Moderator
Posts: 243
Registered: ‎09-12-2007

Article discussion: Using Policy to Control Performance

This is the discussion thread for the article "Using Policy to Control Performance" at https://edge.arubanetworks.com/article/using-policy-control-performance
---
Jon Green, ACMX, CISSP
Security Guy
Aruba Employee
Posts: 49
Registered: ‎04-02-2007

Re: Article discussion: Using Policy to Control Performance

In addition, how many times have we had to troubleshoot an issue where a rogue DHCP server has cost many hours of tracking and troubleshooting?

The policy below will prevent DHCP server responses from coming from the wireless side. It will allow DHCP server responses to come from the wired side. Certainly, one can tighten this down by identifying the DHCP server instance.

ip access-list session
user any udp 68 deny
any any svc-dhcp permit
!
Moderator
Posts: 53
Registered: ‎04-09-2007

Re: Article discussion: Using Policy to Control Performance

Great point....using PEF to stop things that would otherwise harm the reliability of your network. Here's another example....if a wired user bridges his/her interface to the wireless NIC, what ramifications could there be? Well, spanning-tree convergence, HSRP/VRRP conflicts, routing issues, a whole host of things.....using PEF, you could essentially disconnect a client's wireless NIC if you see these types of frames coming from them....you know they're wired, so why not get them off of the wireless? To do this, using PEF, create a policy that gets applied in the user role that looks for these common "router-based" protocols coming from wireless clients. Things in this list should include OSPF, EIGRP, RIP, HSRP, VRRP, PIM, etc.....if anything hits against this, use the blacklist tag to knock them off the WLAN for 60 seconds or so.....once they disconnect from wired, they'll be able to connect once that timer expires. Here is an example policy:

netdestination HSRP
host 224.0.0.2

netdestination VRRP
host 224.0.0.18

netdestination RIP
host 224.0.0.9

netdestination OSPF
host 224.0.0.5
host 224.0.0.6

netdestination PIM
host 224.0.0.13

netdestination EIGRP
host 224.0.0.10

ip access-list session Detect_Bridge
any alias HSRP any deny log blacklist
any alias VRRP any deny log blacklist
any alias RIP any deny log blacklist
any alias OSPF any deny log blacklist
any alias PIM any deny log blacklist
any alias EIGRP any deny log blacklist
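As an added illustration (not part of the thread or of ArubaOS), the following constructed first-match evaluator models how the two session ACLs above behave: the unnamed DHCP policy that blocks server replies (UDP 68) from wireless users, and Detect_Bridge, which blacklists a client that sends routing-protocol hellos to the well-known multicast groups. The Flow/Rule structures, the `from_user` flag and the implicit final deny are assumptions of this model.

```python
"""Constructed model of Aruba-style session ACLs; not vendor code."""
from dataclasses import dataclass

# netdestination aliases exactly as defined in the Detect_Bridge post
ALIASES = {
    "HSRP": {"224.0.0.2"}, "VRRP": {"224.0.0.18"}, "RIP": {"224.0.0.9"},
    "OSPF": {"224.0.0.5", "224.0.0.6"}, "PIM": {"224.0.0.13"}, "EIGRP": {"224.0.0.10"},
}
# svc-dhcp covers both DHCP ports; "udp 68" is the client port, i.e. server replies
SERVICES = {"svc-dhcp": {("udp", 67), ("udp", 68)}, "udp 68": {("udp", 68)}}

@dataclass
class Flow:
    src: str          # source IP (constructed sample values in the tests)
    dst: str          # destination IP
    proto: str        # "udp", "ospf", ...
    dport: int        # destination port, 0 when the protocol has none
    from_user: bool   # True when the packet came in from a wireless client

@dataclass
class Rule:
    src: str          # "user" or "any"
    dst: str          # "any" or "alias <name>"
    service: str      # "any", "svc-dhcp", "udp 68"
    action: str       # "permit" or "deny"
    blacklist: bool = False   # the "blacklist" keyword on a deny rule

def matches(rule, flow):
    if rule.src == "user" and not flow.from_user:
        return False
    if rule.dst.startswith("alias ") and flow.dst not in ALIASES[rule.dst.split()[1]]:
        return False
    if rule.service != "any" and (flow.proto, flow.dport) not in SERVICES[rule.service]:
        return False
    return True

def evaluate(policy, flow):
    """First matching rule wins; a session ACL ends with an implicit deny (assumed)."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.blacklist
    return "deny", False

# "user any udp 68 deny" / "any any svc-dhcp permit": replies from wireless users are dropped
DHCP_POLICY = [Rule("user", "any", "udp 68", "deny"), Rule("any", "any", "svc-dhcp", "permit")]
# Detect_Bridge: any hello towards a routing-protocol group gets deny + blacklist
DETECT_BRIDGE = [Rule("any", f"alias {name}", "any", "deny", blacklist=True) for name in ALIASES]
```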
Guru Elite
Posts: 20,815
Registered: ‎03-29-2007

Article discussion: Using Policy to Control Performance

How would you drop IPV6 traffic?


Colin Joseph
Aruba Customer Engineering

Moderator
Posts: 53
Registered: ‎04-09-2007

Re: Article discussion: Using Policy to Control Performance

Two ways to accomplish this. Since 3.0, you are able to use ethertype ACLs in user roles.....use this to permit IPv4 and ARP, and deny anything else. Put this at the top of the list before your IPv4 policies. An example policy would look like this:

ip access-list eth ipv4-only
permit 0x800
permit 0x806
deny any

The other way would be to use IPv6 session policies in the user role. Create one that denies all, and add that to your user role.
Aruba Employee
Posts: 49
Registered: ‎04-02-2007

Re: Article discussion: Using Policy to Control Performance

or ..

ip access-list eth no-ipv6-acl
deny 0x86dd
permit any
!
MVP
Posts: 498
Registered: ‎04-03-2007

Take caution blocking IPv6 via eth ACL

Take caution and care when applying a no-ipv6 Ethernet ACL to the controller's port. If you have a lot of APs with multiple SSIDs (i.e., numerous BSSIDs), you run the risk that performing configuration saves (write mem) will cause APs to bootstrap. Configuring the Ethernet ACL will cause every frame to go through firewall processing.

The better course of action is to use the new knob added in 3.3.2.14:

conf t
no ipv6 enable
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
New Contributor
Posts: 3
Registered: ‎01-26-2010

Using PEF to re TOS traffic

Jon,

Although this thread is aging, I had to chime in. PEF's potential is well beyond a firewall, I totally agree. Just for one example, we re-classify / re-tag multicast video traffic inbound to our controllers from our Corporate Webcast Servers. We key off of multicast traffic bound to a specific multicast address range, and then we set the TOS value to a higher priority than regular video. Since these are All Hands Meetings and QEM meetings they have more precedence than regular video, which of course is using our standard WMM AC mappings for video. Works like a champ!!!
Occasional Contributor II
Posts: 41
Registered: ‎09-07-2009

Re: Article discussion: Using Policy to Control Performance

How can you accomplish this? Is WIP currently available?

don
Contributor I
Posts: 31
Registered: ‎04-03-2007

dropping IPv6 traffic

Does Ryan's suggestion below of "no ipv6 enable" drop all IPv6 traffic in/out of the controller?