Thanks very much - setting the interface and the VLAN as "trusted" fixed the issue in the end.
Original Message:
Sent: Dec 03, 2023 08:02 PM
From: cjoseph
Subject: Public IP address entries populating user table.
That is because your interface that is physically connected to the firewall is "untrusted". Having a wired interface being untrusted means any traffic that tries to enter that wired interface from the outside becomes a "user".
You should instead have a session ACL on that port, instead of making it untrusted:
You should have something like this:
interface vlan 4000
  ip address dhcp-client
  ip nat outside

ip access-list session Uplink
  any any svc-dhcp permit
  any any any deny

interface gigabitethernet 0/0/3
  description "GE0/0/3"
  trusted
  trusted vlan 4000
  no poe
  ip access-group session "Uplink"
  switchport mode access
  switchport access vlan 4000
It will allow your controller to get a dhcp ip address, but block everything else. VLAN 4000 is the VLAN that I use to obtain the WAN ip address that the router assigns to me.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
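The reply above describes the condition that fills the user table (an untrusted WAN-facing port) and the fix (trust the port and pin a DHCP-only session ACL to it). The script below is an added example, not code from the thread or from Aruba: it parses a constructed running-config style snippet, finds the ports whose access VLAN carries `ip nat outside`, and reports any of them that is explicitly `no trusted`, has no session ACL, or references an ACL that permits more than DHCP. The sample config, the second port `gigabitethernet 0/0/2` and the LAN port `gigabitethernet 0/0/1` are constructed for the example; the parser assumes the simple "top-level command, indented sub-commands" layout shown.

```python
import re

# Constructed sample in the style of an ArubaOS running-config. It contains
# the trusted uplink from the reply above plus a second, deliberately
# untrusted port on the same WAN VLAN and an unrelated LAN port.
SAMPLE_CONFIG = """\
ip access-list session Uplink
  any any svc-dhcp permit
  any any any deny
interface vlan 4000
  ip address dhcp-client
  ip nat outside
interface gigabitethernet 0/0/3
  description "GE0/0/3"
  trusted
  trusted vlan 4000
  no poe
  ip access-group session "Uplink"
  switchport mode access
  switchport access vlan 4000
interface gigabitethernet 0/0/2
  description "second uplink, misconfigured (constructed)"
  no trusted
  switchport mode access
  switchport access vlan 4000
interface gigabitethernet 0/0/1
  description "LAN (constructed)"
  trusted
  switchport mode access
  switchport access vlan 10
"""

ACL_RE = re.compile(r'^ip access-list session "?([^"\s]+)"?$')
VLAN_RE = re.compile(r'^interface vlan (\d+)$')
PORT_RE = re.compile(r'^interface (gigabitethernet|fastethernet) (\S+)$')
ACL_REF_RE = re.compile(r'^ip access-group session "?([^"\s]+)"?$')
ACCESS_VLAN_RE = re.compile(r'^switchport access vlan (\d+)$')


def parse_blocks(text):
    """Group indented sub-commands under their top-level (column 0) command."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def acl_is_dhcp_only(rules):
    """True when the session ACL permits only DHCP and carries an explicit deny-all."""
    permits = [r for r in rules if r.endswith(" permit")]
    return permits == ["any any svc-dhcp permit"] and "any any any deny" in rules


def audit_uplinks(config_text):
    """Return {port: [issues]} for every port whose access VLAN is a NAT-outside VLAN."""
    blocks = parse_blocks(config_text)
    acls = {}
    wan_vlans = set()
    for header, lines in blocks.items():
        m = ACL_RE.match(header)
        if m:
            acls[m.group(1)] = lines
        m = VLAN_RE.match(header)
        if m and "ip nat outside" in lines:
            wan_vlans.add(m.group(1))

    findings = {}
    for header, lines in blocks.items():
        m = PORT_RE.match(header)
        if not m:
            continue
        vlans = {v.group(1) for v in map(ACCESS_VLAN_RE.match, lines) if v}
        if not vlans & wan_vlans:
            continue  # not an uplink port, nothing to check
        port = f"{m.group(1)} {m.group(2)}"
        issues = []
        # An explicit "no trusted" on a WAN-facing port is the condition that
        # turns traffic arriving from the outside into user-table entries.
        if "no trusted" in lines:
            issues.append("port is untrusted; outside traffic will populate the user table")
        refs = [r.group(1) for r in map(ACL_REF_RE.match, lines) if r]
        if not refs:
            issues.append("no session ACL applied; only DHCP should be allowed in")
        for name in refs:
            if name not in acls:
                issues.append(f"session ACL {name} is referenced but not defined")
            elif not acl_is_dhcp_only(acls[name]):
                issues.append(f"session ACL {name} permits more than DHCP")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_uplinks(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run against a real `show running-config` dump, the check only looks at ports that land on a VLAN with `ip nat outside`, so LAN ports are left alone; the ACL test is intentionally strict (exactly one DHCP permit plus a deny-all), which matches the "get a DHCP address, block everything else" intent of the reply.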
Original Message:
Sent: Nov 30, 2023 02:08 PM
From: JT
Subject: Public IP address entries populating user table.
Hello,
Noticed on an Aruba 7008 controller (8.10.0.7) that public IP addresses appear to be populating the user table under "wired" alongside the wireless users and consuming user table entries.
Consequently, the 1024 user limit on the controller keeps breaching and alongside the error messages, users on the site experience issues with connectivity.
The setup is pretty straight forward:
wireless user -> AP -> 7008 controller -> wired connection -> ISP firewall.
- the wired connection is a direct Cat6 cable from the controller to the ISP firewall port.
I've found an article suggesting that modifying the "validuser" ACL might fix the issue, but having tried this by defining only the internal subnet, whilst the public IP addresses disappeared, unfortunately so did the internet connectivity.
Has anyone had a similar experience and if so, what was the fix for it?
Is there any documentation someone can point me towards to explain the use of roles and profiles as I suspect there is a misconfiguration somewhere.
Apologies if this is a noob question and there is an obvious answer, but that answer is eluding me.
Many thanks in advance.
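The symptom in the question is wired user-table entries carrying public addresses and eating into the 1024-entry limit. The script below is an added example, not from the thread or from Aruba: it takes a constructed, simplified listing of user-table rows (columns `ip mac role type`; this is not the real `show user-table` layout, only a stand-in for it), flags wired entries whose address is outside the private, link-local and CGNAT ranges, and reports how much of the user limit is left. It deliberately uses an explicit network list instead of `ipaddress.is_global`, because the Python standard library classifies the documentation ranges used in the sample (203.0.113.0/24, 198.51.100.0/24) as non-global.

```python
import ipaddress

# Constructed, simplified user-table rows: "ip mac role type". Not the real
# `show user-table` format; the addresses are documentation ranges.
SAMPLE_USER_TABLE = """\
10.10.20.15    aa:bb:cc:00:00:01  authenticated  wireless
10.10.20.16    aa:bb:cc:00:00:02  authenticated  wireless
203.0.113.7    00:00:00:00:00:00  logon          wired
198.51.100.23  00:00:00:00:00:00  logon          wired
10.10.1.2      aa:bb:cc:00:00:03  authenticated  wired
"""

USER_LIMIT = 1024  # the controller limit mentioned in the question

# Address space that legitimately belongs inside the site. Anything else seen
# on a wired entry is treated as having come in from the outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # link-local
    "127.0.0.0/8",                                      # loopback
    "100.64.0.0/10",                                    # CGNAT
)]


def is_public(ip):
    """True if the address is outside every internal range above."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return not any(addr in net for net in INTERNAL_NETS)


def parse_user_table(text):
    """Parse the simplified listing into dicts; skips malformed rows."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, mac, role, kind = parts
        entries.append({"ip": ipaddress.ip_address(ip), "mac": mac,
                        "role": role, "type": kind})
    return entries


def summarize(entries, limit=USER_LIMIT):
    """Count wired entries with public addresses and the remaining headroom."""
    external = [e for e in entries if e["type"] == "wired" and is_public(e["ip"])]
    return {
        "total": len(entries),
        "external_wired": len(external),
        "external_ips": [str(e["ip"]) for e in external],
        "headroom": limit - len(entries),
    }


if __name__ == "__main__":
    print(summarize(parse_user_table(SAMPLE_USER_TABLE)))
```

A non-zero `external_wired` count on a controller whose only wired link is the uplink is the signature of the untrusted-port condition described in the reply above; once the port is trusted and the DHCP-only session ACL is in place, that count should stay at zero.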