New Contributor
Posts: 3
Registered: ‎02-22-2012

Disable Client to Client on guest network???


Running Aruba Instant with 6.x latest update as of 2/22/2012

Have an Employee Network working fine

Have a Guest Network using Guest DMZ using built in DHCP, which properly segregates guest from employee network

My problem is I can't find a way to stop guest clients from communicating with other guest clients

I really don't want guests to be able to port scan other guests

Most other APs I have worked with have an option to block client to client traffic on a given SSID

Any suggestions?

 

Thanks

Aruba Employee
Posts: 100
Registered: ‎12-02-2011

Re: Disable Client to Client on guest network???

How about adding an ACL in the guest role: "user user any deny" (src dst svc action)?

user-> any user in the controller's user table

This ACL will not let two users talk to each other.

New Contributor
Posts: 3
Registered: ‎02-22-2012

Re: Disable Client to Client on guest network???

That may work with a controller, but I'm running Instant

no option for Deny Any User User

I only have {Allow:Deny} | {Service} | {to All:to a server:except a server:to a network: except a network}

I don't want to list out each possible guest IP as a server, it would work but a lot of entries

Retired Employee
Posts: 234
Registered: ‎04-19-2011

Re: Disable Client to Client on guest network???


mjob81 wrote:

That may work with a controller, but I'm running Instant

no option for Deny Any User User

I only have {Allow:Deny} | {Service} | {to All:to a server:except a server:to a network: except a network}

I don't want to list out each possible guest IP as a server, it would work but a lot of entries


mjob81,

One way of achieving this is as follows:

Create network-based access rules for the guest network

Example:

Guest network - 192.168.1.0/24

Gateway: 192.168.1.1

RULES:

1. allow any on server 192.168.1.1

2. allow any on server <to any other server you want users to be able to access>

3. deny any to network 192.168.1.0/24

4. allow any to all destination

This would prevent inter-user traffic on the guest network.

NOTE: the above rules will not allow external sources to initiate a session with the guest network clients.

Hope it helps!


--
HT
New Contributor
Posts: 3
Registered: ‎02-22-2012

Re: Disable Client to Client on guest network???

YES that works

In Instant you cannot use xxx.xxx.xxx.0/x

You need to use xxx.xxx.xxx.0 and 255.xxx.xxx.xxx in the subnet
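
Added example, not part of the thread and not Aruba code: a small Python model of the rule list from the reply above, assuming rules are evaluated top-down with the first match winning. It checks which destinations a guest can reach, converts the /24 into the network-plus-mask form mentioned in this post, and goes one step further by flagging rules that an earlier rule makes unreachable. Function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Rules 1, 3 and 4 from the thread as (action, destination); every rule matches
# any service. Rule 2 (other permitted servers) is site-specific and left out.
GUEST_NET = ipaddress.ip_network("192.168.1.0/24")
RULES = [
    ("allow", ipaddress.ip_network("192.168.1.1/32")),  # 1. gateway
    ("deny", GUEST_NET),                                 # 3. rest of the guest subnet
    ("allow", ipaddress.ip_network("0.0.0.0/0")),        # 4. all other destinations
]


def evaluate(dst, rules=RULES):
    """Return the action of the first rule whose destination contains dst."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"  # assumption: nothing matched means deny


def instant_form(net):
    """Network address and dotted mask, the form the poster says Instant expects."""
    return str(net.network_address), str(net.netmask)


def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [
        i
        for i, (_, net) in enumerate(rules)
        if any(net.subnet_of(prev) for _, prev in rules[:i])
    ]


if __name__ == "__main__":
    # Constructed destinations: gateway, another guest, an outside host.
    for dst in ("192.168.1.1", "192.168.1.57", "8.8.8.8"):
        print(dst, evaluate(dst))
    print("guest network as entered in Instant:", instant_form(GUEST_NET))
    # Putting the subnet deny first hides the gateway allow behind it.
    wrong_order = [RULES[1], RULES[0], RULES[2]]
    print("shadowed rule indexes if the deny comes first:", shadowed(wrong_order))
```

In this model the gateway allow has to sit above the subnet deny; with the order reversed the gateway falls under the deny and the allow rule never matches.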

 

 

 

New Contributor
Posts: 2
Registered: ‎03-17-2017

Re: Disable Client to Client on guest network???

Hi Guys,

I'm new to Aruba controllers. My WAC series is 7220 with SW version: 6.4.3.4

I need to do wireless client isolation on my network so that the only thing each user can see is the DHCP server.

I did activate the option "Deny inter user traffic" on each SSID I have, but I can still see other devices when using the "fing" SW.

Please, I need help.

Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Re: Disable Client to Client on guest network???

Clients will always have access to ARP, which is what fing does.  If you have an ACL that says that those clients cannot communicate, they will be blocked from doing anything to each other.  This of course breaks down on an Open SSID where there is no encryption and clients can directly contact each other.  Real protection should not be expected on an Open SSID.



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 2
Registered: ‎03-17-2017

Re: Disable Client to Client on guest network???

I agree with you, so how can I do this using policies?

Can you please give me an example (as I told you before, I'm new to Aruba).

 
