
Mon, Sep 13, 2021 6:32 PM

Guest WLAN exception

Hello,

I have two WLANs in my zone: one for our employees and one for guests/employee mobile devices.

We wanted to have a guest WLAN that was isolated, and we wanted mobile devices on it as well. The issue I am having is that when people are not at their desk but in a different office or building, they cannot access their email (we have an on-site email server).

I have tried to do a whitelist exception but cannot, because I am running DHCP/NAT services. Is there another option? I was thinking maybe an L3 Access Control policy?

Official Rep


3 m ago

Hi,

In this case you can create a standard WLAN and then create the isolation using L3 ACLs. This is the only way.


3 m ago

Ok, that is what I was starting to think...

I do have a question, though. I am using a Virtual SmartZone. On the L3 Access Control, can I do a range of IPs, or would this have to be 1:1?


3 m ago

I guess what I am trying to figure out is:

1) Do I NEED to use the source/destination ports?

2) Source IP: Is this the network ID/subnet, or the device IP and subnet?

3) Destination IP: The destination IP/subnet of the server I am trying to get to?

Official Rep


3 m ago

Hi Ashour,

If you use the toggle button, it will change the setting between a single port/IP and a range.

For example, if you turn Off the Source IP button, it will let you define a single IP address. If you turn it On, you can configure a whole subnet.

If you don't want to define any ports, you can leave them blank, because they are not mandatory fields.

If you use the combination, then the access rule will be more specific.

For example, if you use both the source and destination addresses, then the system will allow/deny the traffic based on the source and destination IP.

If you just use the source or destination IP, then the rule will be applicable accordingly.


2 m ago

The one part I am still having trouble figuring out is this: I have a virtual machine running on vCenter that I want to be able to access, but nothing else. When I make my policy, would I have to make rules to allow me to get to the IP of vCenter and of the virtual machine I want access to?

Official Rep


@ashour_shamoon I think only allowing DHCP, DNS and the vCenter server IP should be enough. No need to use both source and destination; just add these as the destination and choose Direction as bi-directional.

Regards,

Syamantak Omer

Official Rep | Staff TSE | CWNA | CCNA | RASZA | RICXI
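The following is an added example, not code from the thread or from Ruckus: a small Python model of how an L3 ACL of the kind described above evaluates guest traffic. It exists to make the semantics concrete (an unset field matches anything, a host address versus a subnet, a bi-directional rule also matching the reply packet, and everything unmatched falling through to a default deny). The rule fields, the first-match/default-deny behaviour, and all addresses (guest subnet 10.20.0.0/24, DHCP server 10.10.0.5, DNS 10.10.0.10, vCenter 10.10.0.50, mail server 10.10.0.25) are assumptions for illustration and should be checked against your own vSZ policy and addressing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One L3 ACL entry (hypothetical model of the vSZ form fields, not the product's API).

    Every field except `action` is optional: an unset field matches anything, so
    combining fields makes the rule more specific, as the thread describes."""
    action: str                               # "allow" or "deny"
    src: Optional[str] = None                 # "10.20.0.15" (single host) or "10.20.0.0/24" (subnet)
    dst: Optional[str] = None
    proto: Optional[str] = None               # "tcp" / "udp"; None = any protocol
    dport: Optional[Tuple[int, int]] = None   # inclusive destination-port range; None = any port
    bidirectional: bool = True                # also match the reply direction


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _addr_in(addr: str, spec: Optional[str]) -> bool:
    # A bare host address parses as a /32 network, so one helper covers both toggle states.
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_in(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet matches the rule in the forward direction or, for a
    bi-directional rule, as a reply (addresses swapped, server port now the source port)."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if _addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst) and _port_in(pkt.dport, rule.dport):
        return True
    if rule.bidirectional:
        return _addr_in(pkt.dst, rule.src) and _addr_in(pkt.src, rule.dst) and _port_in(pkt.sport, rule.dport)
    return False


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action (assumed deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed guest-WLAN policy following the advice in the thread: only DHCP, DNS and
# the vCenter address as destinations, all bi-directional, nothing else reachable.
GUEST_ACL: List[Rule] = [
    Rule("allow", dst="255.255.255.255", proto="udp", dport=(67, 67)),  # DHCP discover/request (broadcast)
    Rule("allow", dst="10.10.0.5", proto="udp", dport=(67, 67)),        # DHCP renew to the server (assumed)
    Rule("allow", dst="10.10.0.10", dport=(53, 53)),                    # DNS, UDP and TCP
    Rule("allow", dst="10.10.0.50"),                                    # vCenter, any port
]


def walkthrough() -> List[Tuple[str, str]]:
    """Constructed sample flows from a guest client at 10.20.0.15 and the verdict each gets."""
    flows = [
        ("guest -> vCenter https",        Packet("10.20.0.15", "10.10.0.50", "tcp", 51000, 443)),
        ("vCenter -> guest (reply)",      Packet("10.10.0.50", "10.20.0.15", "tcp", 443, 51000)),
        ("guest -> DNS udp",              Packet("10.20.0.15", "10.10.0.10", "udp", 40000, 53)),
        ("guest -> mail server https",    Packet("10.20.0.15", "10.10.0.25", "tcp", 51001, 443)),
        ("guest -> other guest smb",      Packet("10.20.0.15", "10.20.0.16", "tcp", 51002, 445)),
        ("guest -> vCenter ssh",          Packet("10.20.0.15", "10.10.0.50", "tcp", 51003, 22)),
    ]
    return [(name, evaluate(GUEST_ACL, pkt)) for name, pkt in flows]


if __name__ == "__main__":
    for name, verdict in walkthrough():
        print(f"{name:30s} {verdict}")
```

Two points the walk-through makes visible: the bi-directional flag is what lets the vCenter reply reach the guest without a separate source-address rule, and because the vCenter rule sets no port, every port on that host (SSH as well as HTTPS) is reachable from the guest WLAN; add a port range to the rule if that is wider than intended.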
