No edit summary
(One intermediate revision by the same user not shown)
Regel 121: | Regel 121: | ||
**vlan 1336 (dhcp-server) | **vlan 1336 (dhcp-server) | ||
**vlan 1337 (dhcp-server) | **vlan 1337 (dhcp-server) | ||
== Firewall == | |||
Reject traffic from guest VLANs (villanova & HSN) to management VLAN: | |||
* Firewall/NAT -> Firewall/NAT Groups -> create "management" group, then Actions -> Config and set network "10.138.64.0/24" and save | |||
* Firewall Policies -> Add ruleset "GUEST_NET_LOCAL" : | |||
** Description "Guest to router" | |||
** Default action DROP | |||
** add rule 1 "allow DNS" action Accept protocol TCP+UDP destination port 53 | |||
** add rule 2 "allow DHCP" action Accept protocol UDP destination port 67 | |||
** go to Interfaces and add switch0.1336 direction local, and switch0.1337 direction local | |||
* Firewall Policies -> Add ruleset "GUEST_NET_IN" | |||
** Description "From villanova/HSN nets" | |||
** Default action ACCEPT | |||
** add rule 1 "drop guestnet to mgmt" action Drop protocol All protocols destination network group Management subnet | |||
** go to Interfaces and add switch0.1336 direction In, and switch0.1337 direction In | |||
Now, hosts on villanova & HSN nets can use DHCP and DNS, but nothing else on the router; also, they can't access the management subnet at all. | |||
=Aruba Accesspoints= | =Aruba Accesspoints= | ||
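Review bot: in rule 1 of GUEST_NET_IN the destination is given as network group "Management subnet", but the group created in the first bullet is named "management" (network 10.138.64.0/24); use one name in both places so the rule actually matches the group. The ruleset's default action is ACCEPT, so the only routed traffic dropped for switch0.1336 and switch0.1337 is traffic to that group: villanova and HSN can still reach each other and any other VLAN the router routes, and the closing sentence only claims isolation from the management subnet. If the guest VLANs should also be isolated from each other, add a drop rule for the other guest subnet (or switch the default to DROP with an explicit accept toward the WAN) and say so in the text.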
Regel 133: | Regel 151: | ||
*hij vindt dan automatisch zijn controller, en biedt dezelfde netwerken aan | *hij vindt dan automatisch zijn controller, en biedt dezelfde netwerken aan | ||
== Individuele settings == | ==Individuele settings== | ||
Op de controller zijn alle APs online. Maak een nieuw wired network genaamd "passthrough" met: | Op de controller zijn alle APs online. Maak een nieuw wired network genaamd "passthrough" met: | ||
* Primary usage employee | *Primary usage employee | ||
* PoE enabled | *PoE enabled | ||
* Admin status Up | *Admin status Up | ||
* Mode Access | *Mode Access | ||
* Client IP Network Assigned | *Client IP Network Assigned | ||
* Access VLAN 1336 (villanova) | *Access VLAN 1336 (villanova) | ||
* VLAN Assignment Rule "If AP-Name equals AP233 assign VLAN 1337" (AP233 is de accesspoint waar de netwerkkabel naar ons atelier doorheen lust) | *VLAN Assignment Rule "If AP-Name equals AP233 assign VLAN 1337" (AP233 is de accesspoint waar de netwerkkabel naar ons atelier doorheen lust) | ||
Stel "passthrough" in op alle wired poortjes behalve 0/0 (die blijft op default_wired_port_profile). |
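Review bot: the VLAN Assignment Rule "If AP-Name equals AP233 assign VLAN 1337" ties the atelier uplink to a single AP name; if AP233 is renamed or replaced, its wired ports silently fall back to Access VLAN 1336 (villanova) with no error, so document that dependency next to the rule. Setting "passthrough" on every wired port except 0/0 also means anything physically plugged into a spare AP port lands in the guest VLAN untagged; noting that this is intended (and that "Primary usage employee" is a deliberate choice for a profile that lands in a guest VLAN) would help the next editor. The remaining changes in this hunk ("== Individuele settings ==" to "==Individuele settings==", "* " to "*") are whitespace only.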