Controllerless Networks



block client-to-client and allow external to initiate sessions

  • 1.  block client-to-client and allow external to initiate sessions

    Posted Dec 03, 2014 05:26 AM

    Hi,


    I'm trying to block client-to-client traffic and at the same time allow some external networks to initiate sessions with wireless clients. I've tried to add the following rules, which deny client-to-client traffic but also prevent external networks from contacting clients.


    allow any on server 10.95.0.1(gateway)

    deny any to network 10.95.0.0/24(wireless subnet)

    allow any to all destination 


    What's the best practice in this situation?




  • 3.  RE: block client-to-client and allow external to initiate sessions

    Posted Dec 03, 2014 05:56 AM

    Deny inter-user bridging is enabled.


    Currently I'm running ACLs in the switches that the IAPs are connected to, to allow/deny traffic between clients that are on different IAPs. I would like to skip this and manage everything from the IAP controller.



  • 4.  RE: block client-to-client and allow external to initiate sessions

    EMPLOYEE
    Posted Dec 03, 2014 06:10 AM

    If that is the case, use what you mentioned in your first post.  You would configure a role for your users, then rules within it:  http://www.arubanetworks.com/techdocs/Instant_41_WebHelp/InstantWebHelp.htm#UG_files/Roles_and_policies/ConfACLRule.htm


    The rules below that you mentioned in your first post would work:


    deny any to network 10.95.0.0/24(wireless subnet)
    allow any to all destination 

    You do not have to allow traffic to your default gateway.  Hopefully you have no server resources like DNS or anything else on 10.95.0.0/24.



  • 5.  RE: block client-to-client and allow external to initiate sessions

    Posted Dec 03, 2014 06:36 AM

    The problem is that the external network 192.168.10.0/24 needs to initiate sessions with the wireless clients. And the deny any to network 10.95.0.0/24 rule will block this, right?



  • 6.  RE: block client-to-client and allow external to initiate sessions

    EMPLOYEE
    Posted Dec 03, 2014 07:23 AM

    Unfortunately, I think that is the case.