How to block traffic between users (L2 and L3)
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Blocking traffic between users on both layer 2 and layer 3 must be completed in two steps.
1. Layer 2 traffic - to block this traffic we prevent bridging of user traffic on the controller. This feature exists to mitigate issues with layer 2 LAN protocols (AppleTalk, NetBEUI, etc.).
Command: firewall deny-inter-user-bridging
Caveat: this command only prevents bridging on an individual controller, not between users on different controllers.
2. Layer 3 traffic - to block this traffic, firewall policies must be configured and applied. Here is an example that blocks all user traffic destined to the same subnet (10.0.0.0/24), with the exception of traffic to the two hosts 10.0.0.1 and 10.0.0.2 and to the controller:
!**** example ****
netdestination "User-Subnet"
! 255.255.255.0 is the /24 described above; 255.0.0.0 would match all of 10.0.0.0/8
  network 10.0.0.0 255.255.255.0
!
netdestination "allowed-hosts"
  host 10.0.0.1
  host 10.0.0.2
!
! rules are evaluated first-match, so the permits must come before the deny
ip access-list session block-inter-user
  user alias mswitch any permit
  user alias allowed-hosts any permit
  user alias User-Subnet any deny
  user any any permit
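The following is an added example, not part of this article or of ArubaOS: a small first-match model of the block-inter-user policy above that lets you verify the verdict for representative destinations before applying the role, and shows why the rule order matters. The controller address 10.0.0.254 standing in for the built-in mswitch alias is a constructed value.

```python
import ipaddress

# Constructed stand-in for the controller's own address (the built-in
# "mswitch" alias resolves to this automatically on a real controller).
CONTROLLER_IPS = [ipaddress.ip_address("10.0.0.254")]

# The netdestination aliases from the article, expanded to networks.
# 255.255.255.0 is the /24 the article describes.
NETDESTINATIONS = {
    "mswitch": [ipaddress.ip_network(f"{ip}/32") for ip in CONTROLLER_IPS],
    "allowed-hosts": [ipaddress.ip_network("10.0.0.1/32"),
                      ipaddress.ip_network("10.0.0.2/32")],
    "User-Subnet": [ipaddress.ip_network("10.0.0.0/24")],
}

# ip access-list session block-inter-user, in configured order:
# (source, destination alias or "any", action). Every packet evaluated
# here originates from a user, so only the destination is matched.
ACL = [
    ("user", "mswitch", "permit"),
    ("user", "allowed-hosts", "permit"),
    ("user", "User-Subnet", "deny"),
    ("user", "any", "permit"),
]

# Deliberately wrong order: the subnet deny placed first swallows the
# host exceptions, because session ACLs stop at the first matching rule.
MISORDERED_ACL = [ACL[2], ACL[0], ACL[1], ACL[3]]


def matches(dst_alias, dst_ip):
    """True if dst_ip lies in any network of the alias ("any" always matches)."""
    if dst_alias == "any":
        return True
    return any(dst_ip in net for net in NETDESTINATIONS[dst_alias])


def evaluate(dst, acl=ACL):
    """First-match verdict ("permit"/"deny") for a user packet sent to dst."""
    dst_ip = ipaddress.ip_address(dst)
    for _src, dst_alias, action in acl:
        if matches(dst_alias, dst_ip):
            return action
    return "deny"  # session ACLs end with an implicit deny


def check_policy(acl=ACL):
    """Verdicts for the exceptions, a peer on the subnet, the controller, and an off-subnet host."""
    return {dst: evaluate(dst, acl) for dst in
            ("10.0.0.1", "10.0.0.2", "10.0.0.50", "10.0.0.254", "192.0.2.10")}
```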