Network Management

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

@Kevets wrote:

should my "Forward Mode" in VAP's that use VLAN 1 be set to tunnel? That's how they are currently


yes - don't change that.

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

To configure the validuser ACL you need to follow these steps, but it presumes you have a PEFNG license.

** note / disclaimer **

I have tried to follow your subnets, but you must double-check the below before just cut/pasting it into the controller CLI. Further, I strongly recommend you make a 'backup flash' just before doing this, in case you hit any issues and want to back out the changes (restore flash). You can also backup the flash from the controller webui, go to Maintenance -> Backup Flash -> Create Backup.


step 1> create a network destination called VALID_SUBNETS, add to it all your DHCP scopes for all VAPs. Note that in the future if you create a new subnet, you will need to add it to this list or the user will *not* appear in the controller, despite being able to associate.

 

 

configure t
netdestination VALID_SUBNETS
  network 10.20.4.0 255.255.252.0
  network 10.114.138.0 255.255.255.0
  network 10.170.138.0 255.255.255.0
  network 10.1.1.0 255.255.252.0
!


step 2> create a network destination called PROTECTED_HOSTS, add to it all your important host IPs that reside within user subnets (i.e. default gateways, AD servers, radius servers, external captive portals etc.)

 

I have scraped the below from your config, please double check each one. These IPs can never become users in the controller (which is a good thing).

 

 

configure t
netdestination PROTECTED_HOSTS
  host 10.20.4.1
  host 10.114.138.5
  host 10.170.138.1
  host 10.1.1.61
  host 10.1.1.10
  host 10.1.1.5
  host 10.1.1.3
!

 

step 3> we are going to create two new rules in the valid user ACL, and delete one rule:

  i)   add a rule "deny anything that is using a source IP within PROTECTED_HOSTS"

  ii)  add a rule "allow anything with a source IP within VALID_SUBNETS"

  iii) delete the rule  "allow anything from anywhere" (rule 6 below)

 

the existing ACL looks like this (tidied slightly to fit on this screen)

 

# show ip access-list session validuser
validuser
---------
Priority  Source                   Destination  Service  Application  Action
--------  ------                   -----------  -------  -----------  ------
1         127.0.0.0 255.0.0.0      any          any                   deny
2         169.254.0.0 255.255.0.0  any          any                   deny
3         224.0.0.0 240.0.0.0      any          any                   deny
4         255.255.255.255          any          any                   deny
5         240.0.0.0 240.0.0.0      any          any                   deny
6         any                      any          any                   permit

 

so we need to insert our two new rules at positions 6 and 7, and then delete the existing rule at position 6.

configure t
ip access-list session validuser
  alias PROTECTED_HOSTS any any deny position 6
  alias VALID_SUBNETS any any permit position 7
  no any any any permit
!

which we check afterwards with "show ip access-list validuser"; you should now see this (again tidied to fit, and ipv6 stuff removed)

(sg-7030) #show ip access-list validuser

ip access-list session validuser
validuser
---------
Priority  Source                   Destination  Service  Application  Action
--------  ------                   -----------  -------  -----------  ------
1         127.0.0.0 255.0.0.0      any          any                   deny
2         169.254.0.0 255.255.0.0  any          any                   deny
3         224.0.0.0 240.0.0.0      any          any                   deny
4         255.255.255.255          any          any                   deny
5         240.0.0.0 240.0.0.0      any          any                   deny
6         PROTECTED_HOSTS          any          any                   deny
7         VALID_SUBNETS            any          any                   permit
<ipv6 stuff below here>

At this point you should be good to go: the junk IPs should no longer appear in the user table or in AirWave. You can check it's working using "show acl hits". In the example below you can see a couple of allows and a reject; this is from a Windows 8 client that is dual stack but also leaking its VPN IP into the controller, so usually it has 3 IPs.

 

> before validuseracl

(sg-7030) #show user
fe80::a4ae:a862:2451:2211  5c:c5:d4:00:00:01  authenticated
10.11.12.13                5c:c5:d4:00:00:01  authenticated
192.168.1.3                5c:c5:d4:00:00:01  authenticated
(sg-7030) #

> added validuser acl to allow 192.168.1.0/24, disconnect -> reconnect client

(sg-7030) #show acl hit
User Role ACL Hits
------------------
<snip>

Port Based Session ACL
----------------------
Policy     Src            Dst  Service/Application  Action  New Hits  Total Hits
---------  -------------  ---  -------------------  ------  --------  ----------
validuser  VALID_SUBNETS  any  any                  permit  0         1
validuser  fe80::/64      any  any-v6               permit  1         1
validuser  any            any  0                    deny    2         2

> can see two hits on deny, and an allow in VALID_SUBNET - now the usertable shows:

(sg-7030) #show user
fe80::a4ae:a862:2451:2211  5c:c5:d4:00:00:01    authenticated  
192.168.1.3                5c:c5:d4:00:00:01              authenticated  
(sg-7030) #

and if all is well, "write memory" at the end.

 

regards

-jeff

 

* edited a few times for clarity/typos etc. *
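As an added illustration of the ACL logic in the post above (my own example code, not from the post or from Aruba), the following Python script parses the two netdestination blocks exactly as posted, flags any "network" entry whose address has host bits set under its mask (the 10.1.1.0 255.255.252.0 entry, which the original poster later reports had to be changed to 10.1.0.0), and then evaluates a client source IP against the validuser ACL before and after the change, first match wins. It models only the source column, since destination and service are "any" in every rule shown, assumes the usual ArubaOS implicit deny at the end of a session ACL, leaves out the IPv6 rules as the post does, and uses constructed client addresses plus the 10.11.12.13 VPN-leak address from the post's own show user output.

```python
"""Model of the ArubaOS 'validuser' session ACL change described above.

Added example, not code from the post or from Aruba. It (1) parses the
posted netdestination blocks and flags 'network' entries whose address is
not the true network address under the mask, and (2) evaluates a client
source IP against the ACL before and after the change, first match wins.
"""
from ipaddress import IPv4Network, ip_address, ip_network

# The two netdestination blocks as posted in the thread.
NETDEST_CFG = """
netdestination VALID_SUBNETS
  network 10.20.4.0 255.255.252.0
  network 10.114.138.0 255.255.255.0
  network 10.170.138.0 255.255.255.0
  network 10.1.1.0 255.255.252.0
!
netdestination PROTECTED_HOSTS
  host 10.20.4.1
  host 10.114.138.5
  host 10.170.138.1
  host 10.1.1.61
  host 10.1.1.10
  host 10.1.1.5
  host 10.1.1.3
!
"""


def parse_netdestinations(cfg):
    """Return ({alias name: [IPv4Network, ...]}, [warning, ...]).

    'network' entries are normalised to their real network address; an entry
    whose address differs from that is reported so it can be corrected before
    the block is pasted into the controller.
    """
    aliases, warnings, name = {}, [], None
    for line in cfg.splitlines():
        parts = line.split()
        if not parts or parts[0] == "!":
            continue
        if parts[0] == "netdestination":
            name = parts[1]
            aliases[name] = []
        elif parts[0] == "network":
            addr, mask = parts[1], parts[2]
            net = ip_network(f"{addr}/{mask}", strict=False)
            if str(net.network_address) != addr:
                warnings.append(f"{name}: network {addr} {mask} -> use {net.network_address}")
            aliases[name].append(net)
        elif parts[0] == "host":
            aliases[name].append(ip_network(f"{parts[1]}/32"))
    return aliases, warnings


# Rules 1-5 of the posted ACL as (source, action). Destination and service are
# 'any' in every rule shown, so only the source column is modelled.
BOGON_RULES = [
    (IPv4Network("127.0.0.0/8"), "deny"),
    (IPv4Network("169.254.0.0/16"), "deny"),
    (IPv4Network("224.0.0.0/4"), "deny"),
    (IPv4Network("255.255.255.255/32"), "deny"),
    (IPv4Network("240.0.0.0/4"), "deny"),
]
ACL_BEFORE = BOGON_RULES + [("any", "permit")]            # old rule 6: any any any permit
ACL_AFTER = BOGON_RULES + [("PROTECTED_HOSTS", "deny"),   # new rule 6
                           ("VALID_SUBNETS", "permit")]   # new rule 7


def evaluate(acl, aliases, client_ip):
    """First match wins; returns (priority, action).

    Priority None means nothing matched and the implicit deny at the end of
    the session ACL applied (assumed here, as for any ArubaOS session ACL).
    """
    src = ip_address(client_ip)
    for priority, (source, action) in enumerate(acl, start=1):
        if source == "any":
            return priority, action
        nets = aliases[source] if isinstance(source, str) else [source]
        if any(src in net for net in nets):
            return priority, action
    return None, "deny"


def compare(client_ips, cfg=NETDEST_CFG):
    """Map each client IP to its (before, after) verdict pair."""
    aliases, _ = parse_netdestinations(cfg)
    return {ip: (evaluate(ACL_BEFORE, aliases, ip), evaluate(ACL_AFTER, aliases, ip))
            for ip in client_ips}


if __name__ == "__main__":
    _, warnings = parse_netdestinations(NETDEST_CFG)
    for w in warnings:
        print("check before pasting:", w)
    # Constructed test clients: a DHCP client, that subnet's default gateway,
    # a link-local address, and the leaked VPN address from the post's output.
    for ip, (before, after) in compare(
            ["10.20.5.77", "10.20.4.1", "169.254.10.10", "10.11.12.13"]).items():
        print(f"{ip:15} before={before}  after={after}")
```

Running it prints one "check before pasting" line for the 10.1.1.0 entry and then shows that the DHCP client is still permitted (now by rule 7 instead of rule 6), the default gateway is now denied by the PROTECTED_HOSTS rule, and the leaked VPN address falls through to the implicit deny, which is exactly why it stops appearing in the user table.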


Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

Jeff -

 

That was an incredibly generous thing to do, and I can't tell you how much I appreciate it. I will make these changes in my next available maintenance window.

 

I hate to call on you again, but no good deed goes unpunished! Would you look at my attached network schematic and weigh in on where I should have the 7210 connected? I originally had it going to the Aruba edge switch (138), but have moved it to the 101 core switch. I ask about this because I have a daily broadcast storm (at around 9 or 9:30) that gets cleared when I temporarily disable the controller's interface. I had that same storm when it was on 138 as I do today with it on 101.

 

I am running MSTP on this primarily HP switch stack, and I am not running any flavor of STP on the 7210. And part of my 2 LAN IP address question was trying to figure out if the 7210 is causing a loop somehow.

 

Again, I can't thank you enough for your assistance.

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?


@jgoff wrote:
In VAP, I see 3 related options:

Dynamic/Multicast Optimization (currently off)

Drop Broadcast and unknown multicast (currently off)

Convert broadcast ARP request to unicast (currently on)


it is the middle one (sorry, in the CLI it's called broadcast filter all). "Drop broadcast and unknown multicast" - enable it.


Thanks. But if I do that I get the red warning: 

Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

 

and I don't see where to set broadcast-filter-arp

 

Super Contributor I

Re: Why do some of my clients report 2 LAN IP addresses?

broadcast-filter-arp is the "Convert broadcast ARP" option. It is on by default now (it did not use to be), and the warning fires whether or not it is already on.

 

BTW, if it were not for Win7 hosts also showing duplicate IPs I would write that off as DHCP clients misbehaving. This happens a lot on Android and sometimes on Apple stuff. You either have to pin those guys with a DHCP reservation or run bleeding-edge DHCP servers to keep it from happening.

 

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?


@Kevets wrote:

@jgoff wrote:
In VAP, I see 3 related options:

Dynamic/Multicast Optimization (currently off)

Drop Broadcast and unknown multicast (currently off)

Convert broadcast ARP request to unicast (currently on)


it is the middle one (sorry, in the CLI it's called broadcast filter all). "Drop broadcast and unknown multicast" - enable it.


Thanks. But if I do that I get the red warning: 

Warning: broadcast-filter arp should be enabled with this option. Otherwise ARP requests will be dropped!

 

and I don't see where to set broadcast-filter-arp

 

Enable "Drop Broadcast and unknown multicast" and ignore the warning; as bjulin mentioned, the warning is a hangover from times past when the defaults were different (the warning is about option 3 in the previous post, which is enabled by default now but did not use to be, hence the warning).

 

regards

-jeff

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

OK, thanks - I have this set now on all my VAPS

Moderator

Re: Why do some of my clients report 2 LAN IP addresses?

based on what you have said about the config and the diagram, I don't think it should be the controller specifically causing the loop. Having said that, please get me the following output:

 

show datapath bwm type 0

show datapath debug opcode | include BPDU

show datapath frame

show datapath maintenance counters

 

we may be able to deduce something from these stats.

 

regards,

-jeff

Frequent Contributor II

Re: Why do some of my clients report 2 LAN IP addresses?

Jeff,

 

Thanks again. I will try those commands shortly, but I believe (and dear God I hope) I may have found the problem.

 

I had IGMP on a couple of VLANs, one without an IP address, on my HP switches, and I believe my Fortigate firewall decided to be helpful. All I know is when I got rid of IGMP my switch storm immediately abated.

 

Your original config advice for the wonky IPs worked great. I had to change the IP address to 10.1.0.0 for the main subnet, but other than that it was copy and paste.

 

Thanks! You're the best!
