Controllerless Networks



How to deny broadcast/multicast between IAP

  • 1.  How to deny broadcast/multicast between IAP

    Posted Oct 25, 2016 07:48 AM

    Hello

    We have an Instant AP cluster with 120 APs and we want to deny Layer 2 broadcast and multicast between clients on different APs. As I understand it, enabling "deny inter user bridging" only denies L2 traffic between clients on the same AP, but what can we do to deny traffic between different APs if we are using an Instant AP cluster, not the controller solution?

    On Layer 3 it's easily done by access rules, but what about Layer 2 traffic?


    Aruba instant

    version 6.4.4.8-4.2.4.2_56164



  • 2.  RE: How to deny broadcast/multicast between IAP

    EMPLOYEE
    Posted Oct 25, 2016 08:59 AM

    Edit the SSID.  Under Advanced, turn on Broadcast Filter ARP for all of your SSIDs.



  • 3.  RE: How to deny broadcast/multicast between IAP

    Posted Oct 26, 2016 02:00 AM

    Thanks for the reply! This setting does not help. My problem is between APs in the same SSID: I can see the MAC addresses of clients on other APs in the same SSID.

    Like if 2 clients are connected to the same SSID on AP A and 2 others are connected to the same SSID on AP B, then the A and B clients can see each other's MAC addresses. Every client can see two MAC addresses in the ARP table.

    Access points are connected together with L2 switches. Can I even fix that with this kind of design?



  • 4.  RE: How to deny broadcast/multicast between IAP

    EMPLOYEE
    Posted Oct 26, 2016 05:14 AM

    In that case, you would use "Deny Inter User Bridging" under the Advanced Section of the SSID.



  • 5.  RE: How to deny broadcast/multicast between IAP

    Posted Oct 26, 2016 05:41 AM

    Yes, but as I mentioned in my first post, deny inter user bridging only denies client communication inside one AP, not between clients on different APs (same SSID).


    Currently if I send an ARP request to each IP on the subnet I get back answers from all the clients which are not connected to the same AP from where I did the request, ergo getting IP and MAC addresses from all the active clients, which is a security issue!

    With the broadcast filter the APs are converting ARP requests to unicast, but whatever I do I still get answers from clients who are not on the same AP. Ergo, how can I deny all L2 traffic between clients? Basically I only need ARP requests to reach the DHCP server, nowhere else.



  • 6.  RE: How to deny broadcast/multicast between IAP

    EMPLOYEE
    Posted Oct 26, 2016 05:44 AM

    Under Access, Create a network rule that blocks traffic from users to the subnet that users are on.

    Screenshot 2016-10-26 at 04.46.15.png



  • 7.  RE: How to deny broadcast/multicast between IAP

    Posted Oct 26, 2016 05:47 AM

    I have done that. But Access Rules are only blocking Layer 3 traffic. How can I deny clients from sending ARP requests, which is Layer 2 traffic?



  • 8.  RE: How to deny broadcast/multicast between IAP

    EMPLOYEE
    Posted Oct 26, 2016 05:49 AM

    I don't know how that would be accomplished.



  • 9.  RE: How to deny broadcast/multicast between IAP

    Posted Oct 26, 2016 05:57 AM

    Is it a design error of the Instant access point solution with virtual controller? If we go over to the controller version, can we accomplish this with the controller?

    I know that the Juniper controller is able to make an ACL to deny L2 traffic based on MAC address. In the Juniper controller I can make a rule to deny all Layer 2 traffic except the DHCP MAC address and the problem is solved.



  • 10.  RE: How to deny broadcast/multicast between IAP

    EMPLOYEE
    Posted Oct 26, 2016 06:01 AM

    You should open a case with TAC and see if that feature exists the way you need it.  Instant is not an exact copy of a controller-based environment.



  • 11.  RE: How to deny broadcast/multicast between IAP

    Posted Nov 02, 2016 05:19 AM

    Hi,


    I got a response from TAC that I was right: it is not possible to deny L2 traffic between clients on different APs with an IAP cluster. It can be done only with the controller. We will make a request for a future enhancement. We should be able to make an ACL to deny client L2 traffic going out from any AP.

    It shouldn't be too hard to code, I think.



  • 12.  RE: How to deny broadcast/multicast between IAP

    Posted Nov 08, 2016 06:56 AM


  • 13.  RE: How to deny broadcast/multicast between IAP

    Posted Jan 20, 2018 11:00 PM

    I am facing the same issues too. The isolation of clients works fine within a WAP; however, between two WAPs it doesn't. This issue can be seen even in the latest IAP firmware 6.5.4.4.


    Please let us know if there is a solution for this problem.


    Regards,

    Shiva



  • 14.  RE: How to deny broadcast/multicast between IAP

    Posted Feb 03, 2020 06:15 AM

    I believe starting from 8.5 we can use the Deny Intra-VLAN Traffic feature. The Deny Intra-VLAN Traffic feature isolates clients from one another and disables all communication between peers in the VLAN network. Enabling this feature disables all peer-to-peer communication and only allows traffic from a client to the gateway and whitelisted servers to flow in the network. All other traffic will be dropped by the Instant AP.


    For servers to serve the network they must be added to the Intra-VLAN Traffic Whitelist table. The Intra-VLAN Traffic Whitelist is a global whitelist for all WLAN SSIDs and wired networks configured with the feature.

    Deny Intra-VLAN traffic.PNG
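The difference between the two settings discussed in this thread (per-AP "Deny Inter User Bridging" in post 5 versus the whitelist-based "Deny Intra-VLAN Traffic" in post 14) can be made concrete with a small forwarding model. The following is an added illustration, not Aruba's code or configuration; the topology, MAC addresses and policy names are constructed, and the model deliberately ignores ARP-to-unicast conversion and wired-side switching details.

```python
"""Toy model of two client-isolation policies on a shared L2 VLAN.

Added example: a simplification for teaching, not Aruba's implementation.
Two APs hang off one L2 switch; the gateway and DHCP server sit on the wire.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology (all MACs are made up).
AP_CLIENTS = {
    "AP-A": {"02:00:00:00:00:a1", "02:00:00:00:00:a2"},
    "AP-B": {"02:00:00:00:00:b1"},
}
GATEWAY_MAC = "02:00:00:00:00:fe"
DHCP_MAC = "02:00:00:00:00:fd"
WIRED_HOSTS = {GATEWAY_MAC, DHCP_MAC}
# Intra-VLAN whitelist: gateway plus servers that must stay reachable.
WHITELIST = {GATEWAY_MAC, DHCP_MAC}


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def ap_of(mac: str):
    """AP serving this client MAC, or None for a wired host."""
    return next((ap for ap, cl in AP_CLIENTS.items() if mac in cl), None)


def deliver(frame: Frame, policy: str) -> set:
    """Return the MACs that actually receive `frame` under `policy`.

    inter_user_bridging_deny: only the ingress AP filters, and only for
      peers on that same AP; everything else hits the switch and is
      delivered by the other APs, which cannot tell it came from a client.
    intra_vlan_deny: every client-originated frame is dropped unless the
      receiver is whitelisted, so cross-AP peers are unreachable too.
    """
    if policy not in ("inter_user_bridging_deny", "intra_vlan_deny"):
        raise ValueError(f"unknown policy {policy!r}")
    src_ap = ap_of(frame.src)
    if frame.dst == BROADCAST:
        targets = set().union(*AP_CLIENTS.values()) | WIRED_HOSTS
    else:
        targets = {frame.dst}
    targets.discard(frame.src)
    received = set()
    for mac in targets:
        if policy == "inter_user_bridging_deny":
            if ap_of(mac) is not None and ap_of(mac) == src_ap:
                continue  # same-AP peer: blocked at the ingress AP
        elif src_ap is not None and mac not in WHITELIST:
            continue  # client -> non-whitelisted host: dropped anywhere
        received.add(mac)
    return received
```

Running an ARP-style broadcast from a client on AP-A through both policies reproduces the thread: with inter-user bridging denied, the AP-B client still receives it, while the intra-VLAN policy lets only the gateway and DHCP server see it.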