Client isolation on vSZ
01-23-2016 07:20 AM
Hi
I configured client isolation on vSZ. It's working from WiFi client to WiFi client. But I can reach hosts connected with an Ethernet cable in the same subnet.
OK... so I tried to place an L2 access list, to allow only traffic to the gateway, DHCP and broadcast. But it seems that this ACL uses the MAC addresses as source MAC and not destination... so I would have to add all WiFi clients, and this is not possible...
Is there another way to place an L2 or L3 ACL? How can I set up isolation from cabled hosts in the net?
Thank you very much!
Adrian
4 REPLIES
01-23-2016 07:50 AM
When Client Isolation = Yes, it should result in WiFi clients not being able to communicate with each other but they should be able to communicate with the Default Gateway (which is learned via DHCP traffic).
Do you have a DHCP server running on this SSID?
Are you trying to communicate with an IP which is not listed in the DHCP Response?
01-23-2016 08:58 AM
Yes, there is a DHCP server in place.
What do you mean by "not listed in the DHCP response"?
The IP which I tried to ping was the domain controller in this network, and because it's a guest WLAN this access should not be possible... As far as I remember, the IPs which I could ping were fixed configured IPs; at least the server was fixed for sure.
But I have to test again with a focus on dynamically configured IPs next week.
Is the only way to block this access with an L2 access list and blocking the MAC address of the server?
01-23-2016 09:02 AM
Take a look at https://support.ruckuswireless.com/answers/000005359 to understand how CI works.
In simple terms, to make CI work correctly, you need to design your network to have nothing but a default gateway and DHCP server on your guest VLAN.
01-24-2016 01:36 PM
You could create an ACL on your network to prevent wireless clients seeing your internal cabled network:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Good luck
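As an added illustration of the approach in the last two replies (this is not configuration from the thread or from Ruckus/Cisco documentation): it assumes the guest WLAN has been moved onto its own VLAN 50 with subnet 192.168.50.0/24, the L3 switch/router SVI 192.168.50.1 as gateway and DHCP relay, a DHCP server at 192.168.10.5 and the wired LAN on 192.168.10.0/24. All of these values are constructed. The extended ACL on the guest SVI lets through only what client isolation also expects on the VLAN, DHCP and the gateway, and drops guest traffic towards internal address space before the final permit for Internet-bound traffic.

```cisco
! Guest SVI: default gateway and DHCP relay for the guest VLAN (assumed VLAN 50)
interface Vlan50
 description GUEST-WLAN
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.10.5
 ip access-group GUEST-IN in

ip access-list extended GUEST-IN
 remark DHCP from guest clients (bootpc -> bootps), incl. unicast renewals
 permit udp any eq bootpc any eq bootps
 remark DNS only to the gateway (assumes the gateway forwards DNS)
 permit udp any host 192.168.50.1 eq domain
 remark Explicitly drop and log guest -> wired LAN
 deny   ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 remark Drop anything else bound for private address space
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else (Internet) is allowed
 permit ip any any
```

An inbound ACL on the SVI only sees traffic that crosses the router, which is exactly why the reply above insists on a guest VLAN containing nothing but the gateway and DHCP: wired hosts left in the same VLAN as the WiFi clients are reached at layer 2 and never hit this ACL, so client isolation on the WLAN side and the VLAN separation have to go together. The `log` keyword on the first deny gives you syslog evidence of guest clients probing the internal range.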