ids system is detecting the controller ip not device

  • 1.  ids system is detecting the controller ip not device

    Posted Mar 30, 2016 03:22 PM

    Our IDS system (Alert Logic) detects p2p traffic coming from the guest network as coming from the controller - we currently have the controller handing out IP addresses for that network. Is there some way to get the Aruba to send the IP address of the device so that we can track what system is causing the issue?

    I'm stumped here and could really use some fresh eyes.

    Thanks!

    Gerri



  • 2.  RE: ids system is detecting the controller ip not device

    EMPLOYEE
    Posted Mar 30, 2016 03:29 PM
    If you have IP NAT inside on your first vlan, your IDS cannot see the actual IP address of the guest user. You must use a routable IP address for the IDS to see the correct IP address.


  • 3.  RE: ids system is detecting the controller ip not device

    Posted Mar 30, 2016 03:36 PM

    Thank you Collin

    OK - so for my guest network it has the following VLAN configuration:

    interface vlan 100
    ip address 192.168.100.1 255.255.255.0
    ip nat inside

    ip dhcp pool guest
    default-router 192.168.100.1
    dns-server 10.0.1.121 10.0.1.125
    network 192.168.100.0 255.255.255.0
    authoritative

    Not sure what this command does:

    ip cp-redirect-address 192.168.100.1

    If I wanted to change that to pull the IP address (but keep the restricted access) from the DHCP servers on site - I'm not sure how to do that, or do I need to be handing out a different IP address in the internal DHCP scope on the controller?

    Thanks!

    Gerri



  • 4.  RE: ids system is detecting the controller ip not device

    EMPLOYEE
    Posted Mar 30, 2016 05:28 PM
    Gerri,

    I would look to a security person in your organisation to design a networking solution that meets your security needs. I don't want to suggest something that might expose your organization to security risks.


  • 5.  RE: ids system is detecting the controller ip not device

    Posted Mar 30, 2016 05:36 PM

    I appreciate that Collin - unfortunately our Security people are looking to me to get it fixed. :(

    I was at one point able to pull the IP addresses for the Guest network from the DHCP server on the network - I'm no longer sure how I did that unfortunately.

    Do you have any recommendations on how to do that?

    Thanks!

    Gerri



  • 6.  RE: ids system is detecting the controller ip not device

    EMPLOYEE
    Posted Mar 30, 2016 05:41 PM
    You would have to have your guests on a fully routable subnet and NOT NAT your traffic out the controller. Run that by them...
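    As an added illustration of the point made in this reply (example code, not from the original thread and not Aruba's code): a small Python model of what a wired-side IDS sees when the guest VLAN is source-NATed by the controller versus routed, and of why an alert can only be traced back to the guest client if a NAT translation record for that session exists. The 192.168.100.x guest addresses follow the VLAN 100 configuration posted earlier in the thread; the controller uplink address 10.0.1.200, the outside peer addresses, the port numbers and the sample flows are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed for the example: the routable uplink address a source NAT on the
# controller would stamp on every guest flow. Not taken from the thread.
CONTROLLER_UPLINK = "10.0.1.200"


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as an IDS would see it on the wire, plus a timestamp for correlation."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Translation:
    """One NAT session record: the inside client and the outside address/port it got."""
    ts: datetime
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Minimal model of `ip nat inside`: each guest flow leaves with the uplink
    address as source and a fresh port, and the mapping is recorded in a log."""

    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self._next_port = first_port
        self.log: List[Translation] = []

    def translate(self, flow: Flow) -> Flow:
        port = self._next_port
        self._next_port += 1
        self.log.append(Translation(flow.ts, flow.src_ip, flow.src_port,
                                    self.outside_ip, port, flow.dst_ip, flow.dst_port))
        return Flow(flow.ts, self.outside_ip, port, flow.dst_ip, flow.dst_port)


def ids_view(flows: List[Flow], nat: Optional[SourceNat]) -> List[str]:
    """Distinct source addresses a wired-side IDS observes: the clients themselves
    on a routed guest subnet, or only the controller's address behind source NAT."""
    on_wire = flows if nat is None else [nat.translate(f) for f in flows]
    return sorted({f.src_ip for f in on_wire})


def attribute_alert(alert: Flow, log: List[Translation],
                    window: timedelta = timedelta(seconds=60)) -> Optional[str]:
    """Map a post-NAT alert 5-tuple back to the guest client. With no translation
    log there is nothing to map, which is the situation described in the thread."""
    for t in log:
        same_session = (t.outside_ip, t.outside_port, t.dst_ip, t.dst_port) == \
                       (alert.src_ip, alert.src_port, alert.dst_ip, alert.dst_port)
        if same_session and abs(alert.ts - t.ts) <= window:
            return t.inside_ip
    return None


# Constructed sample: two guest clients talking to outside peers on a p2p port.
T0 = datetime(2016, 3, 30, 15, 22, 0)
SAMPLE_FLOWS = [
    Flow(T0, "192.168.100.23", 51000, "203.0.113.10", 6881),
    Flow(T0 + timedelta(seconds=2), "192.168.100.57", 51001, "203.0.113.10", 6881),
    Flow(T0 + timedelta(seconds=4), "192.168.100.23", 51002, "203.0.113.20", 6881),
]


def demo() -> dict:
    nat = SourceNat(CONTROLLER_UPLINK)
    routed = ids_view(SAMPLE_FLOWS, None)   # clients are visible
    natted = ids_view(SAMPLE_FLOWS, nat)    # only the controller is visible
    # The IDS raises an alert on the first translated flow a few seconds later.
    alert = Flow(T0 + timedelta(seconds=5), CONTROLLER_UPLINK, 40000, "203.0.113.10", 6881)
    return {
        "routed": routed,
        "natted": natted,
        "culprit": attribute_alert(alert, nat.log),  # resolvable only with the NAT log
        "no_log": attribute_alert(alert, []),        # what the IDS alert alone tells you
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The `routed` result is what the advice in this thread produces: put guests on a routable subnet, skip the NAT, and the IDS reports the client address directly. The `culprit`/`no_log` pair shows the fallback if NAT has to stay: attribution then depends entirely on keeping and correlating per-session translation records, and an alert with no matching record is a dead end.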


  • 7.  RE: ids system is detecting the controller ip not device

    Posted Mar 30, 2016 06:09 PM

    Well that's what they want - now I have to make it happen.

    So I see on the VLAN that I have enabled source NAT for this VLAN. I'm guessing that I would need to change the IP address range for the VLAN to be something that is routable on my network (which is currently a 10.0.x.x).

    So (and I'm just trying to figure this out so forgive my ramblings) if I set up a VLAN on my core switch that is the same as the VLAN for the guest network on the Aruba, then set up my DHCP scope for that address it *should* all work, and then all the traffic will be going over the network and then hitting the IDS properly, at least in theory, right?

    I would need to disable the DHCP pool on the Aruba, but it should all work with the IDS since the NATting won't take place at the router not before.

    My apologies for all the questions - I just don't have anybody to bounce some of these off of.

    Thank you in advance!

    Gerri