Controllerless Networks

Occasional Contributor I
Posts: 7
Registered: ‎05-24-2012

How to deny broadcast/multicast between IAP

Hello

We have an Instant AP cluster with 120 APs and we want to deny Layer 2 broadcast and multicast between clients on different APs. As I understand it, enabling "deny inter user bridging" only denies L2 traffic between clients on the same AP, but what can we do to deny traffic between different APs if we are using an Instant AP cluster and not the controller solution?

On Layer 3 it's easily done by access rules, but what about Layer 2 traffic?


Aruba instant

version 6.4.4.8-4.2.4.2_56164

Guru Elite
Posts: 21,285
Registered: ‎03-29-2007

Re: How to deny broadcast/multicast between IAP

Edit the SSID.  Under Advanced, turn on Broadcast Filter ARP for all of your SSIDs.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 7
Registered: ‎05-24-2012

Re: How to deny broadcast/multicast between IAP

Thanks for the reply! This setting does not help. My problem is between APs in the same SSID: I can see the MAC addresses of clients on a different AP in the same SSID.

For example, if 2 clients are connected to the same SSID on AP A and another 2 are connected to the same SSID on AP B, then the A and B clients can see each other's MAC addresses and vice versa. Every client can see two MAC addresses in its ARP table.

The access points are connected together with L2 switches. Can I even fix that with this kind of design?

Guru Elite
Posts: 21,285
Registered: ‎03-29-2007

Re: How to deny broadcast/multicast between IAP

In that case, you would use "Deny Inter User Bridging" under the Advanced Section of the SSID.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎05-24-2012

Re: How to deny broadcast/multicast between IAP

Yes, but as I mentioned in my first post, "deny inter user bridging" only denies client communication inside one AP, not between clients on different APs (same SSID).


Currently, if I send an ARP request to each IP on the subnet, I get back answers from all the clients that are not connected to the same AP from which I sent the request, ergo obtaining the IP and MAC addresses of all the active clients, which is a security issue!

With the broadcast filter the APs convert ARP requests to unicast, but whatever I do I still get answers from clients that are not on the same AP. Ergo, how can I deny all L2 traffic between clients? Basically I only need the ARP request to reach the DHCP server, nowhere else.
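The poster is verifying client isolation by looking at which MAC addresses end up in a client's ARP table. Below is an added example, not code from the thread or from Aruba, that turns that observation into a repeatable check from the defender's side: it parses an `ip neigh show` style neighbor table captured on a test client, ignores entries outside the client subnet and entries that never resolved (no L2 answer), and reports any resolved neighbor whose MAC is not one of the known infrastructure addresses (gateway, DHCP server). The neighbor-table lines, the subnet `10.10.0.0/24` and the infrastructure MACs are constructed sample values, not from the original post.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    ip: str
    mac: str
    state: str


# Matches one line of `ip neigh show` output, e.g.
#   "10.10.0.23 dev wlan0 lladdr 02:cc:00:00:00:23 REACHABLE"
#   "10.10.0.99 dev wlan0 FAILED"          (no lladdr: nothing answered the ARP)
_NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"\s+(?P<state>[A-Za-z]+)\s*$"
)


def parse_neighbors(text):
    """Return resolved neighbor entries; FAILED/INCOMPLETE entries have no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        entries.append(Neighbor(m.group("ip"), m.group("mac").lower(), m.group("state")))
    return entries


def isolation_report(neigh_output, client_subnet, infra_macs):
    """Flag resolved neighbors inside the client subnet that are not known infrastructure.

    If client isolation (deny inter-user bridging across all APs) is effective, a client
    should only ever resolve the gateway and the DHCP server; any other resolved entry
    means another wireless client answered at Layer 2.
    """
    net = ipaddress.ip_network(client_subnet)
    allowed = {m.lower() for m in infra_macs}
    peers = []
    for n in parse_neighbors(neigh_output):
        addr = ipaddress.ip_address(n.ip)
        # Different IP versions compare as "not in", so IPv6 link-local entries drop out here.
        if addr not in net or n.mac in allowed:
            continue
        peers.append(n)
    return {"isolated": not peers, "peer_entries": peers}


# Constructed sample: neighbor table of a test client that can still reach peers on other APs.
SAMPLE_NOT_ISOLATED = """\
10.10.0.1 dev wlan0 lladdr 02:aa:00:00:00:01 REACHABLE
10.10.0.2 dev wlan0 lladdr 02:aa:00:00:00:02 STALE
10.10.0.23 dev wlan0 lladdr 02:cc:00:00:00:23 REACHABLE
10.10.0.57 dev wlan0 lladdr 02:cc:00:00:00:57 DELAY
10.10.0.99 dev wlan0 FAILED
192.168.50.10 dev eth0 lladdr 02:dd:00:00:00:10 REACHABLE
fe80::1 dev wlan0 lladdr 02:aa:00:00:00:01 STALE
"""

# Constructed sample: the same client once only infrastructure answers.
SAMPLE_ISOLATED = """\
10.10.0.1 dev wlan0 lladdr 02:aa:00:00:00:01 REACHABLE
10.10.0.2 dev wlan0 lladdr 02:aa:00:00:00:02 STALE
10.10.0.23 dev wlan0 FAILED
10.10.0.57 dev wlan0 INCOMPLETE
"""

CLIENT_SUBNET = "10.10.0.0/24"                                 # assumed client subnet
INFRA_MACS = {"02:AA:00:00:00:01", "02:aa:00:00:00:02"}        # assumed gateway and DHCP server


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_NOT_ISOLATED), ("after", SAMPLE_ISOLATED)):
        report = isolation_report(sample, CLIENT_SUBNET, INFRA_MACS)
        print(f"{label}: isolated={report['isolated']}")
        for n in report["peer_entries"]:
            print(f"  peer reachable at L2: {n.ip} -> {n.mac} ({n.state})")
```

Run it on a client associated to one AP after the SSID settings have been applied; a non-empty `peer_entries` list is the concrete symptom described in the thread (other APs' clients still answering ARP), and an empty one is the evidence that isolation holds for that subnet. Entries on other interfaces or in other subnets are deliberately ignored so a wired management interface does not produce false positives.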

Guru Elite
Posts: 21,285
Registered: ‎03-29-2007

Re: How to deny broadcast/multicast between IAP


Under Access, Create a network rule that blocks traffic from users to the subnet that users are on.

Screenshot 2016-10-26 at 04.46.15.png



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎05-24-2012

Re: How to deny broadcast/multicast between IAP

I have done that. But Access Rules only block Layer 3 traffic. How can I prevent clients from sending ARP requests, which are Layer 2 traffic?

Guru Elite
Posts: 21,285
Registered: ‎03-29-2007

Re: How to deny broadcast/multicast between IAP

I don't know how that would be accomplished.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎05-24-2012

Re: How to deny broadcast/multicast between IAP

Is it a design error of the Instant access point solution with virtual controller? If we move over to the controller version, can we accomplish this with the controller?

I know that the Juniper controller is able to make an ACL to deny L2 traffic based on MAC address. In the Juniper controller I can make a rule to deny all Layer 2 traffic except to the DHCP MAC address and the problem is solved.

Guru Elite
Posts: 21,285
Registered: ‎03-29-2007

Re: How to deny broadcast/multicast between IAP

You should open a case with TAC and see if that feature exists the way you need it.  Instant is not an exact copy of a controller-based environment.



Colin Joseph
Aruba Customer Engineering

