04-22-2015 10:10 PM - edited 07-05-2021 03:00 AM
Hi
My environment has 1 WLC 7.6 and Cisco ISE 1.3, but guests need to be isolated.
The problem now is that even when I apply ACL_INTERNET_ONLY, when I run the scanning tools they are still able to discover the network segment.
How can I prevent guests from attempting to scan my network?
04-23-2015 12:19 AM
If you can use a host discovery scanner that uses ICMP, TCP and UDP probes, I think you should check the ACL on the WLC once. I would also suggest that you do some packet captures and drill down into whether any probes are present from the guest scanner to the subnets.
04-23-2015 06:50 AM
Honestly... I'd put the ACL at L3 instead of on the WLC.
For ACL on the WLC you have to remember to put your entries in bidirectionally. Allow and disallow in both inbound and outbound directions.
HTH,
Steve
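The bidirectional-entry advice above, as an added example that is not part of the original posts: a small lint that reports which reverse-direction entries an ACL lacks. The rule model is a simplification and not WLC CLI syntax; the guest subnet 10.20.0.0/24, the rule list and the convention that "in" means traffic from the wireless client are assumptions made for the illustration.

```python
from ipaddress import ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    action: str     # "permit" or "deny"
    direction: str  # "in" = from the wireless client, "out" = toward it, "any" = both
    src: str        # source network, CIDR
    dst: str        # destination network, CIDR


def mirror(rule):
    """Entry that covers the same flow in the opposite direction."""
    flipped = {"in": "out", "out": "in"}[rule.direction]
    return Rule(rule.action, flipped, rule.dst, rule.src)


def covers(existing, wanted):
    """True if an existing entry already provides the wanted entry."""
    return (existing.action == wanted.action
            and existing.direction in (wanted.direction, "any")
            and ip_network(existing.src) == ip_network(wanted.src)
            and ip_network(existing.dst) == ip_network(wanted.dst))


def missing_mirrors(acl):
    """Return the reverse-direction entries the ACL does not contain."""
    missing = []
    for rule in acl:
        if rule.direction == "any":
            continue  # a single "any" entry, as written, applies to both directions
        wanted = mirror(rule)
        if not any(covers(r, wanted) for r in acl):
            missing.append(wanted)
    return missing


# Constructed sample ACL: guest subnet 10.20.0.0/24, private ranges denied.
GUEST = "10.20.0.0/24"
ACL = [
    Rule("deny", "in", GUEST, "10.0.0.0/8"),
    Rule("deny", "out", "10.0.0.0/8", GUEST),
    Rule("deny", "in", GUEST, "172.16.0.0/12"),   # no outbound counterpart
    Rule("permit", "in", GUEST, "0.0.0.0/0"),
    Rule("permit", "out", "0.0.0.0/0", GUEST),
]

if __name__ == "__main__":
    for r in missing_mirrors(ACL):
        print("missing:", r.action, r.direction, r.src, "->", r.dst)
```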
04-23-2015 07:45 PM
TQ, let me try denying the outbound from the private segment.
06-24-2015 01:49 AM
Hi,
Check this configuration example as well.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html