IP scan from within Guest SSID / VLAN shows reply from AP's native VLAN devices

Hi All,

Yesterday I discovered the following on a wireless implementation project:

Setup:
Switches with VLANs:
10 - Data network (IP subnet 10.10.10.0/24)
900 - Guest network (layer 2 only on the switch, gateway = firewall) (IP subnet 192.168.1.0/24)

Aerohive APs are connected to the HP switch in VLAN 10 (native), and VLAN 900 is tagged on the switchport interface (in Cisco terms: a trunk port with native VLAN 10).

The situation:
When I connect to the guest network and run Advanced IP Scanner to scan IP subnet 10.10.10.0/24, I get replies from all the active IPs/devices in the data VLAN!?

So today I tested the same thing at another customer, and I was able to scan the devices on the native VLAN the APs reside in.

The question:
Is this a known issue? (Searching this community gave me 11323 results for my search query... that's going to take a while to check whether there's a similar issue.)
And is there a solution for the problem?

Many thanks,
Joep
Joep van den Heuvel

Posted 1 year ago

Joel Brooks

Sounds like the AP firewall isn't set up correctly. Is there even an ACL configured for Guest?
Jonas Dekkers

Did you disable Inter-station traffic?

Do you use Hivemanager NG or Hivemanager 6?

If you look at the monitor, is the client in the right VLAN?
Luke Harris

While both suggestions above are correct, I would also suggest reviewing your VLAN setup to ensure proper boundaries between clients. It is also good practice to set up your APs on a separate management VLAN and then tag any VLANs you require on that port. Segmentation of your network is the best way to ensure security and improve performance.
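One way to make the checks in this thread repeatable, as an added example that is not part of the original thread and not an Aerohive or HiveManager feature: the Python script below first audits the AP uplink as described in the question (native VLAN 10 carrying data, VLAN 900 tagged) against the dedicated-management-VLAN layout suggested above, and then classifies hosts that answered a scan from a guest client as in-segment, a layer-2 leak (the guest client could resolve the host's MAC directly, so the guest SSID is not isolated in its own broadcast domain) or a layer-3 leak (the host was reached through the gateway, so it is the firewall or AP policy that let the traffic through). The management VLAN number 100, the SSID names, the MAC addresses, the neighbour-table lines and the list of responding hosts are all constructed for illustration.

```python
"""Added example, not from the thread: offline checks for a guest SSID that can
see hosts in the AP's native VLAN.  Every input value below is constructed."""
import ipaddress
import re

# Constructed to mirror the question: native VLAN 10 (data), VLAN 900 tagged,
# one SSID per VLAN.  The management VLAN number is a hypothetical choice.
AP_PORT = {"native": 10, "tagged": [900]}
SSID_VLANS = {"Corp": 10, "Guest": 900}
MGMT_VLAN = 100


def audit_ap_port(port, ssid_vlans, mgmt_vlan):
    """Report VLAN-boundary problems on an AP uplink (trunk) port.

    Every VLAN carried on the port (native plus tagged) is reachable from the
    AP, so a VLAN that no SSID or management use needs is pure exposure, and a
    native VLAN that doubles as a client VLAN receives every untagged frame the
    AP emits.
    """
    findings = []
    carried = {port["native"], *port["tagged"]}
    needed = set(ssid_vlans.values()) | {mgmt_vlan}
    if port["native"] != mgmt_vlan:
        findings.append(
            f"native VLAN {port['native']} is not the dedicated management VLAN {mgmt_vlan}")
    if port["native"] in ssid_vlans.values():
        findings.append(
            f"native VLAN {port['native']} is also a client VLAN; untagged frames from the AP land in it")
    for vlan in sorted(carried - needed):
        findings.append(f"VLAN {vlan} is carried to the AP but no SSID or management use needs it")
    return findings


# Constructed `ip neigh show` output from a guest client (192.168.1.0/24) after
# scanning 10.10.10.0/24.  An entry with a MAC for an address outside the guest
# subnet means the client exchanged ARP with that host on the guest interface.
NEIGH_OUTPUT = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.57 dev wlan0 lladdr 00:11:22:33:44:02 STALE
10.10.10.5 dev wlan0 lladdr 00:11:22:33:44:10 REACHABLE
10.10.10.20 dev wlan0 lladdr 00:11:22:33:44:11 STALE
10.10.10.99 dev wlan0 FAILED
"""

# Constructed list of hosts that answered the scan (ICMP, TCP or ARP).
RESPONDERS = ["192.168.1.57", "10.10.10.5", "10.10.10.20", "10.10.10.40"]


def parse_neigh(text):
    """Map each address in `ip neigh show` output to its MAC, or None when the
    entry is FAILED/INCOMPLETE (no lladdr field)."""
    table = {}
    for line in text.splitlines():
        match = re.match(r"(\S+) dev (\S+)(?: lladdr (\S+))?", line)
        if match:
            table[match.group(1)] = match.group(3)
    return table


def classify_hosts(local_cidr, responders, neigh_text):
    """Classify scan responders seen from the guest client.

    in-segment : inside the guest subnet, expected
    l2-leak    : outside the subnet but resolved to a MAC on the guest
                 interface, i.e. the guest VLAN shares a broadcast domain
                 with the data VLAN (tagging/native-VLAN problem)
    l3-leak    : outside the subnet and no MAC, i.e. reached via the gateway,
                 so the firewall or AP policy permitted the traffic
    """
    local = ipaddress.ip_network(local_cidr)
    neigh = parse_neigh(neigh_text)
    verdicts = {}
    for host in responders:
        if ipaddress.ip_address(host) in local:
            verdicts[host] = "in-segment"
        elif neigh.get(host):
            verdicts[host] = "l2-leak"
        else:
            verdicts[host] = "l3-leak"
    return verdicts


if __name__ == "__main__":
    for finding in audit_ap_port(AP_PORT, SSID_VLANS, MGMT_VLAN):
        print("port:", finding)
    for host, verdict in classify_hosts("192.168.1.0/24", RESPONDERS, NEIGH_OUTPUT).items():
        print(f"{host:15} {verdict}")
```

To feed it real data, dump the neighbour table on the guest client right after the scan (`ip neigh show` on Linux, `arp -a` on Windows), or force the question with `arping -I wlan0 10.10.10.5`: an ARP reply from a data-VLAN host shows the two VLANs share a broadcast domain and no AP firewall rule will fix that, while a host that only answers ICMP or TCP was reached through the gateway and is a policy problem on the firewall or the AP.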
KMD

Oddly, I am having the same issue. I can't ping or tracert, but I can see all domain machines from the guest SSID using Advanced IP Scanner. Support says the IP firewall uses Layer 7, and the scanner must use a different layer. What? Was this resolved, Joep?
Thanks