sanjay Kumar

asdasdas · ‎05-07-2023

Hello @sanjay_kumar

Thanks four your email,

Unfortunately I can't access to the article, could you please share with me somehow?

sanjay_kumar · ‎05-07-2023

You can manually create a CIWL (Client Isolation White List) in the AP directly using the AP CLI command: This command can be pushed to all APs from the AP CLI script on the controller.
set ciwl wlanX <ip> <mac> <vlan>

Additional caveats:

The L2 network will break down if auto-whitelist learn the spoofed gateway IP/MAC.
AP can NOT learn whitelist information if admin enable it after a while when isolation disabled and no DHCP is sent after enabled ,except we de-associate all stations.
IPv6 is NOT supported.
AP can NOT learn whitelist when a UE roam from AP to another AP if no other UE DHCP packet is seent.
AP can NOT learn whitelist when a UE roam from AP to another AP if no other UE DHCP packet is sent.
If user configured walled garden in WISPR WLAN, user cann’t access them after authorized when they are in the same subnet with UE.
If UE are all static DHCP configured under a subnet/vlan, user can NOT access network if AP learn whitelist.
Can NOT learn First-hop redundancy protocols (except HSRPv2) inbound gateway.

Workaround to address it:

a. Add HSRP anti-spoof ,drop HSRP packet come from wireless interface .
b. enable l2 unicast bypass via

set ci-bypass <wlan name> {enable|disable}
get ci-bypass <wlan name>

c. After enabled unicast bypass , drop if dst mac does not lies in whitelist outbound.
d. Pass l2 unicast inbound.

How to create the AP CLI script:

For controller version 5.1.0 and older, follow these steps:

1. Use any simple text editor (like Notepad or vi, notepad) with below format

#define AP FW version (must match the AP version in the zone)
fw_version=3.4.0.0.682
#define Model class (only option available is 'all')
model=all
# Command (these are examples, any AP CLI command will be accepted; One command per line)
set remote-mgmt snmp
set snmp community ro READ

Example :
fw_version=3.4.0.0.682
model=all
set ciwl wlan32 10.10.10.10 aa:bb:cc:dd:ee:ff 10

2. Save the file.
3. Go to v/SZ/SCG WebUI: Administration -> Diagnostics -> AP CLI Scripts.
4. Select the zone where you want to apply it.
5. Click on 'Browse' and select the file from your PC.
6. Click on 'Upload' to load into SCG.
7. Click on 'Execute' to run it in the selected zone. For each AP you obtain execution status, if any command fails that AP will be marked as Failed. Otherwise it will be marked as 'succeed'.

The script will be executed only on currently connected APs. If at a later time new APs are added into the zone or they were disconnected when it was executed, the script needs to be executed it again.

asdasdas · ‎05-08-2023

Thanks @sanjay_kumar

I have one additional question. Is it possible to apply this script directly to the one AP? I logged to the AP directly, tried to enter this command, but it doesn't work.