Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Per Vlan Trust on physical port
  • 1.  Per Vlan Trust on physical port

    Posted May 23, 2013 08:16 AM

    Hello

    I have an Aruba controller connected to the wired network via an 802.1q trunk port. I want to make only one of these VLANs untrusted and all the others trusted, so that the controller adds only the clients from the untrusted VLAN to the user database. However, when I make the port trusted and add the trusted VLANs to the interface config, the controller only sees a few (around 20) users on the interface, randomly, although there are a few hundred. When I do not make the port trusted and only add the trusted VLANs, the controller sees all clients from all VLANs (any IPs from the whole world that send any packet through the controller); that makes the system exceed its user capacity.

    How can I make only some of the VLANs trusted on a trunk port?

    Note: The VLAN I am trying to make untrusted is an OSPF VLAN that connects several LANs beyond it.



  • 2.  RE: Per Vlan Trust on physical port

    Posted May 23, 2013 08:40 AM

    Your config should look like this:

    VLANs that you want to use:

    VLAN 10
    VLAN 20
    VLAN 30

    VLANs that you don't want to use:

    VLAN 40
    VLAN 50

    interface gigabitethernet 0/0
    switchport trunk allowed vlan 10,20,30
    trusted vlan 10,20,30

    Is this what you are trying to accomplish? Or did I just misunderstand what you are trying to do?



  • 3.  RE: Per Vlan Trust on physical port

    Posted May 23, 2013 09:34 AM

    Hello,

    No, in fact what I want is slightly different.

    Let's say I have VLANs 10, 20, 30.
    I want all three as allowed VLANs on the port.
    I want the controller to pass the traffic from 10, 20 directly without any user processing.
    I want the sources of packets from VLAN 30 to be added to the user list.

    When I do

    interface gigabitethernet 0/0
    trusted
    switchport trunk allowed vlan 10,20,30
    trusted vlan 10,20

    the controller adds only a random small part of the sources from VLAN 30 to the list.

    When I do

    interface gigabitethernet 0/0
    switchport trunk allowed vlan 10,20,30
    trusted vlan 10,20

    the controller adds the sources of all packets from VLANs 10, 20, 30. But I want only the sources of the packets from VLAN 30 to appear on the user list.



  • 4.  RE: Per Vlan Trust on physical port

    Posted May 23, 2013 09:38 AM

     

    You may want to apply an ip access-group to the interface with the traffic you want to allow.



  • 5.  RE: Per Vlan Trust on physical port

    Posted May 23, 2013 09:59 AM

    Hello,

    In the example, my purpose is to have the sources of the packets from VLAN 30 in the user list, and not VLANs 10 and 20. Therefore using an ACL does not help.

    One of the VLANs that I want to be trusted is the path to the Internet. Therefore, if the controller tracks all the sources from all three VLANs as users, all external IPs that send any packet to any of my clients are added to the user list.

    In other words, in this situation all my clients and all IP addresses from the Internet that interact with my clients are added to the user list. This creates an oversized user table that the controller cannot handle.

     



  • 6.  RE: Per Vlan Trust on physical port

    Posted May 23, 2013 10:06 AM

     

    You could define that in the validuser ACL:

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-40



  • 7.  RE: Per Vlan Trust on physical port

    Posted May 24, 2013 03:16 AM

    Hello,

    The validuser ACL provides a filter for the users to appear in the user list, but when I tried it that way I got a performance problem. Furthermore, this is not what I need.

    I think I failed to explain what I need, so let me explain starting from what I do now.

    Currently, I have the controller connected to my core switch via two cables. One port has VLAN x, which is the VLAN that connects the controller to the outer world, and the other port has VLAN y, which connects wired clients to the controller. The controller routes packets between the two VLANs.

    One of the ports of the controller is trusted and the other is not. The trusted port has VLAN x, which is the VLAN that connects the controller to the outer world. The untrusted port has VLAN y, which connects the clients to the controller.

    The config looks like this:

    interface gigabitethernet 0/0
    trusted
    switchport trunk allowed vlan x
    trusted vlan x

    interface gigabitethernet 0/1
    switchport trunk allowed vlan y
    trusted vlan y

    Then the controller adds the sources of the packets from VLAN y to the user list.

    I just want to do the same thing using only one physical port.

    I think this should be possible using trusted VLANs. If not, what is the purpose of having the trusted vlan command when there is a trusted command for the physical port?

     

     



  • 8.  RE: Per Vlan Trust on physical port

    Posted May 24, 2013 07:23 AM
    That's an interesting setup. I don't think you will be able to accomplish what you want under one port, since you need the trusted port configured under the trunk to allow the rest of the traffic to be allowed on the interface.


  • 9.  RE: Per Vlan Trust on physical port

    Posted May 24, 2013 08:13 AM

    Hello again,

    Then, what is the purpose of the trusted vlan command?



  • 10.  RE: Per Vlan Trust on physical port

    Posted May 24, 2013 08:20 AM
    To me it is similar to the allowed VLANs under the trunk command: you are specifying which VLANs you want your trunk to trust (extra TRUST).

    That's how I have always seen it, but maybe there's another reason or purpose for it.


  • 11.  RE: Per Vlan Trust on physical port

    EMPLOYEE
    Posted May 24, 2013 10:48 AM

    @onuryu wrote:

    Hello,

    No, in fact what I want is slightly different.

    Let's say I have VLANs 10, 20, 30.
    I want all three as allowed VLANs on the port.
    I want the controller to pass the traffic from 10, 20 directly without any user processing.
    I want the sources of packets from VLAN 30 to be added to the user list.

    When I do

    interface gigabitethernet 0/0
    trusted
    switchport trunk allowed vlan 10,20,30
    trusted vlan 10,20

    the controller adds only a random small part of the sources from VLAN 30 to the list.

    When I do

    interface gigabitethernet 0/0
    switchport trunk allowed vlan 10,20,30
    trusted vlan 10,20

    the controller adds the sources of all packets from VLANs 10, 20, 30. But I want only the sources of the packets from VLAN 30 to appear on the user list.


    Please describe what you are trying to accomplish. I have read the thread, and at first it seems like you want only VLAN 30 users in the controller table. Later you mention you want to look at hosts that attempt to connect to your users from the Internet.

    Without the forum assuming too much, what is your use case? We can explain trusted VLANs vs. untrusted, but it might not suit your purpose. Please tell us what you are trying to do.

     



  • 12.  RE: Per Vlan Trust on physical port

    Posted May 24, 2013 12:13 PM

    Hello,

    I may have failed to explain clearly, but in fact I want a very simple thing.

    I want two tagged VLANs on the same 802.1q trunk port. I want the controller to treat one VLAN as trusted and the other VLAN as untrusted.

    In other words, instead of connecting two ports to different VLANs and setting one port as trusted, I want two VLANs on one port and to make the port trusted for only one of the VLANs.



  • 13.  RE: Per Vlan Trust on physical port

    EMPLOYEE
    Posted May 24, 2013 02:13 PM

    All right. You should be able to mark the VLAN untrusted on that port, BUT... if there is any traffic that is routed by that VLAN (behind it), it will also be interrogated along with that. This works best when there is nothing behind that VLAN and the layer 3 switch is doing the routing, instead of the controller....

     

     


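As an added illustration (this is not a configuration from the original thread or from HPE Aruba documentation), here is how the single-trunk arrangement asked for in reply 12 and confirmed as possible in reply 13 could be written, together with the validuser ACL approach linked in reply 6 as a guard against the failure mode described in replies 5 and 13. The VLAN numbers, the interface name and the 10.30.0.0/16 client subnet are assumptions; the "!" lines are explanatory comments, not commands, and the rule set shown replaces the controller's default validuser ACL, so the default deny entries are carried over rather than dropped.

```text
! Assumed: VLANs 10 and 20 are transit/uplink VLANs whose sources must not be learned as users,
! VLAN 30 carries the wired clients (assumed subnet 10.30.0.0/16).
! With the port marked trusted, an explicit "trusted vlan" list is intended to leave every
! allowed VLAN that is NOT in the list (here VLAN 30) untrusted, so only VLAN 30 sources
! are added to the user table.
interface gigabitethernet 0/0
  description uplink-to-core
  trusted
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  trusted vlan 10,20
!
! Caveat from reply 13: if VLAN 30 also carries traffic routed from networks behind it
! (the OSPF VLAN in the question), every source address seen on it is interrogated.
! Narrowing the validuser ACL to the client subnet keeps remote sources out of the user
! table. The default deny entries for loopback, link-local, multicast, broadcast and
! reserved ranges are kept; only the final "any any any permit" is replaced.
ip access-list session validuser
  network 127.0.0.0 255.0.0.0 any any deny
  network 169.254.0.0 255.255.0.0 any any deny
  network 224.0.0.0 240.0.0.0 any any deny
  host 255.255.255.255 any any deny
  network 240.0.0.0 240.0.0.0 any any deny
  network 10.30.0.0 255.255.0.0 any any permit
  any any any deny
!
! Verification after applying: confirm the port's trust state and that only 10.30.0.0/16
! addresses appear as users.
show port status
show user-table
```

Two caveats a practitioner should keep in mind: the validuser ACL applies to every user the controller learns, wireless clients included, so each client subnet in use must be permitted or those clients will never be added; and the original poster reported a performance problem with this approach, which is consistent with the advice in reply 13 that the design works best when nothing is routed behind the untrusted VLAN and the layer 3 switch, not the controller, does the routing.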

  • 14.  RE: Per Vlan Trust on physical port

    Posted May 27, 2013 02:32 AM

    I could not understand "This works best when there is nothing behind that VLAN and the layer 3 switch is doing the routing, instead of the controller....".

    Do you mean such a situation works only when all gateways are on the controller and the controller does the routing?

    Also, when I do the same thing using two ports, all source addresses received on the untrusted port are added to the user list.



  • 15.  RE: Per Vlan Trust on physical port

    Posted May 27, 2013 02:43 AM

    Hi,

    I think Aruba cannot be used as a gateway at that point. If you only want VLAN routing you should buy a router.

    Is there any method for all VLAN members to be seen as users by the Aruba controller?

    Thanks in advance.

    Husnu Demir.



  • 16.  RE: Per Vlan Trust on physical port

    Posted May 27, 2013 02:47 AM

    By the way,

    When you set the physical port to untrusted you may get what you want, but you would have to spend 2 physical ports?

    Husnu Demir.