Hi Educause wifi:
We use a filter that only allows clients to "have" a valid IP address from
"our" range.
It's a bit of overhead, but it solves this issue for us. We also see
clients listed with addresses that really make no sense.
You build a list something like this:
netdestination umn-wiredv4-wireless-user-networks
network 10.128.0.0 255.224.0.0
network 10.160.0.0 255.240.0.0
network 192.168.157.0 255.255.255.192
network 10.32.253.128 255.255.255.128
network 10.33.9.0 255.255.255.0
description "wiredv4 service ip's for users"
Add it to validuser:
ip access-list session validuser
network 127.0.0.0 255.0.0.0 any any deny
network 169.254.0.0 255.255.0.0 any any deny
network 224.0.0.0 240.0.0.0 any any deny
host 255.255.255.255 any any deny
network 240.0.0.0 240.0.0.0 any any deny
alias umn-wiredv4-wireless-user-networks any any permit
any any any deny
Something similar is needed for V6.
/daniel/
daniel westacott
University of Minnesota
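As an added illustration (not code from this thread, from Aruba, or from the University of Minnesota), the following Python models the validuser session ACL above with the standard ipaddress module: the netdestination alias becomes a list of networks, the ACL is evaluated first-match in the order written, and a small audit function reports which user-table addresses would be rejected. It also parses rows of the "show datapath session" output quoted further down the thread and picks out those carrying the D (deny) flag. Assumptions: the datapath rows are joined onto one line each, the Destination column is always "tunnel <id>", and the Flags column may be empty; the user-table entries and MAC addresses are constructed sample data, with 23.185.0.1 taken from the thread.

```python
"""Added example, not code from the thread or from Aruba: model the validuser
session ACL with Python's ipaddress module, audit candidate client addresses
against it, and pick out deny-flagged rows from 'show datapath session' output."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# netdestination umn-wiredv4-wireless-user-networks, converted from dotted masks.
USER_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.128.0.0/11",      # network 10.128.0.0 255.224.0.0
    "10.160.0.0/12",      # network 10.160.0.0 255.240.0.0
    "192.168.157.0/26",   # network 192.168.157.0 255.255.255.192
    "10.32.253.128/25",   # network 10.32.253.128 255.255.255.128
    "10.33.9.0/24",       # network 10.33.9.0 255.255.255.0
)]

# ip access-list session validuser, in the order the controller evaluates it.
# A target of "alias" refers to USER_NETWORKS; "any" matches every address.
VALIDUSER_RULES: List[Tuple[str, str]] = [
    ("127.0.0.0/8", "deny"),          # loopback
    ("169.254.0.0/16", "deny"),       # link-local / APIPA
    ("224.0.0.0/4", "deny"),          # multicast
    ("255.255.255.255/32", "deny"),   # limited broadcast
    ("240.0.0.0/4", "deny"),          # reserved class E
    ("alias", "permit"),              # addresses we actually hand out
    ("any", "deny"),                  # everything else, e.g. a public IP
]


def evaluate_validuser(src_ip: str) -> Tuple[str, str]:
    """First-match evaluation of the ACL for one client source address.
    Returns (action, rule) so the caller can log which line fired."""
    addr = ipaddress.ip_address(src_ip)
    for target, action in VALIDUSER_RULES:
        if target == "any":
            return action, "any any any deny"
        if target == "alias":
            # ipaddress returns False for a v6 address in a v4 network, so a
            # v6 client falls through to the final deny, as the post notes.
            if any(addr in net for net in USER_NETWORKS):
                return action, "alias umn-wiredv4-wireless-user-networks"
            continue
        if addr in ipaddress.ip_network(target):
            return action, f"network {target}"
    return "deny", "implicit"   # unreachable while the "any" rule is last


def audit_user_table(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (client_ip, mac) pairs as seen in a user table, return the
    entries the ACL would deny, together with the rule that denied them."""
    denied = []
    for ip, mac in entries:
        action, rule = evaluate_validuser(ip)
        if action == "deny":
            denied.append((ip, mac, rule))
    return denied


def parse_datapath_session(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'show datapath session' row joined onto a single line
    (assumed layout). The Flags column is empty for some rows, so the
    field count decides whether a flags token is present."""
    tok = line.split()
    if len(tok) < 15 or tok[9] != "tunnel":
        return None
    flags = tok[14] if len(tok) == 16 else ""
    return {"src": tok[0], "dst": tok[1], "proto": tok[2], "sport": tok[3],
            "dport": tok[4], "tunnel": tok[10], "flags": flags, "cpu": tok[-1]}


def denied_sessions(output: str) -> List[Dict[str, str]]:
    """Rows carrying the D (deny) flag, the symptom reported in the thread."""
    rows = (parse_datapath_session(ln) for ln in output.splitlines())
    return [r for r in rows if r and "D" in r["flags"]]


# Constructed sample user table: one address from the hand-out range, one
# APIPA address, and one client claiming the denison.edu address from the thread.
SAMPLE_USER_TABLE = [
    ("10.128.4.17", "aa:bb:cc:00:00:01"),
    ("169.254.33.9", "aa:bb:cc:00:00:02"),
    ("23.185.0.1", "aa:bb:cc:00:00:03"),
]

# Three rows in the style of the quoted output, joined onto one line each (constructed layout).
SAMPLE_DATAPATH = """\
10.143.203.26 35.186.224.25 6 52082 443 0/0 0 0 0 tunnel 640 1 0 0 FDYCA 21
172.16.126.143 35.186.224.25 6 65364 443 0/0 0 24 0 tunnel 1718 1a 29 3592 TC 26
35.186.224.25 172.16.122.193 6 443 58612 0/0 0 24 3 tunnel 2306 a5 69 11747 17
"""

if __name__ == "__main__":
    for ip, mac, rule in audit_user_table(SAMPLE_USER_TABLE):
        print(f"deny {ip} ({mac}) by {rule}")
    for row in denied_sessions(SAMPLE_DATAPATH):
        print(f"denied session {row['src']} -> {row['dst']}:{row['dport']} flags={row['flags']}")
```

Run as a script it lists the two user-table entries the ACL rejects (the APIPA address and the one claiming a public IP) and the single deny-flagged session. The point of evaluating the rules in order is that the bogon denies sit before the alias permit, so the permit can never be widened by accident when the alias is edited.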
On Tue, Sep 7, 2021 at 11:04 AM Sidharth Nandury <[email protected]>
wrote:
> So..... sigh!
>
> It seems like an end client either statically or for some unknown reason
> got assigned the IP address for these websites. The role that the client
> was assigned had a policy to "deny" traffic to the internet (as per
> design). The part that we did not know was that when a client is going to a
> particular destination, the controllers look at the user table to see if
> there is an IP and a route available before even going to the role-based
> ACLs.
>
> Once we blacklisted the client or deleted the client from the user-table,
> the websites were accessible again.
>
> Sid
>
> On Tue, Sep 7, 2021 at 11:29 AM Norman Mourtada <[email protected]>
> wrote:
>
>> With 8.6.0.9, no issues.
>>
>> (Aruba7220-MC-05) *#show datapath session | include 35.186.224.25
>> 35.186.224.25 172.16.122.193 6 443 58612 0/0 0 24 3 tunnel 2306 a5 69 11747 17
>> 172.16.126.143 35.186.224.25 6 65364 443 0/0 0 24 0 tunnel 1718 1a 29 3592 TC 26
>> 172.18.91.115 35.186.224.25 6 56982 443 0/0 0 0 0 tunnel 1102 505 145 24120 C 29
>> 172.16.174.33 35.186.224.25 6 54373 443 0/0 0 24 0 tunnel 2773 6da 9576 1018764 TC 21
>> 35.186.224.25 172.16.166.198 6 443 60052 0/0 0 24 1 tunnel 133 de 371 269692 31
>> 172.16.172.51 35.186.224.25 6 63940 443 0/0 0 24 3 tunnel 862 5c 17 2849 TC 30
>> 172.19.90.133 35.186.224.25 6 54371 443 0/0 0 24 0 tunnel 1509 890 161 33426 TC 18
>> 172.19.91.45 35.186.224.25 6 62292 443 0/0 0 24 2 tunnel 1630 4d 14 2502 TC 27
>> 35.186.224.25 172.16.166.198 6 443 60050 0/0 0 24 14 tunnel 133 de 24 8727 31
>> 172.16.176.74 35.186.224.25 6 58973 443 0/0 0 24 2 tunnel 1964 236 35 5322 TC 16
>> 172.16.176.193 35.186.224.25 6 61015 443 0/0 0 24 1 tunnel 2160 10 44 15853 FTC 20
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Dan Oachs
>> Sent: Tuesday, September 7, 2021 10:59 AM
>> To: [email protected]
>> Subject: [EXTERNAL] Re: [WIRELESS-LAN] Websites inaccessible from wireless network - Aruba
>>
>> Not seeing that issue here. We are on 8.7.1.4
>>
>> (aruba-controller-1) #show datapath session | include 35.186.224.25
>> 35.186.224.25 138.236.104.67 6 443 64918 0/0 0 1 1 tunnel 6347 3cc 307 50335 15
>> 138.236.82.47 35.186.224.25 6 57491 443 0/0 0 0 4 tunnel 5540 382 179 117595 C 30
>> 35.186.224.25 138.236.248.10 6 443 54342 0/0 0 1 1 tunnel 972 e 209 16359 23
>> 35.186.224.25 138.236.82.47 6 443 57491 0/0 0 1 4 tunnel 5540 382 189 45940 30
>> 138.236.104.67 35.186.224.25 6 64918 443 0/0 0 0 1 tunnel 6347 3cd 345 38357 C 29
>> 35.186.224.25 138.236.232.120 6 443 61505 0/0 0 1 0 tunnel 7052 c 151 49165 22
>> 138.236.250.85 35.186.224.25 6 54833 443 0/0 0 0 1 tunnel 2686 1a 57 16206 C 27
>> 35.186.224.25 138.236.251.120 6 443 51735 0/0 0 1 1 tunnel 7060 8 29 3140 F 13
>> 138.236.250.85 35.186.224.25 6 54834 443 0/0 0 0 2 tunnel 2686 18 152 179792 C 27
>>
>> --Dan
>>
>> On Tue, Sep 7, 2021 at 9:40 AM Sidharth Nandury <[email protected]>
>> wrote:
>>
>> Hi All,
>>
>> Since last Monday we have seen a couple of different websites being
>> blocked on our Aruba wireless controllers. Spotify has been one of the
>> sites, as well as all websites hosted on IP 23.185.0.1 (which is our main
>> institution website - denison.edu). We can confirm that this is being
>> blocked as we see the "D" (Deny) Flag on the wireless controller. Below is
>> an example of traffic being blocked to Spotify. Is anyone using Aruba AOS 8
>> controllers seeing this?
>>
>> (wlc-Thor) #show datapath session | include 35.186.224.25
>> Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags CPU ID
>> ----------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------- ---------- --------------- -------
>> 10.143.203.26 35.186.224.25 6 52082 443 0/0 0 0 0 tunnel 640 1 0 0 FDYCA 21
>> 10.143.195.85 35.186.224.25 6 59767 443 0/0 0 0 0 tunnel 5357 0 0 0 FDYCA 27
>> 10.143.225.178 35.186.224.25 6 52292 443 0/0 0 0 0 tunnel 6753 1 0 0 FDYCA 19
>> 10.143.195.85 35.186.224.25 6 59766 443 0/0 0 0 0 tunnel 5357 1 0 0 FDYCA 27
>>
>> (wlc-Thor) #show datapath session | include 23.185.0.1
>> 10.143.228.16 23.185.0.1 6 59500 443 0/0 0 0 0 tunnel 16789 a 0 0 FDYCA 18
>> 10.143.244.151 23.185.0.1 6 58758 443 0/0 0 0 0 tunnel 553 1 0 0 FDYCA 23
>> 10.143.228.247 23.185.0.1 6 59063 443 0/0 0 0 0 tunnel 13188 a 6 384 FDYCA 27
>> 10.143.228.247 23.185.0.1 6 59062 443 0/0 0 0 0 tunnel 13188 a 6 384 FDYCA 27
>> 10.143.196.26 23.185.0.1 6 50851 443 0/0 0 0 0 tunnel 5631 1 0 0 FDYCA 17
>> 10.143.196.26 23.185.0.1 6 50852 443 0/0 0 0 0 tunnel 5631 1 0 0 FDYCA 17
>> 10.143.196.26 23.185.0.1 6 50853 443 0/0 0 0 0 tunnel 5631 1 0 0 FDYCA 17
>>
>> We have two 7240xm controllers running AOS v8.6.9 in a cluster with a
>> Mobility Conductor as a VM. We have a ticket open with TAC and have
>> escalated it up to ERT, but wanted to also reach out to others.
>>
>> Thank you.
>>
>> Sid
>
> --
>
> Sidharth S. Nandury
> (He, Him, His)
> Infrastructure and Operations Manager
> Information Technology Services
> Denison University <https://denison.edu>
> 100 West College Street, Granville, OH 43023 | Burton Hall <https://denison.edu/map>
> Office: 740-587-5533 | Mobile: 516-314-4413
> [email protected]
> https://denison.edu/campus/technology/service-desk
>
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional participation
and subscription information can be found at https://www.educause.edu/community