08-28-2019 11:29 PM
I recently noticed some strange behaviour in our IAP cluster.
We have two SSIDs: one for internal staff, giving full access to the LAN (with the same setup as a local computer), and another one for visitors. The visitor SSID is set up to put connected users in VLAN 99, authorising internet access only (the internet access rules are managed via our firewall).
It has worked fine for a long time now, but I recently discovered that a user connected to the visitor SSID (in VLAN 99) could ping and connect to another user connected via the internal staff SSID (default VLAN 0).
I checked the firewall and the switch; there is no inter-VLAN routing. I did various tests and I'm quite sure the "inter-VLAN connection" is done inside the IAP cluster, not on the LAN side.
I don't understand what I did wrong in my IAP cluster setup, but I really need to fix it: visitors mustn't be able to reach internal staff computers connected via Wi-Fi.
Thanks in advance for your help.
08-28-2019 11:46 PM - edited 08-28-2019 11:49 PM
By default, routing traffic between two clients of an IAP on different VLANs is done via the IAP. This is by design (in my opinion, the default should be disabled). Use the command "deny-local-routing" to disable it. The following link should provide more information:
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
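The change described in the answer above, written out as a CLI session on the Instant virtual controller together with the check a practitioner would want. This is an added example, not part of the original thread: the hostname in the prompt is assumed, and the only setting it touches is the one the answer names.

```text
! Added example (not from the original post). The "(Instant AP)" hostname
! in the prompts is an assumption; your cluster will show its own name.
(Instant AP)# configure terminal
(Instant AP)(config)# deny-local-routing
(Instant AP)(config)# end
(Instant AP)# commit apply

! Confirm the setting was committed: the line should appear in the running config
(Instant AP)# show running-config
...
deny-local-routing
...
```

After `commit apply`, repeat the test from the question: a client on the visitor SSID (VLAN 99) pinging a client on the staff SSID should now time out. Keep in mind that `deny-local-routing` only stops the IAP itself from forwarding between VLANs; any inter-VLAN path that exists upstream (switch or firewall) is unaffected, so the firewall rules for VLAN 99 still need to be in place. To revert, use `no deny-local-routing` followed by `commit apply`.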