[NEBULA] How to block traffic between guest and employee SSID?

Zyxel_Dean (Zyxel Employee)
edited June 2023 in SSID

Scenario: With only NAPs deployed, how can I block traffic between the guest and employee SSIDs?

The answer is to use L2 isolation. Layer 2 isolation only allows traffic to whitelisted destination MAC addresses. If we enable L2 isolation on the guest SSID, outgoing traffic from the guest SSID to any other destination will not be able to pass through.

*Note that L2 isolation only applies to SSIDs under the same subnet. If the SSIDs are on different LAN subnets, it is up to the switch or gateway to block the traffic with ACL or firewall rules.

Configuration:
1. On the Authentication page, select the guest SSID and scroll down to the bottom to find L2 isolation.

2. Enable L2 isolation and enter the MAC address of the gateway port where the uplink is, so that clients have internet access.

*If you don't know the MAC address of the gateway port, connect to the network and run "arp -a" in CMD or a terminal to find the gateway MAC.

3. If there are other devices in the network that should be allowed to connect, simply press "Add" to create a new entry and enter the MAC of the device.
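
To support steps 2 and 3, the following added example (not part of the original post and not Zyxel code) parses "arp -a" output in both the Windows and the Linux/macOS layout, returns the gateway MAC to enter in the whitelist, and lists which neighbours a guest client would no longer reach under the whitelist rule described above. The sample outputs, the addresses and the function names are constructed for illustration, and the gateway IP is assumed to be known.

```python
import re

# Constructed "arp -a" samples (not captured from a real network).
WINDOWS_SAMPLE = """\
Interface: 192.168.1.33 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           02-aa-bb-00-00-01     dynamic
  192.168.1.20          02-aa-bb-00-00-20     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
UNIX_SAMPLE = """\
? (192.168.1.1) at 2:aa:bb:0:0:1 on en0 ifscope [ethernet]
? (192.168.1.20) at 2:aa:bb:0:0:20 on en0 ifscope [ethernet]
? (192.168.1.50) at (incomplete) on en0 ifscope [ethernet]
"""

# IP, optional ")" and "at", then a MAC with ":" or "-" separators.
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"((?:[0-9a-f]{1,2}[:-]){5}[0-9a-f]{1,2})", re.IGNORECASE)

def normalize_mac(mac):
    """Lowercase, colon-separated, zero-padded (macOS drops leading zeros)."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))

def parse_arp(text):
    """Return {ip: mac} for unicast neighbours found in 'arp -a' output."""
    neighbours = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # headers, interface lines, incomplete entries
        mac = normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast address, not a device
        neighbours[m.group(1)] = mac
    return neighbours

def isolation_report(arp_text, gateway_ip, whitelist):
    """Return (gateway MAC, IPs whose MAC is not on the whitelist)."""
    neighbours = parse_arp(arp_text)
    allowed = {normalize_mac(m) for m in whitelist}
    blocked = sorted(ip for ip, mac in neighbours.items() if mac not in allowed)
    return neighbours.get(gateway_ip), blocked

if __name__ == "__main__":
    gw_mac, blocked = isolation_report(UNIX_SAMPLE, "192.168.1.1",
                                       ["02-AA-BB-00-00-01"])
    print("Whitelist this gateway MAC:", gw_mac)
    print("Unreachable from the guest SSID:", blocked)
```

Running the same check from a guest client before and after enabling L2 isolation shows whether entries other than the whitelisted ones still resolve.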