Aruba controllers support L2 and L3 VLANs.

L2 VLAN:
1. No IP address is assigned to the VLAN interface on the controller.
2. Routing for user traffic is not done on the controller. The user's default gateway is usually an uplink device.

L3 VLAN:
1. The VLAN interface on the controller has an IP address assigned to it.
2. The default gateway can be the VLAN interface on the controller. User traffic will be routed as per the routing table of the controller.

Sometimes we do not want the controller to be the default gateway for the users. For example, we want user traffic to be forwarded by the firewall and not by the controller (which may end up forwarding it to the corporate router that is the controller's default gateway).

If we do not want end users to be able to change their default gateway from the firewall to the controller, we can disable IP routing on the VLAN.

    # config t
    # interface vlan 1
    # no ip routing

To verify:

    #show datapath vlan table

    Datapath VLAN Table Entries
    ---------------------------
    Flags: N - Nat Inside, M - Route Multicast, R - Routing
           S - Snoop MLD, G - Snoop IGMP, P - Proxy IGMP
           B - BCMC Optimization, A - Proxy ARP, U - Suppress ARP
           1(cert-id) - 8021X Term-PEAP, 2(cert-id) - 8021X Term-TLS
    VLAN  Flags         Ports
    ----  ------------  -----
    1     U             1/3
    2     RU            1/0, 1/2

The output above shows that VLAN 1 no longer has the R flag, because routing has been disabled on that VLAN.

After this configuration, any traffic that reaches VLAN 1 of the controller and needs to be routed to a different VLAN will be dropped. We can still ping the VLAN interface, but the controller will no longer forward the packets.

Note: We can have NAT enabled on the controller if the default gateway for the users is the controller VLAN. However, it will not work, and the user traffic will be dropped, if routing is disabled on the interface.

It is recommended to configure "no ip routing" on the VLAN used for captive portal / guest SSIDs if we want to prevent users from routing their traffic through the controller.
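The verification step can be automated. The following Python check is an added example, not part of the original article or of Aruba's tooling: it parses saved "show datapath vlan table" output and reports VLANs that are expected to be non-routed (for example guest VLANs) but still carry the R flag. The function names and the whitespace-separated column layout are assumptions based on the output shown in the article.

```python
import re

# Constructed sample that follows the table layout shown in the article.
SAMPLE_OUTPUT = """\
Datapath VLAN Table Entries
---------------------------
Flags: N - Nat Inside, M - Route Multicast, R - Routing
       B - BCMC Optimization, A - Proxy ARP, U - Suppress ARP
VLAN  Flags         Ports
----  ------------  -----
1     U             1/3
2     RU            1/0, 1/2
"""

PORT_RE = re.compile(r"^\d+/\d+")  # a port looks like slot/port, e.g. 1/3


def parse_vlan_table(text):
    """Return {vlan_id: (flags, [ports])} for the rows below the VLAN header."""
    table, in_rows = {}, False
    for line in text.splitlines():
        fields = line.split(None, 2)
        if not in_rows:
            # Skip the title and flag legend until the column header.
            in_rows = fields[:2] == ["VLAN", "Flags"]
            continue
        if not fields or not fields[0].isdigit():
            continue  # dashed separator or blank line
        rest = fields[1:]
        # The Flags column may be empty; the next field is then already a port.
        no_flags = not rest or PORT_RE.match(rest[0])
        flags = "" if no_flags else rest[0]
        ports = " ".join(rest if no_flags else rest[1:])
        table[int(fields[0])] = (flags, [p.strip() for p in ports.split(",") if p.strip()])
    return table


def audit_no_routing(text, must_not_route):
    """List (vlan, problem) for VLANs that should have 'no ip routing' applied."""
    table = parse_vlan_table(text)
    findings = []
    for vlan in sorted(must_not_route):
        if vlan not in table:
            findings.append((vlan, "not in table"))
        elif "R" in table[vlan][0]:
            findings.append((vlan, "routing enabled"))
    return findings
```
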
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.