WLANs use Firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on Layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.
IP based Firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC.
Additionally, administrators can filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic.
Keep in mind that IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.
To review access policies, create a new policy or edit the properties of an existing policy:
The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters, and Client Deny Limits.
If you are creating a new IP firewall rule, provide a name up to 32 characters.
Note
Only those selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL‘s column to display a pop-up to adjust that one value.Precedence | Specify or modify a precedence for this IP policy between 1 and 5000. Rules with lower precedence are always applied to packets first. If you modify a precedence to apply a higher integer, it will move down the table to reflect its lower priority. |
Action | Every IP Firewall rule is made up
of matching criteria rules. The action defines what to do
with the packet if it matches the specified criteria. The
following actions are supported:
|
DNS Name | Specify the DNS Name which may be a full domain name, a portion of a domain name or a suffix. This name is used for the DNS Match Type criteria. |
DNS Match Type | Specify the DNS matching criteria that the DNS Name can be matched against. This can be configured as an exact match for a DNS domain name, a suffix for the DNS name or a domain that contains a portion of the DNS name. If traffic matches the configured criteria in the DNS Match Type, that rule will be applied to the ACL. |
Source | Select the source IP address or network group configuration used as basic matching criteria for this IP ACL rule. |
Destination | Determine whether filtered packet destinations for this IP firewall rule do not require any classification (any), are designated as a set of configurations consisting of protocol and port mappings (an alias), set as a numeric IP address (host) or defined as network IP and mask. Selecting alias requires that a destination network group alias be available or created. |
Network Service Alias | The service alias is a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $) and include the protocol as relevant. Selecting either tcp or udp displays an additional set of specific TCP/UDP source and destination port options. |
Source Port | If you are using either tcp or
udp as the protocol, define whether the source
port for incoming IP ACL rule application is any,
equals, or an administrator defined range. If
you are not using tcp or
udp, this setting displays as N/A. This is the
data local origination port designated by the administrator.
Selecting equals invokes a spinner control for setting a
single numeric port. Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for low and high numeric range settings. A source port cannot be a destination port. |
Destination Port | If you are using either tcp or
udp as the protocol, define whether the
destination port for outgoing IP ACL rule application is
any, equals, or
an administrator defined range. If you are not using tcp or
udp, this setting displays as N/A. This is the
data destination virtual port designated by the
administrator. Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for low and high numeric range settings. A source port cannot be a destination port. |
ICMP Type | Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. The Internet Control Message Protocol (ICMP) uses messages identified by numeric type. ICMP messages are used for packet flow control or generated in IP error responses. ICMP errors are directed to the source IP address of the originating packet. Assign an ICMP type from 1-10. |
ICMP Code | Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues, for example 0 - Net Unreachable, 1 - Host Unreachable, and 2 - Protocol Unreachable. |
Start VLAN | Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter. The Start VLAN represents the virtual LAN beginning numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply. |
End VLAN | Select an End VLAN icon within a table row to set (apply) an end VLAN range for this IP ACL filter. The End VLAN represents the virtual LAN end numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply. |
Mark | Select an IP Firewall rule‘s Mark checkbox to enable or disable event marking and set the rule‘s 8021p or dscp level (from 0 - 7). |
Log | Select an IP Firewall rule‘s Log checkbox to enable or disable event logging for this rule‘s usage. |
Enable | Select an IP Firewall rule‘s Enable or Disable icon to determine this rule‘s inclusion with the IP firewall policy. |
Description | Lists the administrator assigned description applied to the IP ACL rule. Select a description within the table to modify its character string as filtering changes warrant. Select the icon within the Description table header to launch a Select Columns screen used to add or remove IP ACL criteria from the table. |
Allow | Every IP Firewall rule is made up of matching criteria
rules. The action defines what to do with the packet if it
matches the specified criteria. The following actions are
supported:
|
VLAN ID | Enter a VLAN ID representative of the shared SSID each user employs to inter-operate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 - 4094. EX3500 PoE switches utilize a VLAN Mask option (from 0 - 4095) to mask the exposure of the VLAN ID. |
Match 802.1P | Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7. |
Source and Destination MAC | Enter both Source and Destination MAC addresses. The wireless controller uses the source IP address, destination MAC address as basic matching criteria. Provide a subnet mask if using a mask. |
Action | The following actions are supported:
|
Traffic Class | Sets an ACL traffic classification value for the packets identified by this inbound MAC filter. Traffic classifications are used for QoS purposes. Use the spinner to define a traffic class from 1- 10. |
Ethertype | Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame. EX3500 PoE switches utilize an Ether Mask option (from 0 - 65535) to mask the exposure of the Ethertype. |
Precedence | Use the spinner control to specify a precedence for this MAC Firewall rule between 1-1500. Access policies with lower precedence are always applied first to packets. |
Description | Provide an ACL setting description (up to 64 characters) for the rule to help differentiate it from others with similar configurations. |
Application Policy | Use the drop-down menu to assign an application policy to the WLAN‘s firewall
configuration. Applications recognized and classified by the
external, third-party DPI engine are applied
administrator-defined actions. An application policy defines
the rules or actions executed on recognized HTTP, SSL and
voice/video applications. For more information, refer to
Create an Application Policy. Note: Legacy WiNG devices, running WiNG 7.1.2 and
later versions of the WiNG 7 OS, use a third-party DPI
engine to detect top-level hosting applications along
with the services these applications host. Whereas,
AP5XX model APs, running WiNG 7.1.2 and later versions
of the WiNG 7 OS, use the Purview™ libDPI engine.
