07-01-2013 01:22 AM
The controller is on the 192.168.0.248/24 VLAN, and it has two VLANs that extend to our LAN. The two VLANs are 10.3.150.0 and 10.3.151.0 for employee and guest. I configured the controller to have the IP addresses 10.3.150.2 and 10.3.151.2 on both VLANs.
I managed to prevent users from accessing the management portal through the 192.168.0.248 IP, but guest users can still access the management portal through the 10.3.151.2 IP address. How to prevent that?
I thought about removing that IP address from the VLAN configuration, but I didn't know if that would disrupt the functionality of the DHCP.
Any ideas on how to do that?
Thanks in advance.
07-01-2013 03:31 AM - edited 07-01-2013 05:54 AM
Create an access list to deny HTTPS/SSH to the management IP address and place it right on top in the user roles employee and guest:
access-list session CONTROLLER-PROTECTION-ACL position 1
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
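A fuller version of the session-ACL approach from the answer above, written out here as an added example; it is not configuration from the original thread. The netdestination name, the ACL body and the `!` comment lines are assumptions; the two addresses are the ones the original poster gave, and the role names are the ones the answer names. As the thread notes further down, session ACLs on the controller require the PEFNG license.

```text
! Group the controller's VLAN-facing addresses (from the question: 10.3.150.2 and 10.3.151.2)
netdestination CONTROLLER-MGMT
  host 10.3.150.2
  host 10.3.151.2
!
! Deny HTTPS and SSH from wireless users to those addresses.
! Only the management services are blocked, so DHCP served by the controller
! on these VLANs keeps working.
ip access-list session CONTROLLER-PROTECTION-ACL
  user alias CONTROLLER-MGMT svc-https deny
  user alias CONTROLLER-MGMT svc-ssh deny
!
! Put the ACL first in both roles so it is evaluated before any allow rule
user-role guest
  access-list session CONTROLLER-PROTECTION-ACL position 1
!
user-role employee
  access-list session CONTROLLER-PROTECTION-ACL position 1
```

After applying it, `show rights guest` (and `show rights employee`) lists the ACLs in a role in evaluation order, which is the quickest check that CONTROLLER-PROTECTION-ACL really sits at position 1 rather than after an allow-all rule.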
07-01-2013 10:58 PM
Session ACL configured with the ip access-list session command.
Note: This parameter requires the PEFNG license.
I don't have the PEFNG license, and buying the license is not an option. We limited the guest VLAN access to our internal network through an ACL on the switch port connected to the controller.
Is there any other way to do it?
07-02-2013 07:03 PM
Depending on your configuration you may be able to configure the VLAN number that corresponds to that IP range as untrusted under the port configuration. This will stop the users from having the ability to connect to the controller on that interface. I have done that in the past when I have not had the PEF license.
07-03-2013 02:10 AM
Configuring the VLAN as untrusted killed all connections to the internal network and to the internet.
I want employee to have access to the internal network; guest is already filtered on the switch. But both have access to the controller.
If you have done it before, then I must be doing something wrong. Any ideas?
07-03-2013 02:40 AM
OK, for your VLANs, is the default gateway for those VLANs (10.3.150.0 and 10.3.151.0) the Aruba controller or is it the core switch? If the default gateway is the core switch and not the controller then you should not need to have IP addresses on the controller for those VLANs.
If the default gateway for those VLANs is the Aruba controller and you are routing all traffic through the controller then there is probably not a lot you can do without a PEF license.
If you could post your config that includes the VLAN, IP and port configuration that would help.
07-03-2013 04:36 AM
But the controller is the DHCP server for VLAN 150 and 151; if I remove the IP address of the controller, will that affect it?
The gateway is the switch and not the controller, as you see in the attached configuration.
Thank you for your help, I really appreciate it.
07-03-2013 04:11 PM
As the controller is the DHCP server, then I think the only way you will be able to do it is via a PEF license, unless you can move DHCP to a server on the network rather than the controller.
07-03-2013 11:01 PM
You are right; for now, due to how the network is designed, I can't move the DHCP server. Later in time we are going to do that, then I'll just disable the DHCP on the controller and point the users to a DHCP server on the network.
Revans, thank you for your help, I really appreciate it.