Following problem, my customer wants to connect a phone to port 1 of the RAP! Laptop will be connected to the integrated phone-switch! So two clients on a single port.
Special about that, the phone should get its IP address from the internal network but the DHCP request from the PC should already be bridged out to the local Fritzbox! So no NAT included....!
I've created a rule like this:
Host MAC: 00:80:9f:00:00:00
Subnet bits: 00:00:00:ff:ff:ff
So everything coming from MAC range 00:80:9f:00:00:00 to 00:80:9f:ff:ff:ff should be permitted and forwarded through the tunnel!
I have created a user role with this MAC rule as a first statement, second statement was:
source user destination any service any route
But this doesn't work! I can see matches on the MAC policy and the phone gets connected, but the PC is not getting its IP address from the local device...!
Do I need the "source NAT" statement anyway although that doesn't make sense to me? Or have I forgotten something? or is a mix of layer 2 and layer 3 rules not possible? And is the MAC-range config correct like this?
Any idea on how to solve that would be very much appreciated!!
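The original post asks whether the host-MAC / subnet-bits pair above really selects the range 00:80:9f:00:00:00 to 00:80:9f:ff:ff:ff. The Python below is an added example, not code from the thread or from Aruba: it implements the poster's own reading of the rule (bits set in "subnet bits" are wildcard bits) and also the opposite, IP-netmask-style reading, so the two resulting ranges can be compared against what the controller documentation says for the firmware in use. Which reading the controller applies is an assumption to verify, not something the thread confirms.

```python
"""MAC range rule checker (added example; mask semantics are an assumption)."""

MAC_ALL = 0xFFFFFFFFFFFF  # all 48 bits set


def parse_mac(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a colon-separated MAC: {mac!r}")
    return int("".join(parts), 16)


def fmt_mac(value: int) -> str:
    """Render a 48-bit integer as 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def _masks(subnet_bits: str, wildcard: bool):
    """Return (wild, fixed) bit masks for the chosen rule semantics.

    wildcard=True : bits set in subnet_bits are 'don't care' (the poster's reading).
    wildcard=False: bits set in subnet_bits must match, like an IP netmask.
    """
    bits = parse_mac(subnet_bits)
    wild = bits if wildcard else (MAC_ALL ^ bits)
    return wild, MAC_ALL ^ wild


def mac_rule_range(host_mac: str, subnet_bits: str, wildcard: bool = True):
    """Lowest and highest MAC the rule selects, as formatted strings."""
    wild, fixed = _masks(subnet_bits, wildcard)
    low = parse_mac(host_mac) & fixed
    return fmt_mac(low), fmt_mac(low | wild)


def mac_matches(candidate: str, host_mac: str, subnet_bits: str,
                wildcard: bool = True) -> bool:
    """True when candidate falls inside the rule's range."""
    _, fixed = _masks(subnet_bits, wildcard)
    return (parse_mac(candidate) & fixed) == (parse_mac(host_mac) & fixed)


if __name__ == "__main__":
    host, bits = "00:80:9f:00:00:00", "00:00:00:ff:ff:ff"  # values from the post
    # Constructed sample addresses: one inside the OUI, one just outside it.
    for sem in (True, False):
        print("wildcard semantics" if sem else "netmask semantics",
              mac_rule_range(host, bits, wildcard=sem))
    for cand in ("00:80:9f:12:34:56", "00:80:a0:12:34:56"):
        print(cand, "matches" if mac_matches(cand, host, bits) else "no match")
```

Under the wildcard reading the rule covers exactly the OUI 00:80:9f, as the post expects; under the netmask reading the same two values would pin the last three octets to 00:00:00 and let the OUI vary, which is clearly not the intent. Running both makes the check explicit before the rule goes into a user role.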
Policy on the port of a RAP is not effective if there is a switch between the RAP port and the devices. Also the ethernet, or "mac" policy will not work in the context you are using it for. Lastly, split tunneling will not work with the mac policy you are trying to use it for.
Split-Tunnel is really only for layer 3 traffic, not layer 2 traffic like DHCP. A client will only get an ip address from the local network if the traffic is on a bridged, not split tunnel interface. Again, putting a switch between clients and an AP interface breaks the security with regards to intercepting layer 2 traffic, so it should not be done. Clients on the same switch can easily talk to each other or send and receive traffic to each other without being enforced on the RAP.
Thanks for the answer!
But this is a really common configuration for a home office solution! The phone is connected to the RAP, the Laptop to the phone!
So the only possible solution would be to configure either a static IP address and use layer 3 ACLs or configure an SSID in bridge mode for the laptop to connect?
I do not think it is impossible. Using split tunneling and a switch is the problem.
Is this a site with a single employee with a phone and a laptop?
Yes, they are in the testing phase to roll it out as a home office solution...always a single person working behind the RAP!
We did this configuration some years ago, but I think we used two different vlans on this project, this time the customer doesn't want to configure the phones for vlan tagging....that's the challenge!
What kind of RAP are they using? This could be done if the phone plugs into one wired port and the PC into another wired port or uses wireless. It is the PC plugging into the phone switch that would break the split tunnel.
Thanks for your help!
I've shown four different options to the customer now, work with static IP, work with vlan tag and two different vlans, use two physical ports or use one physical port and one SSID to reach the target configuration!
I hope he'll accept one of these!!
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.