Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to restrict traffic to the router mac address

  • 1.  How to restrict traffic to the router mac address

    Posted Mar 01, 2015 04:52 PM

    Hi,


    Is it possible to create a rule (with PEF-NG) to restrict the client traffic to a router MAC address?


    I already created a new MAC firewall policy (permitted my router MAC addresses there), stuck this policy onto a user role, added this user role to an AAA profile, and rejoined the wifi network with my client, but unfortunately (even if my client is in the new role) no traffic seems to flow through the air. (I do see hits in a "deny any any" filter in the firewall, but I couldn't find any "deny any any" filter in the role or profile :()


    Any suggestions?



  • 2.  RE: How to restrict traffic to the router mac address

    EMPLOYEE
    Posted Mar 01, 2015 04:57 PM
    Like a consumer router plugged into your network? 


    Thanks, 
    Tim


  • 3.  RE: How to restrict traffic to the router mac address

    Posted Mar 01, 2015 05:01 PM

    I'm not sure if I understand what you mean.


    We have APs of different vendors in the same VLANs. So the "deny interuser traffic" option on the Aruba controller is more or less useless. Therefore I'm looking for a different option to prevent inter-user traffic.


    Normally we set up an L2 filter so that a user is only able to communicate with the L2 address of our Cisco VSS cluster, and so that only packets from this cluster are forwarded to the user. All other traffic should be blocked / blackholed / thrown away.



  • 4.  RE: How to restrict traffic to the router mac address

    EMPLOYEE
    Posted Mar 01, 2015 05:36 PM

    If the APs are wired and L2 adjacent and the traffic is not passing through the controller, there's not much you can do, unfortunately.


    Can you set up management ACLs on the third-party APs themselves?



  • 5.  RE: How to restrict traffic to the router mac address

    Posted Mar 01, 2015 06:08 PM
    The traffic from the Aruba clients is passing through the controller. The traffic from the others is not. Does the Aruba controller really not offer any kind of possibility to restrict traffic from / to unauthorized sources / destinations being redirected from the controller? Yes, management ACLs on the APs are partially set up (only our really old Ciscos don't offer this possibility). But what scenario is being covered by the MAC filter in the firewall then?


  • 6.  RE: How to restrict traffic to the router mac address

    EMPLOYEE
    Posted Mar 01, 2015 07:46 PM

    Part of the problem is that the DST of a frame is not always the router's MAC but the client MAC address. So if the non-Aruba WLAN AP is L2 on the same network, from a traffic flow perspective you are going to see SRC and DST of the non-Aruba client to the Aruba client and not the MAC address of the non-Aruba AP (it's there because it's L2, but if it's all on the same L2, then everyone is on the same CAM table). So if that is the goal, it would be better to put the non-Aruba WLAN into a separate VLAN, or put the Aruba clients into their own VLAN. Ultimately though, if everything is L2, then you would have to write ACLs that block based on SRC/DST MAC address, which likely isn't feasible...


    IMHO I think your best options are to move the non-Aruba WLAN APs into their own VLAN. Get rid of the shared L2 between two disparate WLAN systems.



  • 7.  RE: How to restrict traffic to the router mac address

    Posted Mar 02, 2015 03:16 AM
    Oh, well I think we're talking past each other ... Sorry for that! From a traffic flow perspective one can distinguish two types of traffic: - src: client-mac, dst: router-mac; src: router-mac, dst: client-mac - src: client-mac, dst: NOT router-mac; src: NOT router-mac, dst: client-mac (for my definition client-mac isn't restricted to a specific accesspoint though) The only thing I want the aruba controller to do is that it should drop the traffic if the router-mac address is not in the dst nor in the src address field of a packet that is passing through it.. - Nothing else. (I'm aware of possible problems regarding multicast and IPv6 ND). A further separation of VLANs is - due to the large historical grown setup - a bit complicated. "Ultimately though if everything is L2, then you would have to write ACLS that block based on SRC/DST macaddr which likely isn't feasible..." -> why should that not be feasible? For HP gear it's an easy job to do it with a netfilter-like syntax. On gear of a second vendor I could setup a user-defined bridge that is working fine.