L3/L4 User Traffic Profiles in vSCG

  • Updated 3 years ago
Hi, I would like to create a User Traffic Profile in the vSCG that only allows access to the internet and no local LAN access, and then apply it to a WLAN. How can I achieve this?

Samuel Eng


Posted 3 years ago


Rob Krumm

Hi Samuel,

If you are trying to allow internet access only, you can go into the L3/L4 traffic policy list and set the policy to "allow all by default". Then you want to add deny rules for all private IP ranges on all protocols; these include:

10.0.0.0/8
192.168.0.0/16
172.16.0.0/12

This should prevent a customer from reaching any Private IP ranges.

Hope this helps!

Rob
Samuel Eng

Thanks for your reply!

But in order to access the internet, the client would have to communicate with its default gateway. Wouldn't the rules above deny that type of traffic?
Rob Krumm

Hi Samuel,

That will not be the case. We will block traffic based on the destination address in the IP packet, not which device the packet has been passed to.

So if you try to ping an address on the internet, the destination IP in the packet will be the IP address of the website you are trying to reach and we will allow it through.

If on the other hand, you are trying to ping the router, or another AP, or maybe another client, the destination address will be private and we will drop the traffic at the AP.

Hope this clarifies!

Rob
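The two answers above describe an allow-by-default L3/L4 profile with deny rules for the three RFC 1918 ranges, evaluated against the destination IP of each packet rather than against the gateway the packet is handed to. The following Python model, added here as an illustration and not code from the thread or from the vSCG itself, reproduces that first-match evaluation so the behaviour can be checked against sample flows. The `Rule`/`Packet` structures and the function names are assumptions for this example; the flows are constructed, with 203.0.113.10 (a documentation range) standing in for an internet host. The deny list is parameterised, so any additional range you decide to block (the thread lists only the three private ranges) can be appended without changing the evaluation logic.

```python
import ipaddress
from dataclasses import dataclass

# Deny rules exactly as listed in the answer above (RFC 1918 private ranges).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
]


@dataclass(frozen=True)
class Rule:
    """One L3/L4 policy entry (hypothetical structure for this example)."""
    action: str                              # "allow" or "deny"
    destination: ipaddress.IPv4Network       # matched against the packet's dst IP
    protocol: str = "any"                    # "any", "tcp", "udp", "icmp", ...


@dataclass(frozen=True)
class Packet:
    """Fields relevant to the policy decision (constructed for this example)."""
    src: str
    dst: str
    protocol: str
    next_hop: str   # the gateway/AP the client forwards to; deliberately NOT consulted


def build_internet_only_profile(deny_ranges=PRIVATE_RANGES):
    """Allow-all-by-default profile with a deny rule per private range, all protocols."""
    return [Rule("deny", net, "any") for net in deny_ranges]


def evaluate(profile, dst_ip, protocol="tcp", default="allow"):
    """First-match evaluation on destination IP; falls through to the default action."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in profile:
        if rule.protocol not in ("any", protocol):
            continue
        if dst in rule.destination:
            return rule.action
    return default


def decide(profile, packet):
    """Decision for a packet: only dst and protocol matter, next_hop is ignored."""
    return evaluate(profile, packet.dst, packet.protocol)


def demo_decisions():
    """Run the constructed flows through the profile and return {description: decision}."""
    profile = build_internet_only_profile()
    gw = "192.168.10.1"   # constructed client subnet gateway
    flows = {
        "ping internet host via gateway": Packet("192.168.10.23", "203.0.113.10", "icmp", gw),
        "ping the gateway itself":        Packet("192.168.10.23", gw, "icmp", gw),
        "tcp to another client":          Packet("192.168.10.23", "192.168.10.45", "tcp", gw),
        "udp to 10/8 server":             Packet("192.168.10.23", "10.0.5.7", "udp", gw),
        "tcp to top of 172.16/12":        Packet("192.168.10.23", "172.31.255.254", "tcp", gw),
        "tcp to 172.32.0.1 (public)":     Packet("192.168.10.23", "172.32.0.1", "tcp", gw),
    }
    return {name: decide(profile, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{decision:5s}  {name}")
```

The "172.32.0.1" flow is included on purpose: 172.16.0.0/12 ends at 172.31.255.255, so an address one step past it is treated as public and allowed, which is the expected result of the /12 rule in the answer, not a gap in it.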