Network Management


Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

  • 1.  Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    Posted Apr 30, 2014 05:24 AM

    Just wondering if anybody has seen this, or can explain it?

     

    I've attached a couple of screenshots (airwave), and note the data looks similar (recent obviously) on the controller (data centre one).

     

    Background

    The customer I'm working on right now has 2 x 7200 and Airwave (new deployment). One of the 7200s and Airwave are in a data centre. The 7200 in the other site appears normal in terms of firewall dash data. The controller in the data centre (and Airwave) is showing me firewall data regarding what looks like server-server comms in that data centre. This is strange, as that server traffic cannot be traversing the controller. The controller is attached to a core Cisco in that DC (to which these servers also attach, same VLAN/subnet), but the controller isn't the router. It's simply attached L2 on a port channel, with an IP address in that VLAN.

     

    Thoughts?

    amppic1.jpg

    amppic2.jpg

     

     



  • 2.  RE: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    EMPLOYEE
    Posted Apr 30, 2014 07:37 AM
    Is the management IP space of the controller used for anything else in the
    datacenter? We see this on our controllers because our mgmt IP space is
    used for other network gear and services.


  • 3.  RE: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    Posted Apr 30, 2014 07:44 AM

    It is yes.

     

    The customer's datacentre in terms of the VLAN/subnet where this controller "lives" is shared on a /16 with lots of servers. Whilst this clearly sucks, it's outside the scope of my works for the moment.

     

    Interesting that you're seeing the same. Doesn't it strike you as a bit odd? i.e.

     

    In our scenario, the controller is attached L2 style to a Cisco core, to which all the other DC servers attach. As a result, server-server unicast traffic should never be seen by the controller at all. Yet, the firewall data suggests otherwise. I appear to be seeing evidence of application flows host-to-host.

     

    The only reason I could see this happening is if the servers' traffic flow was flooded by the switches, which of course it might be if the servers are using broadcast MACs or some sort of multicast which hasn't been snooped? That's probably it, now I think of it.

     

    I'm almost inclined to go to the DC and sniff things.



  • 4.  RE: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    Posted Apr 30, 2014 07:46 AM

    Now I think more about it, doesn't Microsoft NFT generate traffic like this in certain conditions? I'll go look...

     



  • 5.  RE: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    EMPLOYEE
    Posted Apr 30, 2014 09:01 AM

    The racking.monkey, are any of the VLANs on the port channel untrusted?

     



  • 6.  RE: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    Posted Apr 30, 2014 09:55 AM

    Hi CJ,

     

    No, they're all trusted. I checked.

     

    Interestingly, you do see the sessions represented in the firewall data, ALSO in a "show datapath session table", suggesting they look like flooded unicasts. Just doing a packet capture now...

     



  • 7.  RE: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

    Posted Apr 30, 2014 10:08 AM

    The controller-based packet-capture features don't appear to have options for directly capturing all packets received on the wired ports. Am I wrong?
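
One way to test the flooded-unicast theory raised in posts 3 and 6, as an added example that is not part of any post in this thread: classify frames captured on the controller's wired port by destination MAC. The MAC addresses and sample frames are constructed, and `classify`, `summarize` and `make_frame` are hypothetical helper names.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def to_text(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def classify(frame: bytes, own_mac: bytes) -> str:
    """Classify a received Ethernet frame by destination MAC, from the receiver's view."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        return "multicast"
    if dst == own_mac:
        return "to-self"
    return "flooded-unicast"  # unicast for another host, yet delivered to this port

def summarize(frames, own_mac: bytes):
    """Count frames per class and list (src, dst) pairs of flooded unicasts."""
    kinds, pairs = Counter(), Counter()
    for f in frames:
        kind = classify(f, own_mac)
        kinds[kind] += 1
        if kind == "flooded-unicast":
            pairs[(to_text(f[6:12]), to_text(f[:6]))] += 1
    return kinds, pairs

def make_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    return to_bytes(dst) + to_bytes(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample data (locally administered MACs, not from the thread).
CONTROLLER = to_bytes("02:00:00:00:00:01")
SRV_A, SRV_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = (
    [make_frame(SRV_B, SRV_A)] * 3                      # server-to-server unicast
    + [make_frame("ff:ff:ff:ff:ff:ff", SRV_A, 0x0806)]  # ARP broadcast
    + [make_frame("01:00:5e:00:00:fb", SRV_B)]          # IPv4 multicast
    + [make_frame("02:00:00:00:00:01", SRV_A)]          # addressed to the controller
)

if __name__ == "__main__":
    kinds, pairs = summarize(SAMPLE, CONTROLLER)
    print(dict(kinds))
    for (src, dst), n in pairs.most_common():
        print(f"{src} -> {dst}: {n} flooded frame(s)")
```

Occasional flooded unicasts are normal when a switch's MAC table entry has aged out; a sustained stream between the same pair of hosts points to the switch never learning the destination MAC.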