10-01-2010 02:46 AM - edited 07-03-2021 07:14 PM
Hello,
I encounter the following issue regarding WLAN guest access.
I have a WiSM in a VSS context. I configured a Guest WLAN mapped to an L2 VLAN.
Even if this vlan is not routed, I can ping the management interface of the controller from the Guest SSID.
The "management via Wireless" checkbox is unchecked.
- The source MAC address of the ICMP reply is the WLC virtual interface MAC address.
- If I traceroute the WLC management interface, there is just one hop, which is directly the WLC management interface and not the guest VLAN gateway.
Does anybody know why guest users can ping the WLC management interface, and how to avoid this?
Thanks for any help.
Regards,
Cedric.
10-01-2010 03:19 AM
Hi Cedric,
I've no idea why this is happening but could it be prevented by using an Access List applied to the appropriate interface on the WiSM?
Regards,
Scott
10-01-2010 04:17 AM
Thanks for the reply,
I tried many ACLs applied on the guest and/or the management interface in order to deny the Guest subnet but... in vain.
- In some cases, the ACL is not matched
- In other cases, I observe matches but no change concerning the ping from the Guest VLAN.
Further information concerning the architecture:
We have a third-party gateway for the guest access which is connected to the controller through an L2 VLAN (mapped to the Guest WLAN).
When I ping the WLC management interface, the destination MAC address is the third-party gateway MAC address (normal) and the source MAC address of the ICMP reply is the WLC virtual interface MAC address...
When I do a traceroute, I don't understand why the first and only hop is the WLC management interface instead of the third-party gateway IP address while my ICMP request is destined to the third-party gateway MAC address...
I really don't understand what's happening!!
Cedric.
12-31-2011 09:01 AM
This is an old post but wanted to reply ...
I can confirm this with the 4400. It would appear, after my testing, that the traffic is entering through the guest interface and then to the management interface.
I will test a 5508 later this week to see if it too does the same.