Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

No L3 connectivity within same subnet
  • 1.  No L3 connectivity within same subnet

    Posted Aug 06, 2012 10:37 AM

    I have a situation I'm trying to troubleshoot for a temporary project and wonder if anyone can help.

    I created a new wireless network and new SSID, etc.  I put a single client vlan in that SSID (pool of one). This vlan was one of the existing active client vlans on the controller. Clients are successfully connecting onto the new network and receiving a lease from the appropriate vlan. We then configured a wireless web server with a static IP address in that same vlan (making sure the IP was not in that subnet's dhcp pool). The web server connects to the network with the static and has inbound and outbound network connectivity.

    We can browse to the IP address of the web server (port 80) from wireless clients on our existing open and .1x  wireless networks, as well as from clients on wired connections. We cannot, however, browse to that IP address from wireless clients connected within the same wireless network on the same subnet.
    I tried changing the authenticated role to a simple allow-all role in case there was a policy block, but this had no effect.
    'Deny inter user traffic' is disabled both globally and in the VAP. 'Deny inter user bridging' is enabled globally (no VAP setting), but I thought that only pertained to L2 connectivity. We are trying to connect via L3 (IP of web server). Is this the issue? Can anyone think of anything else that might prevent wireless clients from connecting to a web server on the same wireless subnet?
    Thanks in advance.

    Mike



  • 2.  RE: No L3 connectivity within same subnet

    Posted Aug 06, 2012 11:23 AM

    What does the ACL read for devices on that network; more specifically the wireless web server (if it is different)?
    Maybe unrelated, but I ran into a similar situation with a customer where they had a wireless web server like you. In their case it was a minor change to the ACL. Is the source "user" or "any"? In their case we needed to change the source to be "any" for any http/https traffic rules that may reach that wireless webserver. The user was permitted to hit the webserver, but because the webserver is also a wireless client, the rules did not permit http inbound.
    Chris



  • 3.  RE: No L3 connectivity within same subnet

    Posted Aug 06, 2012 08:02 PM

    Run the command "show datapath session table <ip-address>", where <ip-address> is the address of the client that is not able to browse the server IP. If you see a "D" flag on the session, it means that the session is being blocked by an ACL.
    Find out more by running the "show acl hits" command repeatedly and seeing which particular deny rule is being hit.
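As an added example, written for this page and not code from the reply's author or from HPE Aruba: a small Python triage script that applies the two checks above to sample output. The session-table and acl-hits layouts below are constructed approximations of the controller's output (assumed, not copied from a device); the only fact taken from the thread is that a "D" flag marks a session denied by an ACL. Taking two "show acl hits" snapshots and diffing the counters is the scripted form of "run it repeatedly and see which deny rule is being hit".

```python
"""Triage helper for the troubleshooting steps in the reply above.
Added example for this page; not ArubaOS code and not the poster's.
Only one fact from the thread is relied on: a "D" flag on a row of
"show datapath session table" means the session is being denied by an ACL.
The column layouts of both sample outputs are CONSTRUCTED approximations."""
import ipaddress
import re

# Constructed sample of "show datapath session table 10.20.30.50": a wireless
# client (10.20.30.50) talking to the wireless web server (10.20.30.10) on the
# same subnet and to a wired host. The last column holds the flags; only the
# letter "D" is interpreted here, the other letters are filler.
SESSION_TABLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Dest  TAge Flags
10.20.30.50     10.20.30.10     6    51234 80     0/0  0    0   1   dev1  1    FD
10.20.30.10     10.20.30.50     6    80    51234  0/0  0    0   1   dev1  1    FDI
10.20.30.50     192.168.5.20    6    51240 443    0/0  0    0   5   dev2  5    FC
192.168.5.20    10.20.30.50     6    443   51240  0/0  0    0   5   dev2  5    FCI
10.20.30.50     10.20.30.1      17   54000 53     0/0  0    0   2   dev3  2    F
"""

# src, dst, protocol number, sport, dport ... flags (last field on the row)
SESSION_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s.*\s(\S+)$")


def denied_sessions(table):
    """Rows whose flag field contains 'D', as (src, dst, proto, sport, dport,
    flags). The header row has no numeric fields, so it never matches."""
    found = []
    for line in table.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        src, dst, proto, sport, dport, flags = m.groups()
        if "D" in flags:
            found.append((src, dst, int(proto), int(sport), int(dport), flags))
    return found


def same_subnet_denials(sessions, cidr):
    """Keep only denied sessions with both endpoints inside the client subnet,
    which is exactly the symptom in the thread (same-subnet hosts can't talk)."""
    net = ipaddress.ip_network(cidr)
    return [s for s in sessions
            if ipaddress.ip_address(s[0]) in net and ipaddress.ip_address(s[1]) in net]


# Constructed snapshots of "show acl hits" taken a few seconds apart while the
# client retries http to the web server. Layout is an approximation.
HITS_BEFORE = """\
ACL          Rule                             Hits
-----------  -------------------------------  -----
wifi-client  user any svc-http permit         1532
wifi-client  user any any permit              88012
wifi-client  any any any deny                 417
"""
HITS_AFTER = """\
ACL          Rule                             Hits
-----------  -------------------------------  -----
wifi-client  user any svc-http permit         1540
wifi-client  user any any permit              88040
wifi-client  any any any deny                 423
"""

HIT_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+)$")


def parse_hits(text):
    """Map (acl, rule) -> hit counter; header and separator rows don't match."""
    hits = {}
    for line in text.splitlines():
        m = HIT_RE.match(line.rstrip())
        if m:
            hits[(m.group(1), m.group(2))] = int(m.group(3))
    return hits


def growing_deny_rules(before, after):
    """Deny rules whose counter increased between the two snapshots, as
    (acl, rule, delta), largest delta first: the rule the client keeps hitting."""
    b, a = parse_hits(before), parse_hits(after)
    out = [(acl, rule, n - b.get((acl, rule), 0))
           for (acl, rule), n in a.items()
           if n > b.get((acl, rule), 0) and "deny" in rule.split()]
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for s in same_subnet_denials(denied_sessions(SESSION_TABLE), "10.20.30.0/24"):
        print("denied on the client subnet:", s)
    for acl, rule, delta in growing_deny_rules(HITS_BEFORE, HITS_AFTER):
        print(f"{acl}: '{rule}' +{delta} hits")
```

With real output, paste the two command results into the two string constants (or read them from files) and adjust the regexes if the column order on your controller version differs; the D-flagged same-subnet rows tell you which flow is dropped, and the growing deny counter tells you which rule to look at in the role.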