Occasional Contributor I

Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

I want to designate Ethernet port 4 as a printer port on all our RAP5s. The printers will be statically assigned an IP address in VLAN 48, which is only mapped to port 4. I do not want to have these authenticate, but I want to build a firewall rule allowing traffic from this port/VLAN to only go to specific places, like the AD server and print server. What would be the best way to do this?

 

Thanks,

Michael

Aruba Employee

Re: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

Configure the enet port of the RAP5 where the printer is connecting as untrusted. The printer will then fall into the initial role of the aaa profile configured there. In the initial role, put the required ACL to allow/block traffic. (No need to configure any type of authentication.)

 

-Alap
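
A sketch of the setup this reply describes, added here as an example and not taken from the thread or from the poster's controller: ArubaOS 6.x controller CLI with an untrusted wired port on enet4, an AAA profile whose initial role carries the restricting ACL, and no authentication configured. All profile, role and ap-group names and the 192.0.2.x server addresses are constructed placeholders.

```text
! Constructed example. Names and addresses are placeholders, not from the thread.
! Destinations the printers are allowed to reach.
netdestination printer-allowed-servers
  host 192.0.2.10
  host 192.0.2.20
!
! Session ACL: printers may talk only to the listed servers.
ip access-list session printer-acl
  user alias printer-allowed-servers any permit
  any any any deny
!
! Role that carries the ACL.
user-role printer-role
  access-list session printer-acl
!
! No authentication is configured; devices stay in the initial role.
aaa profile printer-aaa
  initial-role printer-role
!
! Wired port settings: untrusted, access VLAN 48.
ap wired-ap-profile printer-wired-ap
  wired-ap-enable
  no trusted
  forward-mode tunnel
  switchport mode access
  switchport access vlan 48
!
! Bind the wired settings and the AAA profile together.
ap wired-port-profile printer-port
  wired-ap-profile printer-wired-ap
  aaa-profile printer-aaa
!
! Apply to Ethernet port 4 of the RAPs in this group.
ap-group rap5-group
  enet4-port-profile printer-port
```

Because the port is untrusted, the ACL only applies while the printer has an entry in the user table; `show user-table` on the controller shows whether the printer is present and which role it holds.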

Occasional Contributor I

Re: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

Alap,

This is exactly what I had done to begin with but we occasionally lost connectivity to the printers.

So now I'm thinking I might have my firewall rules wrong. I've loosened my rules and I'll reapply this and see if that solves the issues.

 

Thanks for the reply.

 

Michael

Aruba Employee

Re: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

If it was a firewall rule I wouldn't expect the problem to happen occasionally, but you never know. On the controller, from the CLI,

 

show datapath session table

 

is a good command to see the traffic flow from your printer. You can pipe it to include the IP address of your printer:

 

show datapath session table | include <ipaddr>

 

Occasional Contributor I

Re: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

I opened a support case. They went through the config and agreed it was fine.

Tarinelli, I think you're correct, it is not a firewall issue.

The thing was that when the printers lost connectivity they were not in the user table at all.

Anyway, at this point I'm looking at the printers going into power save mode as the problem. When they do this they leave the user table altogether and thus the user rule allowing access to them is not active. Then new jobs from the print server can't reach them to 'wake' them back up.

I've removed or adjusted the hibernating settings on the printers and so far they are staying in the user-table.

I'm not sure what I'll do long term for this. These printers are leased and managed by a printer/copier distributor and I'm thinking they will want their printers to hibernate when not in use.

 

Any thoughts on a workaround for this?

 

Thanks for the responses so far.

 

Michael

Aruba Employee

Re: Best way to set up ethernet port on RAP5 with no authentication but still have a firewall rule.

Can you please tell me which code you are running on the controller?

If this is happening on 6.1.3.2 or later code, I think the issue is related to the "suppress ARP" feature.
