Occasional Contributor II

Deny inter user traffic / bridging vs. Wireless printing

I'm ashamed to ask this but we have an interesting issue I hope someone can help with.

We have a VIP who is insisting that they have a wireless printer; saying "no" isn't an option.

We have deny inter user bridging and traffic enabled in our controller; turning them off isn't an option.

The VIP exists essentially in their own SSID, but the settings are global.

How can I let this person print wirelessly?

(I'm cool with adding SSIDs if needed)

I tried putting the printer and user in different SSIDs, but I guess the firewall settings are L2, so it didn't help.

Any suggestions?

Guru Elite

Re: Deny inter user traffic / bridging vs. Wireless printing

Deny inter user traffic in ArubaOS 6.1.x is now under the Virtual AP profile, so that you can do this per VAP, instead of globally under Advanced > Firewall.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Deny inter user traffic / bridging vs. Wireless printing

The tech support guy showed me that as well, sadly we are still using sup1 cards, so 6.x.x.x is not an option :(

Aruba Employee

Re: Deny inter user traffic / bridging vs. Wireless printing

You know you can also create the rules to deny inter user traffic at the role level. I remember setting that up on 3.4 once.

Thanks,

Zach Jennings
Guru Elite

Re: Deny inter user traffic / bridging vs. Wireless printing

Are you using Deny Inter user traffic bridging so that users cannot talk to each other?  That is pretty much all it is good for.  You can use role-based rules to accomplish the same.

 

EDIT:  I see that Zjennings already mentioned that.

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Deny inter user traffic / bridging vs. Wireless printing

We are using 3.4.4.3 and yes, those firewall options are making sure that the users (residents in a dorm) cannot see each other.

If a rule can do that and allow me to disable the firewall options, I would. Can an example be provided?

 

Thanks!

Guru Elite

Re: Deny inter user traffic / bridging vs. Wireless printing

user network 10.0.0.0 255.255.0.0 any deny

 

 

The network parameter would be any user network you do not want users to get to.  This is best accomplished through an alias, of course.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Deny inter user traffic / bridging vs. Wireless printing

You could also do a "user user any deny" in your ACL. This denies any traffic from wireless users to wireless users. I think this is what you are asking for.

Occasional Contributor I

Re: Deny inter user traffic / bridging vs. Wireless printing

Hate to dig up an old thread... but now I'm facing a similar situation. Been searching the forums; this is the closest posting found...

 

Customer wants to print from a BYOD device to a WiFi printer, while continuing to deny inter-user traffic without impacting traffic to network resources/internet.

 

What is the ACL "equivalent" of the "Deny Inter-User Traffic" VAP setting?  

 

Think it would be "user user any deny"... no good, controller (620 on v6.2) says, "Only one of source or destination must be 'user'"

 

In my mind, the following would accomplish this, but the controller doesn't allow the "user user any deny".

 

!
ip access-list session allowtest
   user (printerip) any permit
   user user any deny
   any any any permit

 

Any suggestions would be kindly appreciated...

Guru Elite

Re: Deny inter user traffic / bridging vs. Wireless printing

I would do user subnet X any deny.

 

That should do it.



Colin Joseph
Aruba Customer Engineering
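
Added example, not part of any post in this thread and not Aruba code: a simplified first-match model of the session ACL the thread converges on (printer permit, then the user-subnet deny, then permit any), checking that the printer stays reachable while user-to-user traffic is dropped. The printer and peer addresses are constructed, and first-match evaluation with an implicit deny at the end is an assumption of the model.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread's networks):
USER_NET = "10.0.0.0/16"   # the "user network 10.0.0.0 255.255.0.0 any deny" rule
PRINTER = "10.0.10.50"     # hypothetical WiFi printer inside the user subnet

# Each rule is (destination, action). The source is always "user" (a wireless
# client), as in the thread's rules. "any" matches every destination.
ACL_PRINTER_FIRST = [
    (PRINTER + "/32", "permit"),   # user (printerip) any permit
    (USER_NET, "deny"),            # user network 10.0.0.0 255.255.0.0 any deny
    ("any", "permit"),             # any any any permit
]
# Same rules with the subnet deny moved ahead of the printer permit.
ACL_DENY_FIRST = [ACL_PRINTER_FIRST[1], ACL_PRINTER_FIRST[0], ACL_PRINTER_FIRST[2]]


def evaluate(acl, dst_ip):
    """Return (action, rule position) of the first rule matching dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    for position, (dest, action) in enumerate(acl, start=1):
        if dest == "any" or dst in ipaddress.ip_network(dest):
            return action, position
    return "deny", None   # nothing matched: implicit deny (model assumption)


def audit(acl):
    """Check the three outcomes the thread asks for, from a wireless client."""
    return {
        "printer": evaluate(acl, PRINTER)[0],
        "other_user": evaluate(acl, "10.0.20.7")[0],     # constructed peer client
        "internet": evaluate(acl, "198.51.100.10")[0],   # documentation-range address
    }


if __name__ == "__main__":
    for name, acl in (("printer first", ACL_PRINTER_FIRST),
                      ("deny first", ACL_DENY_FIRST)):
        print(name, audit(acl))
```

With the deny placed first, the printer falls inside the denied user subnet and is never reached by its permit rule, so the order of the first two lines is what makes printing work.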
