I am a bit stuck with an issue and need your help to solve it.
We have a master-local setup of 6 controllers. 1 controller is the master, all the others are local.
APs terminate on all the controllers.
I have enabled the features "Deny inter-user traffic" and "Deny inter-user bridging" on all 6 controllers. Hence, when 2 users are connected to APs terminating on the same controller, they are not able to ping.
This is the expected behavior and we need this feature.
The problem is seen when one user terminates on an AP going to controller 1 and the other user terminates on an AP going to controller 2. They are able to ping. The 2 end users have IP addresses from the same subnet.
It is like a security breach ...
Hence, let me know how I resolve this. Is there any other feature like "Deny inter-user traffic" which can disable communication between the guests that are connected to different controllers?
Controllers are running 126.96.36.199 code as of now.... If required we can upgrade....
You may create your own access role that looks like this (in each controller):
*Do it under the user role your users are getting*
*Do 2 sets of rules*
Don't forget to apply & save at the end.
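As an added illustration of the two rule sets described above (this is not the poster's screenshot and not Aruba's own documentation), a session ACL in ArubaOS CLI syntax as I understand it, attached to the guest role on every controller; the role and alias names, the 10.10.10.0/24 guest subnet and the 10.10.10.1 gateway are placeholders:

```text
! Added example; names, subnet and gateway are placeholders, not from the thread.
! The guest subnet that clients on all controllers share
netdestination guest-subnet
  network 10.10.10.0 255.255.255.0
!
! Rule set 1: the user may still reach its gateway, but nothing else in the guest subnet
! Rule set 2: nothing else in the guest subnet may reach the user
! Everything that is not guest-to-guest is then permitted
ip access-list session guest-isolation
  user host 10.10.10.1 any permit
  user alias guest-subnet any deny
  alias guest-subnet user any deny
  any any any permit
!
! Apply the ACL in the role every guest user lands in, on each controller
user-role guest
  access-list session guest-isolation
!
```

This only blocks IP traffic; layer-2 visibility between clients on different controllers (ARP) is untouched, which is why a separate subnet per controller is the cleaner fix.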
Thanks for the reply.
Do I need the PEF or any other license for this? If so, do I need the licence for all the controllers?
Yes, we need a PEF license to create and apply any roles and policies. Policies are always applied at the Local (where the AP is terminated), hence a PEF license is required in all the controllers wherever user traffic is getting processed.
Hope you got some more clarity.
Please feel free for any further query on this.
Yes, this will require PEF and most likely on both.
Also do keep in mind that on layer 2 the clients will be able to communicate.
Oh... But our main requirement is that Layer 2 users should not be able to communicate.
I had a ticket open for this: users from two different controllers being able to see each other (with an ARP scan or such) while deny inter-user routing / bridging was turned on. Support told me this isn't possible to block at this moment.
Do remember that actual useful communication on layer 2 isn't that easy; most applications will use IP and that will be blocked. Of course, if your users want it bad enough there are probably methods.
You can also work around this by having your users from different controllers end up in different subnets. Then only using control lists is enough.