Configuring and managing security ACLs 441
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Restricting client-to-client forwarding among
IP-only clients
You can use an ACL to restrict clients in a VLAN from communicating directly at the IP layer. Configure an
ACL that has ACEs to permit traffic to and from the default router (gateway), an ACE that denies traffic
between all other addresses within the subnets, and another ACE that allows traffic that doesn’t match the
other ACEs.
For example, to restrict client-to-client forwarding within subnet 10.10.11.0/24 in VLAN vlan-1 with default
router 10.10.11.8, perform the following steps:
1 Configure an ACE that permits all traffic from the default router IP address to any other IP
address:
WSS# set security acl ip c2c permit 10.10.11.8 0.0.0.0
2 Configure an ACE that permits traffic from any IP address to the default router IP address:
WSS# set security acl ip c2c permit ip 0.0.0.0
255.255.255.255 10.10.11.8 0.0.0.0
3 Configure an ACE that denies all IP traffic from any IP address in the 10.10.11.0/24 subnet to
any address in the same subnet.
WSS# set security acl ip c2c deny ip 10.10.11.0 0.0.0.255
10.10.11.0 0.0.0.255
4 Configure an ACE that permits all traffic that does not match the ACEs configured above:
WSS# set security acl ip c2c permit 0.0.0.0
255.255.255.255
5 Commit the ACL to the configuration:
WSS# commit security acl c2c
6 Map the ACL to the outbound and inbound traffic directions of VLAN vlan-1:
WSS# set security acl map c2c vlan vlan-1 out
WSS# set security acl map c2c vlan vlan-1 in
Note. AN ACL can restrict IP forwarding but not Layer 2 forwarding. To restrict Layer 2
forwarding, see “Restricting layer 2 forwarding among clients” (page 108).
Note. The commands in steps 1 and 2 permit traffic to and from the default router
(gateway). If the subnet has more than one default router, add a similar pair of ACEs for
each default router. Add the default router ACEs before the ACEs that block all traffic to and
from addresses within the subnet.