That is because your interface that is physically connected to the firewall is "untrusted". Having a wired interface be untrusted means any traffic that tries to enter that wired interface from the outside becomes a "user".
You should have a session ACL on that port instead of making it untrusted. You should have something like this:
interface vlan 4000
  ip address dhcp-client
  ip nat outside
!
ip access-list session Uplink
  any any svc-dhcp permit
  any any any deny
!
interface gigabitethernet 0/0/3
  description "GE0/0/3"
  trusted
  trusted vlan 4000
  no poe
  ip access-group session "Uplink"
  switchport mode access
  switchport access vlan 4000
!
It will allow your controller to get a DHCP IP address, but block everything else. VLAN 4000 is the VLAN that I use to obtain the WAN IP address that the router assigns to me.
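To show why the rule order in that session ACL matters, here is an added example (written for this page, not code from the reply above or from ArubaOS) that parses the ACL text and evaluates sample flows top-down with first-match semantics. It assumes the ACL is evaluated in order with an implicit deny at the end, that the predefined alias `svc-dhcp` means UDP ports 67-68, and it invents a couple of other aliases (`svc-http`, `svc-ssh`) and a `Flow` record for illustration; the source/destination `any` fields are accepted but not matched on, because the post's rules only use `any`.

```python
"""Added example: first-match evaluation of an ArubaOS-style session ACL.

Assumptions (not taken from the forum post): rules are matched top-down,
first match wins, an unmatched flow is denied, and svc-dhcp is UDP 67-68.
"""
from dataclasses import dataclass

# Service aliases -> (protocol, low port, high port). svc-dhcp as UDP 67-68 is
# an assumption about the predefined netservice; the others are illustrative.
SERVICE_ALIASES = {
    "svc-dhcp": ("udp", 67, 68),
    "svc-http": ("tcp", 80, 80),
    "svc-ssh": ("tcp", 22, 22),
    "any": ("any", 0, 65535),
}


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str     # "permit" or "deny"


def parse_session_acl(text):
    """Parse 'ip access-list session NAME' plus 'src dst service action' lines.

    Returns (name, [Rule, ...]) in the order the rules appear, which is the
    order they are evaluated in.
    """
    name, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("ip access-list session "):
            name = line.split()[3]
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        if parts[2] not in SERVICE_ALIASES:
            raise ValueError(f"unknown service alias: {parts[2]!r}")
        rules.append(Rule(*parts))
    return name, rules


def service_matches(service, flow):
    """True when the flow's protocol and destination port fall in the alias."""
    proto, lo, hi = SERVICE_ALIASES[service]
    if proto != "any" and proto != flow.proto:
        return False
    return lo <= flow.dst_port <= hi


def evaluate(rules, flow):
    """First matching rule decides; no match means deny (assumed implicit deny)."""
    for rule in rules:
        if service_matches(rule.service, flow):
            return rule.action
    return "deny"


def unreachable_rules(rules):
    """Rules that can never match because an earlier rule already covers them.

    A rule is shadowed when an earlier rule uses the same alias or 'any'.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        if any(e.service in ("any", rule.service) for e in rules[:i]):
            shadowed.append(rule)
    return shadowed


# Constructed copy of the ACL from the reply above.
UPLINK_ACL = """
ip access-list session Uplink
  any any svc-dhcp permit
  any any any deny
!
"""

# Constructed mis-ordered variant: the deny now sits above the DHCP permit.
MISORDERED_ACL = """
ip access-list session Uplink-bad
  any any any deny
  any any svc-dhcp permit
!
"""

DHCP_OFFER = Flow("udp", 68)     # DHCP server -> client
HTTPS_FROM_WAN = Flow("tcp", 443)


if __name__ == "__main__":
    for text in (UPLINK_ACL, MISORDERED_ACL):
        name, rules = parse_session_acl(text)
        print(name, "dhcp:", evaluate(rules, DHCP_OFFER),
              "https:", evaluate(rules, HTTPS_FROM_WAN),
              "shadowed:", [r.service for r in unreachable_rules(rules)])
```

Running it shows the reply's ACL permitting the DHCP offer and denying everything else, while the mis-ordered copy denies DHCP too because its permit is shadowed by the `any any any deny` above it; `unreachable_rules` flags exactly that shadowed line, which is the check worth running before pushing a session ACL to an uplink port.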
Thanks very much - setting the interface and the VLAN as "trusted" fixed the issue in the end.
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.