Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Doubt about "Deny inter user traffic" option

Jump to Best Answer
This thread has been viewed 23 times
  • 1.  Doubt about "Deny inter user traffic" option

    Posted Jul 06, 2020 05:36 PM

    Hi community,

     

    I have a network with many RAPs, and all of them with wired users. I have to prevent users from communicating with each other, either on the same VLAN or on differents VLANs. I thinking of using ""Deny inter user traffic" option, but the documentation is ambiguos. According to the User Guide:

     

    Deny inter user traffic: Denies traffic between untrusted users by disallowing layer-2 and layer-3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled.

     

    But according to the MM WebUI:

     

    denyinter.png

    According to User Guide, it denies layer-2 and layer-3 traffic, but according to the WebUI, it denies only non-IP frames on same VLAN. Am I missing anything? Please help.

     

    Regards,

    Julián



  • 2.  RE: Doubt about "Deny inter user traffic" option

    Posted Jul 06, 2020 05:44 PM

    EDIT post



  • 3.  RE: Doubt about "Deny inter user traffic" option

    Posted Jul 06, 2020 06:47 PM

    Hi Victor,

     

    That post clearly indicates that can be enabled under VAP level or globally:

     

    Enabling Deny Inter User traffic and bridging from Global firewall

    (Aruba-Controller) #configure t
    
    (Aruba-Controller) (config) #firewall deny-inter-user-bridging
    
    (Aruba-Controller) (config) #firewall deny-inter-user-traffic

    Regards,

    Julián



  • 4.  RE: Doubt about "Deny inter user traffic" option

    Posted Jul 06, 2020 08:11 PM

    This might explain why the GUI is showing that information.

     

    For example, let say you have got two users under the same VLAN, but they fall into different roles based on some criteria (mac, OUI, CPPM Profiling etc), then the traffic between them is denied if the deny inter user traffic is under any one single role. Multicast traffic however will not be denied. 

     

     

     

     

     



  • 5.  RE: Doubt about "Deny inter user traffic" option

    Posted Jul 06, 2020 10:23 PM

    Hi,

     

    I have wired users on differents AP groups, each AP group is in a different VLAN. I want to prevent users from communicating with each other, on the same VLAN (same AP group) and between differents VLANs (differents AP groups). Then, based on the user guide definition:

     

    Deny inter user traffic: Denies traffic between untrusted users by disallowing layer-2 and layer-3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled.

     

    If I enable "Deny inter user traffic" globally, will I achieve what I want?

     

    Regards,

    Julián



  • 6.  RE: Doubt about "Deny inter user traffic" option

    Posted Jul 07, 2020 10:34 AM

    Hi guys,

     

    I also found that as usual, the Aruba documentation isn't somewhat clear. According to the ArubaOS Hardening guide, "Deny Inter User Traffic" is intended only for wireless, and "Deny Inter User Bridging" is intended only for non-IP traffic:

     

    Preventing Inter-User Traffic

    When this setting is enabled, wireless users are prevented from communicating with each other. All traffic originating from a wireless user, destined for another wireless user, is dropped. Note that this option may have significant impacts on network behavior; all forms of peer-to-peer communication are interrupted. To enable the feature:

    (Hostname) (config) #firewall deny-inter-user-traffic

     

    A related feature will block only non-IP traffic, but will permit IP traffic between users (subject to firewall policies that have been applied to the user role.) This is a less-restrictive option than the previous setting. Because ARP traffic is considered non-IP, this setting will also disrupt ARP between wireless clients. For this reason, you may wish to enable proxy ARP on the user VLANs, which will cause the controller to proxy-ARP on behalf of wireless users.

    (Hostname) (config) #firewall deny-inter-user-bridging

    (Hostname) (config) #interface vlan 1

    (Hostname) (config-subif)#ip local-proxy-arp

     

    Any ideas?

     

    Regards,

    Julián



  • 7.  RE: Doubt about "Deny inter user traffic" option
    Best Answer

    Posted Jul 10, 2020 10:19 AM

    Hi guys,

     

    If someone is interested, I tested and enabled the option “Deny Inter User Traffic” globally on the firewall, and it worked. Users weren’t able to ping each other neither on different VLANs, or on the same VLAN, all those were wired users. So the Aruba documentation is wrong:

     

    Preventing Inter-User Traffic

    When this setting is enabled, wireless users are prevented from communicating with each other. All traffic originating from a wireless user, destined for another wireless user, is dropped. Note that this option may have significant impacts on network behavior; all forms of peer-to-peer communication are interrupted. To enable the feature:

    (Hostname) (config) #firewall deny-inter-user-traffic

     

    Regards,

    Julián



  • 8.  RE: Doubt about "Deny inter user traffic" option

    Posted 29 days ago
    Running AOS 8.6.0.7 - I found that activating the VAP "deny inter user traffic" makes it so that it only denies for clients within the same VLAN on the same VAP regardless of the role assigned. A user on a different VLAN on the same VAP is able to reach across the vlan unless denied in the ROLE. I also found that even across two VAP profiles (different SSID) the behaviour is the same - I'm still unable to access the client as long as I'm on the same VLAN. Change VLAN and voila - I can reach across VLAN.

    "Deny inter user traffic" in the GUI explanation says "Deny inter user traffic between the users on the same virtual AP profile". There needs to be appended something like this "... AND the same VLAN" to that sentence.

    ------------------------------
    John-Egil Solberg |
    ACMX | ACCX
    ------------------------------



  • 9.  RE: Doubt about "Deny inter user traffic" option

    Posted 26 days ago
    I remember a client creating issues with something similar. TAC came back saying this is by design and had to use "deny-local-routing" to disable routing between clients on different VLANs.

    ------------------------------
    Jibran Aziz
    ------------------------------