From User guide page 5-8 (requires extranet log in)
You can also apply policy rules on the IdentiFi Wireless AP. Applying policy rules at the AP helps restrict unwanted traffic at the edge of your network. Different AP models support different numbers of policy rules per role. Most AP2600 models accept a maximum of 32 rules per role. The 3600 and 3700 series APs accept a maximum of 64 rules per role. Filtering at the AP can be configured with the following Topology types:
To Enable:1.Select VNS menu
2.Select Roles menu
3.Select Policy Rules Tab
4.Check AP Filtering when bridged at the AP
5.Un-check AP Filtering when bridged at the controller
- Bridge Traffic Locally at the AP - If filtering at the AP is enabled on a Bridge Traffic Locally at the AP topology, the filtering is applied to traffic in both the inbound and outbound direction the inbound direction is from the wireless device to the network, and the outbound direction is from the network to the wireless device.
- Routed and Bridge Traffic Locally at the EWC - If filtering at the AP is enabled on a Routed or Bridge Traffic Locally at the EWC topology, the filtering is applied only to traffic in the inbound direction. The filters applied in the outbound direction at the AP can be the same as or different from filters applied at the controller. A role can use more than one topology and can use more than one type of topology. If a role uses at least one Bridged at AP topology the AP will filter all inbound traffic assigned to the rule. The controller will perform all outbound filtering.
- IdentiFi Wireless AP Filtering - When filtering at the IdentiFi Wireless AP is enabled, APs obtain client filter information from the controller. In addition, direct inter‐AP communication allows APs to exchange client filter information as clients roam from one AP to another. This allows the system to achieve a very fast roaming time. To take advantage of inter‐AP communication, you should configure the network such that APs in the mobility domain can communicate with each other through the APʹs Ethernet interface. Also, multicast traffic with an IP address of 220.127.116.11 should be allowed between APs.