What is "disable-auto-topology-rules" option with Aruba instant ?
By default, IAPs listened on all interfaces, including Wi-Fi interfaces, for PAPI messages. Previously, automatic firewall rules were added to permit PAPI, which would override any user-configured firewall rules that attempted to block PAPI.
From 4.1.3.x and 4.2.3.x a new firewall configuration option has been added
# firewall (firewall)# disable-auto-topology-rules
When this option is enabled, the automatic firewall rules that permit PAPI will not be added. This allows an administrator to configure specific firewall rules for UDP 8209/8211 to control the source of PAPI messages. Aruba recommends limiting PAPI traffic to only IP subnets where other IAP cluster members reside.
This firewall rules needs to be configured under security --> inbound-firewall . Example if the IAP cluster resides in 10.1.1.x subnet we need the following rules
rule 10.1.1.0 255.255.255.0 any any match udp 8209 8209 permit
rule 10.1.1.0 255.255.255.0 any any match udp 8211 8211 permit
rule any any any any match udp 8209 8209 deny
rule any any any any match udp 8211 8211 deny
Please note the option to enable "disable-auto-topology-rules" is available only in CLI