
Configuring Roles and Policies on Instant APs for User Access Control

Instant APs support identity-based access control to enforce application-layer security, prioritization, traffic forwarding, and network performance policies for wired and wireless networks. Using the Instant AP firewall policies, you can enforce network access policies that define access to the network, the areas of the network that the user may access, and the performance thresholds of various applications.

Instant APs support a role-based stateful firewall. In other words, the Instant firewall can recognize flows in a network and keep track of the state of sessions. The firewall logs on the Instant APs are generated as syslog messages. The firewall feature also supports ALG (Application Layer Gateway) functions for application-layer protocols such as SIP (Session Initiation Protocol), Vocera, Alcatel NOE (New Office Environment, a proprietary VoIP protocol of Alcatel-Lucent Enterprise), and Cisco Skinny.

ACL Rules

You can use ACL (Access Control List) rules to either permit or deny data packets passing through the Instant AP. You can also limit the packets or bandwidth available to a set of user roles by defining access rules. By adding custom rules, you can block or allow access based on the service or application, or on the source or destination IP address.

You can create access rules to allow or block data packets that match the criteria defined in the rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule, and outbound rules explicitly allow or block the outbound network traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a specific IP address through the firewall.

Instant AP clients are associated with user roles, which determine the client's network privileges and the frequency at which the client re-authenticates. Instant APs support the following types of ACLs:

ACLs that permit or deny traffic based on the source IP address of the packet.

ACLs that permit or deny traffic based on source or destination IP address, or source or destination port number.

You can configure up to 64 access control rules for a firewall policy.
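As an added illustration (not Aruba's code or CLI), the following Python models how a role-based stateful policy of the kind described above evaluates traffic: rules are checked first-match in the packet's direction, a policy is capped at 64 rules, and return traffic of a permitted flow passes without a separate inbound rule. The implicit deny when no rule matches, the packet fields and all class names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RULES = 64  # per-policy rule limit stated on the page

def packet(direction, src, sport, dst, dport, proto="tcp"):
    """Constructed packet summary; direction is 'inbound' or 'outbound'."""
    return dict(direction=direction, src=src, sport=sport, dst=dst, dport=dport, proto=proto)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    direction: str = "outbound"  # traffic direction the rule applies to
    src: str = "0.0.0.0/0"       # a source-only rule leaves dst/proto/dport open
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    def matches(self, pkt) -> bool:
        return (self.direction == pkt["direction"]
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

@dataclass
class RolePolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)
    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES:  # reject the 65th rule
            raise ValueError(f"policy {self.name}: limit of {MAX_RULES} rules reached")
        self.rules.append(rule)

class StatefulFirewall:
    """First-match rule evaluation; permitted flows are remembered so replies pass."""
    def __init__(self):
        self.sessions = set()  # 5-tuples of permitted flows
    def check(self, policy: RolePolicy, pkt) -> str:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if (key[2], key[3], key[0], key[1], key[4]) in self.sessions:
            return "permit"  # reply to an established session
        for rule in policy.rules:
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions.add(key)
                return rule.action
        return "deny"  # assumption: implicit deny when no rule matches
```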

Configuring Network Address Translation Rules

NAT (Network Address Translation) is the process of modifying network address information in IP packet headers while packets pass through a routing device. The routing device acts as an agent between the public network (the Internet) and the private local network, which allows translation of private network IP addresses to a public address space.

Instant APs support NAT: the routing device uses its translation tables to map private addresses to a single IP address, and packets are sent from that address so that they appear to originate from the routing device. Similarly, when packets are sent to a private IP address, the destination address is translated according to the information stored in the routing device's translation tables.

See Also:

Configuring Network Service ACLs

Configuring ACLs for Deep Packet Inspection

Creating a User Role

Creating a Role Derivation Rule

Configuring Restricted Access to Corporate Network
