Gotcha, I had traffic allowed from the controller, but that alias is only configured for the physical interface, not the virtual interfaces, which is where the icmp traffic was originating from. Could not modify the controller alias, so had to create new which included all the vlan interfaces. Any thoughts on allowing/blocking broadcast traffic on guest vlan? That is the only other traffic I see being constantly dropped on guest vlan. My thought was any malicious broadcast traffic would be prevented from getting to other clients on the same VLAN but not sure if it has any real impact on legit traffic.
Thanks for the post tarinelli.
-GR