Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

AOS8 - deny inter user traffic within clustered MD

  • 1.  AOS8 - deny inter user traffic within clustered MD

    Posted Dec 07, 2022 05:42 AM

    We are running AOS 8.6 with 2 MDs per cluster; clients and APs are nicely balanced between both MDs.

    We have a guest network where we set deny-inter-user-traffic at the virtual AP level.
    This works fine for active clients connected to the same MD. However, when a client performs a network scan, it detects clients who are anchored to the other MD. It is possible to ping a client on the other MD, while pinging clients on the same MD is not.

    A port scan also discovers open/blocked/closed ports on other clients (on the other MD), so this opens a security risk.


    Setting a user-role that only allows traffic to the default gateway on that network does not solve the issue.

    It looks like the concept of "deny-inter-user-traffic" is not valid in a clustered MD setup.
    Is there any other security measure we can take?



    ------------------------------
    Danny Bosman
    KBC Group - Belgium
    ------------------------------


  • 2.  RE: AOS8 - deny inter user traffic within clustered MD

    MVP EXPERT
    Posted Dec 07, 2022 02:34 PM
    Hi Danny,

    As far as I know, deny-inter-user-traffic works only within the same controller. When leaving the controller, your client is visible at layer 2 on the Ethernet switch and the controller has no control over it. That's why you see incoming Ethernet packets from the second controller and/or other wired clients in the same VLAN.

    Maybe you can try client isolation on your switch backend, but personally I never tried that.

    Mostly I solved this only at layer 3 in the user-role, where I put a "user destination rfc1918-nets deny". So a user cannot have a private LAN IP address as destination (when you want internet-only, of course).

    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: AOS8 - deny inter user traffic within clustered MD

    Posted Dec 08, 2022 07:10 AM

    Marcel,
    thanks for your answer. Unfortunately, this solution does not prevent devices on another MD from being discovered and/or pinged. Some L2 protection is needed.



    ------------------------------
    Danny Bosman
    KBC Group - Belgium
    ------------------------------



  • 4.  RE: AOS8 - deny inter user traffic within clustered MD

    MVP EXPERT
    Posted Dec 08, 2022 06:38 PM
    Hi Danny,

    The inter-user traffic denial happens only within a Mobility Controller and does not span across multiple Mobility Controllers.

    See also this topic: https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=d89d5945-fe80-4273-8200-f3b9a313da11

    You can prevent layer-3 traffic (such as a ping) in the user-role ACL.


    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
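
    A worked version of the layer-3 approach described in replies 2 and 4, added here as an example; it is not Marcel's configuration or Aruba's own documentation. The netdestination name follows the alias mentioned in reply 2; the ACL and role names, the DNS resolver address and the address ranges permitted for infrastructure are assumptions for a typical guest VLAN.

```text
! Added example (not from the thread): internet-only guest role that drops
! traffic from the wireless user to private address space at layer 3.
! ArubaOS session ACL rules are evaluated top-down, first match wins.
netdestination rfc1918-nets
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
ip access-list session guest-internet-only
  ! A guest must never act as a DHCP server towards other guests
  user any udp 68 deny
  ! DHCP itself must still work so the client can get an address
  any any svc-dhcp permit
  ! DNS to the resolver handed out on the guest VLAN
  ! (10.0.0.53 is a constructed placeholder, replace with the real resolver)
  user host 10.0.0.53 svc-dns permit
  ! Everything else addressed to private space is dropped, ICMP included,
  ! so a ping or port scan towards another guest's private IP is blocked
  ! on the controller regardless of which MD anchors the target.
  ! Note: this is layer 3 only; as the original post reports, layer-2
  ! discovery on the shared VLAN between the two MDs is not covered.
  user alias rfc1918-nets any deny
  ! Remaining traffic (public internet) is allowed
  user any any permit
!
user-role guest
  access-list session guest-internet-only
```

    Verify the rule hits with "show rights guest" and, for a connected client, "show datapath session table <client-ip>", which lists the denied flows toward private destinations.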



  • 5.  RE: AOS8 - deny inter user traffic within clustered MD

    EMPLOYEE
    Posted Dec 09, 2022 10:58 AM
    @dannybosman I believe it was fixed in ArubaOS 8.7.1.x and above (EDIT)

    https://www.arubanetworks.com/techdocs/ArubaOS/Consolidated_8.x_RN/Content/8.7/10/resolved_8710.htm
    aos-206878

    I will double-check and get back to you.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------