Contributor I
Posts: 60
Registered: ‎12-15-2011

Forced Redirect

Does ArubaOS support a feature which prevents a wireless station from connecting to another station without first forwarding to the upstream router? I want to prevent the mobility controller from directly routing or switching between wireless stations. I need this to ensure firewall policy is applied at the upstream router (actually a firewall).
Thanks

Marvin

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Forced Redirect

Marvin,
The controller can block communication between WLAN clients, but if they are on the same subnet, they cannot be forced to talk through a firewall.  Since the controller is a firewall, though, you can selectively allow or block traffic between clients even if they are on the same subnet.
What features does your firewall have that you need?

MVP
Posts: 765
Registered: ‎03-25-2009

Re: Forced Redirect

Yes, it has both options: deny inter-user traffic and deny inter-VLAN routing.

Koen (ACMX #351 | ACDX #547 | ACCP)
Contributor I
Posts: 60
Registered: ‎12-15-2011

Re: Forced Redirect

The external firewall is used to ensure consistent policy application between wireless and wired clients. I am using an ESI with a redirect ACL to the firewall. Could you please help me with the following regarding ESI?

Is ESI an appropriate method to redirect?

Does the session ACL use implicit deny? I have a forward-direction policy. Will I need a reverse-direction policy to allow traffic initiated from outside to get through?

The rules are stateful so I had to be very careful about routing symmetry.
Thanks.

Contributor I
Posts: 60
Registered: ‎12-15-2011

Re: Forced Redirect

How do I turn on the feature to deny inter-VLAN and intra-VLAN forwarding?
Thanks.

Contributor I
Posts: 60
Registered: ‎12-15-2011

Re: Forced Redirect

Found it under VAP profile and Global Firewall settings.
Thanks.

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Forced Redirect

Be careful...
Those options will break routing between VLANs and/or between WLAN clients. If you want traffic to flow between them, you should leave those off and create appropriate policies on the controller to control traffic.

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Forced Redirect

I am not all that familiar with the ESI redirection, so it might be a way around L2 connected clients "seeing" each other.
The other way is to create the policies on the controller. They are definitely stateful, so if you open an application for the WLAN clients, the return traffic will be allowed.
You would need to open any wired initiated traffic holes that you want (from the controller toward the WLAN clients).
Yes, there is an implicit deny all at the end of any ACL used for traffic management.
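The stateful session-ACL behaviour described in this thread (forward rule permits the client-initiated flow, the return traffic rides the session entry without a reverse rule, wired-initiated traffic toward the clients hits the implicit deny until a rule opens it) can be modelled in a few lines. This is an added illustration written for this page, not ArubaOS code; the `user` alias, the client addresses and the rule layout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example: these addresses stand in for the WLAN clients ("user" alias).
WLAN_CLIENTS = {"10.1.1.10", "10.1.1.11"}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str              # "user" (a WLAN client) or "any"
    dst: str              # "user" or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port
    action: str           # "permit" or "deny"

def _alias_match(alias: str, ip: str) -> bool:
    return alias == "any" or (alias == "user" and ip in WLAN_CLIENTS)

class SessionAcl:
    """Ordered rules, a session table, and an implicit deny at the end."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # permitted flows, stored in both directions

    def evaluate(self, pkt: Packet) -> tuple:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return ("permit", "existing session")  # return traffic needs no reverse rule
        for i, r in enumerate(self.rules):
            if (_alias_match(r.src, pkt.src) and _alias_match(r.dst, pkt.dst)
                    and r.proto in ("any", pkt.proto) and r.dport in (None, pkt.dport)):
                if r.action == "permit":
                    self.sessions.add(key)
                    self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return (r.action, f"rule {i}")
        return ("deny", "implicit deny")  # no rule matched: dropped at the end of the ACL

def demo():
    acl = SessionAcl([Rule("user", "any", "tcp", 443, "permit")])  # forward-direction policy only
    out = acl.evaluate(Packet("tcp", "10.1.1.10", 40000, "203.0.113.5", 443))   # client opens HTTPS
    back = acl.evaluate(Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 40000))  # reply: session hit
    wired = acl.evaluate(Packet("tcp", "192.0.2.7", 50000, "10.1.1.10", 22))    # wired-initiated SSH
    acl.rules.append(Rule("any", "user", "tcp", 22, "permit"))                  # open the hole
    wired_opened = acl.evaluate(Packet("tcp", "192.0.2.7", 50000, "10.1.1.10", 22))
    return out, back, wired, wired_opened
```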