Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Forced Redirect

  • 1.  Forced Redirect

    Posted Mar 19, 2012 04:16 PM

    Does ArubaOS support a feature which prevents a wireless station from connecting to another station without first forwarding to the upstream router?  I want to prevent the mobility controller from directly routing or switching between wireless stations.  I need this to ensure firewall policy is applied at the upstream router (actually a firewall).


    Thanks

    Marvin



  • 2.  RE: Forced Redirect

    Posted Mar 19, 2012 04:22 PM

    Marvin,


    The controller can block communication between WLAN clients, but if they are on the same subnet, they cannot be forced to talk through a firewall.  Since the controller is a firewall, though, you can selectively allow or block traffic between clients even if they are on the same subnet.


    What features does your firewall have that you need?



  • 3.  RE: Forced Redirect

    Posted Mar 19, 2012 04:34 PM

    The external firewall is used to ensure consistent policy application between wireless and wired clients. I am using an ESI with a redirect ACL to the firewall.  Could you please help me with the following regarding ESI.

    Is ESI an appropriate method to redirect?

    Does the session ACL use implicit deny?  I have a forward-direction policy.  Will I need a reverse-direction policy to allow traffic initiated from outside to get through?

    The rules are stateful so I had to be very careful about routing symmetry.


    Thanks.



  • 4.  RE: Forced Redirect

    Posted Mar 19, 2012 04:57 PM

    I am not all that familiar with the ESI redirection, so it might be a way around L2-connected clients "seeing" each other.


    The other way is to create the policies on the controller.  They are definitely stateful, so if you open an application for the WLAN clients, the return traffic will be allowed.


    You would need to open any wired initiated traffic holes that you want (from the controller toward the WLAN clients).


    Yes, there is an implicit deny all at the end of any ACL used for traffic management.
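    A worked ArubaOS 6.x configuration for the ESI approach discussed in posts 3 and 4, added here as an example; it is not from the thread or from HPE Aruba documentation. It defines an external firewall as an ESI server in route mode, hands client-initiated sessions to it with a forward-direction redirect, opens one wired-initiated service toward the clients (and sends it through the firewall too), and relies on the implicit deny that closes every session ACL. The names and addresses (fw1, fw-esi, wlan-via-fw, wlan-users, 10.10.10.2, 10.10.11.2, 10.20.0.0/24, TCP 3389) are placeholders, and the redirect syntax is the ESI redirect form of the session ACL; check the ACL reference for your release before pasting.

```text
! ArubaOS 6.x, config mode. Placeholder names and addresses are assumptions for this example.
!
! External firewall as an ESI server in route mode: trusted-ip-addr is the
! controller-facing interface, untrusted-ip-addr the interface on the far side.
esi server fw1
  mode route
  trusted-ip-addr 10.10.10.2
  untrusted-ip-addr 10.10.11.2
!
esi group fw-esi
  ping default
  server fw1
!
! Session ACL. Rules are stateful: a permitted or redirected session also
! allows its return traffic. First match wins, so order matters.
ip access-list session wlan-via-fw
  ! Keep address assignment and name resolution local to the controller.
  user any svc-dhcp permit
  user any svc-dns permit
  ! Every other session a client opens is handed to the external firewall,
  ! which applies the same policy it applies to wired clients.
  user any any redirect esi-group fw-esi direction forward
  ! Sessions initiated from the wired side toward clients are NOT covered by
  ! the rule above; open only what you need, here RDP from a management subnet,
  ! and route it through the firewall in the reverse direction.
  network 10.20.0.0 255.255.255.0 user tcp 3389 redirect esi-group fw-esi direction reverse
  ! No trailing rule is needed: an implicit "any any any deny" ends the ACL,
  ! so any other wired-initiated session toward a client is dropped.
!
user-role wlan-users
  session-acl wlan-via-fw
```

Because the controller's rules are stateful, the forward redirect alone already lets the firewall's replies back in; the reverse-direction line exists only for sessions that originate on the wired side. Routing symmetry matters here for the same reason post 3 gives: the redirected session must come back through the same ESI path, or the controller's session table will not match the return packets.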



  • 5.  RE: Forced Redirect

    MVP
    Posted Mar 19, 2012 04:24 PM

    Yes, it has both options to deny inter-user traffic and deny inter-VLAN routing.



  • 6.  RE: Forced Redirect

    Posted Mar 19, 2012 04:38 PM

    How do I turn on the feature to deny inter-VLAN and intra-VLAN forwarding?


    Thanks.



  • 7.  RE: Forced Redirect

    Posted Mar 19, 2012 04:52 PM

    Found it under VAP profile and Global Firewall settings.


    Thanks.



  • 8.  RE: Forced Redirect

    Posted Mar 19, 2012 04:54 PM

    Be careful...


    Those options will break routing between VLANs and/or between WLAN clients.  If you want traffic to flow between them, you should leave those off and create appropriate policies on the controller to control traffic.
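    The three switches posts 5 through 8 are talking about, written out as ArubaOS 6.x CLI with the effect of each one and the selective alternative post 8 recommends. This is an added example, not taken from the thread or from HPE Aruba documentation; the VAP name (guest-vap), VLAN IDs (100, 200), role name (guest), ACL name (no-peer-talk) and the 10.100.0.0/16 client range are placeholders.

```text
! ArubaOS 6.x, config mode. Placeholder names and numbers are assumptions for this example.

! 1. VAP profile: drop client-to-client traffic within this WLAN. Because all
!    client traffic is tunnelled to the controller, this also covers clients
!    on different APs.
wlan virtual-ap guest-vap
  deny-inter-user-traffic

! 2. Global firewall setting: block Layer-2 bridging between any two users on
!    the same VLAN, whichever VAP or wired port they arrived on.
firewall deny-inter-user-bridging

! 3. Per-VLAN: stop the controller routing between VLANs it owns, so a packet
!    for another VLAN can only leave via the VLAN's default gateway (the
!    external firewall), which then applies its own policy.
interface vlan 100
  no ip routing
interface vlan 200
  no ip routing

! Caveat from post 8: 1-3 are all-or-nothing. If some flows between clients
! or between VLANs must still work, leave them off and put the restriction in
! a session ACL instead, where specific exceptions can sit above the deny:
ip access-list session no-peer-talk
  ! Example exception: let clients print to a queue on the same subnet.
  user host 10.100.0.50 tcp 9100 permit
  ! Deny everything else aimed at another client address, then allow the rest.
  user network 10.100.0.0 255.255.0.0 any deny
  user any any permit
!
user-role guest
  session-acl no-peer-talk

! Verify what is in force:
!   show firewall                   global flags, including deny-inter-user-bridging
!   show wlan virtual-ap guest-vap  per-VAP deny-inter-user-traffic
!   show rights guest               ACLs the role actually applies
!   show datapath session table     live sessions and which rule matched them
```

The difference in practice: with the blunt switches on, nothing in a role or ACL can re-permit a particular client-to-client or VLAN-to-VLAN flow, while with the ACL approach the same deny is expressed per role and exceptions are ordinary rules placed before it.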