For legacy WiNG deployments specify an application policy to enforce AVC on the WLAN traffic. For WiNG AP5xx deployments, specify a Purview application policy to enforce AVC on the WLAN traffic. Refer to the WiNG 7.2.1 CLI reference guide for information on Purview Application policy. |
Voice/Video Metadata | Select this option to enable the extraction of voice and video metadata flows. When enabled, administrators can track voice and video calls by extracting parameters (packets transferred and lost, jitter, audio codec and application name). Most Enterprise VoIP applications like Facetime, Skype for Business, and VoIP terminals can be monitored for call quality and visualized on the Extreme NSight dashboard (starting with WiNG 5.9.3, Extreme NSight is a separate target) in manner similar to HTTP and SSL. Call quality and metrics can be determined only from calls that are established as unencrypted. This setting is disabled by default. |
HTTP Metadata | Select this option to enable the extraction of HTTP flows. When enabled, administrators can track HTTP Websites accessed by both internal and guest clients and visualize HTTP data usage, hits, active time and total clients on the Extreme NSight dashboard. This setting is disabled by default. |
SSL Metadata | Select this option to enable the extraction of SSL flows. When enabled, administrators can track SSL Websites accessed by both internal and guest clients and visualize SSL data usage, hits, active time and total clients on the Extreme NSight dashboard. This setting is disabled by default. |
Enable TCP RTT | Select this option to enable the extraction of
Round Trip Time (RTT) from
Transmission Control Protocol (TCP) flows.
When enabled, the RTT information from TCP flows detected on
the VLAN interface associated with the WLAN is extracted and
forwarded to the Extreme NSight appliance by access points.
However, this TCP-RTT metadata is viewable only on the
Extreme NSight dashboard. This setting is disabled by
default. Note: Extreme NSight is a licensed feature. For
more information on Extreme NSight, please refer to the
Extreme NSight™ User Guide, available at https://extremenetworks.com/documentation.
|
ARP Trust | Select the check box to enable ARP Trust on this WLAN. ARP packets received on this WLAN are considered trusted, and is used to identify rogue devices within the network. This setting is disabled by default. |
Validate ARP Header Mismatch | Select this option to verify the mismatch for source MAC in the ARP and Ethernet headers. By default, mismatch verification is enabled. |
DHCP Trust | Select the check box to enable DHCP trust on this WLAN. This setting is disabled by default. |
ND Trust | Select this option to enable the trust of neighbor discovery requests on an IPv6 supported firewall on this WLAN. This setting is disabled by default. |
Validate ND Header Mismatch | Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This setting is enabled by default. |
DHCPv6 Trust | Select this option to enable the trust all DHCPv6 responses on this WLAN‘s firewall. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default. |
RA Guard | Select this option to enable router advertisements or ICMPv6 redirects on this WLAN‘s firewall. This setting is disabled by default. |
Wireless Client Denied Traffic Threshold | If enabled, any associated client that exceeds the thresholds configured for storm traffic is either de-authenticated or blacklisted depending on the selected action. The threshold range is 1-1000000 packets per second. This feature is disabled by default. |
Action | If you are enabling a wireless client threshold, use the drop-down menu to determine whether clients are deauthenticated when the threshold is exceeded or blacklisted from connectivity for a user defined interval. Selecting None applies no consequence to an exceeded threshold. |
Blacklist Duration | Select the check box and define a setting between 0 - 86,400 seconds. After the blacklist duration has been exceeded, offending clients can reauthenticate once again. |