use [aaa-policy|application-policy|association-acl-policy|bonjour-gw-discovery-policy|
captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|
purview-application-policy|roaming-assist-policy|url-filter|wlan-qos-policy]
use [aaa-policy <AAA-POLICY-NAME>|application-policy <APP-POLICY-NAME>|
association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|
captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|
purview-application-policy <POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|
url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
use [aaa-policy <AAA-POLICY-NAME>|application-policy <APP-POLICY-NAME>|
association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|
captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|
purview-application-policy <POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|
url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
aaa-policy <AAA-POLICY-NAME> | Uses an existing AAA policy with a WLAN |
association-acl-policy <ASSOCIATION-POLICY-NAME> | Uses an existing association ACL policy with a WLAN |
application-policy <APP-POLICY-NAME> | Uses an existing application policy with the WLAN. WLAN traffic is inspected, and access control and quality of service actions are applied based on the rules defined in the application policy. Note: WiNG 5.9.X-enabled devices use a third-party DPI engine to detect pre-defined application definitions. To enable AVC and app-usage stats reporting in a WiNG 5.9.X network, see application-group and application-policy. |
bonjour-gw-discovery-policy <POLICY-NAME> | Uses an existing Bonjour GW Discovery policy with a WLAN. When associated, the Bonjour GW Discovery policy defines a list of Apple services clients can discover across subnets. Bonjour enables discovery of services on a LAN. Bonjour allows setting up a network (without any configuration) in which services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains. |
captive-portal <CAPTIVE-PORTAL-NAME> | Specifies the captive-portal policy to use if enforcing captive-portal authentication on this WLAN |
passpoint-policy <PASSPOINT-POLICY-NAME> | Associates a passpoint policy (Hotspot2 configuration) with this WLAN. Map a passpoint policy to a WLAN. Since the configuration gets applied to the radio by BSS, only the Hotspot 2.0 configuration of primary WLANs on a BSSID is used. Incoming Hotspot 2.0 GAQ/ANQP requests from clients are identified by their destination MAC addresses and are handled by the passpoint policy from the primary WLAN on that BSS. Define one passpoint policy for every WLAN configured. |
purview-application-policy <PURVIEW-APP-POLICY-NAME> | Uses an existing Purview application policy with the WLAN. WLAN traffic is inspected, and access control and quality of service actions are applied based on the rules defined in the Purview application policy. Note: WiNG 7.1.X-enabled devices use Extreme Networks' ExtremeAnalytics for ExtremeCloud IQ - Site Engine (Purview™) DPI engine to detect pre-defined application definitions. To enable AVC in a WiNG 7.1.X network, see purview-application-group and purview-application-policy. |
roaming-assist-policy <POLICY-NAME> | Associates an existing roaming assist policy with this WLAN |
url-filter <URL-FILTER-NAME> | Associates an existing URL list with this WLAN |
wlan-qos-policy <WLAN-QOS-POLICY-NAME> | Uses an existing WLAN QoS policy with a WLAN |
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
ip-access-list [in|out] <IP-ACCESS-LIST-NAME> | Applies an IP access list to incoming and outgoing packets |
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME> | Applies an IPv6 access list to incoming and outgoing packets |
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> | Applies a MAC access list to incoming and outgoing packets. |
IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs as firewalls to filter or mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of conditions (rules) and the action taken in case of a match. The action can be permit, deny, or mark. Therefore, when a packet matches an ACE's conditions, it is either forwarded, dropped, or marked depending on the action specified in the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.
IP ACLs contain deny and permit rules specifying source and destination IP addresses. Each rule has a precedence order assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.
Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny, or mark designation to WLAN packet traffic.
Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.
nx9500-6C8809(config-wlan-test)#use aaa-policy test
nx9500-6C8809(config-wlan-test)#use association-acl-policy test
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
 use association-acl-policy test
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
nx9500-6C8809(config-wlan-test)#
nx9500-6C8809(config-wlan-ipad_clients)#use bonjour-gw-discovery-policy generic
nx9500-6C8809(config-wlan-ipad_clients)#show context
wlan ipad_clients
 ssid ipad_clients
 vlan 41
 bridging-mode local
 encryption-type none
 authentication-type none
 use bonjour-gw-discovery-policy generic
nx9500-6C8809(config-wlan-ipad_clients)#
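A way to review the `use` bindings in saved `show context` output, as an added Python example that is not part of the WiNG documentation: it parses WLAN blocks and reports open SSIDs without a captive-portal policy and traffic directions with no IP, IPv6 or MAC ACL attached. The function names, the finding strings, the one-setting-per-line layout and the `guest` WLAN with its policy names are assumptions constructed for illustration.

```python
ACL_KINDS = ("ip-access-list", "ipv6-access-list", "mac-access-list")

def parse_wlans(text):
    """Return {wlan_name: [setting lines]} from 'show context' style text."""
    wlans, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ")#" in line:       # skip blanks and CLI prompt lines
            continue
        if raw.startswith("wlan "):        # unindented line opens a WLAN block
            current = wlans.setdefault(line.split()[1], [])
        elif current is not None:
            current.append(line)
    return wlans

def audit(settings):
    """Return findings for one WLAN based on its 'use' statements."""
    policies, acl_dirs = {}, set()
    for line in settings:
        tok = line.split()
        if tok[0] != "use" or len(tok) < 3:
            continue
        if tok[1] in ACL_KINDS:            # use <acl-kind> [in|out] <NAME>
            acl_dirs.add(tok[2])
        else:                              # use <policy-type> <NAME>
            policies[tok[1]] = tok[2]
    findings = []
    is_open = ("encryption-type none" in settings
               and "authentication-type none" in settings)
    if is_open and "captive-portal" not in policies:
        findings.append("open SSID with no captive-portal policy")
    for direction in ("in", "out"):
        if direction not in acl_dirs:
            findings.append(f"no ACL applied {direction}")
    return findings

def audit_all(text):
    return {name: audit(s) for name, s in parse_wlans(text).items()}

# Constructed sample: 'test' is trimmed from the page's example output,
# 'guest' and its policy names are invented for contrast.
SAMPLE = """\
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 encryption-type none
 authentication-type none
 use aaa-policy test
 use association-acl-policy test
wlan guest
 ssid guest
 encryption-type none
 authentication-type none
 use captive-portal guest_cp
 use ip-access-list in guest_in
 use ip-access-list out guest_out
"""
```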
no (wlan-config-mode) | Removes the following policies associated with a WLAN: aaa-policy, application-policy, association-acl-policy, bonjour-gw-discovery-policy, captive-portal, ip-access-list, ipv6-access-list, mac-access-list, passpoint-policy, roaming-assist-policy, url-filter, or wlan-qos-policy. |