Controllerless Networks

inter vlan routing in IAP Cluster

Hello,

I recently noticed a strange behavior in our IAP cluster.

We have two SSIDs: one for internal staff, giving full access to the LAN (with the same setup as a local computer), and another one for visitors. The visitor SSID is set up to put connected users in VLAN 99, authorising internet access only (the internet access rules are managed via our firewall).

It has worked fine for a long time now, but I recently discovered that a user connected to the visitor SSID (in VLAN 99) could ping and connect to another user connected via the internal staff SSID (default VLAN 0).

I checked the firewall and switch; there is no inter-VLAN routing. I did various tests and I'm quite sure the "inter-VLAN connection" is done inside the IAP cluster, not on the LAN side.

I don't understand what I did wrong in my IAP cluster setup, but I really need to fix it. Visitors mustn't be able to reach internal staff computers connected via Wi-Fi.

Thanks in advance for your help.
Olivier

Re: inter vlan routing in IAP Cluster

By default, routing traffic between two clients of an IAP on different VLANs is done via the IAP. This is by design (in my opinion, the default should be disabled). Use the command "deny-local-routing" to disable it. The following link should provide more information:

https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/CLI_commands/deny-local-routing.htm

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
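
To check which SSIDs still allow the local routing described in the reply above, the following audit script is an added example, not part of the original thread or of Aruba's tooling. It assumes the configuration is available as text with `wlan ssid-profile <name>` stanzas and that `deny-local-routing` appears as a line inside the stanza; the sample configuration and the profile names are constructed.

```python
import re

# Constructed sample in the style of an Instant AP running configuration.
# Profile names and values are illustrative, not taken from the thread.
SAMPLE_CONFIG = """\
wlan ssid-profile Staff
 enable
 type employee
 essid Staff
 opmode wpa2-aes
wlan ssid-profile Visitors
 enable
 type guest
 essid Visitors
 vlan 99
wlan ssid-profile Lab
 enable
 essid Lab
 vlan 50
 deny-local-routing
"""

def parse_ssid_profiles(config):
    """Return {profile_name: [stanza lines]} for each wlan ssid-profile."""
    profiles, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"^wlan ssid-profile\s+(.+?)\s*$", raw)
        if header:
            current = header.group(1).strip('"')
            profiles[current] = []
        elif raw.startswith((" ", "\t")) and current is not None:
            profiles[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return profiles

def profiles_allowing_local_routing(config):
    """List (profile, vlan) pairs whose stanza lacks deny-local-routing."""
    findings = []
    for name, lines in parse_ssid_profiles(config).items():
        if "deny-local-routing" in lines:  # exact match, so a "no ..." line fails
            continue
        vlan = next((l.split()[1] for l in lines if re.fullmatch(r"vlan \S+", l)), None)
        findings.append((name, vlan))  # vlan None = no vlan line in the stanza
    return findings

if __name__ == "__main__":
    for name, vlan in profiles_allowing_local_routing(SAMPLE_CONFIG):
        print(f"{name}: deny-local-routing not set (vlan={vlan})")
```
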
Re: inter vlan routing in IAP Cluster

Hi Jibran,

Thanks, it works!!