WLAN Guest access can ping WLC Management interface

cmadrolle
Level 1

Hello,

I encounter the following issue regarding WLAN guest access.

I have WiSM in a VSS context. I configured a Guest WLAN mapped on a L2 vlan.

Even if this vlan is not routed, I can ping the management interface of the controller from the Guest SSID.

The "management via Wireless" checkbox is unchecked.

- The source MAC address of the ICMP reply is the WLC virtual interface MAC address.

- If I traceroute the WLC management interface, there is just one hop, which is directly the WLC management interface and not the guest VLAN gateway.

Does anybody know why guest users can ping the WLC management interface, and how to avoid this?

Thanks for any help.

Regards,

Cedric.

3 Replies

scottwilliamson
Level 2

Hi Cedric,

I've no idea why this is happening but could it be prevented by using an Access List applied to the appropriate interface on the WiSM?

Regards,

Scott

Thanks for the reply,

I tried many ACLs applied on the guest and/or the management interface in order to deny the Guest subnet but... in vain.

- In some cases, the ACL is not matched

- In other cases, I observe matches but no change concerning the ping from the Guest VLAN.

Further information concerning the architecture:

We have a third party gateway for the guest access which is connected to the controller through a L2 VLAN (mapped to the Guest WLAN).

When I ping the WLC management interface, the destination MAC address is the third-party gateway MAC address (normal) and the source MAC address of the ICMP reply is the WLC virtual interface MAC address...

When I do a traceroute, I don't understand why the first and only hop is the WLC management interface instead of the third-party gateway IP address, while my ICMP request is destined to the third-party gateway MAC address...

I really don't understand what's happening !!

Cedric.
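The two symptoms Cedric describes (ICMP echo replies coming back from the management address, and a traceroute whose first hop is the WLC itself rather than the guest VLAN gateway) can be turned into a repeatable guest-VLAN isolation check. The script below is an added example, not code from the thread or from Cisco: it parses the output of ordinary `ping` and `traceroute` runs captured from a guest client and reports whether the management plane is reachable. All addresses and the captured output are constructed placeholders; substitute the real management IP and guest gateway when running it against live captures.

```python
import re

# Constructed placeholder addresses (not from the thread).
WLC_MGMT_IP = "10.0.0.10"          # hypothetical WLC management interface
GUEST_GATEWAY_IP = "192.168.50.1"  # hypothetical third-party guest gateway

# Constructed captures reproducing the symptom from the thread:
# a single hop that is the management interface, and echo replies arriving.
TRACE_LEAKY = """traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 60 byte packets
 1  10.0.0.10 (10.0.0.10)  1.234 ms  1.101 ms  1.050 ms
"""
PING_LEAKY = """PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=1.10 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=64 time=1.02 ms

--- 10.0.0.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
"""
# Constructed healthy case: first hop is the guest gateway and nothing answers.
TRACE_OK = """traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 60 byte packets
 1  192.168.50.1 (192.168.50.1)  0.900 ms  0.850 ms  0.800 ms
 2  * * *
 3  * * *
"""
PING_OK = """PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.

--- 10.0.0.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1010ms
"""

# Hop line: "<n>  host (ip) ..." (default output), "<n>  ip ..." (-n) or "<n>  * * *".
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\((\d+(?:\.\d+){3})\)|(\d+(?:\.\d+){3})|\*)")
# Echo reply line as printed by Linux ping.
REPLY_RE = re.compile(r"^\d+ bytes from (\d+(?:\.\d+){3})", re.M)


def parse_traceroute(text):
    """Return an ordered list of (hop_number, responder_ip or None) from traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or something we do not recognise
        hops.append((int(m.group(1)), m.group(2) or m.group(3)))
    return hops


def ping_replies_from(text):
    """Return the set of source addresses that answered an ICMP echo request."""
    return set(REPLY_RE.findall(text))


def assess_isolation(trace_text, ping_text, mgmt_ip, guest_gw):
    """Evaluate whether a guest client can reach the WLC management plane.

    The findings mirror the thread's two symptoms: the management address
    answering pings, and the first traceroute hop being the WLC instead of
    the guest VLAN gateway (which indicates the controller answered the
    guest frame directly rather than it being routed).
    """
    hops = parse_traceroute(trace_text)
    first_hop = hops[0][1] if hops else None
    replies = ping_replies_from(ping_text)
    findings = {
        "first_hop": first_hop,
        "mgmt_answers_ping": mgmt_ip in replies,
        "first_hop_is_mgmt": first_hop == mgmt_ip,
        "first_hop_is_gateway": first_hop == guest_gw,
    }
    findings["isolated"] = not (findings["mgmt_answers_ping"] or findings["first_hop_is_mgmt"])
    return findings


if __name__ == "__main__":
    for label, trace, ping in (("leaky", TRACE_LEAKY, PING_LEAKY), ("ok", TRACE_OK, PING_OK)):
        print(label, assess_isolation(trace, ping, WLC_MGMT_IP, GUEST_GATEWAY_IP))
```

Running the check from a guest client after each ACL change (replace the constructed captures with `ping -c 2 <mgmt-ip>` and `traceroute <mgmt-ip>` output) gives a clear pass/fail for the isolation instead of eyeballing the MAC addresses; a result with `first_hop_is_mgmt` true while `first_hop_is_gateway` is false is exactly the bypass described above.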

This is an old post but wanted to reply ...

I can confirm this with the 4400. It would appear, after my testing, that the traffic is entering through the guest interface and then to the management interface.

I will test a 5508 later this week to see if it too does the same.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin