Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

inter vlan routing in IAP Cluster

  • 1.  inter vlan routing in IAP Cluster

    Posted Aug 29, 2019 02:30 AM

    Hello,

    I recently noticed a strange behavior in our IAP cluster.

    We have two SSIDs, one for internal staff, giving full access to the LAN (with the same setup as a local computer), and another one for visitors. The visitor SSID is set up to put connected users in VLAN 99, authorising internet access only (the internet access rules are managed via our firewall).

    It has worked fine for a long time now, but I recently discovered that a user connected to the visitor SSID (in VLAN 99) could ping and connect to another user connected via the internal staff SSID (default VLAN 0).

    I checked the firewall and switch; there is no inter-VLAN routing. I did various tests and I'm quite sure the "inter-VLAN connection" is done inside the IAP cluster, not on the LAN side.

    I don't understand what I did wrong in my IAP cluster setup, but I really need to fix it. Visitors mustn't be able to reach internal staff computers connected via Wi-Fi.

    Thanks in advance for your help.

     

    Olivier



  • 2.  RE: inter vlan routing in IAP Cluster
    Best Answer

    Posted Aug 29, 2019 02:46 AM

    By default, routing traffic between two clients of an IAP on different VLANs is done via the IAP. This is by design (in my opinion, the default should be disabled). Use the command "deny-local-routing" to disable it. The following link should provide more information:

    https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/CLI_commands/deny-local-routing.htm



  • 3.  RE: inter vlan routing in IAP Cluster

    Posted Aug 29, 2019 05:35 AM

    Hi Jibran,

     

    Thanks, it works!!