Filtering For A Vns; Final Filter Rule - Siemens HiPath C10 User Manual

C10/c100/c1000 ap26 series wireless controller, access points and convergence software, v4.0

Virtual Network Services

6.6 Filtering for a VNS
The VNS capability provides a way to apply policy, allowing different network access to
different groups of users. This is accomplished by packet filtering.
After setting authentication, define the filtering rules for the filters that apply to your network and
the VNS you are setting up. Several filter types are applied by the HiPath Wireless Controller:
• Exception filter – Protects access to a system's own interfaces, including the VNS' own
  interface. VNS exception filters are applied to user traffic intended for the HiPath Wireless
  Controller's own interface point on the VNS. These filters are applied after the user's
  specific VNS state assigned filters.
• Non-authenticated filter with filtering rules that apply before authentication –
  Controls network access and directs users to a Captive Portal web page for login.
• Group filters, by filter ID, for designated user groups – Control access to certain areas
  of the network, with values that match the values defined for the RADIUS filter ID attribute.
• Default filter – Controls access if there is no matching filter ID for a user.
Within each type of filter, define a sequence of filtering rules. The rules must be arranged
in the order that you want them to take effect. Each rule is defined to allow or deny
traffic in either direction:
• In – From a wireless device in to the network
• Out – From the network out to a wireless device
6.6.1 Final filter rule

The final rule in any filter should act as a catch-all for any traffic that did not match a filter. This
final rule should either allow all or deny all traffic, depending on the requirements for network
access. For example, the final rule in a non-authenticated filter for captive portal is typically
deny all. A final allow all rule in a default filter will ensure that a packet is not dropped entirely
if no other match can be found.
A default rule of deny all is automatically created by the system for initial filter definitions. The
administrator can change the action to allow all. However, a default filter rule cannot be
removed. Since a default filter rule provides a catch-all default behavior for packet handling, all
applicable user defined filter rules must be defined prior to this rule.
Each rule can be based on any one of the following:
• Destination IP address or any IP address within a specified range that is on the network
  subnet (as a wildcard)
• Destination ports, by number and range
• Protocols (UDP, TCP, etc.)
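
The rule ordering and final catch-all rule described in this section, shown as an added example that is not part of the Siemens manual or the controller's software: a Python sketch that evaluates an ordered filter and flags a catch-all that is missing or placed ahead of other rules. It assumes first-match evaluation and models only destination address, port range and protocol (not the In/Out direction); all names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    dest: str = "0.0.0.0/0"        # destination address or subnet
    ports: tuple = (0, 65535)      # inclusive destination port range
    proto: str = "any"             # "tcp", "udp", ... or "any"

    def is_catch_all(self):
        return (self.dest, self.ports, self.proto) == ("0.0.0.0/0", (0, 65535), "any")

    def matches(self, dst_ip, dst_port, proto):
        return (ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest)
                and self.ports[0] <= dst_port <= self.ports[1]
                and self.proto in ("any", proto))

def evaluate(rules, dst_ip, dst_port, proto):
    """Return (index, action) of the first matching rule (assumed first-match semantics)."""
    for i, rule in enumerate(rules):
        if rule.matches(dst_ip, dst_port, proto):
            return i, rule.action
    raise ValueError("no rule matched: filter lacks a final catch-all rule")

def lint(rules):
    """Report the ordering problems this section warns about."""
    problems = []
    if not rules or not rules[-1].is_catch_all():
        problems.append("final rule is not a catch-all")
    for i, rule in enumerate(rules[:-1]):
        if rule.is_catch_all():
            problems.append(f"rule {i} is a catch-all; rules {i + 1}..{len(rules) - 1} never take effect")
            break
    return problems

# Constructed non-authenticated filter: reach the captive portal and DNS, deny the rest.
NON_AUTH = [
    Rule("allow", "10.0.0.1/32", (443, 443), "tcp"),   # hypothetical portal address
    Rule("allow", "10.0.0.53/32", (53, 53), "udp"),    # hypothetical DNS server
    Rule("deny"),                                      # final rule: deny all
]
# Same rules with the catch-all misplaced first: both allow rules are shadowed.
MISORDERED = [NON_AUTH[2], NON_AUTH[0], NON_AUTH[1]]

if __name__ == "__main__":
    print(evaluate(NON_AUTH, "10.0.0.1", 443, "tcp"), lint(NON_AUTH))
    print(evaluate(MISORDERED, "10.0.0.1", 443, "tcp"), lint(MISORDERED))
```
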
HiPath Wireless Controller, Access Points and Convergence Software V4.0, C10/C100/C1000 User Guide
A31003-W1040-U101-1-7619, July 2006 DRAFT
