Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP wired port: deny inter-user traffic with unmanaged switch connected

  • 1.  RAP wired port: deny inter-user traffic with unmanaged switch connected

    Posted Aug 02, 2015 09:19 AM

    Hi Guys,

    I need your assistance/advice.

    Environment:

    A3600 6.4.2.5 & RAP3WN units (deployed as RAP - IPsec)

    Now to my issue:

    I configured the RAP3WN unit's 0/1 port to be untrusted and to use 802.1X & MAC auth (L2 failover). I assigned AAA / tunnel mode / the same VLAN (1028) to all clients, and everything is working as expected (each client that passes 802.1X or MAC auth gets the same authenticated role).

    (SPI - Deny inter-user traffic enabled)

    BUT (now to my issue): when trying to ICMP or use the web GUI to a local printer (that is also connected to the switch) we are able to pass traffic :( even though inter-user traffic isn't allowed, and all the clients and the printer are connected to a switch that is connected to ETH 0/1 on the RAP.

    Please advise why?

    Please advise how I enforce it (something strange is that when I'm not allowing access based on the ACL that the client gets, ICMP still works... BUT the HTTP ACL, DHCP ACL and others do take effect).

    Waiting to hear your solution.


    Me.



  • 2.  RE: RAP wired port: deny inter-user traffic with unmanaged switch connected

    EMPLOYEE
    Posted Aug 02, 2015 09:21 AM
    Are they both wired on the same VLAN? Are they both connected to a switch?


  • 3.  RE: RAP wired port: deny inter-user traffic with unmanaged switch connected

    Posted Aug 02, 2015 09:30 AM

    Here you go (I made a quick diagram). *YES, THEY ARE CONNECTED TO A FLAT SWITCH - NOT MANAGED - and from it to the RAP untrusted port*

    Capture.PNG

    As far as I'm aware the clients shouldn't be able to ping each other or bypass traffic (because I enabled DENY inter-user traffic on the SPI, and the port isn't trusted).



  • 4.  RE: RAP wired port: deny inter-user traffic with unmanaged switch connected

    EMPLOYEE
    Posted Aug 02, 2015 09:34 AM
    The RAP firewall is not between your clients. On the same layer 2 subnet, traffic does not have to pass through the RAP, so it cannot be enforced. Policy would only be enforced on traffic that leaves the subnet.


  • 5.  RE: RAP wired port: deny inter-user traffic with unmanaged switch connected

    Posted Aug 02, 2015 09:37 AM

    But isn't all client traffic tunneled back to the controller?



  • 6.  RE: RAP wired port: deny inter-user traffic with unmanaged switch connected
    Best Answer

    EMPLOYEE
    Posted Aug 02, 2015 09:40 AM
    Wired traffic that talks directly to another device on a layer 2 switch... that traffic would not be tunneled back. The shortest path would be for a device to send an ARP on that switch and send traffic to it. The RAP would not even see the data from those transactions.
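    As an added illustration (not from the thread, and not HPE Aruba Networking's code), the toy Python model below reproduces the topology in the question: clients and the printer hang off an unmanaged switch whose uplink goes to the RAP's untrusted port. It shows why the SPI "deny inter-user traffic" rule is never hit for local traffic: the flat switch forwards those frames itself, and only frames that travel up the uplink are evaluated by the RAP. Host names, port names and the role set are constructed.

```python
from dataclasses import dataclass

RAP_UPLINK = "uplink-to-rap"   # constructed: switch port that leads to RAP Eth 0/1


@dataclass
class FlatSwitch:
    """Unmanaged switch: learns MAC -> port and forwards; it applies no policy."""
    port_of: dict          # host -> switch port (constructed topology)

    def egress_port(self, dst):
        # A locally learned destination is forwarded out its own port.
        # Anything else (gateway, remote hosts) is sent up toward the RAP.
        return self.port_of.get(dst, RAP_UPLINK)


@dataclass
class Rap:
    """The RAP's SPI firewall; it only sees frames that reach the RAP."""
    user_role_hosts: set   # hosts that passed 802.1X / MAC auth into the user role
    deny_inter_user: bool = True

    def permits(self, src, dst):
        both_users = src in self.user_role_hosts and dst in self.user_role_hosts
        return not (self.deny_inter_user and both_users)


def deliver(sw, rap, src, dst):
    """Return (delivered, rap_enforced) for a single frame src -> dst."""
    if sw.egress_port(dst) != RAP_UPLINK:
        return True, False          # switched locally; the RAP never sees it
    return rap.permits(src, dst), True


# Constructed topology: pc1, pc2 and the printer sit on the flat switch behind
# the RAP's untrusted port; pc3 is a user only reachable through the RAP tunnel.
SWITCH = FlatSwitch({"pc1": "p1", "pc2": "p2", "printer": "p3"})
RAP = Rap(user_role_hosts={"pc1", "pc2", "printer", "pc3"})

if __name__ == "__main__":
    for dst in ("printer", "pc2", "pc3"):
        ok, enforced = deliver(SWITCH, RAP, "pc1", dst)
        print(f"pc1 -> {dst}: delivered={ok} rap_enforced={enforced}")
```

    Moving the printer and clients onto their own RAP ports (or a managed switch with its own isolation feature) is what puts an enforcement point back into the path; the model's `pc3` case shows the rule working once traffic does reach the RAP.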


  • 7.  RE: RAP wired port: deny inter-user traffic with unmanaged switch connected

    Posted Aug 03, 2015 02:32 AM

    Thank you for the fast answer & the great info (I thought that when I'm connecting a "stupid" switch to the RAP Ethernet port, all traffic (even traffic between users) would still be tunneled back to the controller).

    Me.