Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Need to disable traffic between users in master - local setup

  • 1.  Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 02:24 AM

    Greeting Friends!!!

     

     

    I am stuck a bit with an issue, need your help to solve this.

     

    We have a master-local setup of 6 controller. 1 controller is master all other are local.

     

    APs terminate on all the controllers.

     

    I have enabled this feature " Deny inter-user traffic" and "Deny inter-user bridging" on all the 6 controller. Hence when 2 users are connected to APs terminating on same controller they are not able to ping.

    This is an expected behavior and we need this feature.

     

    The problem is seen, when one user terminating on AP going to controller 1 and the other user terminating on AP going to controller 2. They are able to ping. The 2 end users have the IP addresses from the same subnet.

     

    It is like a security breach ... 

     

    hence let me know how do I resolve this. Is there any other feature like " Deny inter-user traffic" which can disable the communication between the guests that are connected to different controllers.

     

    Controllers are running with 6.1.3.2 code as of now.... If required we can upgrade....

     

     



  • 2.  RE: Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 04:13 AM

    U May create your own access role , that look like this (in each controller)

    *Do it under the user role to your users are getting*

    *Do 2 set of rules*

    03-02-2015 11-13-45.png

    03-02-2015 11-13-45.png

    Dont forget to apply & save in the end.



  • 3.  RE: Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 04:21 AM

    Thanks for the reply.

     

    Do I need the PEF or any other license for this. If so, do I need the licence for all the controllers?

     



  • 4.  RE: Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 04:36 AM

    HI,

     

    Yes, we need PEF license to create and apply any roles and policies. Policies always applied at the Local ( where the AP is terminated) hence PEF license is required in all the controllers wherever user traffic is getting processed .

     

    Hope you got some more clarity.

     

    Please feel free for any further query on this.



  • 5.  RE: Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 04:38 AM

    yes this will require PEF and most likely on both.

     

    also do keep in mind that on layer 2 the clients will see be able to communicate.



  • 6.  RE: Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 04:39 AM

    Oh... But our main requirment is Layer2 users should not be able to communicate.

     

     



  • 7.  RE: Need to disable traffic between users in master - local setup

    Posted Feb 03, 2015 07:10 AM

    i had a ticket open for this: users from two different controllers being able to see each other (with an arp scan or such) while deny interface user routing / bridging was turned on. support told me this isn't possible to block at this moment.

     

    do remember that actual useful communication on layer 2 isn't that easy most applications will use IP and that will be blocked. of course if your users want it bad enough there are probably methods.

     

    you can also work around this to have your user from different controller end up in different subnets. then only using control lists is enough.