The controller is on the 192.168.0.248/24 VLAN, and it has two VLANs that extend to our LAN. The two VLANs are 10.3.150.0 and 10.3.151.0, for employee and guest. I configured the controller to have the IP addresses 10.3.150.2 and 10.3.151.2 on the two VLANs.
I managed to prevent users from accessing the management portal through the 192.168.0.248 IP, but guest users can still access the management portal through the 10.3.151.2 IP address. How do I prevent that?
I thought about removing that IP address from the VLAN configuration, but I didn't know if that would disrupt the functionality of the DHCP.
Any ideas on how to do that?
Thanks in advance.
Create an access list to deny HTTPS/SSH to the management IP address and place it right at the top of the user roles employee and guest:
access-list session CONTROLLER-PROTECTION-ACL position 1
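A worked version of that suggestion, as an added example that is not part of the original thread: a session ACL that denies HTTPS and SSH from any user to the controller's two VLAN interface addresses (10.3.150.2 and 10.3.151.2, from the question), placed at position 1 in both user roles. The role names `employee` and `guest` are assumed; the ACL name is the one quoted in the reply. As the thread itself notes, session ACLs in user roles require the PEFNG license.

```aruba
! ArubaOS CLI, config mode. Example only; role names are assumed.
ip access-list session CONTROLLER-PROTECTION-ACL
  ! source "user" = the authenticated client's own IP
  user host 10.3.150.2 svc-https deny
  user host 10.3.150.2 svc-ssh   deny
  user host 10.3.151.2 svc-https deny
  user host 10.3.151.2 svc-ssh   deny
!
user-role employee
  ! position 1 so the deny is evaluated before any permit in the role
  access-list session CONTROLLER-PROTECTION-ACL position 1
!
user-role guest
  access-list session CONTROLLER-PROTECTION-ACL position 1
!
```

DHCP is unaffected because the ACL only matches TCP 443 and TCP 22 to those two hosts; after applying it, verify with `show rights employee` and `show rights guest` that the ACL is listed first, then confirm from a guest client that the portal on 10.3.151.2 no longer loads.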
Session ACL configured with the ip access-list session command. Note: This parameter requires the PEFNG license.
I don't have the PEFNG license, and buying the license is not an option. We limited the guest VLAN's access to our internal network through an ACL on the switch port connected to the controller.
Is there any other way to do it?
Depending on your configuration, you may be able to configure the VLAN number that corresponds to that IP range as untrusted under the port configuration. This will stop the users from having the ability to connect to the controller on that interface. I have done that in the past when I have not had the PEF license.
Configuring the VLAN as untrusted killed all connections to the internal network and to the internet.
I want employees to have access to the internal network; guest is already filtered on the switch. But both have access to the controller.
If you have done it before, then I must be doing something wrong. Any ideas?
OK, for your VLANs (10.3.150.0 and 10.3.151.0), is the default gateway the Aruba controller or is it the core switch? If the default gateway is the core switch and not the controller, then you should not need to have IP addresses on the controller for those VLANs.
If the default gateway for those VLANs is the Aruba controller and you are routing all traffic through the controller, then there is probably not a lot you can do without a PEF license.
If you could post your config that includes the VLAN, IP and port configuration, that would help.
But the controller is the DHCP server for VLANs 150 and 151. If I remove the IP address of the controller, will that be affected?
The gateway is the switch and not the controller, as you can see in the attached configuration.
Thank you for your help, I really appreciate it.
As the controller is the DHCP server, then I think the only way you will be able to do it is via a PEF license, unless you can move DHCP to a server on the network rather than the controller.
You are right; for now, due to how the network is designed, I can't move the DHCP server. Later on we are going to do that, and then I'll just disable DHCP on the controller and point the users to a DHCP server on the network.
Revans, thank you for your help, I really appreciate it.