Occasional Contributor I

RAP wired split tunnel with MAC policy

Hi!

 

Following problem: my customer wants to connect a phone to port 1 of the RAP! The laptop will be connected to the integrated phone switch! So two clients on a single port.

What's special about that: the phone should get its IP address from the internal network, but the DHCP request from the PC should already be bridged out to the local Fritzbox! So no NAT included...!

 

I've created a rule like this:

 

Action: Permit

Host MAC: 00:80:9f:00:00:00

Subnet bits: 00:00:00:ff:ff:ff

 

So everything coming from MAC range 00:80:9f:00:00:00 to 00:80:9f:ff:ff:ff should be permitted and forwarded through the tunnel!

 

I have created a user role with this MAC rule as a first statement, second statement was:

 

source user destination any service any route

 

But this doesn't work! I can see matches on the MAC policy and the phone gets connected, but the PC is not getting its IP address from the local device...!

 

Do I need the "source NAT" statement anyway, although that doesn't make sense to me? Or have I forgotten something? Or is a mix of layer 2 and layer 3 rules not possible? And is the MAC-range config correct like this?

 

Any idea on how to solve that would be very much appreciated!!

 

Thanks!!

 

Markus

 

Guru Elite

Re: RAP wired split tunnel with MAC policy

Policy on the port of a RAP is not effective if there is a switch between the RAP port and the devices.  Also the ethernet, or "mac" policy will not work in the context you are using it for.  Lastly, split tunneling will not work with the mac policy you are trying to use it for.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite

Re: RAP wired split tunnel with MAC policy

Split-Tunnel is really only for layer 3 traffic, not layer 2 traffic like DHCP.  A client will only get an ip address from the local network if the traffic is on a bridged, not split tunnel interface.  Again, putting a switch between clients and an AP interface breaks the security with regards to intercepting layer 2 traffic, so it should not be done.  Clients on the same switch can easily talk to each other or send and receive traffic to each other without being enforced on the RAP.



Colin Joseph
Aruba Customer Engineering

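To make the two points above concrete (what the posted MAC rule actually covers, and that the second rule is a layer-3 rule the laptop's frames fall through to), here is a small first-match model of the poster's two-rule role. This is an added example, not ArubaOS code and not something from the thread; it assumes the "subnet bits" field is a wildcard mask in which a set bit means "don't care" (the poster's reading), that the session rule only sees IP frames (as the reply states), and it uses constructed MAC addresses and frames rather than anything captured from the customer's site.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into a 48-bit integer."""
    hexstr = mac.replace(":", "").replace("-", "").lower()
    if len(hexstr) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(hexstr, 16)


def mac_matches(mac: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a set bit in `wildcard` means 'don't care'.
    This is the poster's reading of the 'subnet bits' field (an assumption)."""
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(mac) & care) == (mac_to_int(base) & care)


@dataclass
class Frame:
    src_mac: str
    ethertype: int  # 0x0800 = IPv4, 0x0806 = ARP
    note: str = ""


# Hypothetical representation of the role from the question; not ArubaOS syntax.
ROLE_RULES = [
    {"kind": "mac", "base": "00:80:9f:00:00:00",
     "wildcard": "00:00:00:ff:ff:ff", "action": "permit"},
    {"kind": "session", "src": "user", "dst": "any",
     "svc": "any", "action": "route"},
]


def evaluate(frame: Frame, rules=ROLE_RULES) -> Tuple[str, Optional[str]]:
    """First-match evaluation. Returns (kind of rule that fired, its action),
    or ('none', None) if the frame matched nothing in the role."""
    for rule in rules:
        if rule["kind"] == "mac":
            if mac_matches(frame.src_mac, rule["base"], rule["wildcard"]):
                return ("mac", rule["action"])
        elif rule["kind"] == "session":
            # Session rules are layer 3 (assumption from the reply): only
            # IP frames are evaluated against them; ARP etc. fall through.
            if frame.ethertype == 0x0800:
                return ("session", rule["action"])
    return ("none", None)


# Constructed sample frames; locally administered MACs, not real devices.
PHONE = Frame("00:80:9f:12:34:56", 0x0800, "phone inside the permitted range")
LAPTOP_DHCP = Frame("02:00:00:00:00:01", 0x0800, "laptop DHCP Discover (IPv4)")
LAPTOP_ARP = Frame("02:00:00:00:00:01", 0x0806, "laptop ARP request")
EDGE_IN = Frame("00:80:9f:ff:ff:ff", 0x0800, "last address of the range")
EDGE_OUT = Frame("00:80:a0:00:00:00", 0x0800, "one past the range")


def report() -> dict:
    """Evaluate every sample frame; keyed by its note for readability."""
    return {f.note: evaluate(f) for f in
            (PHONE, LAPTOP_DHCP, LAPTOP_ARP, EDGE_IN, EDGE_OUT)}


if __name__ == "__main__":
    for note, (kind, action) in report().items():
        print(f"{note:40s} -> {kind}/{action}")
```

Under these assumptions the mask does cover exactly 00:80:9f:00:00:00 through 00:80:9f:ff:ff:ff, so the range question is answered; the laptop's IPv4 frames never hit the MAC rule and land on the layer-3 "route" rule, and nothing in the role bridges its non-IP traffic, which is the gap the replies describe.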

Occasional Contributor I

Re: RAP wired split tunnel with MAC policy

Hi!

 

Thanks for the answer!

 

But this is a really common configuration for a home office solution! The phone is connected to the RAP, the Laptop to the phone!

 

So the only possible solution would be to configure either a static IP address and use layer 3 ACLs, or configure an SSID in bridge mode for the laptop to connect?

 

Thanks!!

 

Markus

 

Guru Elite

Re: RAP wired split tunnel with MAC policy

I do not think it is impossible.  Using split tunneling and a switch is the problem.

 

Is this a site with a single employee with a phone and a laptop?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: RAP wired split tunnel with MAC policy

Yes,  they are in the testing phase to roll it out as a home office solution...always a single person working behind the RAP!

 

We did this configuration some years ago, but I think we used two different VLANs on that project; this time the customer doesn't want to configure the phones for VLAN tagging... that's the challenge!

Guru Elite

Re: RAP wired split tunnel with MAC policy

What kind of RAP are they using?  This could be done if the phone plugs into one wired port and the PC into another wired port or uses wireless.  It is the PC plugging into the phone switch that would break the split tunnel.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: RAP wired split tunnel with MAC policy

Hi!

 

Thanks for your help!

 

I've shown four different options to the customer now: work with a static IP, work with VLAN tagging and two different VLANs, use two physical ports, or use one physical port and one SSID to reach the target configuration!

 

I hope he'll accept one of these!!

 

Thanks!!

 

markus

 
