Wireless Access

  • 1.  Public IP address entries populating user table.

    Posted Nov 30, 2023 04:02 PM
    Hello,
     
    Noticed on an Aruba 7008 controller (8.10.0.7) that public IP addresses appear to be populating the user table under "wired" alongside the wireless users, consuming user table entries.
     
    Consequently, the 1024-user limit on the controller keeps being breached, and alongside the error messages, users on the site experience connectivity issues.
     
    The setup is pretty straightforward:
     
    wireless user -> AP -> 7008 controller -> wired connection -> ISP firewall.
    - the wired connection is a direct Cat6 cable from the controller to the ISP firewall port.
     
     
    I've found an article suggesting that modifying the "validuser" ACL might fix the issue, but having tried this by defining only the internal subnet, whilst the public IP addresses disappeared, unfortunately so did the internet connectivity.
     
    Has anyone had a similar experience and if so, what was the fix for it?
     
    Is there any documentation someone can point me towards to explain the use of roles and profiles as I suspect there is a misconfiguration somewhere.
     
    Apologies if this is a noob question and there is an obvious answer, but that answer is eluding me.
     
    Many thanks in advance.


  • 2.  RE: Public IP address entries populating user table.
    Best Answer

    Posted Dec 03, 2023 08:02 PM

    That is because your interface that is physically connected to the firewall is "untrusted". Having a wired interface be untrusted means any traffic that tries to enter that wired interface from the outside becomes a "user".

    You should have a session ACL on that port instead of making it untrusted.

    You should have something like this:

    interface vlan 4000
        ip address dhcp-client
        ip nat outside

    ip access-list session Uplink
        any any svc-dhcp permit
        any any any deny

    interface gigabitethernet 0/0/3
        description "GE0/0/3"
        trusted
        trusted vlan 4000
        no poe
        ip access-group session "Uplink"
        switchport mode access
        switchport access vlan 4000


    It will allow your controller to get a DHCP IP address but block everything else. VLAN 4000 is the VLAN that I use to obtain the WAN IP address that the router assigns to me.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
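    Added example (not from the original post or either participant): the two uplink-port configurations side by side, in ArubaOS CLI form, so the difference the answer above describes is visible. The interface name, VLAN number and ACL name are taken from the answer; the "before" stanza with `no trusted` is my assumption of what the symptom configuration looks like, the `show user-table` line is an assumed verification step, and the `!`-prefixed lines are annotations to strip before pasting into a controller.

```text
! --- BEFORE (symptom): uplink port untrusted (assumed configuration) ---
! On an untrusted port the controller treats every new source address
! arriving from the ISP side as a "wired" user, so public IPs consume
! entries in the 1024-entry user table.
interface gigabitethernet 0/0/3
    description "GE0/0/3"
    no trusted
    switchport mode access
    switchport access vlan 4000

! --- AFTER (fix): port trusted, a session ACL does the filtering ---
interface vlan 4000
    ip address dhcp-client
    ip nat outside

! Session ACL: let the controller's own DHCP through, deny anything else
! that tries to enter the uplink unsolicited. Session ACLs are stateful,
! so replies to sessions opened from the inside match the existing session.
ip access-list session Uplink
    any any svc-dhcp permit
    any any any deny

interface gigabitethernet 0/0/3
    description "GE0/0/3"
    trusted
    trusted vlan 4000
    no poe
    ip access-group session "Uplink"
    switchport mode access
    switchport access vlan 4000

! Verify (assumed command): external addresses should no longer appear
! as wired users once the port is trusted.
show user-table
```

    The point of the change is that "trusted" stops user creation for traffic entering the port, while the session ACL keeps unsolicited inbound traffic out; with the port untrusted, the validuser ACL is what decides which source addresses may become users, which is why restricting it to the internal subnet also removed the entries.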



  • 3.  RE: Public IP address entries populating user table.

    Posted Dec 08, 2023 09:48 AM

    Hello,

    Thanks very much; setting the interface and the VLAN as "trusted" fixed the issue in the end.