New Contributor
Posts: 3
Registered: ‎02-22-2012

Disable Client to Client on guest network???


Running Aruba Instant with 6.x latest update as of 2/22/2012

Have an Employee Network working fine

Have a Guest Network using Guest DMZ using built-in DHCP, which properly segregates guest from employee network

 My problem is I can find a way to stop guest clients from communicating with other guest clients

I really don’t want guests to be able to port scan other guests

Most other APs I have worked with have an option to block client-to-client traffic on a given SSID

Any suggestions?

 

Thanks

Aruba Employee
Posts: 100
Registered: ‎12-02-2011

Re: Disable Client to Client on guest network???

How about adding an ACL in the guest role: "user user any deny" (src dst svc action)?

user-> any user in the controller's user table

This ACL will not let two users talk to each other.

New Contributor
Posts: 3
Registered: ‎02-22-2012

Re: Disable Client to Client on guest network???

That may work with a controller, but I'm running Instant

 

No option for Deny Any User User

 

I only have {Allow:Deny} | {Service} | {to All:to a server:except a server:to a network:except a network}

 

I don't want to list out each possible guest IP as a server. It would work, but it is a lot of entries

 

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: Disable Client to Client on guest network???


mjob81 wrote:

That may work with a controller, but I'm running Instant

 

No option for Deny Any User User

 

I only have {Allow:Deny} | {Service} | {to All:to a server:except a server:to a network:except a network}

 

I don't want to list out each possible guest IP as a server. It would work, but it is a lot of entries

 


mjob81, 

 

One way of achieving this is as follows: 

 

Create Network based access rules for the guest network 

 

Example:

Guest network - 192.168.1.0/24 

Gateway: 192.168.1.1 

 

RULES:

1.  allow any on server 192.168.1.1

2. allow any on server <to any other server you want users to be able to access>

3. deny any to network 192.168.1.0/24

4. allow any to all destination 

 

This would prevent inter-user traffic on the guest network. 

 

NOTE: the above rules will not allow external sources to initiate sessions with the guest network clients.

 

Hope it helps ! 

 

--
HT
New Contributor
Posts: 3
Registered: ‎02-22-2012

Re: Disable Client to Client on guest network???

YES that works

 

In Instant you cannot use xxx.xxx.xxx.0/x


you need to use xxx.xxx.xxx.0 and 255.xxx.xxx.xxx in the subnet
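
An added example, not part of the thread and not Aruba code: a small Python model of the rule list suggested above, evaluated first-match-wins, to check the ordering before entering it in the Instant UI. It also flags allow rules hidden behind an earlier deny and converts a CIDR prefix into the address-plus-mask form the last post says Instant expects. The implicit deny at the end of the list and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed model of the rules from the reply above; the first match wins.
ANY = ipaddress.ip_network("0.0.0.0/0")
GUEST_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_network("192.168.1.1/32")

RULES = [
    ("allow", GATEWAY),    # 1. allow any to server 192.168.1.1
    # 2. further "allow any to server X" entries would be listed here
    ("deny", GUEST_NET),   # 3. deny any to network 192.168.1.0/24
    ("allow", ANY),        # 4. allow any to all destinations
]

def evaluate(dst, rules=RULES):
    """Return the action of the first rule whose destination contains dst."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"  # assumption: nothing matched, so the traffic is dropped

def shadowed_allows(rules=RULES):
    """Allow rules that can never match because an earlier deny covers them."""
    hidden = []
    for i, (action, net) in enumerate(rules):
        if action != "allow":
            continue
        if any(a == "deny" and net.subnet_of(n) for a, n in rules[:i]):
            hidden.append(str(net))
    return hidden

def instant_form(cidr):
    """Split a CIDR prefix into (network address, dotted subnet mask)."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.netmask)

if __name__ == "__main__":
    # Gateway, another guest client, and an outside host (constructed addresses).
    for dst in ("192.168.1.1", "192.168.1.57", "203.0.113.10"):
        print(f"guest -> {dst}: {evaluate(dst)}")
    print("shadowed allow rules:", shadowed_allows())
    print("Instant form:", instant_form("192.168.1.0/24"))
```

If the deny for the guest subnet is entered above the gateway allow, `shadowed_allows` reports the gateway rule and guests lose access to 192.168.1.1.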

 

 

 
