03-19-2012 01:15 PM
Does ArubaOS support a feature which prevents a wireless station from connecting to another station without first forwarding to the upstream router? I want to prevent the mobility controller from directly routing or switching between wireless stations. I need this to ensure firewall policy is applied at the up stream router (actually a firewall).
03-19-2012 01:21 PM
The controller can block communication between WLAN clients, but if they are on the same subnet, they cannot be forced to talk through a firewall. Since the controller is a firewall, though, you can selectively allow or block traffic between clients even if they are on the same subnet.
What features does your firewall have that you need?
03-19-2012 01:23 PM
Yes, it has both options: deny inter-user traffic and deny inter-VLAN routing.
03-19-2012 01:33 PM
The external firewall is used to ensure consistent policy application between wireless and wired clients. I am using an ESI with a redirect ACL to the firewall. Could you please help me with the following regarding ESI:
Is ESI an appropriate method to redirect?
Does a session ACL use implicit deny? I have a forward-direction policy. Will I need a reverse-direction policy to allow traffic initiated from outside to get through?
The rules are stateful so I had to be very careful about routing symmetry.
03-19-2012 01:53 PM
Those options will break routing between VLANs and/or between WLAN clients. If you want traffic to flow between them, you should leave those off and create appropriate policies on the controller to control traffic.
03-19-2012 01:56 PM
I am not all that familiar with the ESI redirection, so it might be a way around L2-connected clients "seeing" each other.
The other way is to create the policies on the controller. They are definitely stateful, so if you open an application for the WLAN clients, the return traffic will be allowed.
You would need to open any wired-initiated traffic holes that you want (from the controller toward the WLAN clients).
Yes, there is an implicit deny all at the end of any ACL used for traffic management.
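The behaviour described in this answer (stateful session ACL, return traffic allowed without a reverse rule, explicit rule needed for wired-initiated traffic, implicit deny at the end) can be modelled to check a policy before deploying it. This is an added illustration written for this thread, not ArubaOS code; the subnets, addresses and ports are constructed examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WLAN = ipaddress.ip_network("10.10.0.0/24")   # constructed: WLAN client subnet
WIRED = ipaddress.ip_network("10.20.0.0/24")  # constructed: wired server subnet

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int

@dataclass(frozen=True)
class Rule:
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    proto: str                             # "tcp", "udp" or "any"
    dport: Optional[int]                   # None means any destination port
    action: str                            # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class SessionAcl:
    """Simplified stateful session ACL: first matching rule wins, implicit deny at the end."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # 5-tuples of flows already permitted in the forward direction

    def evaluate(self, p: Packet) -> str:
        # Reply to an established session is allowed without a reverse-direction rule
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return "permit"
        for r in self.rules:
            if r.matches(p):
                if r.action == "permit":
                    self.sessions.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return r.action
        return "deny"  # implicit deny all at the end of the ACL

def demo(open_wired_hole: bool = False) -> dict:
    rules = [Rule(WLAN, WIRED, "tcp", 443, "permit")]          # forward-direction policy only
    if open_wired_hole:
        rules.append(Rule(WIRED, WLAN, "tcp", 22, "permit"))   # explicit wired-initiated hole
    acl = SessionAcl(rules)
    return {
        "client_to_server": acl.evaluate(Packet("10.10.0.5", "10.20.0.9", "tcp", 50000, 443)),
        "server_reply":     acl.evaluate(Packet("10.20.0.9", "10.10.0.5", "tcp", 443, 50000)),
        "wired_initiated":  acl.evaluate(Packet("10.20.0.9", "10.10.0.5", "tcp", 40000, 22)),
        "client_to_client": acl.evaluate(Packet("10.10.0.5", "10.10.0.6", "tcp", 40001, 445)),
    }
```

Without the wired-initiated rule the server reply is still permitted (stateful), while the wired-initiated SSH and the client-to-client flow fall through to the implicit deny.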