1. How can I prevent the users from using my controller's vlan IP address as the default gateway to forward the traffic?
2. Why are the users unable to access the internet when the default gateway is the controller?
3. Users are not getting natted when "IP nat inside" command is enabled on the user vlan.
Environment: This article applies to all Aruba controller and code versions.
Aruba controllers support L2 and L3 VLANs.
L2 VLAN:
1. No IP address is assigned to the controller VLAN interface.
2. Routing for user traffic is not done on the controller. The users' default gateway is usually an uplink device.
L3 VLAN:
1. The VLAN interface on the controller has an IP address assigned to it.
2. The default gateway can be the VLAN interface on the controller. User traffic is routed according to the controller's routing table.
Sometimes we do not want the controller to be the default gateway for the users. For example, we may want user traffic to be forwarded by the firewall rather than by the controller, which may otherwise forward it to the corporate router that is the controller's own default gateway.
If we do not want an end user to change their default gateway from the firewall to the controller, we can disable IP routing on the VLAN.
# config t
# interface vlan 1
# no ip routing
# show datapath vlan table
Datapath VLAN Table Entries
Flags: N - Nat Inside, M - Route Multicast, R - Routing
S - Snoop MLD, G - Snoop IGMP, P - Proxy IGMP
B - BCMC Optimization, A - Proxy ARP, U - Suppress ARP
1(cert-id) - 8021X Term-PEAP, 2(cert-id) - 8021X Term-TLS
VLAN Flags Ports
---- ------------ -----
1 U 1/3
2 RU 1/0, 1/2
We see above that VLAN 1 no longer has the R flag, because routing has been disabled on that VLAN.
After this configuration, any traffic arriving on VLAN 1 of the controller that needs to be routed to a different VLAN is dropped. The VLAN interface still answers pings, but it no longer forwards packets.
Note: NAT can be enabled on the controller if the users' default gateway is the controller VLAN. However, NAT will not work, and the user traffic will be dropped, if routing is disabled on that interface.
It is recommended to configure "no ip routing" on the captive portal / guest SSID VLANs when we want to prevent users from routing their traffic through the controller.
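To check this guidance across many controllers, the flags column of "show datapath vlan table" can be parsed offline. The following is an added example, not part of the original article or any Aruba tool; it assumes the table layout shown above, with the sample output constructed here (VLAN 30 is made up to show the NAT-without-routing case).

```python
import re

# Constructed sample of "show datapath vlan table" output, modelled on the
# excerpt in this article. VLAN 30 is invented: NAT inside (N) but no routing (R).
SAMPLE_OUTPUT = """\
Datapath VLAN Table Entries
Flags: N - Nat Inside, M - Route Multicast, R - Routing
S - Snoop MLD, G - Snoop IGMP, P - Proxy IGMP
B - BCMC Optimization, A - Proxy ARP, U - Suppress ARP
1(cert-id) - 8021X Term-PEAP, 2(cert-id) - 8021X Term-TLS
VLAN Flags Ports
---- ------------ -----
1 U 1/3
2 RU 1/0, 1/2
30 NU 1/1
"""

# One table row: VLAN id, flags token, then the port list.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")


def parse_vlan_table(output):
    """Return {vlan_id: set of flag letters} from the datapath VLAN table."""
    rows, in_rows = {}, False
    for line in output.splitlines():
        if line.startswith("----"):      # rows start after the separator line
            in_rows = True
            continue
        m = ROW_RE.match(line.strip()) if in_rows else None
        if not m:
            continue
        vlan, flags = int(m.group(1)), m.group(2)
        # Assumption: a row with no flags would shift a port (containing '/')
        # into the flags column; flag letters never contain '/'.
        if "/" in flags:
            flags = ""
        # Drop the "1(cert-id)" / "2(cert-id)" 802.1X markers, keep the letters.
        rows[vlan] = set(re.sub(r"[12]\([^)]*\)", "", flags))
    return rows


def audit_routing(output, no_route_vlans):
    """Report VLANs that violate the article's guidance.

    'routing_enabled': VLANs expected to have "no ip routing" but still flagged R.
    'nat_without_routing': VLANs flagged N (NAT inside) but not R; per the note
    above, user traffic on these is dropped rather than NATed.
    """
    table = parse_vlan_table(output)
    return {
        "routing_enabled": sorted(v for v in no_route_vlans if "R" in table.get(v, set())),
        "nat_without_routing": sorted(v for v, f in table.items() if "N" in f and "R" not in f),
    }
```

Feed it the captured output of the command and the set of guest/captive-portal VLAN ids; an empty "routing_enabled" list means those VLANs match the recommendation.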