Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Disable inter vlan routing

  • 1.  Disable inter vlan routing

    Posted May 20, 2014 12:45 PM

    Hi,


    I have a VLAN configured on a controller with a wired client attached. The VLAN has DHCP enabled with the controller configured as the client gateway. I do not want the client to be able to access any other VLAN interface on the controller, so I have disabled inter-VLAN routing on the client VLAN interface, but I can still access all other VLAN interfaces on the controller from the client. Any ideas what is going on?


    Thanks



  • 2.  RE: Disable inter vlan routing

    EMPLOYEE
    Posted May 20, 2014 02:09 PM

    It won't work if the controller is the default gateway. You'll need to put an ACL on the wired users' role blocking access to that subnet. If the wired client does not have an AAA profile applied, you'll need to put the ACL on the interface that the traffic flows through.



  • 3.  RE: Disable inter vlan routing

    Posted May 20, 2014 05:19 PM

    OK. The VLAN is part of a port channel, so I can't really add an ACL to it.

    If I remove the DHCP and it is just an L3 VLAN, will the disable inter-VLAN routing work then?



  • 4.  RE: Disable inter vlan routing

    EMPLOYEE
    Posted May 21, 2014 02:09 AM

    For that port you can make that VLAN untrusted, then assign a wired AAA profile. Within that AAA profile, put the necessary ACL in the initial role.


    [Attachment: aaa-wired.jpg]
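    One way to put replies 2 and 4 into configuration (an added example, not from the posters or from HPE Aruba Networking; the command syntax is assumed to follow ArubaOS 6.x, and the VLAN number, the controller address on that VLAN, the interface and all names are placeholders). The session ACL permits only what reply 5 lists, DHCP and UDP 4500 to the controller's address on the RAP VLAN, and then denies traffic to every other controller interface using the predefined `controller` alias; the untrusted VLAN plus the wired AAA profile is what makes the role, and therefore the ACL, apply to whatever is plugged into the port:

```text
! Assumed ArubaOS 6.x syntax. VLAN 100, 192.0.2.1 and the names are placeholders.
!
! Session ACL applied to anything on the untrusted RAP VLAN.
! Rule order matters: the first matching rule wins.
ip access-list session rap-port-acl
  user any svc-dhcp permit                 ! DHCP so the device can get an address
  user host 192.0.2.1 udp 4500 permit      ! IPsec/NAT-T to the controller's VLAN 100 address
  user alias controller any deny           ! everything else to any controller interface
  user any any deny                        ! optional: a RAP needs nothing else on this VLAN
!
! Role that carries the ACL.
user-role rap-port-role
  session-acl rap-port-acl
!
! Wired AAA profile whose initial role is the restricted role.
aaa profile "rap-wired"
  initial-role "rap-port-role"
!
! Make only the RAP VLAN untrusted on the port and attach the wired AAA profile.
! Other VLANs carried on the same port stay trusted and are not affected.
interface gigabitethernet 1/0
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  no trusted vlan 100
  aaa-profile "rap-wired"
!
```

Two things to check after applying it: `show user-table` (or `show datapath session`) should show the wired device landing in `rap-port-role`, and an unrelated host on VLAN 100 should no longer reach the management address. Note the caveat reply 5 raises: if the RAP fetches its image from the controller's management interface, the `alias controller` deny above blocks that transfer, so an explicit permit for that host and service has to go before the deny for provisioning to complete. Whether the same per-VLAN `no trusted vlan` form is accepted on a port-channel interface is also an assumption here; reply 4 describes it for a physical port.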



  • 5.  RE: Disable inter vlan routing

    Posted May 21, 2014 05:19 AM

    [Attachment: Capture.JPG]

    To back up a bit, what I am trying to do is secure the port so that I can use RAPs on what is effectively an internal network, so it is not really related to wired clients. I need the RAPs to access the controller via the address on VLAN x, but what happens is, when provisioning a RAP108, the controller provides its address on its management interface as the location for FTP download of the AP image. The download works because the controller internally routes between VLAN x and the management interface. The problem is that if someone were to unplug the RAP and connect a laptop to VLAN x, they can access all controller interfaces because the controller routes to them. I wanted to turn off inter-VLAN routing, but I think this will prevent the AP image being downloaded by the RAP.

    I noticed on the port channel interface that I can add a VLAN firewall policy. Can I add a policy on the RAP VLAN that just allows 4500 and DHCP, and that will not affect any other VLANs in the same port channel? Do I have to make VLAN x untrusted?

    Secondly, I want to restrict access to the controller GUI to only our management VLAN. Can I apply a firewall policy to the port channel in addition to a VLAN firewall policy?