Network Management

MVP
Posts: 562
Registered: 11-28-2011

Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

Just wondering if anybody has seen this, or can explain it?

I've attached a couple of screenshots (airwave), and note the data looks similar (recent obviously) on the controller (data centre one).

Background

The customer I'm working on right now has 2 x 7200 and airwave (new deployment). One of the 7200s and airwave is in a data centre. The 7200 in the other site appears normal in terms of firewall dash data. The controller in the data centre (and airwave) is showing me firewall data regarding what looks like server-server comms in that data centre. This is strange, as that server traffic cannot be traversing the controller. The controller is attached to a core Cisco in that DC (to which these servers also attach, same vlan/subnet), but the controller isn't the router. It's simply attached L2 on a port channel, with an IP address in that VLAN.

Thoughts?

Attachments: amppic1.jpg, amppic2.jpg

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 8,458
Registered: 09-08-2010

Re: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

Is the management IP space of the controller used for anything else in the
datacenter? We see this on our controllers because our mgmt IP space is
used for other network gear and services.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 562
Registered: 11-28-2011

Re: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

[ Edited ]

It is yes.

The customer's datacentre, in terms of the vlan/subnet where this controller "lives", is shared on a /16 with lots of servers. Whilst this clearly sucks, it's outside the scope of my work for the moment.

Interesting that you're seeing the same. Doesn't it strike you as a bit odd? i.e.

In our scenario, the controller is attached L2 style to a Cisco core, to which all the other DC servers attach. As a result, server-server unicast traffic should never be seen by the controller at all. Yet, the firewall data suggests otherwise. I appear to be seeing evidence of application flows host-to-host.

The only reason I could see this happening is if the servers' traffic flow was flooded by the switches, which of course it might be if the servers are using broadcast MACs or some sort of multicast which hasn't been snooped? That's probably it, now I think of it.

I'm almost inclined to go to the DC and sniff things.

Kudos appreciated, but I'm not hunting! (ACMX 104)
MVP
Posts: 562
Registered: 11-28-2011

Re: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

Now I think more about it, doesn't Microsoft NFT generate traffic like this in certain conditions? I'll go look...

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 21,026
Registered: 03-29-2007

Re: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

The racking.monkey. Are any of the VLANs on the port channel untrusted?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 562
Registered: 11-28-2011

Re: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

Hi CJ,

No, they're all trusted. I checked.

Interestingly, you do see the sessions represented in the firewall data, ALSO in a "show datapath session table", suggesting they look like flooded unicasts. Just doing a packet capture now...

Kudos appreciated, but I'm not hunting! (ACMX 104)
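An added example, not from the thread or from Aruba: the check a packet capture on the controller's wired port would be used for. The script below classifies each Ethernet frame by destination MAC; a unicast frame addressed to some other host should never arrive on the controller's port, so any such frame is evidence that the upstream switch flooded it. The controller MAC, server MACs and IP addresses are constructed placeholders.

```python
import struct
from collections import Counter
# Assumed MAC of the controller's port-channel interface (placeholder, not from the thread).
CONTROLLER_MAC = "00:0b:86:00:00:01"

def _mac(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6):
    """Constructed Ethernet II frame with a minimal IPv4 header (no payload, checksum zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, proto, 0,
                         _ip(src_ip), _ip(dst_ip))
    return struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), 0x0800) + ip_hdr

def classify_frame(frame, our_mac):
    """Classify by destination MAC. A unicast frame addressed to some other host should
    never arrive on our port; if it does, the upstream switch flooded it to us."""
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 1:                      # group bit set: multicast MAC
        kind = "multicast"
    elif dst == _mac(our_mac):
        kind = "unicast-to-us"
    else:
        kind = "flooded-unicast"
    src_ip = dst_ip = None
    if ethertype == 0x0800 and len(frame) >= 34:   # IPv4: addresses at fixed offsets
        src_ip = ".".join(map(str, frame[26:30]))
        dst_ip = ".".join(map(str, frame[30:34]))
    return {"kind": kind, "src_ip": src_ip, "dst_ip": dst_ip}

def flooded_flows(frames, our_mac=CONTROLLER_MAC):
    """Return (count per kind, sorted flooded-unicast IP pairs) for a list of frames."""
    counts, flows = Counter(), set()
    for f in frames:
        info = classify_frame(f, our_mac)
        counts[info["kind"]] += 1
        if info["kind"] == "flooded-unicast" and info["src_ip"]:
            flows.add((info["src_ip"], info["dst_ip"]))
    return counts, sorted(flows)

# Constructed sample capture: a server-to-server flow, broadcast, multicast, and one frame to us.
SAMPLE_CAPTURE = [
    build_ipv4_frame("00:50:56:00:00:02", "00:50:56:00:00:01", "10.1.2.10", "10.1.2.20"),
    build_ipv4_frame("00:50:56:00:00:01", "00:50:56:00:00:02", "10.1.2.20", "10.1.2.10"),
    build_ipv4_frame("ff:ff:ff:ff:ff:ff", "00:50:56:00:00:01", "10.1.2.10", "10.1.255.255", 17),
    build_ipv4_frame("01:00:5e:00:00:fb", "00:50:56:00:00:03", "10.1.2.30", "224.0.0.251", 17),
    build_ipv4_frame(CONTROLLER_MAC, "00:50:56:00:00:03", "10.1.2.30", "10.1.0.5"),
]
```

On a real capture, feed the raw frames from a pcap reader into `flooded_flows` in place of `SAMPLE_CAPTURE`; the flooded pairs it returns are the host-to-host flows that the firewall dashboard and `show datapath session table` are picking up.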
MVP
Posts: 562
Registered: 11-28-2011

Re: Airwave (7.7.10) and controllers (6.3.1.5) showing more firewall data than expected

The controller based packet-capture features don't appear to have options for directly capturing all packets received on the wired ports. Am I wrong?

Kudos appreciated, but I'm not hunting! (ACMX 104)