User's Manual
Virtual Network Services
Filtering for a VNS
A31003-W1050-U100-2-7619, March 2008
HiPath Wireless Controller, Access Points and Convergence Software V5 R1 , C20/C2400 User Guide 155
5.6.1 Final filter rule
The final rule in any filter acts as a catch-all for traffic that matched none of the
preceding rules. This final rule should either allow all or deny all traffic, depending on the
requirements for network access. For example, the final rule in a non-authenticated filter
for Captive Portal is typically deny all, so that an unauthenticated client can reach nothing
beyond what the explicit rules permit. A final allow all rule in a default filter ensures that
a packet is not dropped entirely if no other match can be found.
A default rule of deny all is automatically created by the system for each initial filter
definition. The administrator can change its action to allow all, but the default rule itself
cannot be removed. Because the default rule provides the catch-all behavior for packet
handling, all applicable user-defined rules must be placed before it: a rule defined after the
catch-all can never be reached.
Each rule can be based on any one of the following:
• Destination IP address, either a single host or a subnet; a subnet acts as a wildcard
that matches any address within it
• Destination ports, by number or range
• Protocols (UDP, TCP, etc.)
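The following is an added example, not code from the user guide or from the HiPath product, that models the rule semantics above and the filter selection sequence described in section 5.6.2: an ordered list of user-defined rules is evaluated first-match-wins, the system-created catch-all default is stored separately so that no user rule can ever sit behind it, and the default can be flipped to allow all but not deleted. The two sample filters (a non-authenticated Captive Portal filter with a deny-all default, and a default filter with an allow-all default), the portal and DNS addresses, and the "guest" filter ID group are constructed for illustration and are not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    """One user-defined filter rule; rules are evaluated in order, first match wins."""
    action: str                        # ALLOW or DENY
    dst: str = "0.0.0.0/0"             # destination host (/32) or subnet used as a wildcard
    ports: Optional[tuple] = None      # inclusive (low, high) destination port range, None = any
    proto: Optional[str] = None        # "tcp", "udp", ... or None for any protocol

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.ports is not None:
            low, high = self.ports
            if not low <= pkt.get("dport", -1) <= high:
                return False
        return True


@dataclass
class Filter:
    """Ordered user rules plus the mandatory catch-all default rule."""
    name: str
    rules: list
    default: str = DENY   # system-created deny all; may be changed to ALLOW but never removed

    def evaluate(self, pkt: dict):
        """Return (action, index of the matching rule), or (default, None) if nothing matched."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, idx
        return self.default, None


# ---- Constructed sample policy; all addresses are hypothetical ----
PORTAL_IP = "10.0.0.5"    # assumed address of the Captive Portal web page
DNS_IP = "10.0.0.53"      # assumed DNS server the client needs before login

NON_AUTH_FILTER = Filter("captive-portal-non-authenticated", [
    Rule(ALLOW, f"{PORTAL_IP}/32", (443, 443), "tcp"),   # let the client reach the login page
    Rule(ALLOW, f"{DNS_IP}/32", (53, 53), "udp"),        # let it resolve the portal name
], default=DENY)                                         # everything else is denied before login

DEFAULT_FILTER = Filter("default", [
    Rule(DENY, "10.0.0.0/8", (22, 22), "tcp"),           # no SSH into the infrastructure range
], default=ALLOW)                                        # allow all so unmatched traffic is not dropped

FILTER_ID_GROUPS = {
    "guest": Filter("guest", [Rule(DENY, "10.0.0.0/8")], default=ALLOW),
}


def select_filter(mode: str, authenticated: bool, filter_id: Optional[str]) -> Optional[Filter]:
    """Pick the filter governing a session, following the sequence in section 5.6.2."""
    if mode == "ssid":                    # no authentication: only the default filter applies
        return DEFAULT_FILTER
    if not authenticated:
        if mode == "captive_portal":      # pre-login traffic is governed by the non-authenticated filter
            return NON_AUTH_FILTER
        if mode == "aaa":                 # 802.1x/EAP must complete first; no traffic rules apply yet
            return None
        raise ValueError(f"unknown mode {mode!r}")
    # Authenticated: use the filter ID group if a valid one was returned, else the default filter
    return FILTER_ID_GROUPS.get(filter_id, DEFAULT_FILTER)
```

Keeping the catch-all out of the ordered list enforces the ordering requirement by construction: there is no position after the default rule in which a user rule could be placed and silently ignored. Note also that an unauthenticated client under the sample non-authenticated filter can reach the portal only on TCP 443; plain HTTP to the same host falls through to the deny-all default, which is the behaviour to verify when a captive portal login page fails to load.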
5.6.2 Filtering sequence
The filtering sequence depends on the type of authentication used:
• No authentication (network assignment by SSID)
Only the default filter applies. Specific network access can be defined in it.
• Authentication by captive portal (network assignment by SSID)
The non-authenticated filter applies before authentication. Specific network access
can be defined, and the filter must include a rule that allows every user to reach the
Captive Portal web page, where the user enters login credentials for authentication.
When the authentication result is returned, the filters of the returned filter ID group
are applied. The filter ID group is optional: if no filter ID is returned, or the returned
filter ID does not match any configured group, the default filter is applied.
• Authentication by AAA (802.1x)
AAA assignment requires that user authentication is completed using the
802.1x/EAP protocol before a user is granted access to any network resource.
Therefore, enforcement of non-authenticated traffic rules is not applicable.
When the authentication result is returned, the filters of the returned filter ID group
are applied. A VNS can have a subgroup with a Login-LAT-Group ID that has its own
filtering rules. The Login-LAT-Group indicates that a user session should be
associated with a more specific VNS (a child VNS). The sub-VNS provides a