Remote Networking

MVP
Posts: 952
Registered: ‎04-13-2009

Bridge mode SSID on RAP issue

Hi All,

We have a customer who is having an issue with a bridge mode SSID on a RAP. Any wireless clients connected to the bridged SSID can communicate with the wired clients on the remote network; however, the wired clients cannot communicate with the wireless ones.

The test machines that I'm using have the Windows firewall turned off and there are no other firewalls on the PCs.

When I run Wireshark on the wireless client I can't see any traffic originating from the wired clients, only replies to requests sent from the wireless client.

I have identified that the AP is not allowing this traffic by attempting to ping wireless clients from the customer's router and this fails.

It looks to me like there's an ACL in place that's doing user any filtering rather than any any and just allowing all traffic.

I've been speaking to Aruba tech support but things are moving slowly so thought I'd post here to share the issue I'm seeing.

Hardware involved:
650 Controller
AP93
Zyxel router

Note: The controller is running version 6.0.0.1 (I've modified the logon rule to allow FTP access so their RAPs could upgrade their code.)

The image below shows their basic network setup.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP
Posts: 952
Registered: ‎04-13-2009

Re: Bridge mode SSID on RAP issue

Never mind, I found the answer in this thread:

http://airheads.arubanetworks.com/vBulletin/showthread.php?t=3091

cjoseph said:
You need to modify the Session ACL parameter in the AP system profile to allow whatever you want to do to the clients. Access points have a firewall policy that only allows certain incoming traffic to bridged users, so you have to modify it. To modify what traffic is allowed, go to Configuration > Security > Access Control > Policies tab. Edit the ap-uplink-acl parameter to allow port 3389 traffic (terminal services).

By default, it only allows DHCP responses, ICMP and Bonjour traffic.


Obviously just modify the ap-uplink-acl to allow whatever traffic you do not wish to be blocked.
Cheers
James

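The ap-uplink-acl change described above, as an added example that is not part of the original posts. It assumes the standard ArubaOS session ACL rule form (source, destination, service, action); the subnet 192.0.2.0/24 is a constructed placeholder for the remote wired LAN. The two stanzas are alternatives, and the scoped one limits inbound RDP to the wired subnet instead of any host on the AP uplink.

```text
! Alternative 1 (broad): any host reachable via the AP uplink may open
! TCP 3389 to bridged wireless clients.
ip access-list session ap-uplink-acl
  any any tcp 3389 permit
!
! Alternative 2 (scoped): only the remote wired LAN may open TCP 3389
! to bridged wireless clients. 192.0.2.0/24 is a placeholder subnet.
ip access-list session ap-uplink-acl
  network 192.0.2.0 255.255.255.0 any tcp 3389 permit
!
! Confirm the resulting rule order and contents.
show ip access-list ap-uplink-acl
```

Because the same ACL is referenced by the AP system profile, a rule added here applies to every AP using that profile, so keeping the source as narrow as the use case allows limits what the uplink side can reach on bridged clients.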