Question: How do I stop clients on different VLANs that are connected to the same Instant AP from talking to each other?
An Instant AP, whether as an individual AP or as part of an Instant cluster, works at Layer 2 and acts as an extension of the wired L2 switch. You would therefore need an L3 switch or a router upstream from the VC clusters, where the client default gateway resides and routes the traffic.
However, to ease inter-VLAN communication, Instant AP comes with a "Deny local routing" feature (disabled by default). While it is disabled, the IAP routes traffic between clients that are connected to the same IAP or are on the same Instant network.
Environment: This article applies to Aruba Instant Access Points running InstantOS version 126.96.36.199-188.8.131.52 or later.
The "Deny local routing" option is disabled by default. When it is disabled, two wireless clients connected to the same IAP are allowed to communicate, with the traffic routed locally on the IAP.
If the "Deny local routing" feature is enabled, local routing is denied and the traffic has to reach an external router or firewall for routing.
To enable "deny local routing" in Instant AP, follow these steps:
1. Log in to the Instant AP web interface.
2. Click "System" in the top menu.
3. In the System pop-up window, click "Show advanced options".
4. In the list of features, locate "Deny local routing" and select Enabled from the dropdown.
The following figure shows the "Deny local routing" feature in the "System" pop-up menu.