11-23-2016 10:59 AM
I have a role that our computer technician receive whenever they log onto a laptop wich mostly allow them to talk to any/any/any. For some reason, this does not seam to be enough for them to connect with WinVNC to another user laptop.
Common users have rules in their role saying that they can receive communication from the wired technicien vlan. This works.
So now I realize that I should allow my mobility role TI to talk to the mere mortal role. But I cannot figure how to say that.
The wired vlan has his own IP range, so this was easy. However the mobility role can be in whatever IP range it please, depending on the site where the technicien currently is.
I guess I should force a VLAN for the TI role but I've never done that. On the other hand the trainers were so proud to tell us to get away of the whole ip range paradigme that I guess there is a way to tell a role to accept communication from another role.
Solved! Go to Solution.
11-26-2016 02:59 AM
Whenever something does not work, you should type "show datapath session table <ip address of client>" to see if your traffic is blocked by the controller's firewall.
There is no mechanism to block traffic from one role to another; you are right.
My only piece of advise is that unless you have a very, very good reason to block traffic, you should treat the wireless like wired traffic and then strategically weigh blocking traffic vs. the hassle of troubleshooting.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Re: Allow traffic between role rule
11-28-2016 05:48 AM
Thanks for the reply Collin. That's a bummer. I really thought there was such concept.
Our traffic is blocked by default. So I'm trying to grant access to the technicians. I do not want students to fiddle with WinVNC communication on either wired or wireless access. But the TI role should be able to do it. I guess I will have to assign a different VLAN to the technician then but I've never done that. Can't be that hard isn't it ?