IP scan from within Guest SSID / VLAN shows reply from AP's native VLAN devices

  • Updated 5 months ago
Hi All,

Yesterday I discovered the following on a wireless implementation project:

Switches with VLANs:
10 - Data network (IP subnet
900 - Guest network (layer 2 only on switch, gateway = firewall) (IP subnet

Aerohive APs are connected to an HP switch in VLAN 10 (native), and VLAN 900 is tagged on the switchport interface (in Cisco terms: trunk port with native VLAN 10).

The situation:
When I connect to the guest network and run Advanced IP Scanner to scan IP subnet, I get replies from all the active IPs / devices in the DATA-VLAN!?

So today I tested the same thing from another customer, and I was able to scan the devices on the native VLAN the APs reside in.

The question
Is this a known issue? (Because searching this community gave me 11323 results on my search query... that's gonna take a while to see if there's a similar issue.)
And is there a solution for the problem?

Many thanks,

Joep van den Heuvel


Posted 1 year ago


Joel Brooks

Sounds like the AP firewall isn't set up correctly. Is there even an ACL configured for Guest?

Jonas Dekkers

Did you disable inter-station traffic?

Do you use HiveManager NG or HiveManager 6?

If you look at the monitor, is the client in the right VLAN?

Luke Harris

While both suggestions above are correct, I would also suggest reviewing your VLAN setup to ensure proper boundaries between clients. It is also good practice to set up your APs on a separate management VLAN and then tag any VLANs you require on that port. Segmentation of your network is the best way to ensure security and improve performance.
KMD


Oddly, I am having the same issue. I can't ping, or tracert, but I can see all domain machines from the guest SSID utilizing Advanced IP Scanner. Support says the IP Firewall uses Layer 7, and the scanner must use a different Layer. What? Was this resolved, Joep?
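
Added example, not part of any post in this thread: a repeatable acceptance check for the guest SSID that classifies the live hosts seen from a guest client by VLAN and reports every responder the guest should not reach, covering both the data VLAN exposure in the question and the inter-station traffic setting raised in the replies. The subnets, gateway address and CSV column names are assumptions made for the example; the thread's real subnets were not preserved, and the CSV is not the Advanced IP Scanner export format.

```python
import csv
import io
import ipaddress

# Assumed addressing (constructed): the thread's subnets are not on the page.
VLANS = {
    10: ipaddress.ip_network("10.0.10.0/24"),   # data network / AP native VLAN
    900: ipaddress.ip_network("10.0.90.0/24"),  # guest network
}
GUEST_VLAN = 900
GUEST_GATEWAY = ipaddress.ip_address("10.0.90.1")  # firewall, the one host guests need

# Constructed scan result, as recorded from a client on the guest SSID.
SAMPLE_SCAN = """ip,status
10.0.90.1,alive
10.0.90.57,alive
10.0.10.20,alive
10.0.10.31,alive
10.0.10.99,dead
192.0.2.8,alive
"""

def vlan_of(addr):
    """Return the VLAN id whose subnet contains addr, or None if unknown."""
    for vlan_id, net in VLANS.items():
        if addr in net:
            return vlan_id
    return None

def isolation_findings(scan_csv):
    """List (ip, vlan, reason) for each live responder a guest should not reach."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["status"].strip().lower() != "alive":
            continue
        addr = ipaddress.ip_address(row["ip"].strip())
        vlan = vlan_of(addr)
        if addr == GUEST_GATEWAY or vlan is None:
            continue  # gateway is expected; unknown subnets are out of scope here
        if vlan == GUEST_VLAN:
            findings.append((str(addr), vlan, "guest-to-guest (inter-station traffic)"))
        else:
            findings.append((str(addr), vlan, "guest reached internal VLAN"))
    return findings

if __name__ == "__main__":
    for ip, vlan, reason in isolation_findings(SAMPLE_SCAN):
        print(f"FAIL {ip} VLAN {vlan}: {reason}")
```

Re-running the same scan after each AP firewall or VLAN change and expecting an empty findings list turns the one-off observation into a regression test.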