role for the user is a trusted role as they are the Corp user and authenticated.
they are allowed to ping. all controllers have the same config and acl settings.
no ACL on the port, we have an ACL on the Guest direct internet port.
VRRP is the same as the user VLAN
in the ARP table users mac address is the controller and not the user device.
i will have to look at inervlan routing.