Configuring Access Rules

You can configure access rules using the Instant UI or the CLI.

In the Instant UI

1. Navigate to the WLAN wizard or the Wired settings window:
   - To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network profile or click Edit to modify an existing profile.
   - To configure access rules for a wired profile, click More > Wired. In the Wired window, click New under Wired Networks to create a new network or click Edit to select an existing profile.
3. Using the slider, select Network-based to specify access rules for the network.
4. Click New to add a new rule. The New Rule window is displayed.
5. In the New Rule window, specify the following parameters:
Table 1: Access Rule Configuration Parameters

Rule type
    Select a rule type, for example Access control, from the drop-down list.

Action
    Select one of the following actions:
    - Allow: allows access to users based on the access rule.
    - Deny: denies access to users based on the access rule.
    - Destination-NAT: allows changes to the destination IP address.
    - Source-NAT: allows changes to the source IP address.

Service
    Select a service from the list of available services. You can allow or deny access to any or all of the following services, based on your requirement:
    - any: access is allowed or denied to all services.
    - custom: available options are TCP, UDP, and Other. If you select the TCP or UDP option, enter the appropriate port numbers. If you select the Other option, enter the appropriate protocol ID.
    - adp: Application Distribution Protocol
    - bootp: Bootstrap Protocol
    - cups: Common UNIX Printing System
    - dhcp: Dynamic Host Configuration Protocol
    - esp: Encapsulating Security Payload
    - ftp: File Transfer Protocol
    - gre: Generic Routing Encapsulation
    - h323-tcp: H.323 over Transmission Control Protocol
    - h323-udp: H.323 over User Datagram Protocol
    - http-proxy2: Hypertext Transfer Protocol proxy 2
    - http-proxy3: Hypertext Transfer Protocol proxy 3
    - http: Hypertext Transfer Protocol
    - https: Hypertext Transfer Protocol Secure
    - icmp: Internet Control Message Protocol
    - ike: Internet Key Exchange
    - kerberos: computer network authentication protocol
    - l2tp: Layer 2 Tunneling Protocol
    - lpd-tcp: Line Printer Daemon protocol over Transmission Control Protocol
    - lpd-udp: Line Printer Daemon protocol over User Datagram Protocol
    - msrpc-tcp: Microsoft Remote Procedure Call over Transmission Control Protocol
    - msrpc-udp: Microsoft Remote Procedure Call over User Datagram Protocol
    - netbios-dgm: Network Basic Input/Output System Datagram Service
    - netbios-ns: Network Basic Input/Output System Name Service
    - netbios-ssn: Network Basic Input/Output System Session Service
    - noe: Alcatel NOE service
    - ntp: Network Time Protocol
    - papi: Point of Access for Providers of Information
    - pop3: Post Office Protocol 3
    - pptp: Point-to-Point Tunneling Protocol
    - rtsp: Real Time Streaming Protocol
    - sccp: Skinny Call Control Protocol
    - sips: Session Initiation Protocol
    - sip-tcp: Session Initiation Protocol over Transmission Control Protocol
    - sip-udp: Session Initiation Protocol over User Datagram Protocol
    - smb-tcp: Server Message Block over Transmission Control Protocol
    - smb-udp: Server Message Block over User Datagram Protocol
    - smtp: Simple Mail Transfer Protocol
    - snmp: Simple Network Management Protocol
    - snmp-trap: Simple Network Management Protocol trap
    - svp: Software Validation Protocol
    - telnet: Telnet network protocol
    - tftp: Trivial File Transfer Protocol

Destination
    Select a destination option. You can allow or deny access to any of the following destinations, based on your requirements:
    - To all destinations: access is allowed or denied to all destinations.
    - To a particular server: access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
    - Except to a particular server: access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
    - To a network: access is allowed or denied to a network. After selecting this option, specify the IP address and netmask of the destination network.
    - Except to a network: access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
    - To domain name: access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

Log
    Select this check box if you want a log entry to be created each time this rule is triggered. The Instant firewall supports firewall-based logging; firewall logs on the IAPs are generated as syslog messages.

Blacklist
    Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients.

Classify media
    Select the Classify media check box to prioritize video and voice traffic. When enabled, packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:
    - Video: Priority 5 (Critical)
    - Voice: Priority 6 (Internetwork Control)

Disable scanning
    Select the Disable scanning check box to disable ARM scanning when this rule is triggered. This setting takes effect only if ARM scanning is enabled. For more information, see Configuring Radio Settings for an IAP.

DSCP tag
    Select the DSCP tag check box to specify a DSCP value that prioritizes traffic when this rule is triggered. Specify a value within the range of 0 to 63. To assign a higher priority, specify a higher value.

802.1p priority
    Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.
|
6. Click OK and then click Finish.
In the CLI
To configure access rules:
(Instant Access Point)(config)# wlan access-rule <access-rule-name>
(Instant Access Point)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit | deny | src-nat | dst-nat {<IP-address> <port> | <port>}} [<option1…option9>]
(Instant Access Point)(Access Rule <Name>)# end
(Instant Access Point)# commit apply
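The following CLI session is an added example, not part of the original guide, showing how the Table 1 parameters map onto the rule syntax above for a constructed guest network: a named service with its port range, a "To a particular server" destination written as a host address with a /32 mask, an "Except to a network" destination, and a logged deny. The rule name, addresses and ports are constructed values. The keywords any, match and invert in the <dest>, <mask> and <match> positions, and the option keywords log and dscp-tag, are assumed to correspond to the UI options in Table 1; confirm them against the CLI reference for the firmware in use.

```text
! Constructed example: guest clients may use DHCP, one DNS server and the web,
! but nothing on the internal 10.0.0.0/8 range. Instant evaluates rules in
! order, so the specific permits come before the broad deny.
(Instant Access Point)(config)# wlan access-rule guest-web
! Service dhcp, to all destinations, Allow
(Instant Access Point)(Access Rule "guest-web")# rule any any match dhcp 67 68 permit
! Custom UDP service on port 53, to a particular server (host mask), Allow
(Instant Access Point)(Access Rule "guest-web")# rule 10.20.1.53 255.255.255.255 match udp 53 53 permit
! Service http/https, except to the internal network ("invert" assumed to
! express the Except option), Allow; dscp-tag option assumed for the DSCP tag check box
(Instant Access Point)(Access Rule "guest-web")# rule 10.0.0.0 255.0.0.0 invert http 80 80 permit
(Instant Access Point)(Access Rule "guest-web")# rule 10.0.0.0 255.0.0.0 invert https 443 443 permit dscp-tag 10
! Service any, to the internal network, Deny with the Log check box set:
! each hit produces a syslog message, which is the visibility a defender wants
(Instant Access Point)(Access Rule "guest-web")# rule 10.0.0.0 255.0.0.0 match any any any deny log
(Instant Access Point)(Access Rule "guest-web")# end
(Instant Access Point)# commit apply
```

The logged deny is the rule worth keeping even if the rest is adapted: without the log option a blocked internal-range attempt leaves no trace in the IAP syslog, and the Blacklist option (not used here) would additionally remove the client for the Auth failure blacklist time configured on the Security window.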