WLAN Guest access can ping WLC Management interface

Unanswered Question
Oct 1st, 2010

Hello,

I encounter the following issue regarding WLAN guest access.

I have WiSM in a VSS context. I configured a Guest WLAN mapped on a L2 vlan.

Even if this vlan is not routed, I can ping the management interface of the controller from the Guest SSID.

The "management via Wireless" checkbox is unchecked.

- The source MAC address of the ICMP reply is the WLC virtual interface MAC address.

- If I traceroute the WLC management interface, There is just one hop wich is directly the WLC management interface and not the guest vlan gateway.

Do anybody knows why guest users can ping the WLC management interface ?? and how to avoid this ?

Thanks for any help.

Regards,

Cedric.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
scottwilliamson Fri, 10/01/2010 - 03:19

Hi Cedric,

I've no idea why this is happening but could it be prevented by using an Access List applied to the appropriate interface on the WiSM?

Regards,

Scott

cmadrolle Fri, 10/01/2010 - 04:17

Thanks for the reply,

I tried many ACLs applied on the guest and/or the management interface in order to deny the Guest subnet but... in vain.

- In some cases, the ACL is not matched

- In other cases, I observe matches but no change concerning the ping from the Guest VLAN.

Further information concerning achitecture :

We have a third party gateway for the guest access which is connected to the controller through a L2 VLAN (mapped to the Guest WLAN).

When I ping the WLC management interface, The destination MAC Address is the third party gateway Mac Address (normal) and the source MAC Address of the ICMP reply is the WLC virtual interface MAC address...

When I do a traceroute, I don't understand why the first and only hop is the WLC management interface instead of the third party Gateway IP address while my ICMP request is destined to the third party gateway MAC address...

I really don't understand what's happening !!

Cedric.

George Stefanick Sat, 12/31/2011 - 09:01

This is an old post but wanted to reply ...

I can confirm this with the 4400. It would appear after my testing the traffic is entering through the guest interface and then to the managment interface.

I will test a 5508 later this week to see if it to does the same.

Actions

Login or Register to take actions

This Discussion

Posted October 1, 2010 at 2:46 AM
Stats:
Replies:3 Avg. Rating:
Views:1729 Votes:0
Shares:0

Related Content

Discussions Leaderboard