Contributor I

Public IP address listed as wired users in controller

Hi,

 

We have a couple of controllers running 6.5.4.6, with the following topology:

Switch----->controller1------>Router
    |
    |
Switch----->controller2------>Router

All the users are wired, but we noticed in the output of show user that there are public IP addresses:

 

show user | exclude 172.

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
64.233.184.128 04:25:c5:a5:a6:c3 AEROGUEST-LOGON-USERROLE 00:00:00 0/0/2 Wired AEROGUEST-AAAPROF tunnel
151.101.61.254 04:25:c5:a5:a6:c3 AEROGUEST-LOGON-USERROLE 00:00:00 0/0/2 Wired AEROGUEST-AAAPROF tunnel
157.240.1.54 04:25:c5:a5:a6:c3 AEROGUEST-LOGON-USERROLE 00:00:00 0/0/2 Wired AEROGUEST-AAAPROF tunnel
151.101.78.133 04:25:c5:a5:a6:c3 AEROGUEST-LOGON-USERROLE 00:00:00 0/0/2 Wired AEROGUEST-AAAPROF tunnel

This user list belongs to controller 1, and the MAC address 04:25:c5:a5:a6:c3 is the MAC of the router connected to controller 2.

 

VLAN configuration on the interfaces:

Interface towards the switch: 0/0/2

VLANs 100 and 101 as a trunk and untrusted; the rest of the VLANs are trusted but not permitted in the trunk.

Interface towards the router: 0/0/5

VLANs 100, 101 and 105 (management) configured as trusted and permitted in the trunk. No other VLANs are configured on this interface.

 

 

The question is, how is it possible to see public IP addresses as wired users in both controllers, with a source MAC address that belongs to the opposite router?

 

One thing that can cause this behavior is an STP problem in the switches: if there are topology changes, the switch flushes the MAC address table and forwards all frames out of all interfaces (flooding).

 

But does anybody know if there is some configuration in the controllers that could cause this behavior?

 

Thanks in advance

 

MVP Expert

Re: Public ip address listed as wired users in controller

I could be off with this, but if your traffic is going out Controller 1 / Router 1 and returns on Controller 2 / Router 2 it may show Router 1's MAC on controller 2 with the public IP of the server that Controller 1's client communicated to, if that makes sense. 

 

Like I said, I could be off on this, but I had a similar thing happen when I changed a GRE tunnel between controllers: all of a sudden a bunch of our servers showed up as clients, although they were not actually connected via wireless. The controller saw the conversation at a strange point, which then added them into the user table.

 

The best thing to do is modify your validuser-acl to only include your IP subnets or RFC1918 addressing and it should fix that problem regardless.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
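As an added example (not part of this thread or of ArubaOS), a small Python check that parses `show user` rows in the layout pasted above and flags the two things the reply is about: entries outside private address space, which a tightened validuser ACL would not have admitted, and a single MAC appearing with several IPs. The first two rows are from the post; the third row and its MAC are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of ArubaOS "show user" output; empty
# columns (Name, Auth, VPN link) are collapsed exactly as the forum paste shows.
SAMPLE_SHOW_USER = """\
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
64.233.184.128 04:25:c5:a5:a6:c3 AEROGUEST-LOGON-USERROLE 00:00:00 0/0/2 Wired AEROGUEST-AAAPROF tunnel
151.101.61.254 04:25:c5:a5:a6:c3 AEROGUEST-LOGON-USERROLE 00:00:00 0/0/2 Wired AEROGUEST-AAAPROF tunnel
172.16.20.15 a4:5e:60:11:22:33 AEROGUEST-LOGON-USERROLE 00:01:12 0/0/2 Wired AEROGUEST-AAAPROF tunnel
"""

# A data row starts with an IPv4 address followed by a colon-separated MAC;
# the "Users" title, column header and ruler lines do not match this.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s",
    re.IGNORECASE,
)


def parse_show_user(text):
    """Return (ip, mac) pairs for every data row in a show user dump."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("ip"), m.group("mac").lower()))
    return rows


def find_anomalies(text):
    """Flag user entries outside private space and MACs holding several IPs."""
    rows = parse_show_user(text)
    # ipaddress.is_private covers RFC1918 plus loopback, link-local and similar
    # reserved ranges, so anything left is a routable public address.
    public = [ip for ip, _ in rows if not ipaddress.ip_address(ip).is_private]
    by_mac = defaultdict(set)
    for ip, mac in rows:
        by_mac[mac].add(ip)
    multi = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"public_ips": public, "macs_with_multiple_ips": multi}


if __name__ == "__main__":
    for key, value in find_anomalies(SAMPLE_SHOW_USER).items():
        print(key, value)
```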
Contributor I

Re: Public ip address listed as wired users in controller

Hi,

 

Thanks for your reply. I don't believe what you mentioned is possible in this scenario; router 1 and router 2 have different public IP addresses.

 

My question was regarding the controller config, whether something could cause this behavior, but actually I don't think so. The most plausible explanation is an STP problem in the LAN.

 

Anyway, we have already applied an ACL in order to permit only private IP addresses.

 

Thanks for your help!
