Wired Networks

How to enable Deny-Inter User Traffic on MAS 7.4 Code

Environment : There is NO special environment required to enable this feature.

 

Deny-Inter Traffic feature is supported from MAS 7.4 code.
 

  • Feature supported on a single Aruba stack, it does not span across multiple switches.
  • By default feature is disabled in the user role.
  • If user-role has voip-profile configured, then traffic is denied for phones as well.
  • When the port has 2 users connected and one user in role1 and the other user in role2 and both role1 and role2 has the same vlan and role 1 has deny-inter-user traffic enabled, then the traffic originating from another user in role1will be denied to both the users on that port.
  • L3 multicast traffic originated from the users cannot be denied across the users in same role different Vlan.
  • If users are in same role, different Vlan, inter user traffic will be denied if the switch is the default-gateway for the users.
  • If users are in same role, different Vlan, but session processing or natt is enabled on the Vlan, then inter user traffic will be allowed.
  • “AMP 8.0” and “CPPM 6.3/6.4 Downloadable Standard Mode” do not have support for this.
  • Use Downloadable Advanced mode in CPPM to push “deny-inter-user-traffic”.
  • This feature provides support to block users communicating with one another directly when in same role (e.g. guest to guest).
  • Organizations which want to deny inter user communication, say between the guest users can use this feature and block the communication between them.
  • Mostly used in hospitality industry.

rtaImage (3).png

 

Configuration
-----------------------
 
 
(ArubaS1500-24P) (config) #user-role test
(ArubaS1500-24P) (config-role) #deny-inter-user-traffic ?
<cr>
(ArubaS1500-24P) (config-role) #deny-inter-user-traffic
(ArubaS1500-24P) (config-role) #end
 
 
(ArubaS1500-24P) #show aaa deny-inter-user-traffic roles
Maximum number of user roles supported: 7
Enabled on user roles:
----------------------
test
mac-user
aman-phone
(ArubaS1500-24P) #
 
 
(ArubaS1500-24P) #show rights test
Derived Role = 'test'
 Assigned VLAN = 100
 Periodic reauthentication: Disabled
 Deny inter-user traffic: Enabled
 ACL Number = 41/0/42
access-list List
----------------
Position  Name                Type       Location
--------  ----                ----       --------
1         allowall-stateless  stateless
allowall-stateless
------------------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  QoS  Policer  Blacklist  Mirror  IPv4  Nexthop
--------  ------  -----------  -------  ------  ---------  ---  -------  ---  -------  ---------  ------  ----  -------
1         any     any          any      permit                                                            4
Expired Policies (due to time constraints) = 0
(ArubaS1500-24P) #
 
 
(ArubaS1500-24P) #show user role aman-ap
Users
-----
    IP               MAC            Name              Role      Age(d:h:m)  Auth  Connection  Interface  Profile        Vlan
----------      ------------       ------             ----      ----------  ----  ----------  ---------  -------        ----
192.168.30.249  00:24:6c:cc:61:26  00:24:6c:cc:61:26  aman-ap   03:16:43    MAC   Wired       0/0/43     mac-ics-dot1x  31 (30)
192.168.30.250  00:24:6c:cc:61:61  00:24:6c:cc:61:61  aman-ap   03:16:43    MAC   Wired       1/0/40     mac-ics-dot1x  31 (30)
192.168.30.251  d8:c7:c8:cf:b5:48  d8:c7:c8:cf:b5:48  aman-ap   03:16:38    MAC   Wired       0/0/41     mac-ics-dot1x  31 (30)
192.168.30.252  d8:c7:c8:cf:bd:ae  d8:c7:c8:cf:bd:ae  aman-ap   03:16:43    MAC   Wired       1/0/36     mac-ics-dot1x  31 (30)
192.168.30.253  d8:c7:c8:c7:12:22  d8:c7:c8:c7:12:22  aman-ap   03:16:44    MAC   Wired       1/0/38     mac-ics-dot1x  31 (30)
192.168.30.254  24:de:c6:ca:9e:b4  24:de:c6:ca:9e:b4  aman-ap   03:16:44    MAC   Wired       0/0/39     mac-ics-dot1x  31 (30)
User Entries: 6/6
(ArubaS1500-24P) #
 
 
From below example,
 
Traffic from User 2 to both User 1 and User 3 is dropped.
Traffic from User 4 to both User 1 and User 3 is permited.

 

rtaImage (2).jpg

Traffic from User1 to User 2 is dropped. But if Vlan of User1 and User2 is different then traffic is permitted.
 
Role A – deny-inter-user-traffic – enabled
Role B – deny-inter-user-traffic – disabled
Role C – deny-inter-user-traffic – enabled
 or
Role A – deny-inter-user-traffic – disabled
Role B – deny-inter-user-traffic – enabled
Role C – deny-inter-user-traffic – enabled

 

rtaImage (4).jpg

 

 

From below example,
 
If the default-router is upstream then traffic is permitted Only Unicast traffic is denied in this case, multicast traffic will be permitted.

 

rtaImage (5).jpg

 

 

 

 

 

 

 

Version history
Revision #:
1 of 1
Last update:
‎04-07-2015 01:39 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.