03-01-2015 01:52 PM
is it possible to create a rule (with PEF-NG) to restrict the client traffic to a router MAC address?
I already created a new MAC-firewall policy (permitted my router MAC addresses there), stuck this policy onto a user role, added this user role to an AAA profile and rejoined the WiFi network with my client, but unfortunately (even if my client is in the new role) no traffic seems to flow through the air. (I do see hits in a deny any any filter in the firewall, but I couldn't find any "deny any any" filter in the role or profile :( )
03-01-2015 02:00 PM - edited 03-01-2015 02:02 PM
I'm not sure if I understand what you mean.
We have APs of different vendors in the same VLANs. So the "deny interuser traffic" on the aruba controller is more or less useless. Therefore I'm looking for a different opportunity to avoid inter-user traffic.
Normally we set up an L2 filter so that a user is only able to communicate with the L2 address of our Cisco VSS cluster and only packets from this cluster get forwarded to the user. All other traffic should be blocked / blackholed / thrown away.
Part of the problem is the DST of a frame is not always the router's MAC but the client MAC address. So if the non-Aruba WLAN AP is L2 on the same network, from a traffic flow perspective you are going to see SRC and DST of the non-Aruba client to the Aruba client and not the macaddr of the non-Aruba AP (it's there because it's L2, but if it's all on the same L2, then everyone is on the same CAM table). So if that is the goal, it would be better to put the non-Aruba WLAN into a separate VLAN, or put the Aruba clients into their own VLAN. Ultimately though, if everything is L2, then you would have to write ACLs that block based on SRC/DST macaddr, which likely isn't feasible...
IMHO I think your best options are to move the non-Aruba WLAN APs into their own VLAN. Get rid of the shared L2 between two disparate WLAN systems.
Sr. Technical Marketing Engineer
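An added model, not code from the thread or from ArubaOS and with constructed MAC addresses, of how a first-match MAC ACL treats the frames a client has to exchange on the VLAN. It shows two things the posts above touch on: a policy that permits only the router MAC as peer also denies the broadcast ARP and DHCP frames a client sends before any unicast can happen (so every frame lands on the implicit deny any any), and that permitting broadcast keeps unicast inter-user frames blocked, which is the intent of the original question, even though it does not replace VLAN separation as the reply recommends.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "00:00:5e:00:01:01"  # constructed placeholder for the VSS cluster MAC
CLIENT_A = "02:00:00:00:00:0a"    # constructed: client on the Aruba WLAN
CLIENT_B = "02:00:00:00:00:0b"    # constructed: client on the other vendor's AP, same VLAN


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def evaluate(rules, frame):
    """First-match MAC ACL; anything unmatched hits the implicit deny any any."""
    for src, dst, action in rules:
        if src in ("any", frame.src) and dst in ("any", frame.dst):
            return action
    return "deny"


# Policy as the question describes it: the router MAC is the only permitted peer.
ROUTER_ONLY = [
    ("any", ROUTER_MAC, "permit"),
    (ROUTER_MAC, "any", "permit"),
]

# Same intent, but broadcast is permitted so ARP and DHCP can complete.
ROUTER_PLUS_BCAST = ROUTER_ONLY + [("any", BROADCAST, "permit")]

# Constructed sample of frames a client generates or receives on the VLAN.
SAMPLE = {
    "arp/dhcp client->bcast": Frame(CLIENT_A, BROADCAST),
    "client->gateway": Frame(CLIENT_A, ROUTER_MAC),
    "gateway->client": Frame(ROUTER_MAC, CLIENT_A),
    "other client->client": Frame(CLIENT_B, CLIENT_A),
    "client->other client": Frame(CLIENT_A, CLIENT_B),
}


def trace(rules):
    """Map each sample frame to the action the given policy takes on it."""
    return {name: evaluate(rules, f) for name, f in SAMPLE.items()}


if __name__ == "__main__":
    for policy, rules in (("router only", ROUTER_ONLY), ("router + broadcast", ROUTER_PLUS_BCAST)):
        print(policy)
        for name, action in trace(rules).items():
            print(f"  {name:24} {action}")
```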