Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003098-01


use [aaa-policy <AAA-POLICY-NAME>|association-acl-policy <ASSOCIATION-POLICY-NAME>|
     captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|
     wlan-qos-policy <WLAN-QoS-POLICY-NAME>]

use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>

use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

Usage Guidelines:

IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs as firewalls to filter or mark
packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports.
An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of
conditions (rules) and the action taken in case of a match. The action can be permit, deny, or mark.
Therefore, when a packet matches an ACE’s conditions, it is either forwarded, dropped, or marked
depending on the action specified in the ACE. The order of conditions in the list is critical since
filtering is stopped after the first match.

IP ACLs contain deny and permit rules specifying source and destination IP addresses. Each rule
has a precedence order assigned. Both IP and non-IP traffic on the same layer 2 interface can be
filtered by applying both an IP ACL and a MAC ACL.

Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC
firewall rule uses source and destination MAC addresses for matching operations, where the result
is a typical allow, deny, or mark designation to WLAN packet traffic.

aaa-policy <AAA-POLICY-NAME>

Uses an existing AAA policy with a WLAN

<AAA-POLICY-NAME> – Specify the AAA policy name.

association-acl <ASSOCIATION-POLICY-NAME>

Uses an existing association ACL policy with a WLAN

<ASSOCIATION-POLICY-NAME> – Specify the association ACL policy name.

captive-portal <CAPTIVE-PORTAL-NAME>

Enables a WLAN’s captive portal authentication

<CAPTIVE-PORTAL-NAME> – Specify the captive portal name.

passpoint-policy <PASSPOINT-POLICY-NAME>

Associates a passpoint policy (Hotspot2 configuration) with this WLAN.

<PASSPOINT-POLICY-NAME> – Specify the Hotspot 2.0 policy name.

For more information on passpoint policy, see PASSPOINT POLICY.

Map a passpoint policy to a WLAN. Since the configuration gets applied to the radio by BSS, only the
Hotspot 2.0 configuration of primary WLANs on a BSSID is used. Incoming Hotspot 2.0 GAS/ANQP requests
from clients are identified by their destination MAC addresses and are handled by the passpoint policy from
the primary WLAN on that BSS.
Define one passpoint policy for every WLAN configured.

wlan-qos-policy <WLAN-QOS-POLICY-NAME>

Uses an existing WLAN QoS policy with a WLAN

<WLAN-QOS-POLICY-NAME> – Specify the WLAN QoS policy name.

ip-access-list [in|out] <IP-ACCESS-LIST-NAME>

Specifies the IP access list for incoming and outgoing packets

in – Incoming packets

out – Outgoing packets

<IP-ACCESS-LIST-NAME> – Specify the IP access list name.

mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

Specifies the MAC access list for incoming and outgoing packets.

in – Incoming packets

out – Outgoing packets

<MAC-ACCESS-LIST-NAME> – Specify the MAC access list name.
