Classifying Traffic as Trusted or Untrusted
You can classify wired traffic based not only on the incoming physical port and channel configuration, but also
on the VLAN associated with the port and channel.
About Trusted and Untrusted Physical Ports
Physical ports on the switch are trusted and usually connected to internal networks by default, while untrusted
ports connect to third-party APs, public areas, or other networks to which you can apply access controls. When
you define a physical port as untrusted, traffic passing through that port needs to go through a predefined
access control list policy.
About Trusted and Untrusted VLANs
You can also classify traffic as trusted or untrusted based on the VLAN interface and port or channel. This
means that wired traffic on the incoming port is trusted only when the port’s associated VLAN is also trusted;
otherwise the traffic is untrusted. When a port and its associated VLANs are untrusted, any incoming and
outgoing traffic must pass through a predefined ACL. For example, this setup is useful if your company
provides wired user guest access, and you want guest user traffic to pass through an ACL to connect to a
captive portal.
You can set a range of VLANs as trusted or untrusted in trunk mode. The following table lists the port, VLAN
and the trust/untrusted combination to determine if traffic is trusted or untrusted. Both the port and the
VLAN have to be configured as trusted for traffic to be considered as trusted. If the traffic is classified as
untrusted, then traffic must pass through the selected session access control list and firewall policies.
Port VLAN Traffic Status
Trusted Trusted Trusted
Untrusted Untrusted Untrusted
Untrusted Trusted Untrusted
Trusted Untrusted Untrusted
Table 34: Classifying Trusted and Untrusted Traffic
Configuring Trusted/Untrusted Ports and VLANs
You can configure an Ethernet port as an untrusted access port, assign VLANs and classify them as untrusted,
and designate a policy through which VLAN traffic on this port must pass.
In the WebUI
1. Navigate to the Configuration > Network > Ports window.
2. In the Port Selection section, click the port you want to configure.
3. In the Make Port Trusted section, clear the Trusted check box to make the port untrusted. The default is
trusted (checked).
4. In the Port Mode section, select Access.
5. From the VLAN ID drop-down list, select the VLAN ID whose traffic will be carried by this port.
6. In the Enter VLAN(s) section, clear the Trusted check box to make the VLAN untrusted. The default is
trusted (checked).
7. In the VLAN Firewall Policy drop-down list, select the policy through which VLAN traffic must pass. You
can select a policy for both trusted and untrusted VLANs.
AOS-W 6.5.3.x | User Guide Network Configuration Parameters | 111
To Next Page
Loading...