Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass, vlan on data interface

  • 1.  Clearpass, vlan on data interface

    Posted Jun 22, 2016 05:16 AM

    We want to create multiple VLANs on the data interface of a ClearPass. However, not much information can be found on this.

    The setup we want to achieve is to use the management interface for management ONLY.

    The data interface for:

    1. VLAN A for the guest portal

    2. VLAN B for controller traffic

    Where can I find information about how the system works with VLANs on a physical interface and how the routing will be built by the system? As well, whether the physical interface requires an IP address in such a case or not, and how the master/slave and virtual addresses can be built.



  • 2.  RE: Clearpass, vlan on data interface

    Posted Jun 23, 2016 03:00 AM

    The creation of VLANs is a two-step process:

    1. Create the VLANs in the UI under

    [screenshot: ClearPass_Policy_Manager_-_Aruba_Networks.jpg]

    2. Then, under the CLI (log in with appadmin), you need to add the route for the VLANs.

    HTH



  • 3.  RE: Clearpass, vlan on data interface

    Posted Jun 23, 2016 03:05 AM

    Thanks, but do I need to put an IP on the physical interface?

    This would mean that the IP on the physical interface basically goes untagged on the network cable.

    Second question: if we would put, for example, a guest network on that VLAN, directly connected, I guess no route is needed? Is the ClearPass doing IP forwarding between the VLANs? Meaning, can it be 'abused' as a router? The goal is to put a guest portal on a separate VLAN, without giving the possibility to break out of that guest network through the ClearPass.



  • 4.  RE: Clearpass, vlan on data interface

    Posted Jun 23, 2016 04:35 PM

    There is a dependency to have an IP address on the physical interface.

    Directly connected should be good, basic IP routing there.

    I 'think', but will check, we DO NOT allow IP forwarding between VLANs.

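As an added example (not ClearPass code and not from anyone in this thread), the following Python models the behaviour the replies describe: an untagged address on the physical data interface, a tagged sub-interface per VLAN, one routing table shared by all of them, connected subnets reachable without any added route, static routes added only for what is not directly connected, and transit packets dropped while IP forwarding is off. The interface names (eth1, eth1.10, eth1.20), the addresses and the single-routing-table behaviour are my assumptions, modelled on a standard Linux host; the thread does not say how the appliance is implemented internally, so verify against your own ClearPass before relying on it.

```python
"""Model of a host with one untagged data interface, tagged VLAN sub-interfaces,
a single routing table and IP forwarding switched off or on.

Added example, not ClearPass code.  Interface names, addresses and the
single-table behaviour are assumptions modelled on a generic Linux host.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address, ip_interface, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None means directly connected


class Appliance:
    """One routing table shared by the physical interface and its VLAN sub-interfaces."""

    def __init__(self, ip_forward: bool = False) -> None:
        self.ip_forward = ip_forward            # models net.ipv4.ip_forward
        self.addresses: Dict[str, IPv4Interface] = {}
        self.routes: List[Route] = []

    def add_interface(self, dev: str, cidr: str, vlan: Optional[int] = None) -> str:
        """Assign an address; vlan=None is the untagged physical interface,
        otherwise a tagged sub-interface (assumed 'eth1.<vid>' naming).
        A connected route is installed automatically, no CLI route needed."""
        name = dev if vlan is None else f"{dev}.{vlan}"
        iface = ip_interface(cidr)
        self.addresses[name] = iface
        self.routes.append(Route(iface.network, name))
        return name

    def add_static_route(self, prefix: str, via: str) -> Route:
        """Static route as added from the CLI; the next hop must sit on a connected subnet."""
        nexthop = ip_address(via)
        out = self.lookup(nexthop)
        if out is None or out.via is not None:
            raise ValueError(f"next hop {nexthop} is not on a directly connected subnet")
        route = Route(ip_network(prefix), out.dev, nexthop)
        self.routes.append(route)
        return route

    def lookup(self, dst) -> Optional[Route]:
        """Longest-prefix match over the one shared table."""
        dst = ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def handle(self, dst) -> str:
        """What happens to a packet that arrives for `dst`."""
        dst = ip_address(dst)
        if any(a.ip == dst for a in self.addresses.values()):
            return "local"                       # addressed to the appliance itself
        if not self.ip_forward:
            return "dropped: ip_forward=0"       # transit traffic is never routed
        r = self.lookup(dst)
        if r is None:
            return "dropped: no route"
        return f"forwarded via {r.dev}"

    def table(self) -> List[str]:
        """Rendered like `ip route`, to show that all interfaces share one table."""
        return [f"{r.prefix} dev {r.dev}" + (f" via {r.via}" if r.via else "") for r in self.routes]


def build_thread_setup(ip_forward: bool = False) -> Appliance:
    """Constructed topology matching the thread: untagged physical interface,
    VLAN A (guest portal), VLAN B (controller), plus one static route via the
    untagged subnet's gateway.  All addresses are documentation ranges."""
    app = Appliance(ip_forward=ip_forward)
    app.add_interface("eth1", "10.0.0.5/24")                 # untagged, required address
    app.add_interface("eth1", "192.0.2.1/24", vlan=10)       # VLAN A: guest portal
    app.add_interface("eth1", "198.51.100.1/24", vlan=20)    # VLAN B: controllers
    app.add_static_route("203.0.113.0/24", via="10.0.0.1")   # reached via the untagged subnet
    return app


def guest_breakout_check(app: Appliance) -> Dict[str, str]:
    """A guest host on VLAN A points a route at the appliance's VLAN A address
    and tries to reach the portal itself and a controller on VLAN B."""
    return {
        "guest -> portal address": app.handle("192.0.2.1"),
        "guest -> controller on VLAN B": app.handle("198.51.100.10"),
        "guest -> remote subnet via static route": app.handle("203.0.113.7"),
    }


if __name__ == "__main__":
    for forwarding in (False, True):
        app = build_thread_setup(ip_forward=forwarding)
        print(f"ip_forward={int(forwarding)}")
        for line in app.table():
            print("  ", line)
        for probe, verdict in guest_breakout_check(app).items():
            print("  ", probe, "=>", verdict)
```

With forwarding off, the only thing a guest host can reach through the appliance is the appliance's own VLAN A address; the controller subnet and the static route exist in the table but are never used for transit traffic. The practical check against a real deployment is the same shape: from a host on the guest VLAN, add a route for the controller subnet with the ClearPass VLAN A address as next hop and confirm nothing gets through, then confirm the portal address itself still answers.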


  • 5.  RE: Clearpass, vlan on data interface

    Posted Jun 24, 2016 07:38 AM

    So the physical interface will put data on the cable untagged (without a VLAN tag), and the VLAN addition with another IP will put traffic on the wire with a VLAN tag. Is that assumption correct?

    I'm interested to hear about the routing: whether the same route table is used for the physical interface and the VLAN interface, or whether they are different.



  • 6.  RE: Clearpass, vlan on data interface

    Posted Jun 25, 2016 02:05 PM

    Correct re VLAN tags.

    I've been out of the office for the last few days; I will speak to DEV next week when I'm back in the office. If I don't get back to you, ping me to remind me.

    djump@hpe.com

    Cheers



  • 7.  RE: Clearpass, vlan on data interface

    EMPLOYEE
    Posted Jul 10, 2018 04:30 PM

    Hi Danny,

    Did you find out from DEV regarding the inter-VLAN routing being NOT active?