Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client/traffic profiling on wired VLANs

  • 1.  Client/traffic profiling on wired VLANs

    Posted Oct 18, 2015 10:33 PM
    I have a 7005 being used as a router/firewall and it works beautifully but doesn't appear to be profiling or even identifying clients and their traffic coming from wired-only VLANs on the controller. There are also a few VLANs homed on another device and shared via OSPF that it doesn't show either.

    I don't want to do any authentication of any type (several of my attempts have led to a captive web portal), I just want to see them in the clients list and have their traffic identified/policed.

    Any suggestions?
    #ALE


  • 2.  RE: Client/traffic profiling on wired VLANs

    EMPLOYEE
    Posted Oct 18, 2015 10:36 PM
    Create an AAA profile with the authenticated role as the initial role. Then tie that AAA profile to the VLAN interfaces and make them untrusted.


  • 3.  RE: Client/traffic profiling on wired VLANs

    Posted Oct 19, 2015 03:06 AM

    Is there a way to do that for VLANs that don't exist on the controller? Some sort of catch-all profile? I did create a profile and assigned it to the VLAN and made the port untrusted but everything not "homed" on the 7005 disappeared.

    For example:

    My network is set up like this (not to scale):

    Internet <-- --> 7005 <-- Gi0/0/2 -- Gi0/0/1 --> L3 switch
                    /  |  \                        /  |   |   \
                  10  11  12                     10  100 101 102


    • The 7005 and L3 switch are peered via OSPF on VLAN 10
    • VLANs 10,11,12 exist and are "homed" on the 7005
    • VLAN 10 exists and VLANs 100,101,102 exist and are "homed" on the L3 switch
    • L3 gets its default gateway from the 7005 via OSPF

    I want all the traffic to be permitted but also to be visible in all the traffic/client reporting. When I make the port untrusted I can see the details of the local VLANs (10,11,12) but lose reachability to anything behind the L3 switch.



  • 4.  RE: Client/traffic profiling on wired VLANs

    EMPLOYEE
    Posted Oct 19, 2015 05:34 AM
    What are you using to "report" client traffic? A controller can only report on client traffic that passes through it so that it can see the browser agent of clients and classify them.

    Edit:
    On the face of it, you would need to make all of the VLANs you want classified untrusted like TC said, but they would show up in the user table and there is a possibility it would exceed the platform limit of the 7005 if they do. Do you just want client types or full traffic reporting?


  • 5.  RE: Client/traffic profiling on wired VLANs

    EMPLOYEE
    Posted Oct 19, 2015 06:33 AM
    So you want it almost like a transparent firewall. I don't think that's possible. The IP has to be in the user table in order for the DPI engine to process it.


    Thanks, 
    Tim


  • 6.  RE: Client/traffic profiling on wired VLANs

    Posted Oct 19, 2015 07:54 AM

    Not a transparent firewall, an actual firewall. It is sitting at the border of the network and is running as the firewall. All IPs are passing through the controller on their way to the internet but the client table on the Monitoring tab is empty, AppRF data on the dashboard is inconsistent, and when I am able to get data off the directly connected VLANs all the other VLANs (see previous diagram) lose connection.



  • 7.  RE: Client/traffic profiling on wired VLANs
    Best Answer

    EMPLOYEE
    Posted Oct 19, 2015 01:00 PM
    You can get data on the wired VLANs, but on the controller, it does not show much history. If you point the controller at AirWave via AMON, it will give you even the wired traffic firewall info that is not in the user table. As long as the controller is routing the traffic, it will send the info to AirWave.


  • 8.  RE: Client/traffic profiling on wired VLANs

    EMPLOYEE
    Posted Oct 18, 2015 10:39 PM

    A client's OS will only be identified on the controller if it is in the user table and the AAA profile has "Device Type Classification" enabled http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/show_aaa_profile_.htm


    For wired clients, that typically means users coming in on an untrusted port/VLAN.


    This differs from ClearPass classification/profiling that only requires a copy of the DHCP request packet to identify clients.

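    The steps from reply 2 (an AAA profile with the authenticated role as its initial role, bound to wired VLANs that are made untrusted) together with the condition from reply 8 (Device Type Classification enabled on that AAA profile), shown as one ArubaOS CLI fragment. This is an added illustration, not configuration posted by anyone in the thread. The profile name "wired-visibility", the choice to untrust only VLANs 11 and 12 on the Gi0/0/2 trunk while leaving the OSPF transit VLAN 10 trusted, and the per-VLAN `vlan <id> wired aaa-profile` binding are assumptions that should be checked against the running ArubaOS 6.x release before use.

```text
! Added example (not from the original thread): wired client visibility
! on an ArubaOS 6.x 7005. Profile name, VLAN assignments and the exact
! binding command are assumptions; verify on your release.

! 1. AAA profile whose initial role is already "authenticated", so no
!    captive portal is triggered for these clients. devtype-classification
!    is the CLI form of the "Device Type Classification" checkbox that
!    reply 8 says is required for OS identification in the user table.
aaa profile "wired-visibility"
   initial-role "authenticated"
   devtype-classification
!
! 2. Bind the profile to the wired VLANs homed on the 7005 that should
!    appear in the client list (VLANs 11 and 12 from the diagram).
vlan 11 wired aaa-profile "wired-visibility"
vlan 12 wired aaa-profile "wired-visibility"
!
! 3. Make those VLANs untrusted on the trunk toward the L3 switch so the
!    clients in them are entered into the user table. VLAN 10, which
!    carries the OSPF peering to the L3 switch, is left trusted here; the
!    reachability loss described in reply 3 came from untrusting the port
!    as a whole, so untrust only the client VLANs.
interface gigabitethernet 0/0/2
   switchport mode trunk
   switchport trunk allowed vlan 10-12
   trusted vlan 10
   no trusted vlan 11-12
!
! Verify: the profile shows devtype-classification enabled, and wired
! clients from VLANs 11/12 appear in the user table with a device type.
show aaa profile "wired-visibility"
show user-table
```

    Reply 4's caveat still applies: every client placed in the user table counts against the 7005 platform user limit, so bind the profile only to the VLANs whose clients actually need to be classified. Traffic that is merely routed (the VLANs behind the L3 switch) stays out of the user table and, per reply 7, is only reportable through AirWave via AMON.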


  • 9.  RE: Client/traffic profiling on wired VLANs

    Posted Oct 19, 2015 04:18 PM
    That's unfortunate for me but understandable. Thanks!