Wireless Access

MVP
Posts: 1,401
Registered: ‎05-28-2008

RAP wired port: deny inter-user traffic with unmanaged switch connected

Hi Guys,

I need your assistance/advice.

Environment:

A3600A6.4.2.5 and RAP3WN units (deployed as RAP, IPsec)

Now to my issue:

I configured the RAP3WN unit's 0/1 port to be untrusted and to use 802.1X and MAC auth (L2 failover). I assigned AAA / tunnel mode / the same VLAN (1028) to all clients, and everything is working as expected (each client that passes 802.1X or MAC auth gets the same authenticated role).

(SPI: deny inter-user traffic enabled)

 

BUT (now to my issue): when trying to ICMP or web GUI to a local printer (that is also connected to the switch), we are able to pass traffic :( even though inter-user traffic isn't allowed, and all clients and the printer are connected to a switch that is connected to ETH 0/1 on the RAP.

 

Please advise why?

Please advise how I enforce it (something strange is that when I'm not allowing access based on the ACL that the client gets, ICMP is still working... BUT the HTTP ACL, DHCP ACL and others do take effect).

 

Waiting to hear your solution.

 

Me.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: RAP wired port: deny inter-user traffic with unmanaged switch connected

Are they both wired on the same VLAN? Are they both connected to a switch?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,401
Registered: ‎05-28-2008

Re: RAP wired port: deny inter-user traffic with unmanaged switch connected

Here you go (I made a quick diagram). *YES, THEY ARE CONNECTED TO A FLAT SWITCH - NOT MANAGED - and from it to the RAP untrusted port*

[Image: Capture.PNG]

As far as I am aware, the clients shouldn't be able to ping each other or bypass traffic (because I enabled deny inter-user traffic on the SPI, and the port isn't trusted).

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: RAP wired port: deny inter-user traffic with unmanaged switch connected

The RAP firewall is not between your clients. On the same layer-2 subnet, traffic does not have to pass through the RAP, so it cannot be enforced. Enforcement would only apply to traffic that leaves the subnet.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,401
Registered: ‎05-28-2008

Re: RAP wired port: deny inter-user traffic with unmanaged switch connected

But isn't all client traffic tunneled back to the controller?

Guru Elite
Posts: 20,807
Registered: ‎03-29-2007

Re: RAP wired port: deny inter-user traffic with unmanaged switch connected

Wired traffic that talks directly to another device on a layer-2 switch: that traffic would not be tunneled back. The shortest path would be for a device to send an ARP on that switch and send traffic to it. The RAP would not even see the data from those transactions.


Colin Joseph
Aruba Customer Engineering

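To make the point above concrete, here is an added example (not from this thread or from Aruba's code): a toy model of an unmanaged, MAC-learning switch with the RAP on one port. It shows that a unicast frame from a client to the printer only ever reaches the printer's port, so the RAP's role ACL has nothing to inspect, while traffic sent to the gateway MAC behind the RAP does reach the RAP port. All MAC addresses and port numbers are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
RAP_PORT = 0  # constructed: switch port cabled to the RAP's untrusted ETH 0/1

# Constructed MAC addresses for the three devices in the diagram.
CLIENT_MAC = "02:00:00:00:00:01"   # 802.1X/MAC-auth client on switch port 1
PRINTER_MAC = "02:00:00:00:00:02"  # local printer on switch port 2
RAP_MAC = "02:00:00:00:00:fe"      # RAP (gateway for off-subnet traffic)


class FlatSwitch:
    """Unmanaged switch: learns the source MAC of every frame per port and
    floods frames whose destination is unknown or broadcast."""

    def __init__(self, n_ports: int = 4) -> None:
        self.n_ports = n_ports
        self.table: dict[str, int] = {}  # MAC address -> port

    def forward(self, in_port: int, src: str, dst: str) -> list[int]:
        """Return the egress ports a frame src->dst is delivered to."""
        self.table[src] = in_port  # source-address learning
        out = self.table.get(dst)
        if dst == BROADCAST or out is None:
            # flood to every port except the ingress port
            return [p for p in range(self.n_ports) if p != in_port]
        return [out]


def rap_sees(sw: FlatSwitch, in_port: int, src: str, dst: str) -> bool:
    """True if the frame reaches the RAP port, the only point where the
    RAP/controller firewall could apply the user's role ACL."""
    return RAP_PORT in sw.forward(in_port, src, dst)


def simulate() -> dict[str, bool]:
    """Replay the client -> printer exchange from the thread, then an
    off-subnet packet, recording which frames the RAP ever sees."""
    sw = FlatSwitch()
    seen = {}
    # 1) Client ARPs for the printer: broadcast, flooded to every port.
    seen["arp_request"] = rap_sees(sw, 1, CLIENT_MAC, BROADCAST)
    # 2) Printer replies unicast; the client MAC is already learned on port 1.
    seen["arp_reply"] = rap_sees(sw, 2, PRINTER_MAC, CLIENT_MAC)
    # 3) ICMP/HTTP to the printer: unicast to a learned MAC, port 2 only.
    seen["icmp_to_printer"] = rap_sees(sw, 1, CLIENT_MAC, PRINTER_MAC)
    # 4) Off-subnet traffic is addressed to the gateway MAC behind the RAP.
    seen["icmp_off_subnet"] = rap_sees(sw, 1, CLIENT_MAC, RAP_MAC)
    return seen


if __name__ == "__main__":
    for step, hit in simulate().items():
        print(f"{step:18s} reaches RAP port: {hit}")
```

Only the initial ARP broadcast and the off-subnet packet ever touch the RAP; the printer reply and the ICMP/HTTP data frames are switched host-to-host, which is why deny inter-user traffic cannot act on them.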

MVP
Posts: 1,401
Registered: ‎05-28-2008

Re: RAP wired port: deny inter-user traffic with unmanaged switch connected

Thank you for the fast answer and the great info. (I thought that when I'm connecting a "stupid" switch to the RAP ETH port, all traffic, even traffic between users, is still tunneled back to the controller.)

 

Me.
