Contributor I
Posts: 25
Registered: ‎06-27-2013

Disable inter vlan routing

Hi,


I have a vlan configured on a controller with a wired client attached. The vlan has dhcp enabled with the controller configured as the client gateway. I do not want the client to be able to access any other vlan interface on the controller, so I have disabled inter-vlan routing on the client vlan interface, but I can still access all other vlan interfaces on the controller from the client. Any ideas what is going on?


thanks

Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: Disable inter vlan routing

It won't work if the controller is the default gateway. You'll need to put an acl on the wired users role blocking access to that subnet. If the wired client does not have an aaa profile applied, you'll need to put the acl on the interface that the traffic flows through.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Contributor I
Posts: 25
Registered: ‎06-27-2013

Re: Disable inter vlan routing

OK. The vlan is part of a port channel, so I can't really add an acl to it.

If I remove the dhcp and it is just an L3 vlan, will the disable inter vlan routing work then?

Aruba
Posts: 1,287
Registered: ‎08-29-2007

Re: Disable inter vlan routing

For that port you can make that vlan untrusted, then assign a wired aaa-profile. Within that aaa profile, put the necessary acl in that initial role.

(attached screenshot: aaa-wired.jpg)


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
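An ArubaOS configuration fragment illustrating the approach in this reply (added here as an example; it is not from the original thread or from Aruba's own documentation). It assumes ArubaOS 6.x CLI syntax, port-channel 0 as the port, VLAN 100 as "vlan x", and 192.0.2.1 as the controller's address on that VLAN; all three are placeholders to adjust.

```text
! Session ACL applied to wired clients arriving on the untrusted VLAN.
! Permits only DHCP and UDP 4500 (svc-natt) to the controller's VLAN 100 address,
! which is what the RAP needs for its tunnel; everything else, including the
! controller's other VLAN interfaces and the management address, is denied.
ip access-list session rap-vlan-only
  any any svc-dhcp permit
  any host 192.0.2.1 svc-natt permit
  any any any deny
!
! Initial role that carries the ACL; wired users land here before any authentication.
user-role rap-vlan-initial
  access-list session rap-vlan-only
!
! Wired AAA profile whose initial role is the restricted role above.
aaa profile wired-rap-vlan
  initial-role rap-vlan-initial
!
! Only VLAN 100 on the port-channel is made untrusted and given the AAA profile,
! so the other VLANs carried on the same port-channel keep their existing behaviour.
interface port-channel 0
  no trusted vlan 100
  aaa-profile wired-rap-vlan
!
```

Note that with this ACL the FTP image download the later post describes (RAP fetching the image from the controller's management address) is also denied; if that flow is needed during provisioning it has to be permitted explicitly, and a laptop plugged into the same port gets exactly the same restricted role.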
Contributor I
Posts: 25
Registered: ‎06-27-2013

Re: Disable inter vlan routing

(attached screenshot: Capture.JPG)

To back up a bit - what I am trying to do is secure the port so that I can use RAPs on what is effectively an internal network, so it is not really related to wired clients. I need the RAPs to access the controller via the address on vlan x, but what happens is, when provisioning a RAP108, the controller provides its address on its management interface as the location for ftp download of the AP image. The download works because the controller internally routes between vlan x and the management interface. The problem is that if someone were to unplug the RAP and connect a laptop to vlan x, they can access all controller interfaces because the controller routes to them. I wanted to turn off inter-vlan routing, but I think this will prevent the AP image being downloaded by the RAP.

I noticed on the port channel interface that I can add a VLAN firewall policy. Can I add a policy on the RAP vlan that just allows 4500 and dhcp that will not affect any other vlans in the same port channel? Do I have to make vlan x untrusted?

Secondly, I want to restrict access to the controller GUI to only our management vlan - can I apply a firewall policy to the port channel in addition to a firewall vlan policy?
