Occasional Contributor II
Posts: 14
Registered: ‎12-23-2011

Per Vlan Trust on physical port

Hello 

I have an Aruba controller connected to the wired network via an 802.1q trunk port. I want to make only one of these VLANs untrusted and all others trusted, so that the controller adds only the clients from the untrusted VLAN to the user database. However, when I make the port trusted and add the trusted VLANs to the interface config, the controller only sees a few (around 20) users on the interface, at random, although there are a few hundred. When I do not make the port trusted and only add the trusted VLANs, the controller sees all clients from all VLANs (any IPs from the whole world that send any packet through the controller); that makes the system exceed its user capacity.

How can I make only some of the VLANs trusted on a trunk port?

Note: The VLAN I am trying to make untrusted is an OSPF VLAN that connects several LANs beyond.

MVP
Posts: 4,082
Registered: ‎07-20-2011

Re: Per Vlan Trust on physical port

Your config should look like this:

VLANs that you want to use:
VLAN 10
VLAN 20
VLAN 30

VLANs that you don't want to use:
VLAN 40
VLAN 50

interface gigabitethernet 0/0
  switchport trunk allowed vlan 10,20,30
  trusted vlan 10,20,30

Is this what you are trying to accomplish? Or did I just misunderstand what you are trying to do?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎12-23-2011

Re: Per Vlan Trust on physical port

Hello,

No, in fact what I want is slightly different.

Let's say I have VLANs 10, 20, 30.
I want all three as allowed VLANs on the port.
I want the controller to pass the traffic from 10 and 20 directly, without any user processing.
I want the sources of packets from VLAN 30 to be added to the user list.

When I do:

interface gigabitethernet 0/0
  trusted
  switchport trunk allowed vlan 10,20,30
  trusted vlan 10,20

the controller adds only a random small part of the sources from VLAN 30 to the list.

When I do:

interface gigabitethernet 0/0
  switchport trunk allowed vlan 10,20,30
  trusted vlan 10,20

the controller adds the sources of all packets from VLANs 10, 20 and 30. But I want only the sources of the packets from VLAN 30 to appear on the user list.

MVP
Posts: 4,082
Registered: ‎07-20-2011

Re: Per Vlan Trust on physical port

You may want to apply an ip access-group to the interface with the traffic you want to allow.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎12-23-2011

Re: Per Vlan Trust on physical port

Hello,

In the example, my purpose is to have the sources of the packets from VLAN 30 in the user list, and not VLANs 10 and 20. Therefore using an ACL does not help.

One of the VLANs that I want to be trusted is the path to the Internet. Therefore, if the controller tracks all the sources from all three VLANs as users, all external IPs that send any packet to any of my clients are added to the user list.

In other words, in this situation all my clients and all IP addresses from the Internet that interact with my clients are added to the user list. This makes an excessive user table that the controller cannot handle.

MVP
Posts: 4,082
Registered: ‎07-20-2011

Re: Per Vlan Trust on physical port

You could define that in the validuser ACL:

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-40

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
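A worked example of the validuser approach suggested above, added here as an illustration; it is not taken from the thread or from the linked KB article, and the subnet is assumed. On ArubaOS the validuser session ACL is checked against the source address of traffic arriving on untrusted ports and VLANs before a user entry is created, so permitting only the wired client subnet (the VLAN 30 clients from the earlier example, assumed here to live in 10.30.0.0/16) stops Internet sources that merely answer a client from ever becoming user entries. Lines beginning with `!` are annotation only.

```text
! Added example, not from the original thread.
! Assumption: the wired clients on the untrusted VLAN use 10.30.0.0/16.
! Only sources in that range may create a user-table entry; everything else is denied.
ip access-list session validuser
  network 10.30.0.0 255.255.0.0 any any permit
  any any any deny
```

Check the resulting rule order with `show ip access-list validuser`: rules are matched top down and new rules are appended, so the permit-any rule at the end of the default validuser ACL has to be removed or positioned after the deny, otherwise the added rules are never reached. Two caveats a practitioner should keep in mind: validuser is global, so it also governs wireless clients and every client subnet the controller serves must be permitted; and it filters on IP address, not VLAN tag, which is why it cannot by itself tell VLAN 30 apart from VLANs 10 and 20 when they carry overlapping or routed address space.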
Occasional Contributor II
Posts: 14
Registered: ‎12-23-2011

Re: Per Vlan Trust on physical port

Hello,

The validuser ACL provides a filter for the users that appear in the user list, but when I tried that way I got performance problems. Furthermore, this is not what I need.

I think I failed to explain what I need, so let me explain starting from what I do now.

Currently, I have the controller connected to my core switch via two cables. One port has VLAN x, which is the VLAN that connects the controller to the outer world, and the other port has VLAN y, which connects wired clients to the controller. The controller routes packets between the two VLANs.

One of the ports of the controller is trusted and the other is not. The trusted port has VLAN x, which is the VLAN that connects the controller to the outer world. The untrusted port has VLAN y, which connects the clients to the controller.

In the config there is something like this:

interface gigabitethernet 0/0
  trusted
  switchport trunk allowed vlan x
  trusted vlan x

interface gigabitethernet 0/1
  switchport trunk allowed vlan y
  trusted vlan y

Then the controller adds the sources of the packets from VLAN y to the user list.

I just want to make the same thing with using only one physical port.

I think this should be possible using trusted VLANs. If not, what is the purpose of having the trusted vlan command when there is the trusted command for the physical port?

MVP
Posts: 4,082
Registered: ‎07-20-2011

Re: Per Vlan Trust on physical port

That's an interesting setup you have. I don't think you will be able to accomplish what you want under one port, since you need the trusted port configured under the trunk to allow the rest of the traffic to be allowed on the interface.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 14
Registered: ‎12-23-2011

Re: Per Vlan Trust on physical port

Hello again,

Then, what is the purpose of the trusted vlan command?

MVP
Posts: 4,082
Registered: ‎07-20-2011

Re: Per Vlan Trust on physical port

To me it is similar to the allowed VLANs under the trunk command: you are specifying which VLANs you want your trunk to trust (extra trust).

That's how I have always seen it, but maybe there's another reason or purpose for it.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA